From isn at c4i.org Mon Oct 3 08:31:44 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 3 08:55:52 2005
Subject: [ISN] Interior Dept. Computer System Insecure
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/09/29/AR2005092901862.html

By JENNIFER TALHELM
The Associated Press
September 29, 2005

WASHINGTON -- An investigation of the computer systems in several Interior Department offices found numerous security flaws that threaten the department's overall computer security and must be fixed, according to an internal report.

Tests by the Interior Department's Office of the Inspector General found several bureaus and offices "still suffer from serious weaknesses in their security posture," Inspector General Earl Devaney wrote in a Sept. 6 memo to Assistant Secretary Lynn Scarlett.

According to the report, obtained by The Associated Press on Thursday, investigators several times were able to masquerade as authorized users, roam the internal networks of some of the department's most sensitive computer systems and manipulate data. The tests were performed in phases beginning in November 2004.

But Devaney said the department has balked at fixing the system.

"Rather than simply accepting the results of our testing and promptly addressing the underlying vulnerabilities, the department and bureaus have, to date, expended considerable time and energy debating our findings, challenging our methodology and impugning the credentials and integrity of our staff and contractors," Devaney wrote.

"I do not wish to repeat this past experience," he added, suggesting the department work to fix the problem.

Interior Department spokesman Dan DuBray said the investigation was done as part of an internal effort to identify any "potential weaknesses or conceivable potential vulnerabilities."
The department's computer security has been challenged recently as part of a class-action lawsuit in which thousands of American Indians accuse the department of cheating them out of billions of dollars by mismanaging oil, gas, grazing, timber and other royalties from their land since 1887.

Plaintiffs have asked that a federal district court judge order Interior Secretary Gale Norton to shut down the information technology systems to protect data.

DuBray said the department will continue to aggressively work to strengthen the computer systems, "which are now among the most intricately examined in all of government."

-=-

On the Net:

Interior Department: http://www.doi.gov


From isn at c4i.org Mon Oct 3 08:31:59 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 3 08:56:13 2005
Subject: [ISN] Trojan rides in on unpatched Office flaw
Message-ID:

http://news.com.com/Trojan+rides+in+on+unpatched+Office+flaw/2100-1002_3-5886543.html

By Joris Evers
Staff Writer, CNET News.com
September 30, 2005

A new Trojan horse exploits an unpatched flaw in Microsoft Office and could let an attacker commandeer vulnerable computers, security experts have warned.

The malicious code takes advantage of a flaw in Microsoft's Jet Database Engine, a lightweight database used in the company's Office productivity software. The security hole was reported to Microsoft in April, but the company has yet to provide a fix for the problem.

"Microsoft is aware that a Trojan recently released into the wild may be exploiting a publicly reported vulnerability in Microsoft Office," a company representative said in a statement sent via e-mail on Friday. The software maker is investigating the issue and will take "appropriate action," the representative said.

The Trojan horse arrives in the guise of a Microsoft Access file, security software maker Symantec said in an advisory.
When run on a vulnerable system, it would give a remote attacker full access to a compromised computer, Symantec said. The company calls the pest "Backdoor.Hesive" and notes that it is not widespread.

Although exploits had already been released in April when HexView publicly reported the flaw, the Trojan is believed to be the first actual threat to take advantage of the security hole.

Security monitoring firm Secunia rates the issue "highly critical," one notch below its most serious rating. "The vulnerability is caused due to a memory handling error when...parsing database files," Secunia said in its April advisory. "This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted '.mdb' file in Microsoft Access."

Symantec advises users to be cautious when opening unknown files. The security software maker lists all recent Windows releases as vulnerable to the Trojan attack.


From isn at c4i.org Mon Oct 3 08:33:07 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 3 08:56:36 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-39
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2005-09-22 - 2005-09-29

                       This week : 67 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.
Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

A vulnerability has been discovered in RealPlayer / Helix Player, which potentially can be exploited by malicious people to compromise a user's system.

Currently, no solution is available from the vendor. Please see the referenced Secunia advisories for additional details.

References:
http://secunia.com/SA16961
http://secunia.com/SA16954

--

Apple has released a security update for Mac OS X, which fixes 10 vulnerabilities.

A complete list and details about the vulnerabilities fixed can be found in the Secunia advisory below.

Reference:
http://secunia.com/SA16920

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA16869] Firefox Command Line URL Shell Command Injection
2.  [SA16901] Thunderbird Command Line URL Shell Command Injection
3.  [SA16911] Firefox Multiple Vulnerabilities
4.  [SA16942] Microsoft Internet Explorer "XMLHTTP" HTTP Request Injection
5.  [SA16922] Sony PSP Photo Viewer TIFF File Handling Buffer Overflow
6.  [SA16917] Mozilla Multiple Vulnerabilities
7.  [SA16920] Mac OS X Security Update Fixes Multiple Vulnerabilities
8.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
9.  [SA16944] Netscape Multiple Vulnerabilities
10. [SA16764] Firefox IDN URL Domain Name Buffer Overflow

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA16958] FL Studio FLP File Handling Buffer Overflow
[SA16942] Microsoft Internet Explorer "XMLHTTP" HTTP Request Injection
[SA16909] SecureW2 Insecure Pre-Master Secret Generation

UNIX/Linux:
[SA16965] Fedora update for firefox
[SA16960] Slackware update for mozilla
[SA16928] Ubuntu update for mozilla/mozilla-firefox
[SA16919] Red Hat update for firefox
[SA16986] Fedora update for HelixPlayer
[SA16980] TWiki "%INCLUDE" Shell Command Injection Vulnerability
[SA16976] Gentoo update for php
[SA16974] SGI Advanced Linux Environment Multiple Updates
[SA16964] Fedora update for mozilla
[SA16962] Red Hat update for HelixPlayer
[SA16961] RealPlayer Error Message Format String Vulnerability
[SA16954] Helix Player Error Message Format String Vulnerability
[SA16953] Mandriva update for mozilla
[SA16948] Trustix update for clamav
[SA16930] SUSE update for clamav
[SA16920] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA16918] Red Hat update for mozilla
[SA16972] Debian update for python2.3
[SA16968] SUSE update for opera
[SA16967] Astaro Security Linux PPTP Denial of Service Vulnerability
[SA16957] Gentoo update for qt
[SA16945] jPortal Download Search SQL Injection Vulnerability
[SA16940] Gentoo update for webmin/usermin
[SA16939] Debian update for courier
[SA16938] Gentoo update for mantis
[SA16936] wzdftpd SITE Command Arbitrary Shell Command Injection
[SA16923] Interchange Catalog Skeleton SQL Injection and ITL Injection Vulnerabilities
[SA16914] Debian update for python2.1
[SA16943] IBM HMC apache/mod_ssl Vulnerabilities
[SA16978] Polipo Disclosure of Sensitive Information
[SA16950] Red Hat update for cups
[SA16912] Fedora update for cups
[SA16969] Linux Kernel URB Handling Denial of Service Vulnerability
[SA16959] Slackware update for x11
[SA16955] Sun Solaris Xsun and Xprt Privilege
Escalation Vulnerability
[SA16935] Qpopper poppassd Insecure Trace File Creation Vulnerability
[SA16927] Ubuntu update for kernel
[SA16925] SUSE update for XFree86-server/xorg-x11-server
[SA16924] SUN Solaris UFS File System Denial of Service
[SA16916] Debian update for kdeedu
[SA16910] Fedora update for kernel
[SA16984] Red Hat update for wget

Other:
[SA16956] Avaya Products httpd/mod_ssl Vulnerabilities
[SA16922] Sony PSP Photo Viewer TIFF File Handling Buffer Overflow
[SA16952] Anycom Blue Stereo Headset BSH-100 Pairing Mode Vulnerability
[SA16931] Plantronics M2500 Bluetooth Headset Pairing Mode Vulnerability

Cross Platform:
[SA16944] Netscape Multiple Vulnerabilities
[SA16941] AlstraSoft E-Friends "mode" File Inclusion Vulnerability
[SA16933] phpMyFAQ Multiple Vulnerabilities
[SA16917] Mozilla Multiple Vulnerabilities
[SA16911] Firefox Multiple Vulnerabilities
[SA16979] PostNuke Local File Inclusion and Comment Bypass Vulnerabilities
[SA16949] SEO-Board admin.php SQL Injection Vulnerability
[SA16937] Mailgust "email" SQL Injection Vulnerability
[SA16929] ContentServ "ctsWebsite" Local File Inclusion Vulnerability
[SA16926] MultiTheftAuto Server "motd.txt" Modification and Denial of Service
[SA16913] My Little Forum "search" SQL Injection Vulnerability
[SA16908] PunBB Two Vulnerabilities
[SA16947] RSyslog Syslog Message SQL Injection Vulnerability
[SA16970] CJ LinkOut "123" Cross-Site Scripting Vulnerability
[SA16966] CJ Tag Board Cross-Site Scripting Vulnerabilities
[SA16963] CJ Web2Mail Cross-Site Scripting Vulnerabilities
[SA16934] IPB Riverdark RSS Syndicator Module Cross-Site Scripting
[SA16971] PHP Trailing Slash "open_basedir" Security Bypass

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA16958] FL Studio FLP File Handling Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-27

varunuppal has discovered a vulnerability in FL
Studio, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16958/

--
[SA16942] Microsoft Internet Explorer "XMLHTTP" HTTP Request Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information
Released:    2005-09-26

Amit Klein has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to manipulate certain data and conduct HTTP request smuggling attacks.

Full Advisory:
http://secunia.com/advisories/16942/

--
[SA16909] SecureW2 Insecure Pre-Master Secret Generation

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2005-09-26

Simon Josefsson has reported a security issue in SecureW2, which potentially can be exploited by malicious people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/16909/

UNIX/Linux:
--
[SA16965] Fedora update for firefox

Critical:    Extremely critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-27

Fedora has issued an update for firefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16965/

--
[SA16960] Slackware update for mozilla

Critical:    Extremely critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-27

Slackware has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.
Full Advisory:
http://secunia.com/advisories/16960/

--
[SA16928] Ubuntu update for mozilla/mozilla-firefox

Critical:    Extremely critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-26

Ubuntu has issued updates for mozilla and mozilla-firefox. These fix some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16928/

--
[SA16919] Red Hat update for firefox

Critical:    Extremely critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-23

Red Hat has issued an update for firefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16919/

--
[SA16986] Fedora update for HelixPlayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-28

Fedora has issued an update for HelixPlayer. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16986/

--
[SA16980] TWiki "%INCLUDE" Shell Command Injection Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-28

A vulnerability has been reported in TWiki, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16980/

--
[SA16976] Gentoo update for php

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-28

Gentoo has issued an update for php. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16976/

--
[SA16974] SGI Advanced Linux Environment Multiple Updates

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-28

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16974/

--
[SA16964] Fedora update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-27

Fedora has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16964/

--
[SA16962] Red Hat update for HelixPlayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-27

Red Hat has issued an update for HelixPlayer. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16962/

--
[SA16961] RealPlayer Error Message Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-27

c0ntex has discovered a vulnerability in RealPlayer, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16961/

--
[SA16954] Helix Player Error Message Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-27

c0ntex has discovered a vulnerability in Helix Player, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/16954/

--
[SA16953] Mandriva update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      System access, Manipulation of data, Spoofing, Security Bypass
Released:    2005-09-27

Mandriva has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16953/

--
[SA16948] Trustix update for clamav

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-26

Trustix has issued an update for clamav. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service), or potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16948/

--
[SA16930] SUSE update for clamav

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-26

SUSE has issued an update for clamav. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), or potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16930/

--
[SA16920] Mac OS X Security Update Fixes Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of sensitive information, Privilege escalation, System access
Released:    2005-09-23

Apple has issued a security update for Mac OS X, which fixes 10 vulnerabilities.

Full Advisory:
http://secunia.com/advisories/16920/

--
[SA16918] Red Hat update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-23

Red Hat has issued an update for mozilla.
This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16918/

--
[SA16972] Debian update for python2.3

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-28

Debian has issued an update for python2.3. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16972/

--
[SA16968] SUSE update for opera

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Cross Site Scripting, Spoofing
Released:    2005-09-27

SUSE has issued an update for opera. This fixes two vulnerabilities, which can be exploited by a malicious person to conduct script insertion attacks and to spoof the name of attached files.

Full Advisory:
http://secunia.com/advisories/16968/

--
[SA16967] Astaro Security Linux PPTP Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-09-27

A vulnerability has been reported in Astaro Security Linux, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16967/

--
[SA16957] Gentoo update for qt

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-27

Gentoo has issued an update for qt. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/16957/

--
[SA16945] jPortal Download Search SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-09-27

krasza has discovered a vulnerability in jPortal, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/16945/

--
[SA16940] Gentoo update for webmin/usermin

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-09-26

Gentoo has issued an update for webmin/usermin. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/16940/

--
[SA16939] Debian update for courier

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-09-26

Debian has issued an update for courier. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/16939/

--
[SA16938] Gentoo update for mantis

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-09-26

Gentoo has issued an update for mantis. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/16938/

--
[SA16936] wzdftpd SITE Command Arbitrary Shell Command Injection

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-26

kcope has discovered a vulnerability in wzdftpd, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16936/

--
[SA16923] Interchange Catalog Skeleton SQL Injection and ITL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Manipulation of data
Released:    2005-09-23

Two vulnerabilities have been reported in Interchange, which can be exploited by malicious people to conduct SQL injection attacks, or to perform actions with an unknown impact.

Full Advisory:
http://secunia.com/advisories/16923/

--
[SA16914] Debian update for python2.1

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-23

Debian has issued an update for python2.1. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16914/

--
[SA16943] IBM HMC apache/mod_ssl Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data, Privilege escalation
Released:    2005-09-26

IBM has acknowledged some vulnerabilities in IBM HMC, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges, or by malicious people to bypass certain security restrictions or conduct HTTP request smuggling attacks.

Full Advisory:
http://secunia.com/advisories/16943/

--
[SA16978] Polipo Disclosure of Sensitive Information

Critical:    Less critical
Where:       From local network
Impact:      Unknown, Exposure of sensitive information
Released:    2005-09-28

A vulnerability has been reported in Polipo, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/16978/

--
[SA16950] Red Hat update for cups

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-09-27

Red Hat has issued an update for cups.
This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16950/

--
[SA16912] Fedora update for cups

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-09-23

Fedora has issued an update for cups. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16912/

--
[SA16969] Linux Kernel URB Handling Denial of Service Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      DoS
Released:    2005-09-27

A vulnerability and a security issue have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16969/

--
[SA16959] Slackware update for x11

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-27

Slackware has issued an update for x11. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/16959/

--
[SA16955] Sun Solaris Xsun and Xprt Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-27

A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/16955/

--
[SA16935] Qpopper poppassd Insecure Trace File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-26

kcope has discovered a vulnerability in Qpopper, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/16935/

--
[SA16927] Ubuntu update for kernel

Critical:    Less critical
Where:       Local system
Impact:      DoS
Released:    2005-09-26

Ubuntu has issued an update for the kernel. This fixes two vulnerabilities, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16927/

--
[SA16925] SUSE update for XFree86-server/xorg-x11-server

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-26

SUSE has issued an update for XFree86-server/xorg-x11-server. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/16925/

--
[SA16924] SUN Solaris UFS File System Denial of Service

Critical:    Less critical
Where:       Local system
Impact:      DoS
Released:    2005-09-23

A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16924/

--
[SA16916] Debian update for kdeedu

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-23

Debian has issued an update for kdeedu. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions with escalated privileges on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16916/

--
[SA16910] Fedora update for kernel

Critical:    Less critical
Where:       Local system
Impact:      DoS, Privilege escalation, Exposure of sensitive information
Released:    2005-09-23

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to disclose certain sensitive information, cause a DoS (Denial of Service), and gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/16910/

--
[SA16984] Red Hat update for wget

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-28

Red Hat has issued an update for wget. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16984/

Other:
--
[SA16956] Avaya Products httpd/mod_ssl Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2005-09-27

Avaya has acknowledged some vulnerabilities in httpd/mod_ssl included in some products, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/16956/

--
[SA16922] Sony PSP Photo Viewer TIFF File Handling Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-26

A vulnerability has been reported in Sony PSP, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16922/

--
[SA16952] Anycom Blue Stereo Headset BSH-100 Pairing Mode Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information, DoS
Released:    2005-09-26

KF has reported a vulnerability in Anycom Blue Stereo Headset BSH-100, which can be exploited by malicious people to cause a DoS (Denial of Service), disclose sensitive information, and manipulate certain data.
Full Advisory:
http://secunia.com/advisories/16952/

--
[SA16931] Plantronics M2500 Bluetooth Headset Pairing Mode Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2005-09-26

KF has reported a vulnerability in Plantronics M2500 Bluetooth Headset, which can be exploited by malicious people to disclose sensitive information and manipulate certain data.

Full Advisory:
http://secunia.com/advisories/16931/

Cross Platform:
--
[SA16944] Netscape Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-26

Some vulnerabilities have been discovered in Netscape, which can be exploited by malicious people to manipulate certain data, conduct spoofing attacks, bypass certain security restrictions and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16944/

--
[SA16941] AlstraSoft E-Friends "mode" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-26

Kurdish Hackers Clan has reported a vulnerability in AlstraSoft E-Friends, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16941/

--
[SA16933] phpMyFAQ Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information, System access
Released:    2005-09-26

rgod has discovered some vulnerabilities in phpMyFAQ, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, disclose system and sensitive information, and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16933/

--
[SA16917] Mozilla Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-23

Multiple vulnerabilities have been reported in Mozilla Suite, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16917/

--
[SA16911] Firefox Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-23

Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16911/

--
[SA16979] PostNuke Local File Inclusion and Comment Bypass Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2005-09-28

Two vulnerabilities have been reported in PostNuke, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/16979/

--
[SA16949] SEO-Board admin.php SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2005-09-26

foster RST/GHC has reported a vulnerability in SEO-Board, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16949/ -- [SA16937] Mailgust "email" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2005-09-26 rgod has reported a vulnerability in Mailgust, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/16937/ -- [SA16929] ContentServ "ctsWebsite" Local File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-09-26 qobaiashi has reported a vulnerability in ContentServ, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/16929/ -- [SA16926] MultiTheftAuto Server "motd.txt" Modification and Denial of Service Critical: Moderately critical Where: From remote Impact: Manipulation of data, DoS Released: 2005-09-26 Luigi Auriemma has reported two vulnerabilities in MultiTheftAuto Server, which can be exploited by malicious people to modify certain information or cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/16926/ -- [SA16913] My Little Forum "search" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-09-23 rgod has discovered a vulnerability in My Little Forum, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/16913/ -- [SA16908] PunBB Two Vulnerabilities Critical: Moderately critical Where: From remote Impact: Unknown, Cross Site Scripting Released: 2005-09-22 Two vulnerabilities have been reported in PunBB, where one has an unknown impact and the other can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/16908/ -- [SA16947] RSyslog Syslog Message SQL Injection Vulnerability Critical: Moderately critical Where: From local network Impact: Manipulation of data, System access Released: 2005-09-26 A vulnerability has been reported in RSyslog, which can be exploited by malicious people to conduct SQL injection attacks, and potentially to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16947/ -- [SA16970] CJ LinkOut "123" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-09-27 Psymera has discovered a vulnerability in CJ LinkOut, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16970/ -- [SA16966] CJ Tag Board Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-09-27 Psymera has discovered some vulnerabilities in CJ Tag Board, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16966/ -- [SA16963] CJ Web2Mail Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-09-27 Psymera has discovered some vulnerabilities in CJ Web2Mail, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16963/ -- [SA16934] IPB Riverdark RSS Syndicator Module Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-09-26 X1NG has reported two vulnerabilities in the Riverdark RSS Syndicator module for Invision Power Board, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory:
http://secunia.com/advisories/16934/

--

[SA16971] PHP Trailing Slash "open_basedir" Security Bypass

Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-09-27

thorben has discovered a security issue in PHP, which can be exploited by malicious, local users to access certain files outside the "open_basedir" root.

Full Advisory:
http://secunia.com/advisories/16971/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Mon Oct 3 08:33:49 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 3 08:57:02 2005
Subject: [ISN] The next IT security leaders - Know the tools to succeed in growing field
Message-ID:

http://federaltimes.com/index2.php?S=1147134

By JANE SCOTT NORRIS
September 30, 2005

The 2002 Federal Information Security Management Act introduced the position of chief information security officer (CISO) to the federal government - albeit with the ungainly moniker of senior agency information security official. Today, as the CISO position is earning widespread recognition and increasing stature in both the public and private sectors, we ask: "Where will the next generation of CISOs come from?"

First, we need to pose and answer two other questions: "What is the background and experience of current CISOs?" and "How is the CISO role evolving?"
Most, if not all, of those who currently hold CISO positions did not begin their careers with the ambition of becoming the senior information security officer for a large enterprise; rather, they came into their positions through a confluence of skills, innovation and opportunity. In fact, until recently, only a few people worked in this rapidly expanding discipline, so there was no career ladder to the executive suite.

However, the importance of information security and the demand for information security professionals are both growing - thanks to ever-increasing connectivity, the rush to market by vendors, expanding threats and readily available hacking tools. The 2004 Work Force Study, conducted by the International Information Systems Security Certification Consortium, projected a compounded annual growth rate for the information security profession, worldwide through 2008, at almost 14 percent, while the information technology profession's growth was projected at only 5 percent to 8 percent over the same period.

Today's CISOs have typically worked in information technology, but they have traveled a variety of routes to their current positions. According to the work-force study, information security professionals are very experienced, having worked an average of 13 years in IT and seven years in information security. CISOs, however, require broader knowledge than the typical information security practitioner and strong management skills.

With varying years of experience in the security arena, the most successful among my colleagues have several nontechnical traits in common. Each can use plain English, rather than "geek-speak," to communicate with business managers and to balance security with mission objectives. The consideration of business requirements is the key factor in evolving the security profession's attitude from one of risk aversion to one of risk management.
With interconnectivity, we've abandoned the search for absolute security and perfectly safe systems as an impossible and impractical quest. We have accepted the need for availability and usability of information and information systems, leading to the creation of the information assurance discipline. But it doesn't stop there. Just as information management is transitioning into knowledge management, with the emphasis shifting from technical outputs to business outcomes, so the former information security profession is maturing from a purely technical approach to one that is mission-focused. To succeed, the CISO must be a strategic partner with business units.

Often under the auspices of the National Security Agency's Centers of Academic Excellence program, many colleges and universities have recently established information assurance curricula at the undergraduate and graduate levels, typically in the computer science departments. Graduates from these programs are entering the information assurance work force and expect to spend their entire careers in this discipline. Many will aspire to become CISOs at some point in their professional lives.

For junior- and midlevel information security personnel, there is no well-defined CISO model and no clear path to the CISO position. Moreover, by the time they attain the C-level, there probably will not even be a CISO position: It is more likely to be CRO - chief risk officer.

My final advice to those aspiring to become a CISO/CRO:

* Gain a solid foundation in IT, information security and risk management.

* Know pertinent laws and regulations.

* Get credentials in information security, project management, and in chief information officer competencies or business administration.

* Learn the business of the organization for which you work.

* Hone your communication and marketing skills. Think and talk in business terms, and master the art of making your case in one page.
-=-

Jane Scott Norris is chief information security officer of the State Department.

From isn at c4i.org Mon Oct 3 08:34:05 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 3 08:58:02 2005
Subject: [ISN] Political hackers deface Novell SUSE sites
Message-ID:

http://www.theregister.co.uk/2005/10/03/opensuse_hacked/

By John Leyden
3rd October 2005

Three Novell OpenSUSE community web sites were defaced on Sunday by politically motivated hackers. Defacement archive Zone-H reports that a group called IHS Iran Hackers Sabotage [1] broke into OpenSUSE.org, wiki.novell.com and forge.novell.com to post a message stating that it was Iran's right to develop nuclear power. All three sites were defaced in the same way (archived here [2]).

OpenSUSE.org and forge.novell.com have since been restored to normal operation and the offending images removed. The wiki.novell.com site has been taken temporarily offline. Although somewhat embarrassing, all early indications are that the attack was not serious.

Of greater concern are reports that hackers compromised a gaming-related server maintained by Novell and used it to scan for other vulnerable machines. The hacked system - which ran a mail server for a gaming site called Neticus.com - has been scanning for vulnerable SSH systems since 21 September, Computerworld reports [3]. The rogue behaviour was spotted by net security firm Brandon Internet Security, which traced attacks against its clients' systems back to the compromised servers. A Novell spokesman played down that incident by saying the hacked servers were part of test systems located outside Novell's corporate network.
[1] http://www.zone-h.org/defacements/filter/filter_defacer=IHS%20IRAN%20HACKERS%20SABOTAGE
[2] http://www.zone-h.org/en/defacements/mirror/id=2917402
[3] http://www.linuxworld.com.au/index.php/id;2128628770;fp;2;fpid;1

From isn at c4i.org Mon Oct 3 08:38:07 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 3 08:58:23 2005
Subject: [ISN] InfoSec News List Subscription Information
Message-ID:

http://www.infosecnews.org/

InfoSec News is a privately run, medium traffic list that caters to the distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more.

To subscribe to InfoSec News, Click here [1].

The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

* Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.

* Information on where to obtain articles in current magazines.

* Security Book reviews and information.

* Security conference/seminar information.

* New security product information.

* And anything else that comes to mind...

Feedback is encouraged. The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list. Anonymous feedback is always welcome.

Please DO NOT:

* subscribe vanity mail forwards to this list

* subscribe from 'free' mail addresses (ie: juno, hotmail)

* enable vacation messages while subscribed to mail lists

* subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult.
I am currently receiving as many as 75+ returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s). This is not a whim! Other moderators have begun to do the same.

Special thanks to the following for continued contribution: William Knowles, Will Spencer, Jay Dyson, Emerson Tan, Nicholas Brawn, Felix von Leitner, Robert G. Ferrell, Eric Wolbrom, Brian Martin, Marjorie Simmons, Richard Forno, Darren Reed, Robert Slade, Attrition.org, Curiosity.org and several other contributors.

InfoSec News Archives:

http://www.landfield.com/isn
http://lists.jammed.com/ISN/
http://lists.insecure.org/isn/
http://www.attrition.org/pipermail/isn
http://online.securityfocus.com/archive/12
http://marc.theaimsgroup.com/?l=isn&r=1&w=2

InfoSec News is Moderated by William Knowles wk(at)c4i.org. ISN is a private list. Moderation of topics, member subscription, & everything else about the list is solely at his discretion.

The InfoSec News membership list is NOT available for sale or disclosure.

InfoSec News is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.

[1] http://www.infosecnews.org

From isn at c4i.org Mon Oct 3 08:50:47 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 3 08:58:40 2005
Subject: [ISN] White hat, gray hat, black hat
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/article90994-10-03-05

By Michael Arnone
Oct. 3, 2005

For a long time, most computer network crackers hacked a system for the same reason George Mallory climbed Mt. Everest: "Because it's there." But that's no longer the only reason or even the dominant one. More hackers now follow the philosophy frequently attributed to Willie Sutton, a bank robber during the 1930s. According to legend, when asked why he robbed banks, Sutton replied matter-of-factly: "It's where the money is."
During the past six years, malicious black-hat hackers have changed from script kiddies who deface Web sites and spread worms to earn glory within the hacker community to professionals sponsored by foreign governments and organized crime. They target specific government and industry victims and commit real crimes, sometimes for significant financial gain. "We're now seeing sociopaths intent on doing...more devious and sophisticated stuff," said Dragos Ruiu, chief organizer of the PacSec, CanSecWest and EUSecWest hacker conferences, which annually draw hundreds of hackers worldwide. But in general, hackers secure their computers better than the rest of the computing community. Government and industry can learn from their hacking techniques and protection skills to improve information technology security, experts say. In addition, government can learn from two other groups: the paid professionals - known as white hats - who research vulnerabilities to protect employers' and customers' data and the unaffiliated tinkerers - known as gray hats - who alert users to vulnerabilities. Government and industry have always learned security techniques from hackers, whether they realize that or not. For example, penetration testing, which is a search for security holes in a computer system, is a common hacker practice that the federal government is using more often, said Steven Manzuik, security product manager at eEye Digital Security. The company provides penetration testing, vulnerability assessment and proactive security services to the Defense Department and federal intelligence agencies. Penetration testing is a good way to demonstrate actual risk and secure systems by patching or applying other protections, Manzuik said. DOD has come to appreciate the value of penetration testing and now has a solid schedule and process in place for it, he said. 
Because the federal government is a huge target for hackers for political and financial reasons, agency officials have started issuing information security regulations based in part on consulting with, and learning lessons from, hackers, said Mark Loveless, a senior security analyst at BindView and a hacker for 25 years. The Gramm-Leach-Bliley Act of 1999, Health Insurance Portability and Accountability Act, Federal Information Security Management Act of 2002, and Sarbanes-Oxley Act of 2002 all require fortification of computer networks to protect information based on real-life hacker attacks, Loveless said. He added that following federal regulations can make it easier to fix many common vulnerabilities.

Military officials have learned the fastest from hackers and are starting to pay serious attention to software policies to bolster their security, Ruiu said. Civil agencies are the most vulnerable because they don't have money for adequate IT security, let alone improvements to it, he said.

DOD and intelligence agencies enjoy talking with hackers who do not have malicious intentions, and the two groups often tip each other off about developments and discoveries, Loveless said. Information analysis and intelligence gathering units are particularly willing to learn from attacks to plug holes in their security, said Marc Maiffret, founder and chief hacking officer at eEye.

But not all government agencies listen to hackers, Loveless said. Old-school agents in the FBI and the Secret Service don't trust hackers because they consider many of them to be criminals.

Hackers' importance as teachers, though, is increasing. As software insecurity remains the norm, the number of targets increases and the stakes involved in losing control of financial and confidential data rise, experts say.

'Millions of monkeys'

A common bond among hackers is curiosity. "What if I try this?" and "What can I do to make it do what I want?"
are two hacker mantras, said Martin Roesch, founder and chief technology officer of Sourcefire, a provider of intrusion-prevention systems. But that unrelenting, inquisitive skepticism, sometimes bordering on paranoia, yields superior quality assurance. "Everything you forget, they will find," Roesch said. "It's like the proverbial millions of monkeys typing on typewriters. They have infinite resources and infinite time to find weaknesses in your system." Another hacker tenet is always follow the path of least resistance, said Matthew Gray, founder of and CTO at Newbury Networks. In doing so, hackers use network engineers' desire for efficiency against them to design more effective and stealthy attacks. This path of least resistance is often through the front door, said Paul Proctor, research vice president of security and risk at Gartner. Attackers hack only enough to insert malicious payloads that contain keystroke and network sniffers and other means to collect information they can use to fool the system into thinking the attackers are legitimate users. Once they get that, they can come and go as they please without scrutiny. Nine times out of 10, vigilante gray hats, black hats and cybercriminals follow the path of least resistance, Proctor said. But most government and industry cyberprotectors try to thwart the primary method gray hats use: burrowing into the system code to find flaws. Gray hats, however, pose almost no real risk to computer security because they don't act maliciously, he said. A failure of imagination An obstacle to blocking hackers is the implementation of IT security by network engineers instead of software developers and engineers, said John Viega, founder of and CTO at Secure Software. On the other hand, most hackers are software engineers or use software engineering tools built by software experts. Thus, the primary defenders of IT assets have different perspectives, skills and experiences from the attackers, Viega said. 
This compounds the problem that most organizations consider IT security only when they are under attack, said Roger Thornton, founder of and CTO at Fortify Software. Few organizations look at their IT capabilities in terms of the risk they face from black hats and cybercriminals, he said. This failure of imagination to ask what would happen if hackers could access their information is the main stumbling block to effective security, Thornton said. "Anything that government and industry learn from hackers must be seen through the lens of their own risk management needs," Proctor said. Another problem is that government and industry have fallen for the negative hacker stereotypes shown on film and television, and are not using valuable, available assets. "Not every hacker is a cracker," which is the old slang for a black hat, Maiffret said. Organizations should invite more white and gray hats to their conferences, Maiffret said. Many government and commercial organizations, such as Microsoft, have already heeded that advice and even pay to be sponsors at hacker conferences. Because talented Internet security professionals, such as hackers, are tough to find and hire, "the greatest defense against hackers is that you can make a mighty good living on the right side of the fence," Thornton said. Government and industry hire white and gray hats who want to have their fun legally, which can defuse part of the threat, Ruiu said. But it's impossible to reach every potential attacker through a job advertisement, he said. Many hackers are willing to help the government, particularly in fighting terrorism. Loveless said that after the 2001 terrorist attacks, several individuals approached him to offer their services in fighting al Qaeda. Hiring black hats, however, is a bad idea. Bruce Murphy, vice president of worldwide security services at Cisco Systems, said he does not hire black hats because they do not appreciate or respect standard business processes and structures. 
"Somebody with questionable moral judgment isn't someone you want to have control of your networks," said Avi Rubin, a professor of computer science at Johns Hopkins University. A disgruntled hacker with inside knowledge of a company's networks could create a nightmare scenario, he said. Besides, white hats have closed the skill gap between themselves and gray and black hats, said Amit Yoran, president of Yoran Associates and former national cybersecurity director. What the white hats need to learn, he said, is how to sell IT security more persuasively to bureaucracies that still may not see the need for it. More important than the presence of hackers is emulating their skeptical attitude, Maiffret said. Most large organizations do not cultivate the maverick mind-set needed for quality hacking and computer security, he said. "Part of the hard thing in government is that you're not really meant to question how things work," he said, adding the same goes for large companies. "You're expected to take orders and do things...[but] that's what [hackers] are here for, to question." Organizations must encourage employees to question everything about the technology they use, he said. Putting lessons to work The guiding principle for government and commercial IT has been to increase productivity and decrease cost, without much thought about security, Proctor said. Savings are powering the federal government's insistence that contractors and integrators use commercial software. The drive "is like nothing I've ever seen in my life," said Michael Armistead, vice president of products at Fortify Software. Thornton warned that any commercial solution must account for the organization's risk profile, especially risks presented by black hats. Those responsible for implementing commercial products should audit them, line by line if necessary, to see if they provide adequate security. If they don't, the hackers will. 
Even with the security emphasis since the 2001 terrorist attacks, Thornton and other experts agree that government and industry are not changing fast enough to thwart evolving threats from black hats. But government and industry have attributes that, if used hacker-style, could potentially help them defeat malicious hackers.

Government has the advantage of central coordination and the ability to quickly enforce best practices and standards enterprisewide, Ruiu said. It can also share information quickly and effectively, faster in fact than industry and the balkanized hacker community.

Industry has the advantages of being able to speedily implement changes and act pragmatically, Ruiu said. If it employs the hacker mind-set while developing products, it would produce software and hardware more resistant to attacks in the first place.

Government and industry need research units to discover vulnerabilities, or they should work with someone who has them, Maiffret said. They need to dissect software to find every weakness, just like hackers worldwide do.

Until such widespread changes occur, the public and private sectors can protect themselves the way hackers do, said Michael Cantey, a network systems administrator at the Florida Department of Law Enforcement's Computer Crime Center. He said they should learn as much as they can about what's on their systems, how those systems operate and how to fix as many flaws as possible. They can stay current on basic security measures and set up a multilayered defense that goes beyond the perimeter to inside essential systems.

The only long-term way to effectively hinder or prevent hacker attacks is to show the same persistence, skepticism and vigilance that hackers do, Roesch said. After all, he said, "the million monkeys are working relentlessly, every day, all day."
*==============================================================*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue Oct 4 01:49:29 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 4 01:55:56 2005
Subject: [ISN] WA should beef up security: report
Message-ID:

http://australianit.news.com.au/articles/0,7204,16769033%5E15319%5E%5Enbv%5E15306,00.html

Heather Quinlan
SEPTEMBER 30, 2005

WEST Australian government agencies have better control of their postage stamps than they do of confidential personal information stored in their computers, a report by the state's corruption watchdog shows.

A Corruption and Crime Commission (CCC) study revealed personal data held on WA government computers was vulnerable to misuse and must be better protected through staff security screening, monitored access and beefed-up criminal laws. The Protecting Personal Data in the Public Sector report, tabled in parliament yesterday, found checks on inappropriate access and leakage of computer-held information were inadequate.

CCC spokesman Glenn Ross said examples of data misuse ranged from looking up a friend's address on a work computer, to the murder of former police officer Don Hancock, which was made possible by information provided to an outlaw motorcycle gang by a public servant. Former transport department worker Karen Moore was charged and convicted after providing the name and address to match a car registration number supplied by a bikie associate. The following month, the same car - which belonged to Mr Hancock's friend Lou Lewis - was blown up, killing both men. A Gypsy Joker bike gang member was later convicted of the bombing murders.
The CCC study examined the handling of personal data in six state and local government agencies, conducted surveys of 540 public sector staff and considered 17 submissions - 11 from members of the public.

The state government, which is in the process of drafting new privacy legislation, said yesterday it would accept many of the CCC's recommendations. WA Treasurer Eric Ripper, commenting on behalf of Premier and Public Sector Management Minister Geoff Gallop, said the government must improve its practices.

"Every citizen has the right to expect that confidential information that the government holds will not be used for unauthorised purposes," Mr Ripper told reporters. "Human nature being what it is, it is hard to offer guarantees but we need to do better in this area (of information security). "Many public sector managers feel there are deficiencies in our disciplinary framework and ... if they don't feel they've got the power to take action, then that is something government has to attend to."

The report found state and local government agencies had better systems to control use of petty cash and postage stamps than the access to confidential information held on computers. The report, which also supported a privacy commissioner and privacy legislation, also recommended amending the criminal code to prohibit unauthorised access and disclosure of information. Other recommendations included the establishment of uniform definitions and criminal penalties, regular security checks of public sector staff, and the introduction of a public sector oath to maintain the confidentiality of information.

AAP

From isn at c4i.org Tue Oct 4 01:49:45 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 4 01:56:27 2005
Subject: [ISN] Data Scandal
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,105065,00.html

By Mary Brandel
OCTOBER 03, 2005
COMPUTERWORLD

A data scandal roll call would include big names in nearly every industry.
Bank of America, LexisNexis, Time Warner, DSW Shoe Warehouse, T-Mobile and the University of California, Berkeley, to name a few, have recently experienced data security breaches. And some experts say that there are hundreds if not thousands of other, less-publicized cases in which sensitive personal data has been compromised. "There's the hospital that unwittingly exposes a couple of AIDS patients, or the bank that inadvertently discloses to a creditor someone's complete financial background," says Diana McKenzie, who chairs the IT group at Neal, Gerber & Eisenberg LLP, a Chicago law firm. "There are tons and tons of examples like that." For CIOs, this trend means two things: It may not be a case of whether your company will experience a data security breach but when it will experience such a breach. And, particularly if you're one of the unlucky 10% or less who find their stories blasted throughout the national news media, you'd better know beforehand how you're going to respond when a breach occurs. A New Reality "In days gone by, you could have thrown up your hands and said, 'Geez, this was an accident,'" says Scott Sobel, vice president at Levick Strategic Communications in Washington. "But now people are more familiar with IT processes, and they may believe that if controls weren't in place, someone was negligent or malicious." That's why your immediate response to a security breach is all-important. And it's not enough to lean on processes you've put in place to respond to more traditional threats such as viruses and hacker infiltration. Today, threats can emanate from sources as varied as fraudulent businesses or tape thieves. "The failures in the business processes that have occurred this year are causing organizations to redesign the way they respond to future incidents or anomalies," says Rich Baich, managing director at PricewaterhouseCoopers and former chief information security officer at ChoicePoint Inc. in Alpharetta, Ga. 
Earlier this year, it was revealed that ChoicePoint had released consumers' personal financial information to data thieves posing as legitimate businesses.

One important change worth considering, Baich says, is to create and publicize a central mechanism for employees or the general public to report possible breaches, including incidents involving low-tech actions such as fraud or tape theft. There should be a response team that follows an established set of protocols, not unlike those of customer service hot lines, where a trained group follows a decision tree and escalates its response depending on the nature of the problem.

The exact response protocol will be unique to each organization. Some may want to report directly to the general counsel, others to the CISO, and others to the president of the company. However you choose to do it, the escalation procedure should be defined and agreed upon in advance.

"It needs to be something that says, 'During Christmas time, from this hour to this day, John Brown is head of the team, and he'll have access to this attorney and this PR person and this decision-maker and this representative of the union, instantly,'" Sobel says.

Having a central point of contact would also help avoid the common problem of not taking incident reports seriously, McKenzie says. "If a busy executive gets a call from a person outside the company who doesn't sound sophisticated, or from someone lower in the organization who thinks something odd is happening, there's a tendency to dismiss it," she says. "I can't tell you the number of times I've had a person forget to get the phone number or even the name of the person who called."

Teamwork

The word team can't be overemphasized, McKenzie says. The days are gone when IT worked in isolation on security incidents. The public relations and legal departments need to be involved as soon as possible, even as you're still figuring out the depth and breadth of the problem.
"While you're starting to fix, document and understand the problem, you want to start the lawyers mitigating risk and the PR folks preparing communications," McKenzie says. "The IT guy keeping it to himself is a really bad idea," she adds. Not only are there disclosure requirements, but your public relations people will also need some lead time to fully understand the problem and prepare a response. At Vanguard Managed Solutions LLC, IT works hand in hand with the legal and marketing departments during times of crisis. In the 300-employee managed services provider in Mansfield, Mass., security incidents are escalated to management-level employees in the network operations center, says Eric Welz, senior solutions architect. If the incident is determined to be severe enough, marketing, legal and IT work together to determine how it should be communicated to clients. Now more than ever, lawyers are crucial for correctly interpreting and responding to federal and state privacy laws. For example, California's Senate Bill 1386 requires organizations to disclose security breaches that involve private information about California residents. California Assembly Bill 1950 requires "reasonable security" controls for California residents' data. The Washington state government also recently enacted several bills addressing security breaches, and other states may soon follow. Your legal department might decide to involve local law enforcement, which could affect whether your company is allowed to disclose any information about the breach. If the police ask you to keep mum because they've determined that public disclosure would inhibit the investigation, be sure to get a letter documenting that request to avoid conflicts later, Baich says. Some experts suggest that companies develop boilerplate language to enable a faster response. 
"Disclosures are sometimes required to happen quickly, and that's not the time to start with a blank piece of paper," says Peter Gregory, chief security strategist at VantagePoint Security LLC in Bellevue, Wash. Deliberate Speed But don't rush. "You don't want to wait two days, but you can wait 20 minutes," says Gregory. "You need to follow the emergency procedures so that when the PR person is in front of the microphone, the information has flowed properly from the point of discovery, through IT management and sideways to PR and legal." Or, as McKenzie puts it, "respond with cautious speed. On the one hand, a delay in responding can be fatal, but on the other, you need to have a reasoned response, because this could be broadcast all over the country." To avoid accusations that you didn't work quickly enough to solve a problem, McKenzie suggests calling in an IT forensics consultant -- even if you think your IT staff is talented enough to analyze Web logs and other records effectively. "It shows you're taking it seriously: 'We hired this gunslinger to help solve the problem expeditiously,'" she says. "If someone sues you for damages, it looks good from a PR standpoint that you hired someone immediately." You should keep a fact-finding log to record any actions that the security team takes and any people it contacts, and that log should include the precise timing of every action. "When that's all logged, it's easier when someone asks what happened," Baich says. Finally, when it comes time to communicate with customers or the general public, "be understanding and reassuring," says McKenzie. "There's a tendency for people harmed by these incidents to sense a lack of empathy for their situation." A kind and caring attitude on your part may lessen the chance of lawsuits and other litigious behavior, she says. 
"A security disaster will cause many to doubt the company's ability to continue operating," Gregory says, "so you need to respond with well-thought-out statements that give the media and customers confidence that you're in control and are dealing with it." Brandel is a Computerworld contributing writer in Newton, Mass. Contact her at marybrandel at verizon.net. From isn at c4i.org Tue Oct 4 01:49:57 2005 From: isn at c4i.org (InfoSec News) Date: Tue Oct 4 01:56:47 2005 Subject: [ISN] Flaw found in Kaspersky antivirus Message-ID: http://beta.news.com.com/Flaw+found+in+Kaspersky+antivirus/2100-1002_3-5887857.html By Joris Evers Staff Writer, CNET News.com October 3, 2005 A "critical" flaw in Kaspersky Lab's antivirus software could let an attacker commandeer systems that use the products, a security researcher warned Monday. The problem lies in Kaspersky's antivirus library, security researcher Alex Wheeler wrote in an advisory (download PDF of advisory here) [1]. The vulnerability likely affects multiple Kaspersky products on various platforms because the library is used throughout the company's consumer and corporate software, he said. Additionally, third-party products that use Kaspersky's antivirus technology could also be vulnerable, Wheeler said. A remote attacker could exploit the heap overflow flaw by sending a malformed CAB file--a compression file--to a vulnerable system, the French Security Incident Response Team said in an advisory. The CAB file could be sent in an e-mail, for example, and once the Kaspersky antivirus scanner had accepted it, the malicious code would be in the system. No user interaction is required, Wheeler said. FrSirt describes the issue as "critical," its highest rating. A representative for Kaspersky in Moscow could not immediately comment on the issue and said that the Russian company would need to investigate. 
Antivirus software is like low-hanging fruit to hackers, Yankee Group analysts wrote in a research paper released earlier this year. As the pool of easily exploitable security bugs in Microsoft Windows dries up, attackers are looking to security software for holes to get into systems, the analysts said.

At the Black Hat Briefings security conference this summer, researchers at Internet Security Systems outlined vulnerabilities in antivirus products. ISS has discovered bugs in products from security software makers including Symantec, McAfee, Trend Micro and F-Secure.

Copyright © 1995-2005 CNET Networks, Inc. All rights reserved.

[1] http://www.rem0te.com/public/images/kaspersky.pdf

From isn at c4i.org Tue Oct 4 01:49:01 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 4 01:57:20 2005
Subject: [ISN] Q&A With 'Wormologist' Vern Paxson
Message-ID:

http://www.informationweek.com/showArticle.jhtml?articleID=171202582

By Kelly Jackson Higgins
Secure Enterprise
Oct. 1, 2005

Vern Paxson
Senior scientist at the International Computer Science Institute, University of California-Berkeley, and staff scientist at Lawrence Berkeley National Laboratory

Paxson, one of the industry's foremost worm experts, developed the open-source intrusion-detection tool Bro and has conducted studies on the genesis and propagation of worms and other malware. He was recently named to the advisory board of start-up ConSentry Networks, which has developed a next-generation, hardware-based IDS.

How did you become a renowned 'wormologist'?

In part, it was luck. When Code Red came out in 2001, it was fascinating to observe it from the Bro tool, and [the International Computer Science Institute] had forensic logs from it at Lawrence Berkeley National Laboratory. We knew every single probe from the worm, and that allowed me to study its progress. We got Code Red 2 just a couple of weeks later, and then Nimda six weeks later, and it was fascinating seeing all the worms interacting.
We had this very rich data ... including an estimate of the total size of the worm, with upward of 300,000 infected [machines].

How have worms evolved since the first one, written in 1988 by Robert T. Morris?

It's easier to create them now because there are more toolkits. But the evolution of worms has been surprisingly slow. Slammer in 2003 was different, though--the entire worm fit into a single packet and was connectionless, so it could go fast. It wasn't anything anyone had predicted.

Aside from its historical precedent, what was so special about the Morris worm?

That worm was brilliantly built and remains the best-designed one ever. It had multiple modes, which we later saw with Nimda are very effective. And it had topological scanning ... It went through the information on the locally infected machine to try to find other machines. The Morris worm also came with its own built-in password cracker.

Where do worms go from here?

A big threat is the commercialization of malware. The lay of the land is changing, from the equivalent of vandals doing their work to people who will commoditize malware and use it to make money. The rise of this commercially motivated attacker is very disturbing, and inevitable. There's a paper in the research world that talks about how you can specialize in just doing the worm technology without being involved in the exploitation of it. There's going to be some sort of black market where criminals hook up with people with worm access.

Also on [the horizon] are blended threats, where a malware writer puts together viruses and botnets and uses a botnet to propagate the keylogger that then feeds into your encrypted point-to-point network and extracts all the goodies.

Are there worms against which we can't defend?

We published a paper for DARPA [Defense Advanced Research Projects Agency] on the worst-case scenario of a worm. We sketched how it's not implausible that a worm could get 10 million to 15 million desktops in a day.
But we could not resolve the question of how much damage this type of worm would really inflict. Still, we're racing against the clock. If I see tomorrow that some huge worm has hit, it won't surprise me.

What scares you most about worms?

The worms that don't randomly scan--topological worms, which get their target information separate from scanning. And detection-scanning worms--in particular, the ones that can go after Windows or Cisco vulnerabilities. The recent brouhaha over executable code on Cisco routers gave a lot of people pause. If we had a Cisco exploit, it could really do damage.

Also in the back of my mind is cyberwarfare. You'd be a fool if you were in the modern military and not planning for cyberattacks and working on defenses to it.

What about viruses?

Viruses seem like old news today because there's still a huge class of them that don't show much innovation. They're just variants. But I would expect viruses to be a key part of blended attacks, where a virus would be used to cross a firewall, for example.

What's the danger of going overboard with security?

There's going to be a huge struggle over control of the Internet, which is driven by concerns about security, intellectual property and politics. This could unfold in a lot of ways that wouldn't be pretty. The key question is, can we have an architecture so we get security control without losing the infrastructure and its real power? Regulating that traffic must terminate at a proxy that must be able to see your traffic in clear text to see if the text is allowable, for instance. Now you've created an incredible point of control that has obvious uses for going after criminals, but it also [breeds] political repression and commercial gain, good or bad.

There's a new National Science Foundation initiative to rethink Internet architectural notions.
[The International Computer Science Institute] and other institutions are thinking about how to get funded to look at new security architectures that provide these controls that are needed, but in a way that doesn't throw out the baby with the bathwater.

From isn at c4i.org Tue Oct 4 01:49:14 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 4 01:57:55 2005
Subject: [ISN] ASEAN cyber terrorism experts open forum in Cebu
Message-ID:

http://www.tempo.com.ph/news.php?aid=16816

By MARS W. MOSQUEDA JR.
October 04, 2005

CEBU CITY - Media practitioners were barred from entering the function room where diplomats, cyber security and terrorism experts and policy level officials from 25 nations converged to begin the three-day "2nd ASEAN Regional Forum Seminar on Cyber-terrorism."

Aside from Asean countries, representatives from the United States, Australia, Japan and New Zealand are also present in the forum as observers.

Behind closed doors, participants openly discussed and shared information and ideas on national policies on cyber terrorism and encouraged ARF participating countries to continuously cooperate and collaborate with each other in effectively addressing diverse cyber related threats and cyber terrorism.

A source said that aside from the recommendations on anti-cyberterror and e-counter terrorism, each participating ARF country was asked to come up with a program that will be submitted to the ARF Ministers. It is hoped that a network of contacts will be developed, enlarged, and continuously updated.

The three-day seminar aims to build and nurture a level of trust and confidence that will enable continued information sharing and related communications long after the seminar is over. The ARF network, on the other hand, can be used as an important conduit for the flow of information that can be used in our daily fight against terror and actual cyber-terrorism-induced crisis situations.
The 1st ARF seminar on cyber terrorism was held in Jeju Island, Korea on November 13-15 last year and was co-chaired by the Republic of Korea and the Philippines. The forthcoming second ARF seminar is a follow-up forum that will take off from the discussions and recommendations put forward during the first seminar on cyber-terrorism.

The ARF ministers during the 11th ASEAN Regional Forum Ministerial Meeting in Jakarta on July 2 last year highlighted the need for greater regional cooperation to counter terrorism, particularly in the area of law enforcement and intelligence sharing, and to address the emotional and psychological reasons behind extremism and terrorism. One of the measures approved by the ARF ministers is a series of ARF seminars and workshops on counter-terrorism.

From isn at c4i.org Tue Oct 4 01:50:07 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 4 01:58:40 2005
Subject: [ISN] Symantec buys BindView Development for $209 million
Message-ID:

http://www.networkworld.com/news/2005/100305-symantec-bindview.html

By Peter Sayer
IDG News Service
10/03/05

Symantec Monday announced it plans to buy security compliance software vendor BindView Development for $209 million in cash. The deal will close in the first quarter of 2006, subject to approval from regulators and shareholders, Symantec said.

The two companies provide software that may help businesses and government organizations comply with regulatory requirements such as the Sarbanes-Oxley Act and the Federal Information Security Management Act in the U.S., or the Basel II financial regulations in Europe.

Symantec's security systems use software agents to ensure compliance with security policies, while BindView's approach is agentless, Symantec said. The two approaches are complementary, it said.
The agent-based approach is more suited to complex, mixed IT environments, while the agentless model requires fewer staff to manage and is suited to companies with large numbers of similar systems spread across many sites, it said.

Last month, Symantec announced its intention to buy WholeSecurity, a company in Austin, Texas, that develops software for detecting new viruses based on their behavior, rather than their code. In August, it bid for another security compliance software developer, Sygate Technologies of Fremont, Calif.

From isn at c4i.org Tue Oct 4 01:50:21 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 4 01:59:17 2005
Subject: [ISN] IT security requirements now part of the FAR
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37162-1.html

By Jason Miller
GCN Staff
09/30/05

One of the final pieces to improving agency IT security across the government finally is in place: Starting today, contracting officers must include cybersecurity requirements in acquisition planning.

The Federal Acquisition Regulations Council issued an interim rule [1] today outlining five new steps acquisition workers must take to ensure IT security is incorporated into all purchases. As an interim rule taking effect now, the FAR Council will accept comments until Nov. 29.

This rule has been in the works for some time. The E-Government Act of 2002, which included the Federal Information Security Management Act of 2002, called for increased security in all phases of the system's lifecycle. And the FAR Council has been writing this rule since 2003 [2].

"The intent of adding specific guidance in the FAR is to provide clear, consistent guidance to acquisition officials and program managers," the rule said, "and to encourage and strengthen communication with IT security officials, CIOs and other affected parties."
The rule:

* Requires acquisition professionals to seek the advice of IT security specialists
* Defines information security
* Incorporates security requirements in acquisition planning and when describing agency needs
* Requires contracting officers to adhere to Federal Information Processing Standards
* Requires contracting officers to include appropriate agency security policy and requirements in IT acquisitions.

"The Councils recognize that IT security standards will continue to evolve and that agency-specific policy and implementation will evolve differently across the spectrum of federal agencies," the rule said. "Agencies will customize IT security policies and implementations to meet mission need[s]."

[1] http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/05-19468.htm
[2] http://www.gcn.com/21_25/news/19772-1.html

From isn at c4i.org Wed Oct 5 00:43:09 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 5 00:50:26 2005
Subject: [ISN] AusCERT2006 - Call for Presentations and Tutorials
Message-ID:

Forwarded from: auscert@auscert.org.au

Greetings,

This is a call for papers and tutorials for AusCERT2006, the AusCERT Asia Pacific Information Technology Security Conference. The conference will take place from 21st - 25th May 2006 at Royal Pines Resort, Gold Coast, Australia. Accepted presentations will be included in the business, technical or tutorial streams.

The theme for AusCERT2006 is - IT Security: It's everyone's business.

For details on how to submit your presentation please refer to:
http://conference.auscert.org.au/conf2006/cfp2006.html

Note that this is not an academic refereed call for papers. A separate refereed stream for research and development is available for this purpose. For further details about the academic stream please refer to:
http://www.isi.qut.edu.au/events/auscert2006/

We look forward to receiving your submissions.
Regards,
The AusCERT2006 Conference Programme Committee

===========================================================================
AusCERT (The Australian Computer Emergency Response Team)
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST). On call after hours for member
emergencies only.
===========================================================================

From isn at c4i.org Wed Oct 5 00:43:22 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 5 00:50:53 2005
Subject: [ISN] Government creates network to fight hackers
Message-ID:

http://news.zdnet.co.uk/internet/0,39020369,39225753,00.htm

Kablenet
October 03, 2005

The Office of the Deputy Prime Minister has approved the creation of nine regional IT security information sharing networks to cover all English councils, officials said on 29 September, 2005.

The networks, which are likened to a virtual neighbourhood-watch service, enable council IT security specialists to share information on hackers, software vulnerabilities and online threats. Known as Warning Advice and Reporting Points (Warps), they are to be initiated by the nine regional government offices, although it is hoped that the networks will eventually spring up "organically" among groups of local authorities.

The Warps concept has been under development for some time in Whitehall but is now set to be promoted across the wider public sector and small businesses as well as councils.

Speaking to Government Computing News, Peter Burnett, head of information sharing and international strategy at the National Infrastructure Security Co-ordination Centre (NISCC), said that the new networks go beyond the capabilities of the existing warning service.
Until now, authorities across the public sector have had to rely upon the Unified Incident Reporting and Alert Scheme (Uniras) to get updates on Internet threats.

"The reason we conceived the Warps was because Uniras was asked to look at local authorities, but that is not really its area of expertise," he said. "We had the choice of allocating more staff to Uniras, but we felt that it was trying to do too many things for too many people. Having these local communities run by and for the people who need the information would be the best way."

Burnett said that the aim was not to replace Uniras, but that the local Warps would supplement the central service. "The approach is to find the right champion in each region. We need leading local authorities to take this forward - we've already got Birmingham on board for example."

The scheme is being rolled out following extensive piloting involving the London Connects e-government organisation and local authorities in Kent. Each region is to get £50,000 to set up the network, which is being matched by local funds.

NISCC is also in initial talks with the NHS to set up similar IT security communities, and is looking to extend the service to police forces via the Police IT Organisation (Pito). A Pito Warp is already in place, as is one covering emergency services in the north-west.

Burnett had earlier promoted the service at an event organised by Kable on behalf of the Cabinet Office Central Sponsor for Information Assurance. He told delegates that he hopes people would use the network to share information on IT security and build trust.

"Once one person takes the risk and donates something to others it will hopefully start a whole process of sharing," he said. "The whole idea is that it's relevant to local needs, it allows a community to deliver notifications in any format so that it's relevant and easily understandable.
"We want them to become endemic, to just pop up all over the place and to help protect the critical national infrastructure and everyone else," he said. Burnett was speaking at the first of a series of three road shows - the two other events are at Leeds on 25 October and Cardiff on 31 October. Copyright ? 2005 CNET Networks, Inc. All Rights Reserved. From isn at c4i.org Wed Oct 5 00:43:34 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 5 00:51:16 2005 Subject: [ISN] Gurgaon cops get NASSCOM cyber crime tips Message-ID: http://cities.expressindia.com/fullstory.php?newsid=151629 Express News Service October 05, 2005 Gurgaon, October 4: Faced with increasing incidents of cyber crime coupled with criticism over the lack of ability of it's officials to effectively deal with such cases, Haryana Police have finally decided to get help from NASSCOM which is holding a seven-day Special Training programme train the policemen from Gurgaon Range. The programme, which began today at Dronacharya Engineering College will train a total of 30 police official from districts Gurgaon, Faridadad, Rewari and Narnaul in the fields of Computer Basics, storage devices, computer communications, internet and intranet, email, mobile phone forensics, Electronic Environment and legal issues. Along with NASSCOM experts, several CBI officers will also interact with the trainees. The first major case of alleged cyber-crime that rocked Gurgaon was after an expose by a British tabloid claiming that it's reporter had managed to buy confidential information like credit card and health details of British nationals from a computer software worker employed with a web-designing company. Following a furore over the matter, Haryana Chief Minister Bhupinder Singh Hooda ordered an inquiry into the matter, the results of which are still not known. Ill-equipped to investigate the case, Gurgaon Police apparently pushed the case into cold-storage. 
Of late, Gurgaon has witnessed two cyber-crime cases, that of data theft and hacking and misuse of e-mail ID.

From isn at c4i.org Wed Oct 5 00:42:12 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 5 00:52:00 2005
Subject: [ISN] Hack attack linked to annular eclipse
Message-ID:

http://www.theregister.co.uk/2005/10/04/hacker_eclipse/

By John Leyden
4th October 2005

Are hackers affected by lunar cycles? The question arises after we were sent a screenshot [1] of the defacement of space.com yesterday morning. The attack happened hours before an annular eclipse [2] reached Europe. Coincidence? We think not.

There's a lot of talk about zombie bots (PCs infected by malware and under the control of hackers) but what of werewolves? Admittedly the defacement of space.com made no mention of lycanthropy but security vendors are always fond of talking about "silver bullet solutions" to hacker threats. There's even been a werewolf virus.

This might all sound a bit thin but if college profs can get financing to do studies on gay cows then surely the links between malicious hackers and shape shifting merit closer inspection. And while they're at it the putative study might also want to consider why the major virus outbreaks of the year (Nimda, Blaster, Zotob etc.) always hit in August. We suspect virus writers getting bored during their summer holidays from school or college might be behind this one. ®

[1] http://www.theregister.co.uk/2005/10/04/space_hack.jpg
[2] http://sunearth.gsfc.nasa.gov/eclipse/SEmono/ASE2005/ASE2005tab/ASE2005-Tab14.html

From isn at c4i.org Wed Oct 5 00:42:37 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 5 00:52:45 2005
Subject: [ISN] "Teach them a healthy dose of fear"
Message-ID:

http://news.ft.com/cms/s/8dfd0dfa-34ed-11da-9e12-00000e2511c8.html

By Kevin Allison
October 4 2005

Browsing through the array of personal security services available to top executives and other wealthy people can feel a bit like watching a James Bond film.
Small arms training and evasive driving lessons may sound over the top to the average observer. However, for the very wealthy, and especially for those whose wealth brings notoriety, risks to personal security can be very real.

Earlier this year, a former painter at David Letterman's Montana ranch was arrested after he bragged to an acquaintance about a plot to kidnap the talk show host's son and nanny and demand $5m in ransom. Thanks to the would-be kidnapper's big mouth, Mr Letterman and his family were spared a terrible ordeal, and the man was sentenced to 10 years in prison.

Other cases have ended in tragedy. In a notorious incident in 1992, Sidney Reso, a wealthy Exxon executive, was kidnapped at gunpoint in his driveway by a disgruntled former employee. Mr Reso, who was wounded during his abduction, was kept bound in a tiny storage locker for days before he died of a heart attack.

But don't pick up the phone and order that Kevlar-reinforced panic room and team of bodyguards just yet. Although kidnapping remains an issue for those who travel to global hot spots, experts say most security threats are more mundane.

"Bodyguards are one layer of protection, but we like to suggest to our clients to pre-empt and avoid problems," says Gary Noesner, senior vice president of crisis and security management at Control Risks Group, a risk consultancy.

Improving personal security starts with a basic risk assessment. These can cost a wealthy client anywhere between $12,000 and $24,000, according to security experts. Consultants performing a risk assessment evaluate factors ranging from the physical security of a client's primary and secondary homes, to their personal habits and the frequency of their international travel, to get a feel for potential vulnerabilities.

Some risks are no-brainers. "The flamboyant risk-taker that's out clubbing every night is probably at the greatest risk," says Mr Noesner. "Notoriety is a big issue.
You don't want to be marked as someone who has wealth."

This especially applies to children who may not realise that their family wealth may make them a target. "You want to teach them a healthy dose of fear," Mr Noesner says. "They may not understand that they may be subject to special interest because of how wealthy their father is. They have to realise that not everybody who asks questions about that is a good person."

One of the most basic mistakes high net worth people make is not paying enough attention to who they allow to come into close contact with their family, whether they are friends of troubled relatives or improperly vetted domestic help.

"Everybody has something in their closet, whether it's a crazy nephew or something like that, that can create problems for them," says Donald Henne, a senior director at Kroll, the risk consultants. Moreover, "a lot of these high net worth individuals have personal confidants that know everything about them. There are risks there on the financial side and on the personal side."

Simple precautions can go a long way toward lowering these risks. A routine background check on Kelly Frank, the painter behind the Letterman kidnapping plot, would have revealed that he had been placed under police supervision after a run-in with the law in 1999. For risk-taking entrepreneurs unaccustomed to the attention their new-found fortune can bring, such insights may not come naturally.

The rise of the internet and other electronic technologies has opened the floodgates to new security threats from tech-savvy thieves and fraudsters. Although identity theft is a problem at all levels of the economic ladder, the wealthy make particularly tempting targets. Chubb Group, the insurance company, says that one in five Americans has reported an incident of identity theft, but "we believe that there are potentially twice as many victims as have been reported."

Most identity theft is confined to a few unauthorized credit card purchases.
But in extreme cases, a fraudster who stumbles onto the right information can assume another person's identity and travel, sign contracts or commit other fraud in their name. Chubb says its identity theft insurance policy, which covers up to $25,000 in expenses related to an indicent of identity theft, such as the cost of restoring one's credit rating, has been a hit among wealthy customers. Security consultants can analyse how clients handle sensitive information to help prevent such things happening in the first place. "A lot of clients, when you talk to them about shredding, they think there's no chance that anyone is going to get ahold of their bank account statements or stock statments," says Mr Odom at the Ackerman Group. "We tell clients not to give away information about themselves gratuitously when travelling and about the advantages of using cash instead of credit when travelling overseas." And what about kidnappings? People who travel to Latin America and, increasingly, the Middle East, have the most to worry about in that department. Mr Noesner at CRG says that the threat posed by kidnappers is directly linked to the efficiency of a country's police services. Thus, in the US, kidnapping for ransom is almost non-existent. Most kidnappings in the US involve sexual motives instead. "If it's in Mexico City, it's about ransom. If it's in the US, it's about rape, and if it's in Iraq, it's about political theatre and execution," Mr Noesner says. When traveling abroad, the key to mitigating kidnapping risk is what the professionals call "situational awareness" - a good understanding of where you are and what is happening around you. Wealthy executives who travel abroad should perform due diligence to make sure they are aware of customs regulations, local laws and security arrangements. An array of services exists to ensure that at-risk travellers have access to good medical care and, if necessary, a quick way out of trouble. 
In extreme cases, a client may require "close protection" - industry slang for bodyguards. But for most, a quiet investigation into the handyman's poker habit and a review of methods for disposing of bank reciepts will have to do. From isn at c4i.org Wed Oct 5 00:42:52 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 5 00:53:34 2005 Subject: [ISN] October Named National Cyber Security Awareness Month Message-ID: http://www.govtech.net/magazine/channel_story.php/96846 By Corey McKenna Oct. 03, 2005 Sunday marked the first day of October and the start of National Cyber Security Awareness Month with state, local and federal government officials joining industry groups and computer security companies to highlight efforts that will be taken this month to educate consumers in how to stay safe online. New York State, the University of North Carolina and the city of Charlotte, N.C., are joining the Department of Homeland Security, the National Cyber Security Alliance and numerous companies from the computer security industry to promote educational initiatives and free software giveaways to encourage the adoption of good cyber security practices in small businesses and citizens' homes. New York Governor George Pataki is one of the first governors to accept an invitation by the National Cyber Security Alliance to sign a proclamation setting aside this month in recognition of the importance of cyber security. On its Web site, the New York Office of Cyber Security and Critical Infrastructure Coordination offers a link to a calendar of cyber security awareness events for the month. One of those events is a two-day cyber security summit in the state capital of Albany hosted by Government Technology Conference and the State of New York on October 19th and 20th. The summit includes sessions focused on teaching children to stay safe online and how state and local government officials can improve the state of cyber security in the agencies they manage. 
The mayor of Charlotte, N.C., Pat McCrory, has joined Pataki in issuing a proclamation recognizing October as National Cyber Security Awareness Month. In addition, University of North Carolina at Charlotte graduate students will conduct free public workshops at Charlotte-Mecklenburg County Public Library branches the week of Oct. 3-9. Workshops are scheduled for 6 p.m., Oct. 3, at the Main Library, 310 North Tryon St.; 6 p.m., Oct. 4 at the Beatties Ford Road Branch Library, 2412 Beatties Ford Road; 2 p.m., Oct. 6 at the South County Regional Library, 5801 Rea Road; and 3 p.m., Oct. 9 at the North County Regional Library, 16500 Holly Crest Lane in Huntersville.

In addition, the annual 2005 Fall Computer Security Symposium for computer security professionals will be held Wednesday Oct. 12, at UNC Charlotte's University Cone Center. The conference is open to cyber security professionals, including business continuity professionals, IT managers, software developers, systems administrators, information security professionals and policy makers. Speakers will include Pulitzer Prize finalist Robert O'Harrow, author of "No Place to Hide," as well as industry leaders, the Department of Homeland Security, and the FBI.

San Diego State University has also planned cyber security-related educational activities for the month of October.

The National Cyber Security Alliance and the Department of Homeland Security will be airing a public service announcement titled "Stop, Think, Click" to encourage consumers to protect their personal information through safe Internet browsing practices. NCSA and DHS will also be sponsoring a variety of regional events such as small business workshops and cyber security bootcamps as well as student assemblies, Web casts and events at college campuses to raise awareness of cyber security among the academic community.

"Cyber Security Awareness Month is an opportunity to raise awareness of the importance of cyber security and empower all Americans to protect themselves online and ensure that their computers are not used to attack others," said Andy Purdy, acting director of the National Cyber Security Division at the Department of Homeland Security.

"We share a common goal with Homeland Security and our industry partners, to provide Americans with the tools and information they need to practice safe online behaviors during National Cyber Security Awareness Month and throughout the year," said Ron Teixeira, Executive Director of the National Cyber Security Alliance.

McAfee and RSA Security are among the companies participating in National Cyber Security Awareness Month.

Recognition of the importance of cyber security during the month of October isn't limited to the United States. The conference "Cyber Security: Dimensions of Critical Infrastructure Protection" is taking place in Munich, Germany, October 25-28, where over 150 information security experts and government officials will meet to discuss the challenges of cyber security and the protection of critical information infrastructure.

This year, public officials have been pushing hard on promoting Internet safety and cyber security. Earlier this year, the U.S. Senate passed a resolution recognizing June as National Internet Safety Month, which led to a series of educational events aimed at keeping kids and teens safe online.
From isn at c4i.org Wed Oct 5 00:43:56 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 5 00:54:15 2005
Subject: [ISN] Text Hackers Could Jam Cellphones, a Paper Says
Message-ID:

http://www.nytimes.com/2005/10/05/technology/05phone.html

By JOHN SCHWARTZ
October 5, 2005

Malicious hackers could take down cellular networks in large cities by inundating their popular text-messaging services with the equivalent of spam, said computer security researchers, who will announce the findings of their research today.

Such an attack is possible, the researchers say, because cellphone companies provide the text-messaging service to their networks in a way that could allow an attacker who jams the message system to disable the voice network as well. And because the message services are accessible through the Internet, cellular networks are open to the denial-of-service attacks that occur regularly online, in which computers send so many messages or commands to a target that the rogue data blocks other machines from connecting.

By pushing 165 messages a second into the network, said Patrick D. McDaniel, a professor of computer science and engineering at Pennsylvania State University and the lead researcher on the paper, "you can congest all of Manhattan."

Professor McDaniel and the other faculty author, Thomas F. La Porta, have extensive experience in computer security, including work in the telecommunications industry. The findings are expected to be released today at Penn State, and as a formal research paper at a computer security conference next month.

Cellular companies acknowledge that such attacks are possible, but say that they have developed systems to prevent effective ones. "If you're not prepared, that could happen," said Brian Scott, senior manager for wireless messaging operations at Sprint. "If you are prepared and you have means in place to identify, detect and mitigate that, it's not as much of a concern."

Other specialists said such systems would face many of the same obstacles as those that try to block denial-of-service attacks, one of the thorniest problems in countering hackers. "The solutions don't tend to be very elegant" in the Internet world, said Gary McGraw, chief technical officer of Cigital, a security consultant to the computing and telecommunications industries. "And I believe it will be the same thing on cellphones."

In their research, the authors concluded that all major cellular networks were vulnerable, and that a single computer with a cable modem could do the job. The researchers do not appear to believe that anyone has deliberately disrupted cellphone networks in this way, although it appears to have occurred by accident in other nations.

The text-messaging system, called S.M.S. for short messaging service, is an increasingly important part of the cellular network. Aside from its popularity with users, especially teenagers, it has gained prominence as a way to communicate when voice networks fail, as in emergencies like the terrorist attacks on Sept. 11, 2001. The system works even when cellular calls do not because text messages are small packets of data that are easy to send, and because the companies transmit them on the high-priority channel whose main purpose is to set up cellphone calls.

But therein lies part of the vulnerability, Professor McDaniel said. The control channel cannot handle large amounts of data, he said, so by flooding the channel with messages, it is possible to prevent voice calls from going through. "This is a traffic-jam problem," he said. "You're sending too many cars down a two-lane road."

Specialists not connected with the study said that weak link, combined with computers' ability to automatically repeat Internet processes at blinding speed, added up to a serious threat. "Any time a vulnerability in the physical world exists that can be exploited via computer programs running on the Internet, we have a recipe for disaster," said Aviel D. Rubin, technical director of the Information Security Institute at Johns Hopkins. "It is as though those who wish to harm us have a magic switch that can turn off the cellular network."

The Penn State researchers said that once they began exploring the vulnerabilities of the network, they proved their concepts on a small scale by using their own cellphones. "We were very, very careful," Professor McDaniel said. "We never sent more traffic than was necessary." Their research proved that blocking networks was possible, a conclusion they later verified in private conversations with telephone company engineers and government regulators, he said.

One challenge for would-be attackers, according to the paper, is pulling together a list of working cellphones in a specific geographical area. But that, too, is made simpler via the Internet; the authors describe a process using Google and some search tricks that allowed them to collect 7,308 cellular numbers in New York City and 6,184 from Washington "with minimal time and effort."

Though the vulnerability is serious, Professor McDaniel said, it is still the kind of thing that could only be carried out by skilled attackers, at least for now. "It seems to me unlikely that a small number of unsophisticated users would be able to mount this attack effectively," he said.

The paper, to be posted online at www.smsanalysis.org, also offers suggestions for heading off the problem. The most direct solution, simply disconnecting the short messaging services from the Internet gateways, is not practical, Professor McDaniel said. But technologies to limit the messages being inserted into the network could provide some protection. Among the other recommendations is separating the voice and data in the next generation of cellphone technology so data jams cannot affect voice calls.

Cellular companies said they were moving forward on this and other security issues. A spokesman for Cingular, Mark Siegel, said his company "constantly and aggressively monitors potential threats to the integrity and security of its network," but added, "As a rule, we don't comment on the defensive measures we have put in place or may put in place."

Dave Oberholzer, a marketing manager for information at Verizon Wireless, said the company was well protected against this kind of attack because of software the company had put in place to insulate users from cellphone message spam. "We have fairly robust spam filters on those gateways," he said. "All of that is pretty much automated at this point."

Mr. McGraw, the chief technical officer of Cigital, said the goal of research like the Penn State paper was not to help hackers scale new heights, but to alert companies to problems before someone exploited them. Getting the word out "has to be done very responsibly and very carefully," he said. "You don't want people to panic, but you do want them to sit up, take notice and do something about it."

From isn at c4i.org Thu Oct 6 00:07:20 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 6 00:18:19 2005
Subject: [ISN] Espionage Case Breaches the White House
Message-ID:

Forwarded from: William Knowles

http://abcnews.go.com/WNT/story?id=1187030&page=1

By BRIAN ROSS and RICHARD ESPOSITO
ABCNews
Oct. 5, 2005

Both the FBI and CIA are calling it the first case of espionage in the White House in modern history. Officials tell ABC News the alleged spy worked undetected at the White House for almost three years. Leandro Aragoncillo, 46, was a U.S. Marine most recently assigned to the staff of Vice President Dick Cheney.
"I don't know of a case where the vetting broke down before and resulted in a spy being in the White House," said Richard Clarke, a former White House advisor who is now an ABC News consultant. Federal investigators say Aragoncillo, a naturalized citizen from the Philippines, used his top secret clearance to steal classified intelligence documents from White House computers. In 2000, Aragoncillo worked on the staff of then-Vice President Al Gore. When interviewed by Philippine television, he remarked how valued Philippine employees were at the White House. "I think what they like most is our integrity and loyalty," Aragoncillo said. Classified Material Transferred by E-Mail Officials say the classified material, which Aragoncillo stole from the vice president's office, included damaging dossiers on the president of the Philippines. He then passed those on to opposition politicians planning a coup in the Pacific nation. "Even though it's not for the Russians or some other government, the fact that it occurred at the White House is a matter of great concern," said John Martin, who was the government's lead espionage prosecutor for 26 years. Last year, after leaving the Marines, Aragoncillo was caught by the FBI while he worked for the Bureau at an intelligence center at Fort Monmouth, N.J. According to a criminal complaint, Aragoncillo was arrested last month and accused of downloading more than 100 classified documents from FBI computers. "The information was transferred mostly by e-mails," said U.S. Attorney Christopher J. Christie at the time of Aragoncillo's arrest. Since that arrest, officials say Aragoncillo has started to cooperate. He has admitted to spying while working on the staff of Vice President Cheney's office. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. 
Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Thu Oct 6 00:07:32 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 6 00:18:45 2005 Subject: [ISN] Bug spotted in Symantec antivirus Message-ID: http://news.com.com/Bug+spotted+in+Symantec+antivirus/2100-1002_3-5889518.html By Joris Evers Staff Writer, CNET News.com October 5, 2005 A serious security flaw in part of Symantec's antivirus products puts enterprise systems running the software at risk of intrusion. A buffer overflow flaw in the Symantec AntiVirus Scan Engine could let remote attackers run code on vulnerable machines, Symantec said in an advisory Tuesday. The problem affects various versions of the engine, which is the part of the security software that actually scans for threats. Security patches are available to correct the problem, which Symantec rates "high" on its risk impact scale. "Symantec strongly recommends all customers immediately apply the latest updates for their supported product versions to protect against these types of threats," the company said in its alert. No attacks that use the flaw have been reported, Symantec said. The security hole lies in the Web-based administrative interface of the Symantec Antivirus Scan Engine, the company said. This interface is part of several of the company's corporate antivirus products. An attacker could exploit it by sending a malformed request to the interface, security intelligence company iDefense said in an advisory. iDefense reported the flaw to Symantec. Symantec advises people to check their installation. The administrative interface should be accessible only via a secure segment of the network and should never be open outside a company's network, Symantec said. 
Disclosure of the Symantec issue is further evidence that researchers are increasingly looking for holes in security products. Protective technology is commonly installed on PCs, servers, network gateways and mobile devices. As it becomes more widespread, the more attractive a target security software becomes to cybercriminals, experts have said. Earlier this week a serious flaw in Kaspersky's antivirus products was disclosed.

Copyright 1995-2005 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Thu Oct 6 00:06:53 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 6 00:20:03 2005
Subject: [ISN] Security UPDATE -- More Flexible Security Control in IIS 7.0 -- October 5, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Free Webcast from Postini: Risks of Unmanaged IM
http://list.windowsitpro.com/t?ctl=15605:4FB69

Panda Software
http://list.windowsitpro.com/t?ctl=155F8:4FB69

====================

1. In Focus: More Flexible Security Control in IIS 7.0

2. Security News and Features
- Recent Security Vulnerabilities
- Latest Office Updates Improve Outlook Security
- Symantec to Acquire WholeSecurity

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

4. New and Improved
- A Security Partner

====================

==== Sponsor: Postini ====

Free Webcast from Postini: Risks of Unmanaged IM

Join noted electronic messaging expert and author Michael Osterman on Thursday, October 20, 2005 as he explores the growing threats associated with Instant Messaging (IM) in your enterprise and what to do about them. In one short hour you'll learn how to find out where your enterprise is vulnerable ... protect against IM-borne threats ... and ensure regulatory compliance within IM. Register today and learn why IM is the "next frontier" for hackers, spammers, and phishers ... what IM means to your compliance initiatives ... why you can't stop IM threats with typical network safeguards ... and how an integrated message management strategy provides IM threat prevention and compliance. Free white paper and technology overview when you attend. Register now.
http://list.windowsitpro.com/t?ctl=15605:4FB69

====================

==== 1. In Focus: More Flexible Security Control in IIS 7.0 ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

At the recent Microsoft Professional Developers Conference (PDC 2005), IIS Program Manager Chris Adams talked about upcoming features of IIS 7.0, some of which are security related.

IIS 7.0 is built on the IIS 6.0 platform, which is far more secure than previous versions of IIS. Adams said that IIS developers learned over time, particularly because of worms such as Code Red and Nimda, how to improve the Web server's security. Adams said that no security vulnerabilities have been discovered in what he calls the "IIS critical core" since the release of IIS 6.0. Therefore IIS 6.0 serves as a good base to build on.

IIS 7.0 brings new security features such as delegation of authority, which is a significant improvement. This means that people can perform delegated tasks without having administrator-level authority. So for example, in the course of developing a new Web page, a Web developer might want to use a new file extension type. Traditionally, an administrator would need to add that type to the server. But the new delegation features let an administrator delegate that authority to the developer. This capability will improve security administration and increase productivity.

If you've spent a lot of time developing secure applications that run on IIS 6.0, you won't have to spend much time moving them to IIS 7.0. Adams said Microsoft has made sure that IIS 7.0 will support "legacy applications."

Unlike Windows XP, which includes IIS 5.1, and Windows Server 2003, which includes IIS 6.0, Windows Vista and Longhorn Server will ship with IIS 7.0. The different IIS versions on XP and Windows 2003 posed some developmental and security problems; Microsoft is aiming to avoid those problems in the new Windows client and server OSs.

With previous versions of IIS, developers typically used Internet Server API (ISAPI) and Common Gateway Interface (CGI) to develop custom functionality. But IIS 7.0 will be more modular, which brings at least two benefits: Administrators will be able to deploy IIS 7.0 with only the modules that they require, and developers will be able to replace functionality that they might not like. For example, if you want to use an authentication method other than connecting to the SAM database, you can write a replacement for IIS 7.0's authentication module. The ability to replace this module means that developers can not only create their own means of authenticating users but can also more easily integrate support for other OSs such as Linux, BSD, and Mac OS X.

IIS 7.0 also has a new UI that exposes more of the central configuration (metabase) properties, possibly including some security properties. In previous versions, administrators had to modify some aspects of the metabase by using command-line tools or by manually editing configuration files with Notepad or the Microsoft MetaEdit tool.

That's a brief summary of what you can expect. Development tools and additional information for IIS 7.0 should be available on Microsoft Developer Network (MSDN) by the end of the year. In addition, Paul Thurrott will provide a more extensive review of IIS 7.0 on our Web site sometime in the near future.

====================

==== Sponsor: Panda Software ====

Stopping Crimeware and Malware

Computer users can no longer wait for a new vaccine every time a new security threat appears.
How do you defend your network in a world of smarter, faster, Internet-borne zero-day attacks? Find out about Intrusion Prevention that can detect and destroy unknown malware with virtually zero false positives.
http://list.windowsitpro.com/t?ctl=155F8:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=155FC:4FB69

Latest Office Updates Improve Outlook Security

Microsoft released Office 2003 Service Pack 2 (SP2) and junk email filter updates for Office Outlook 2003. Together they can help protect against phishing attacks. Read more about the updates in this news story on our Web site.
http://list.windowsitpro.com/t?ctl=15602:4FB69

Symantec to Acquire WholeSecurity

Symantec announced that it entered into an agreement to acquire privately held WholeSecurity. The deal is scheduled to close in October. WholeSecurity offers behavior-based security solutions and antiphishing technology.
http://list.windowsitpro.com/t?ctl=15604:4FB69

====================

==== Resources and Events ====

Get Ready for the SQL Server 2005 Roadshow in Europe

Back By Popular Demand--Get the facts about migrating to SQL Server 2005! SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a one-year membership to PASS and one-year subscription to SQL Server Magazine. Register now.
http://list.windowsitpro.com/t?ctl=155F7:4FB69

Windows Connections 2005 Conference--October 31 - November 3, 2005

At the Manchester Grand Hyatt in San Diego, Microsoft and Windows experts present more than 40 in-depth sessions with real-world solutions you can take back and apply today. Register now and attend two conferences for the price of one!
http://list.windowsitpro.com/t?ctl=1560B:4FB69

Discover SQL Server 2005 for the Enterprise. Are you prepared?

In this free half-day event, you'll learn how the top new features of SQL Server 2005 will help you create and manage large-scale, mission-critical enterprise database applications and make your job easier. Find out how to leverage SQL Server 2005's new capabilities to best support your business initiatives. Register today!
http://list.windowsitpro.com/t?ctl=155F9:4FB69

Deploy VoIP and FoIP Technologies

Voice over Internet Protocol (VoIP) is the future of telecommunications, and many companies are already enjoying the benefits of transporting voice over IP networks to significantly reduce telephone and facsimile costs. Join industry expert David Chernicoff for this free Web seminar to learn the "ins and outs" of boardless fax in IP environments, tips for rolling out fax and integrating fax with telephony technologies, and more!
http://list.windowsitpro.com/t?ctl=155FB:4FB69

Microsoft IT Forum 2005
November 15-17, Barcelona, Spain

Microsoft's European conference for IT professionals on planning, deploying, and managing the secure connected enterprise. Three days of learning, one year of solutions. With a choice of 325+ Technical Learning Sessions, increase your productivity and support your business with new opportunities and ideas. See the Web site for registration information.
http://list.windowsitpro.com/t?ctl=15608:4FB69

====================

==== Featured White Paper ====

Build a Superior Windows File Serving Environment

In this free white paper, get the tools you need to provide a scalable, highly available CIFS file service using inexpensive, industry-standard servers that you can add to incrementally as demands require, while retaining the management simplicity of a single server and a single pool of exported file systems.
http://list.windowsitpro.com/t?ctl=155F6:4FB69

====================

==== Hot Release ====

Maximizing Network Security Against Spyware and Other Threats

Spyware installation usually exploits an underlying security vulnerability in the OS. You can remove spyware, but if you don't also patch the underlying vulnerability, you don't solve the real problem. By leaving your systems open to reinfestation, you risk surging bandwidth consumption, system instability, overwhelmed Help desks, lost user productivity, and other consequences. Unauthorized applications can even result in noncompliance with regulatory requirements. This free white paper addresses the need to manage both the threats and vulnerabilities from one console as a comprehensive security solution.
http://list.windowsitpro.com/t?ctl=155FA:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Synopsis of MS Security Bulletin Creation
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=15607:4FB69

Ever wonder what goes on during the creation of a Microsoft security bulletin? Read this blog article to get a synopsis.
http://list.windowsitpro.com/t?ctl=15603:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=15606:4FB69

Q: Can I change the type of logging that Active Directory (AD) uses?
Find the answer at
http://list.windowsitpro.com/t?ctl=15601:4FB69

Security Forum Featured Thread: Too Many Security Log Entries

A forum participant writes that he needs to identify user logon and logoff events. However, he needs to know only logon and logoff times and wants to log the minimum number of related events. He wants to know what policies to adjust to make that happen. Join the discussion at
http://list.windowsitpro.com/t?ctl=155F5:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Become a VIP Subscriber!

Get inside access to ALL the articles, tools, and helpful resources published in Windows IT Pro, SQL Server Magazine, Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security--that's more than 26,000 articles at your fingertips. Your VIP subscription also includes a valuable one-year print subscription to Windows IT Pro and two VIP CDs (includes the entire article database on CD). Sign up now:
http://list.windowsitpro.com/t?ctl=155FF:4FB69

Windows IT Pro Has Answers

You won't want to miss any of the fall issues! Subscribe now and discover the best ways to plan for Longhorn, what you need to know about VBScript, ways to make sense of SQL Server, the 10 Security Tools You Can't Live Without, and much more. You'll also gain exclusive access to the entire Windows IT Pro online article database (more than 9000 articles) and you'll SAVE 44% off the cover price. Click here:
http://list.windowsitpro.com/t?ctl=155FE:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

A Security Partner

Integralis announced Secure Watch, a co-managed security service in two levels: Level 1 for small businesses and Level 2 for large businesses. Secure Watch lets customers work with Integralis Security professionals to protect their corporate networks. For Secure Watch Level 2, Integralis uses its Security Service Appliance (SSA) to monitor customer networks for thousands of unique problems. When it finds a problem, it alerts the customer's security team, which can then solve the problem or consult with Integralis professionals. Secure Watch Level 1 monitors system health and availability without the need for customer-premises equipment. For more information, go to
http://list.windowsitpro.com/t?ctl=1560C:4FB69

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Admins rush to install BLOG servers
How to run your own blog server. Free 5-user license.
http://list.windowsitpro.com/t?ctl=1560A:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=15609:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=15600:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Oct 6 00:07:53 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 6 00:20:29 2005
Subject: [ISN] Nematodes: The Making of 'Beneficial' Network Worms
Message-ID:

http://www.eweek.com/article2/0,1895,1867317,00.asp

By Ryan Naraine
October 5, 2005

Convinced that businesses will use nonmalicious worms to cut down on network security costs, a high-profile security researcher is pushing ahead with a new framework for creating a "controlled worm" that can be used for beneficial purposes.

Dave Aitel, vulnerability researcher at New York-based Immunity Inc., unveiled a research-level demo [1] of the "Nematode" framework at the Hack In The Box confab in Kuala Lumpur, Malaysia, insisting that good worms will become an important part of an organization's security strategy.

"We're trying to change the way people think," Aitel said in an interview with Ziff Davis Internet News. "We don't want people to think this is impossible.
It's entirely possible to create and use beneficial worms and it's something businesses will be deploying in the future." For years, security experts have debated the concept of using good worms to seek and destroy malicious worms. Some believe that it's time to use the worms' tactics against them [2] and build good worms that fix problems, but the chaos and confusion associated with self-propelled replicating programs have left others unconvinced. Aitel is among those who believe it is "inevitable" that worm technology can significantly reduce the cost of disinfecting and maintaining a corporate network. "We already have a proof-of-concept that can take a very simple exploit, go through a few steps and, in a matter of minutes, create a working nematode," Aitel said. He took the name for the concept from the pointy-ended worm used to control pests in crops. "We can generate a nematode any way we want. You can make one that strictly controls, programmatically, what the worm does," Aitel explained. Aitel, who did a six-year stint as a computer scientist at the NSA (National Security Agency) before moving on to work as a code-breaker for research outfit @Stake Inc., is adamant that nematodes can provide the answer for lowering security costs. He sees a world where "strictly controlled" nematodes are used by ISPs, government organizations and large companies to show significant cost savings. During his Hack In The Box presentation, Aitel outlined the reasons for creating nematodes and displayed strict protocols that can be used to control the beneficial worms. He said nematodes can be automatically created from available vulnerability information and even showed off a new programming language to create the worms. Aitel acknowledged potential problems with the concept, noting that worms are very hard to write and use large amounts of network bandwidth. Because worms are harder to target and control, he noted that IT administrators live in constant fear.
The concept includes the use of "Nematokens," servers that are programmed to only respond to requests from networks cleared for attacks, and the NIL (Nematode Intermediate Language) that can be used as a specialized and simplified "assembly for worms." The NIL can be used to convert exploits into nematodes quickly and easily. In some cases, Aitel believes that exploits can be written to NIL directly to simplify the process even more. "This will be part of your security team's toolkit," Aitel argues, noting that his company's work is "research-level proof of concept" that details the theory and theology of using beneficial worms. "If you look at the security cost of maintaining a large network, most CIOs agree it's way above what they want to pay. With this [nematode] concept, you can take advantage of automating technologies to get protection for pennies on the dollar. That's the drive behind developing a lot of these new forward-looking technologies," Aitel said. "Nematodes are a step beyond the next step. We're two stages away from using this," he added. "The goal has always been to build the network that protects itself automatically with automated technologies. We're certainly not more than five years away from this sort of technology becoming something that you can buy." "We already have an engine that takes exploits and turns them into worms and does it in a way that allows you to inject control mechanisms into that. That's something that will appeal to businesses."
[1] http://www.immunityinc.com/downloads/nematodes.pdf [2] http://www.eweek.com/article2/0,1895,1037004,00.asp From isn at c4i.org Thu Oct 6 00:08:04 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 6 00:20:49 2005 Subject: [ISN] 'DEC hacking' trial opens Message-ID: http://www.theregister.co.uk/2005/10/05/dec_case/ By John Oates 5th October 2005 Horseferry Road Magistrates Court has heard the first day of evidence against the East London man accused of hacking into a donations site for the tsunami appeal last December. Daniel James Cuthbert, 28, of Whitechapel, London, is accused of breaches of Section One of the Computer Misuse Act, 1990, on the afternoon of New Year's Eve, 2004. He had earlier pleaded not guilty. Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee. Giving evidence on his own behalf, Cuthbert, at times near tears, said he had made a £30 donation to the site, after clicking on a banner advert. Because he received no final thank-you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check the security of the site. The case continues tomorrow. From isn at c4i.org Thu Oct 6 00:08:16 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 6 00:21:11 2005 Subject: [ISN] Audit follows attack on FSU computers Message-ID: http://www.tallahassee.com/mld/tallahassee/news/local/12819487.htm By Rocky Scott DEMOCRAT STAFF WRITER Oct. 05, 2005 A campuswide audit of computers at Florida State University will start this month after hackers gained access to two servers on the campus but did no apparent damage, FSU officials said Tuesday. "We have not had a single person indicate they have had a problem," said Browning Brooks, an FSU spokeswoman, after hackers found their way into computer servers belonging to the FSU Foundation and an internal financial-management server.
Larry Conrad, associate vice president and FSU's chief information officer, said the attacks came from off campus and that FSU police were investigating the incidents. No suspects have been identified, Conrad said. Joe Lazor, director of university computer systems, said the intrusion into the financial-management server was found in mid-July, and illegal access to the foundation computer was discovered in the second week of August. Both intrusions were discovered during routine monitoring procedures, Conrad said. Brooks said about 27,000 names of young FSU alumni were in the foundation computer and may have been exposed to the hackers. She said the exposed files were not the entire alumni database, which contains about 450,000 names. Conrad said the names involved were heavily encrypted, and there was no indication the names had been tampered with or accessed. "We sent a letter to all the young alumni telling them their files had been exposed" to an attack by a hacker, Browning said. Conrad said it could not be determined whether any data were gleaned from the financial management server. He said both servers were replaced, the data were reinstalled, and newer firewalls and other forms of protection were installed on the new servers. Lazor said it appeared in both instances the hackers were using FSU computers to store large files, the most common reason for most hacker attacks. College campus computers generally have a lot of room to send large files over the Internet, making them attractive targets, Conrad said. Hackers generally find a way to gain access to a large computer by stealing someone's password or identity, then installing a "kit" in the system that provides entry for the hacker but remains invisible to people using the server. "They put big files on our computers," Conrad said, "and we don't see them until they (open) the file."
He said attacks on the FSU computer system - there are more than 20,000 computers on campus - have become more common and more complex in the past five or six years. The latest attacks have "Joe and I fundamentally rethinking computer security for the entire campus," Conrad said. "We are rethinking our approach," he said. From isn at c4i.org Thu Oct 6 00:06:05 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 6 00:21:34 2005 Subject: [ISN] DHS site offers security tools, tips for software developers Message-ID: http://www.gcn.com/vol1_no1/daily-updates/37218-1.html By Patience Wait GCN Staff 10/05/05 The Homeland Security Department has launched a secure portal to provide best practices, tools and other resources for creating more reliable and secure software for developers and security professionals. The new Web site, Build Security In [1], was developed in conjunction with the Carnegie Mellon Software Engineering Institute. It was unveiled at a software assurance forum this week co-hosted by DHS and the Defense Department. The site takes a building-block approach, with content areas separated into different phases of the software development life cycle such as architecture and design, systems analysis and testing, and implementation. Within each area, articles are compiled discussing best practices for that particular aspect of software development. Andy Purdy, acting director of DHS' National Cyber Security Division, told forum participants that improving the security and reliability of software is a critical element in protecting the nation's infrastructure. Software assurance efforts have to "shift the paradigm from patch management to true software assurance," Purdy said. "Our objectives are to raise the awareness on software quality and security by improving software development and acquisition processes and practices." 
[1] http://buildsecurityin.us-cert.gov/ From isn at c4i.org Mon Oct 10 00:09:15 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 10 00:21:05 2005 Subject: [ISN] Nessus security tool closes its source Message-ID: http://news.com.com/Nessus+security+tool+closes+its+source/2100-7344_3-5890093.html By Renai LeMay Special to CNET News.com October 6, 2005 The source code of one of the world's most popular free security tools will no longer be available to all, its creator has announced, saying the software's open-source license was fueling competition. Renaud Deraison, the primary author of the Nessus vulnerability scanner, broke the news in a message to the software's e-mail list Wednesday. "Nessus 3 will be available free of charge...but will not be released under the GPL," or General Public License, Deraison wrote. Nessus, which Deraison says is used by 75,000 organizations worldwide, scans networks for vulnerabilities. The developer, who has been working on the product since at least 1998, said commercial pressures facing Tenable Network Security, the company he started in 2002 around Nessus, were forcing him to stop making the software's source code available. "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL," he wrote in a later e-mail, justifying his decision. "So in that regard, we have been fueling our competition, and we want to put an end to that. Nessus 3 contains an improved engine, and we don't want our competition to claim to have improved 'their' scanner." The developer also expressed disappointment over the lack of community participation in developing the software, despite its open-source license. "Virtually nobody has ever contributed anything to improve the scanning engine over the last six years," he wrote, noting that there had been minor exceptions.
Deraison said the existing version 2 of Nessus would continue to be available under the GPL license and receive bug fixes and regular updates. The large library of plug-ins to the software would also continue to be distributed in a way that would allow parties to examine their source code. Tenable will also cut down the number of system architectures that version 3 of Nessus will support, and one core part of Nessus--its graphical user interface--will be split off into a separate, open-source project, Deraison added. The developer's decision attracted immediate criticism, notably from the security expert known only as Fyodor. The programmer is the author of Nmap, a complementary network-scanning tool to Nessus, which is widely used among security professionals. "Tenable argues that this move is necessary to further improve Nessus and/or make more money. Perhaps so, but the Nmap project has no plans to follow suit," Fyodor wrote in an e-mail, alerting his software's user base of the license change. "Nmap has been GPL since its creation more than eight years ago, and I am happy with that license," he continued. Another critic posted concerns to the Nessus mailing list that Tenable would eventually get tired of supporting the open-source version 2 of the software and simply forget about it. He raised the possibility that the community could "fork" version 2 of the software--that is, start developing a divergent version of Nessus from the one officially supported by Tenable. New kid on the block Deraison said version 3 of Nessus would contain several noteworthy improvements but be broadly backwards-compatible with version 2. The two will be able to share most of the plug-ins that are crucial to the software's operation. "Nessus 3 is much faster than Nessus 2 and less resource-intensive," the developer wrote.
"Your mileage may vary, but when scanning a local network, Nessus 3 is, on average, twice as fast as Nessus 2, with spikes going as high as five times faster when scanning desktop Windows systems." "Nessus 3 also contains a lot of built-in features and checks to debug crashes and misbehaving plug-ins more easily, and to catch inconsistencies earlier," he wrote. Renai LeMay of ZDNet Australia reported from Sydney. Copyright © 1995-2005 CNET Networks, Inc. All rights reserved. From isn at c4i.org Mon Oct 10 00:09:54 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 10 00:21:27 2005 Subject: [ISN] Glitch forces fix to cockpit doors Message-ID: http://seattletimes.nwsource.com/html/businesstechnology/2002542572_cockpit06.html By Dominic Gates Seattle Times aerospace reporter October 6, 2005 For more than two years, U.S. airplane passengers have flown more securely because high-tech cockpit doors created a barrier to prevent a repeat of 9/11, when terrorists entered the cockpit and commandeered four planes. But, the doors were not foolproof. In December 2003, a Northwest Airlines maintenance mechanic inside an Airbus A330 jet on the ground in Minneapolis pushed the microphone button to talk into his handheld radio. Though he hadn't touched the cockpit door, he heard the sound of its lock operating. Radio interference from his walkie-talkie had scrambled the electronics inside the door's locking mechanism. The discovery sparked a secretive and expensive engineering effort that started with Airbus and eventually hit Boeing, and is only now nearing completion. The security glitch affected all A330 and A340 jets - about 400 - that had installed an Airbus-designed fortified door. In May 2004, Boeing learned from three airline customers that it, too, had the same problem, affecting some 1,700 jets. All Boeing wide-bodies with fortified cockpit doors designed by the jet maker were vulnerable. Boeing and Airbus insist there was no immediate danger.
The mechanic had to be standing in precise spots with a particular walkie-talkie tuned to a specific frequency and with a certain signal strength. "It's an extraordinarily limited issue," said Airbus spokeswoman Mary Anne Greczyn. Federal Aviation Administration spokeswoman Laura Brown said the agency was unable to replicate the problem on airplanes in flight. Regardless, top experts at both airplane manufacturers have spent nearly two years working quietly with the FAA to redesign the door lock. Boeing completed fixing the latches on all its affected jets last month. The FAA this week is expected to issue an airworthiness directive, a formal, after-the-fact order to all U.S. registered airlines with Boeing jets that they must install a fix designed by Boeing. All affected Airbus jets registered in the United States, about 20 airplanes, were fixed by September 2004. "All the foreign carriers that fly [into the U.S.] are fixed, too," said Brown. She said the FAA did not issue an airworthiness directive for Airbus because so few jets in the U.S. were affected. Airbus' Greczyn said last week the fix is now "nearly completed" on all affected jets worldwide. Four months after 9/11, the FAA mandated that cockpit doors on all jets flying in the U.S. be strengthened. The design demands were extraordinarily tricky. The doors had to be strong enough to withstand bullets, yet engineered to burst open to avoid a catastrophic twisting of the airframe in the event of a sudden loss of cabin pressure. The airlines had just 15 months to change the doors on about 7,000 U.S.-operated aircraft and some 2,000 foreign-owned. Boeing and Airbus each developed designs using door-locking mechanisms from a California supplier. In both cases, the cockpit door is secured by aluminum rods that slide into the lock or unlock positions when activated by an electronic signal. Rapid decompression would also unlock the door. 
A technical expert familiar with the intricacies of radio frequency, or RF, agreed to discuss the interference issue on condition he not be identified. He works for the government and believes he could lose his job for speaking publicly about a sensitive security topic, even in general terms. The expert said it is difficult to build any electronic product that's protected from radio interference in a wide range of frequency bands. He said a door controller is typically activated via a numeric code, which produces an electronic signal to unlock the door. A strong-enough external signal of the right frequency flooding the circuit could fool the mechanism into thinking it was the "unlock the door" signal. "The world is filled with RF signals, and lots of times signals mix. It's mathematically feasible to come up with a combination of frequencies that could mix just enough to be right on target," said the expert. "The world of RF is black magic." The expert expressed concern that if "an educated electrical engineer with a terrorist mind twist" could get hold of a door-lock controller, it might be possible to reverse-engineer the mechanism and find the frequency that would unlock it. "It wouldn't take long to break down an engineering formula," the expert said. "It could be done in 30 minutes." But the chief engineer who led Boeing's effort to fix the problem on its jets said the interference happens only in very narrow circumstances, and that even an electronics expert would have great difficulty exploiting this vulnerability. Boeing asked that the engineer not be named to ensure his personal safety. "I'd have to have equipment. I'd have to get it through security. I'd have to know the right channel," the chief engineer said. "I'd need to know quite a lot about where parts are installed on the airplane. I'd need to do a lot of things I couldn't actually do" on a commercial flight. 
When Boeing first learned of the issue last year, the FAA issued a secret security-sensitive airworthiness directive alerting airlines. After initially coming up with a quick fix, Boeing decided to go for a longer-term, more-robust solution developed in cooperation with a top FAA specialist based in Seattle. Team worked in secrecy A team of about five engineers secretly worked on the problem for more than a year. "We deliberately kept the wraps on it within Boeing," the chief engineer said. "If people didn't need to know, they didn't know." Boeing did not provide an estimate of the costs. "Cost didn't come into it," said the chief engineer. "My concern was making sure we got a good technical solution." Originally, airlines paid $29,000 for each of the Airbus wide-body door kits and between $40,000 and $100,000 for the Boeing wide-body kits, depending on the plane's model and configuration. The government provided a $97 million subsidy to defray costs, about $13,000 per door. The FAA tested and certified both door designs; the tests failed to reveal the radio frequency interference issue. "We did testing for every scenario you can imagine," the FAA's Brown said. "You don't know what you don't know." Airbus supplied the majority of fortified doors in its own aircraft, and Boeing won 60 percent of the market to install the fortified doors in its jets. After the glitch was discovered, the FAA examined the doors made by third-party vendors and found no similar interference problem. Both Boeing and Airbus used the same supplier, Adams Rite Aerospace of Fullerton, Calif., for their in-house door control. Supplier passed tests Airbus' Greczyn and Boeing spokesman Jim Proulx both stressed the supplier had met certification requirements and passed the interference tests then in place. Executives at Adams Rite did not return repeated calls or respond to e-mail requests for comment. 
Following the scramble to fix the electronic locks, both plane makers are also providing a backup option. Boeing already had provided a manual bolt lock as a backup. A pilot could use it in case of a perceived threat. Airbus does not install a mechanical backup lock as standard. But as a result of the locking incident, Greczyn said "a mechanical backup ... has been designed and certified and is available to customers to apply at their discretion." Copyright © 2005 The Seattle Times Company From isn at c4i.org Mon Oct 10 00:10:24 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 10 00:21:46 2005 Subject: [ISN] Linux Advisory Watch - October 7th 2005 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | October 7th, 2005 Volume 6, Number 41a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@linuxsecurity.com ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for gtkdiskfree, util-linux, ClamAV, loop-aes, helix-player, backupninja, squid, mysql, ntlmaps, mysql-dfsg, gopher, prozilla, cfengine, mozilla-firefox, apachetop, drupal, mailutils, egroupware, arc, mod-auth-shadow, mason, slocate, vixie-cron, net-snmp, kernel, openssh, binutils, perl, and gdb. The distributors include Debian, Gentoo, and Red Hat. --- Denial of Service Attacks By: Dave Wreski A "Denial of Service" (DoS) attack is one where the attacker tries to make some resource too busy to answer legitimate requests, or to deny legitimate users access to your machine. Denial of service attacks have increased greatly in recent years. Some of the more popular and recent ones are listed below.
Note that new ones show up all the time, so this is just a few examples. Read the Linux security lists and the bugtraq list and archives for more current information. * SYN Flooding - SYN flooding is a network denial of service attack. It takes advantage of a "loophole" in the way TCP connections are created. The newer Linux kernels (2.0.30 and up) have several configurable options to prevent SYN flood attacks from denying people access to your machine or services. See Section 7 for proper kernel protection options. * Ping Flooding - Ping flooding is a simple brute-force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network. A variation on this attack, called "smurfing", sends ICMP packets to a host with your machine's return IP, allowing them to flood you less detectably. * Ping o' Death - The Ping o' Death attack sends ICMP ECHO REQUEST packets that are too large to fit in the kernel data structures intended to store them. Because sending a single, large (65,510 bytes) "ping" packet to many systems will cause them to hang or even crash, this problem was quickly dubbed the "Ping o' Death." This one has long been fixed, and is no longer anything to worry about. * Teardrop / New Tear - One of the most recent exploits involves a bug present in the IP fragmentation code on Linux and Windows platforms. It is fixed in kernel version 2.0.33, and does not require selecting any kernel compile-time options to utilize the fix. Linux is apparently not vulnerable to the "newtear" exploit. 
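A defender-side sanity check for the two fragmentation attacks in the list above, Ping o' Death and Teardrop, as an added Python example that is not part of the HOWTO or of this newsletter: it models the fragments of one IP datagram, flags a reassembled length over the 65,535-byte IPv4 maximum, and flags fragments that overlap data already received. The Fragment type, the build_fragments helper and the three sample fragment sets are constructed here for illustration and are not taken from any kernel or tool.

```python
"""Sanity checks on the fragments of one IP datagram, flagging the two
fragmentation abuses described above: Ping o' Death (reassembled datagram
larger than the 65,535-byte IPv4 maximum) and Teardrop (overlapping
fragments). All records below are constructed for illustration."""
from dataclasses import dataclass
from typing import List

IP_MAX_DATAGRAM = 65535   # largest IPv4 total length (header + payload)
IP_HEADER_LEN = 20        # minimal IPv4 header without options
FRAG_UNIT = 8             # the fragment offset field counts 8-byte units


@dataclass(frozen=True)
class Fragment:
    """One fragment of a datagram, as a reassembler sees it (constructed type)."""
    ident: int        # IP identification field shared by the whole datagram
    offset: int       # fragment offset field, in 8-byte units
    payload_len: int  # payload bytes carried by this fragment
    more: bool        # MF flag: True on every fragment except the last

    @property
    def start(self) -> int:
        return self.offset * FRAG_UNIT

    @property
    def end(self) -> int:
        return self.start + self.payload_len


def build_fragments(ident: int, payload_len: int, mtu: int = 1500) -> List[Fragment]:
    """Split a payload the way a well-behaved sender does: every fragment but
    the last carries a multiple of 8 payload bytes (1480 for a 1500-byte MTU)."""
    per_frag = (mtu - IP_HEADER_LEN) // FRAG_UNIT * FRAG_UNIT
    frags, sent = [], 0
    while sent < payload_len:
        size = min(per_frag, payload_len - sent)
        frags.append(Fragment(ident, sent // FRAG_UNIT, size, sent + size < payload_len))
        sent += size
    return frags


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return findings for one datagram's fragments; an empty list means sane."""
    findings: List[str] = []
    if not frags:
        return findings
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments from different datagrams were mixed together")

    # Ping o' Death: the reassembled datagram would not fit in 65,535 bytes.
    # A 65,510-byte ping payload plus 8 bytes of ICMP header ends at 65,518,
    # which with the IP header gives 65,538, three bytes too many.
    reassembled = IP_HEADER_LEN + max(f.end for f in frags)
    if reassembled > IP_MAX_DATAGRAM:
        findings.append(f"oversized datagram: reassembled length {reassembled} "
                        f"exceeds {IP_MAX_DATAGRAM} (Ping o' Death pattern)")

    # Teardrop: a fragment overlaps bytes an earlier fragment already covered.
    # Legitimate senders never overlap, and a fragment lying entirely inside
    # an earlier one is the classic Teardrop shape that confused reassemblers.
    ordered = sorted(frags, key=lambda f: (f.start, f.end))
    covered_to = ordered[0].end
    for cur in ordered[1:]:
        if cur.start < covered_to:
            kind = "contained" if cur.end <= covered_to else "partial"
            findings.append(f"overlapping fragment [{cur.start},{cur.end}) "
                            f"inside data covered to byte {covered_to} "
                            f"({kind} overlap, Teardrop pattern)")
        covered_to = max(covered_to, cur.end)

    # Malformed shapes a reassembler should also refuse.
    if sum(1 for f in frags if not f.more) > 1:
        findings.append("more than one fragment claims to be the last")
    if any(f.more and f.payload_len % FRAG_UNIT for f in frags):
        findings.append("non-final fragment payload is not a multiple of 8 bytes")
    return findings


# Constructed samples: a normal 3,000-byte datagram, the oversized ping from
# the text, and a Teardrop-style pair whose second fragment sits inside the first.
NORMAL_SAMPLE = build_fragments(ident=101, payload_len=3000)
PING_OF_DEATH_SAMPLE = build_fragments(ident=102, payload_len=65510 + 8)
TEARDROP_SAMPLE = [
    Fragment(ident=242, offset=0, payload_len=40, more=True),   # bytes [0,40)
    Fragment(ident=242, offset=3, payload_len=4, more=False),   # bytes [24,28)
]

if __name__ == "__main__":
    for name, sample in [("normal", NORMAL_SAMPLE),
                         ("ping-of-death", PING_OF_DEATH_SAMPLE),
                         ("teardrop", TEARDROP_SAMPLE)]:
        print(name, check_fragments(sample) or ["ok"])
```

Modern kernels reject both shapes in their reassembly code; the check is useful as a reference for what a packet filter or IDS rule on fragment offsets should look for.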
Read more from the Linux Security Howto: http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/ ---------------------- Linux File & Directory Permissions Mistakes One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com. http://www.linuxsecurity.com/content/view/119415/49/ --- Buffer Overflow Basics A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. http://www.linuxsecurity.com/content/view/119087/49/ --- Review: The Book of Postfix: State-of-the-Art Message Transport I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection. http://www.linuxsecurity.com/content/view/119027/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New gtkdiskfree packages fix insecure temporary file 29th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120472 * Debian: New util-linux packages fix privilege escalation 29th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120473 * Debian: New ClamAV packages fix denial of service 29th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120477 * Debian: New loop-aes-utils packages fix privilege escalation 29th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120478 * Debian: New helix-player packages fix multiple vulnerabilities 29th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120479 * Debian: New backupninja packages fix insecure temporary file 29th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120480 * Debian: New squid packages fix denial of service 30th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120482 * Debian: New squid packages fix denial of service 30th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120483 * Debian: New mysql packages fix arbitrary code execution 30th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120484 * Debian: New ntlmaps packages fix information leak 30th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120485 * Debian: New mysql-dfsg packages fix arbitrary code execution 30th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120490 * Debian: New gopher packages fix several buffer overflows 30th, September, 2005 Updated package.
http://www.linuxsecurity.com/content/view/120492 * Debian: New mysql-dfsg-4.1 packages fix arbitrary code execution 1st, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120494 * Debian: New prozilla packages fix arbitrary code execution 1st, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120495 * Debian: New cfengine packages fix arbitrary file overwriting 1st, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120496 * Debian: New cfengine2 packages fix arbitrary file overwriting 1st, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120497 * Debian: New Mozilla Firefox packages fix denial of service 2nd, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120498 * Debian: New mozilla-firefox packages fix multiple vulnerabilities 2nd, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120500 * Debian: New apachetop packages fix insecure temporary file 4th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120507 * Debian: New drupal packages fix remote command execution 4th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120508 * Debian: New mailutils packages fix arbitrary code execution 4th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120514 * Debian: New egroupware packages fix arbitrary code execution 4th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120515 * Debian: New mysql-dfsg-4.1 package fixes arbitrary code execution 4th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120518 * Debian: New arc packages fix insecure temporary files 5th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120520 * Debian: New mod-auth-shadow packages fix authentication bypass 5th, October, 2005 Updated package.
http://www.linuxsecurity.com/content/view/120521 * Debian: New mason packages fix missing init script 6th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120537 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: AbiWord RTF import stack-based buffer overflow 30th, September, 2005 AbiWord is vulnerable to a stack-based buffer overflow during RTF import, making it vulnerable to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/120486 * Gentoo: Hylafax Insecure temporary file creation in xferfaxstats 30th, September, 2005 Hylafax is vulnerable to linking attacks, potentially allowing a local user to overwrite arbitrary files. http://www.linuxsecurity.com/content/view/120491 * Gentoo: Mozilla Suite, Mozilla Firefox Multiple 30th, September, 2005 This advisory was originally released to fix the heap overflow in IDN headers. However, the official fixed release included several other security fixes as well. http://www.linuxsecurity.com/content/view/120493 * Gentoo: gtkdiskfree Insecure temporary file creation 3rd, October, 2005 gtkdiskfree is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files. http://www.linuxsecurity.com/content/view/120505 * Gentoo: Berkeley MPEG Tools Multiple insecure temporary 3rd, October, 2005 The Berkeley MPEG Tools use temporary files in various insecure ways, potentially allowing a local user to overwrite arbitrary files. http://www.linuxsecurity.com/content/view/120506 * Gentoo: Uim Privilege escalation vulnerability 4th, October, 2005 Under certain conditions, applications linked against Uim suffer from a privilege escalation vulnerability. http://www.linuxsecurity.com/content/view/120517 * Gentoo: Texinfo Insecure temporary file creation 5th, October, 2005 Texinfo is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files. 
http://www.linuxsecurity.com/content/view/120524 +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ * RedHat: Low: slocate security update 5th, October, 2005 An updated slocate package that fixes a denial of service and various bugs is available. This update has been rated as having low security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/120528 * RedHat: Low: vixie-cron security update 5th, October, 2005 An updated vixie-cron package that fixes various bugs and a security issue is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/120529 * RedHat: Low: net-snmp security update 5th, October, 2005 Updated net-snmp packages that fix two security issues and various bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/120530 * RedHat: Updated kernel packages available for Red Hat 5th, October, 2005 Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version. http://www.linuxsecurity.com/content/view/120531 * RedHat: Moderate: openssh security update 5th, October, 2005 Updated openssh packages that fix a security issue, bugs, and add support for recording login user IDs for audit are now available for Red Hat Enterprise Linux 4. http://www.linuxsecurity.com/content/view/120532 * RedHat: Low: binutils security update 5th, October, 2005 An updated binutils package that fixes several bugs and minor security issues is now available. http://www.linuxsecurity.com/content/view/120533 * RedHat: Low: perl security update 5th, October, 2005 Updated Perl packages that fix security issues and contain several bug fixes are now available for Red Hat Enterprise Linux. 
http://www.linuxsecurity.com/content/view/120534 * RedHat: Low: mysql security update 5th, October, 2005 Updated mysql packages that fix a temporary file flaw and a number of bugs are now available http://www.linuxsecurity.com/content/view/120535 * RedHat: Low: gdb security update 5th, October, 2005 An updated gdb package that fixes several bugs and minor security issues is now available. http://www.linuxsecurity.com/content/view/120536 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Mon Oct 10 00:06:05 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 10 00:22:16 2005 Subject: [ISN] The Zombie Hunters: On the trail of cyberextortionists Message-ID: Forwarded from: Brian Reilly http://www.newyorker.com/fact/content/articles/051010fa_fact by EVAN RATLIFF The New Yorker October 10, 2005 One afternoon this spring, a half-dozen young computer engineers sat in the headquarters of Prolexic, an Internet-security company in Hollywood, Florida, puzzling over an attack on one of the company's clients, a penile enhancement business called MensNiche.com. The engineers, gathered in the company's network operations center, or noc, on the fourth floor of a new office building, were monitoring Internet traffic on fifty-inch wall-mounted screens. Anna Claiborne, one of the company's senior network engineers, wandered into the noc in jeans and a T-shirt. The MensNiche attacker had launched an assault on the company's Web site at 4 a.m., and Claiborne had spent the night in the office fending it off. "Hence," she said, "I look like hell today." 
MensNiche's problems had begun a week earlier, with a flood of fake data requests, what is known as a distributed denial-of-service attack, from computers around the world. Although few, if any, of those computers' owners knew it, their machines had been hijacked by hackers; they had become what programmers call "zombies," and had been set loose on MensNiche. The result was akin to what occurs when callers jam the phone lines during a television contest: with so many computers trying to connect, almost none could get through, and the company was losing business. The first wave of the attack was easily filtered by Prolexic's automated system. The assailant then disguised his zombies as legitimate Web users, fooling the filters so well that Claiborne refused to tell me how it was done, for fear that others would adopt the same tactic. She spent the night examining the requests one by one as they scrolled by, interrogating each zombie, trying to find a key to the attacker's strategy. "He's clever, and he's been trying everything," Claiborne said. "If we ever find out who it is, seriously, I'd be willing to buy a plane ticket, fly over, and punch him in the face." Prolexic, which was founded in 2003 by a twenty-seven-year-old college dropout named Barrett Lyon, is a twenty-four-hour, seven-days-a-week operation. An engineer is posted in the noc at all times, to monitor Prolexic's four data hubs, which are in Phoenix, Vancouver, Miami, and London. The hubs contain powerful computers designed to absorb the brunt of data floods and are, essentially, massive holding pens for zombies. Any data travelling to Prolexic's clients pass through this hardware. The company, which had revenues of four million dollars in its first year, now has more than eighty customers. Lyon's main business is protecting his clients from cyberextortionists, who demand payments from companies in return for leaving them alone.
Although Lyon is based in Florida, the attackers he deals with might be in Kazakhstan or China, and they usually don't work alone. "It's an insanely stressful job," Claiborne told me. "You are the middleman between people who are losing thousands or millions of dollars and somebody who really wants to make that person lose thousands or millions of dollars." When the monitors' graphs begin to spike, indicating that an attack is under way, she said, "it's like looking at the ocean and seeing a wall of water three hundred feet high coming toward you." Only a few years ago, online malfeasance was largely the province of either technically adept hackers (or "crackers," as ill-intentioned hackers are known), who were in it for the thrill or for bragging rights, or novices (called "script kiddies"), who unleashed viruses as pranks. But as the Web's reach has expanded real-world criminals have discovered its potential. Mobsters and con men, from Africa to Eastern Europe, have gone online. Increasingly, cyberextortionists are tied to gangs that operate in several countries and hide within a labyrinth of anonymous accounts. "When the attack starts, the ticker starts for that company," Lyon said. "It's a mental game that you've been playing, and if you make a mistake it causes the whole thing to go down. You are terrified." Lyon, as usual, was wearing shorts and flip-flops. He has blond hair and a trim build, with narrow hazel eyes that were framed by dark circles of fatigue. A poster for the 1983 movie "WarGames" (a major influence) hung above his desk, on which were four computer monitors: one for writing program code, one for watching data traffic, one for surfing the Web, and one for chatting with customers. Lyon leaned over and showed me a program that he had created to identify the zombies attacking MensNiche. When he ran it, a list of countries scrolled up the screen: the United States, China, Cambodia, Haiti, even Iraq.
Examining the list of zombie addresses, Lyon picked one and ran a command called a "traceroute." The program followed the zombie's path from MensNiche back to a computer called NOCC.ior.navy.mil, part of the United States Navy's Network Operations Center for the Indian Ocean Region. "Well, that's great," he said, laughing. Lyon's next traceroute found that another zombie was on the Department of Defense's Military Sealift Command network. The network forces of the United States military had been conscripted in an attack on a Web site for penis enlargement. Michael Alculumbre's first communication from the extortionists arrived on a Thursday evening in August, 2004. An e-mail message was sent to him just after 8 p.m. at Protx, an online-payment processing company based in London, where he is the chief executive officer. The subject line read, simply, "Contact us," and the return address, commerce_protection@yahoo.com, offered no clues to the message's origin. The note was cordial and succinct, written in stilted English. "Hello," it began. "We attack your servers for some time. If you want save your business, you should pay 10.000$ bank wire to our bank account. When we receive money, we stop attack immediately. If we will not receive money, we will attack your business 1 month." The note said that ten thousand dollars would buy Protx a year's worth of protection. "Think about how much money you lose, while your servers are down. Thanks John Martino." Alculumbre had never heard of John Martino. He decided to ignore the demand. Two months later, Alculumbre's network technician called him at home. He said that customers were complaining that the system was off-line. By the time Alculumbre arrived at the office, the source of the disruption was clear. Thousands of computers were inundating Protx's Web site with fake data requests.
Many of Protx's legitimate customers received the Internet equivalent of a busy signal: a message saying that the company's servers weren't responding. Every minute that the Web site remained off-line, Protx's business suffered. As the company's engineers struggled to contain the attack, another ten-thousand-dollar e-mail demand arrived, this time signed "Tony Martino." Again, Alculumbre ignored it. He had received a call from an agent of the British National Hi-Tech Crime Unit, which had been monitoring the attack. The agent let him know that paying Martino wasn't an option; the extortionist would only return. Beyond that advice, there wasn't much that the N.H.T.C.U. could do to help. By the time Alculumbre's engineers were able to get the site running, it had been disabled for almost two days. Alculumbre heard from Tony Martino again the following April, when he received a message offering a thousand-dollar-a-month protection-money payment plan. Before he could respond, an army of up to seventy thousand zombies ripped through Protx's defenses and knocked its Web site off-line. This time, it took Protx's engineers three days to fight off the attack. The company now spends roughly five hundred thousand dollars a year to protect itself, fifty times what Martino had asked for. This includes a hundred-thousand-dollar-a-year security contract with Prolexic. Martino, it turned out, had been targeting Lyon's clients for months before he hit Protx. "This is very similar to the pubs and clubs in London forty years ago that used to pay money to not have their premises smashed up," Mick Deats, the deputy head of the N.H.T.C.U., told me. "It's just a straight, old-fashioned protection racket, with a completely new method." The cyberextortionists also make use of an elaborate money-laundering system, Deats said. "They have companies registered all over the place, passing the money through them."
"I started prosecuting network-attack cases in 1992, and back then it was more the sort of lone hackers," said Christopher Painter, the deputy chief of the Computer Crime and Intellectual Property Section at the Department of Justice. Today, he says, "you have organized criminal groups that are adopting technical sophistication." The most potent weapon for Web gangsters is the botnet. A bot, broadly speaking, is a remote-controlled software program that is installed on a computer without the owner's knowledge. Hackers use viruses, worms, or automated programs to scan the Internet in search of potential zombies. One recent study found that a new P.C., attached to the Internet without protective software, will on average be infected in about twenty minutes. In the most common scenario, the bots surreptitiously connect hundreds, or thousands, of zombies to a channel in a chat room. The process is called "herding," and a herd of zombies is called a botnet. The herder then issues orders to the zombies, telling them to send unsolicited e-mail, steal personal information, or launch attacks. Herders also trade, rent, and sell their zombies. "The botnet is the little engine that makes the evil of the Internet work," Chris Morrow, a senior network-security engineer at M.C.I., said. "It makes spam work. It makes identity fraud work. It makes extortion, in this case, work." Less than five years ago, experts considered a several-thousand-zombie botnet extraordinary. Lyon now regularly faces botnets of fifty thousand zombies or more. According to one study, fifteen per cent of new zombies are from China. A British Internet-security firm, Clearswift, recently predicted that "botnets will, unless matters change dramatically, proliferate to the point where much of the Internet . . . comes to resemble a mosaic of botnets." 
Meanwhile, the resources of law enforcement are limited: the N.H.T.C.U., for example, has sixty agents handling everything from child pornography to identity theft. Extortionists often prefer to target online industries, such as pornography and gambling, that occupy a gray area, and may be reluctant to seek help from law enforcement. Such businesses account for most of Prolexic's clients. I asked Lyon how he felt about the companies he defended. "Everybody makes a living somehow," he said. "It's not my job to worry about how they do it." I asked whether that applied to extortionists as well. After a pause, he said, "I guess I'm partial to dot-commers." Several weeks later, he called me to say that he'd reconsidered his answer. "The Internet is all about connecting things, communicating and sharing information, bits, pieces of data," he said. "A denial-of-service attack is the exact opposite of that. It is taking one person's will and imposing it on a bunch of others." In any case, Lyon added, his clients now included mainstream businesses: a Japanese game company, foreign-exchange traders, and a multibillion-dollar corporation that wanted to have additional security in the days before its I.P.O. Lyon first gained a measure of online fame in 2003, with a project called Opte, in which he created a visual map of the entire Internet: its backbone, transfer points, major servers. After reading that a similar project had taken several months to complete, he bet a friend that he could do it in a day, and won. (A gorgeously rendered print of the map, which Lyon licenses free of charge, appeared in a travelling exhibition on the future of design.) Lyon's obsessive interest in computer networks began early. In the third grade at a Sacramento, California, private school for learning-disabled children (Prolexic's name derives from Lyon's pride in overcoming severe dyslexia), he and a friend hacked a simple computer game.
In junior high school, Lyon discovered the Internet, and with a friend, Peter Avalos, he soon founded a company called TheShell.com, which provided accounts to chat-room users. But his grades suffered, and, after high school, he failed a year's worth of classes at California State University at Chico. When a friend he met online, Robert Brown, offered Lyon a job at his computer-security company, Network Presence, he quit school and took it. Brown sent him off to secure the network of a large insurance company in the Midwest. Lyon was nineteen and, he said, "I looked thirteen. So I wore a suit every day, and I worked my ass off for those guys." He burned out after two years ("I didn't know you had to meter yourself") and returned to school, this time at California State University at Sacramento. There, Lyon signed up for philosophy classes, dumped his computers in a closet, and joined the rowing team. But he couldn't get away from computers entirely; he still took assignments from his old employer, and he and Avalos (who graduated from the United States Naval Academy and has recently returned from flying P-3s in Iraq) continued to operate TheShell.com. The company's clients tended to be advanced Internet users, and this had the effect of bringing the site to the attention of hackers. At one point, Lyon was fighting off several zombie attacks a day. In August, 2002, Dana Corbo, the C.E.O. of Don Best Sports, called Network Presence for help. Don Best, which is based in Las Vegas, is a kind of Bloomberg for the gambling world, providing betting lines for both real-world and online casinos. The company had ignored an e-mailed extortion demand for two hundred thousand dollars, and it was under attack. Network Presence sent Lyon. The next day, Lyon and another engineer flew to Las Vegas and helped Don Best's engineers set up powerful new servers. Lyon's strategy worked: the attackers gave up.
Corbo treated them to a night out in Vegas, with dinner in front of the Bellagio fountains. (He also paid Network Presence a fee.) Lyon still wanted to find out who was behind the attacks. He and Brown scanned the traffic data, found a zombie, and, thanks to an opening in Microsoft Windows, were able to see what other computers it had been connected to. This led them to a chat server in Kazakhstan; when they connected to it, they saw more attacks in progress. They notified the F.B.I. and the Secret Service, but, Brown said, "they sort of threw up their arms, because it was in Kazakhstan." To Lyon, however, the lesson was clear: with clever techniques and a little luck, any attacker could be found. In the late spring of 2003, Mickey Richardson, the general manager of Betcris, a Costa Rican-based gambling firm, received an extortion e-mail. (Online bookmaking, which is illegal in the United States, has flourished in Costa Rica and the Caribbean since the mid-nineteen-nineties.) The letter requested five hundred dollars in eGold, an online currency, and was followed by an attack that crippled Betcris's Web site, its main source of revenue. Richardson couldn't afford to have the site disabled. He paid the five hundred dollars. The extortionists began hitting other offshore bookmakers. One firm after another paid up, anywhere from three thousand to thirty-five thousand dollars, which they wired to addresses in Russia and Latvia. Richardson expected that he, too, would be hit again. He heard about Don Best's successful defense and called Lyon. But Lyon was back in school, and reluctant to take the job. Instead, he told Richardson to buy a server that was specially designed to filter out attacks. "The box," as Richardson called it, cost about twenty thousand dollars. Over the phone, Lyon helped Richardson's information-technology manager, Glenn Lebumfacil, configure it. A few months later, Richardson got another e-mail from the extortionists.
It arrived just before Thanksgiving, one of the busiest betting periods of the year, and it asked for forty thousand dollars. The e-mail said: If you choose not to pay for our help, then you will probably not be in business much longer, as you will be under attack each weekend for the next 20 weeks, or until you close your doors. Richardson believed that he had "everything in place to protect the store," and he refused to pay. When the attack came, it took less than twenty minutes to overwhelm the box. The data flood brought down both Betcris and its Internet service provider. After a few days of trying in vain to make the box work, Lebumfacil called Lyon in a panic. "Hey, man, remember that thing you set up for us?" he said. "It just got blown away." Lyon saw a business opportunity. He quit school again and started a company, with Betcris as his first customer. He knew that he couldn't just add capacity to Betcris's system to capture the zombies, as he had with Don Best, because Costa Rica wasn't wired for that sort of system: there wasn't enough capacity in the entire country. So he decided to build his own network in the United States and use it to draw the attackers away from Betcris. The extortionists would think they were attacking a relatively defenseless system in Central America but would find themselves up against Lyon's machines instead. Richardson, meanwhile, was stalling for time with the extortionists, claiming a medical emergency. "I guess you did not take my warning seriously," came the reply. "The excuse that you were in the hospital does not matter to me." The correspondence became increasingly belligerent. "Sorry moron but I am just having so much fun fucking with you," one e-mail said, raising the price to sixty thousand dollars. Richardson responded by offering the extortionists jobs in Betcris's I.T. department. "I appreciate the offer to do work for you, but we are completely booked until the football season is over," one of them replied.
As Lyon brought his system online, the confrontation turned into a chess match. "Every time Barrett would change something, these guys would change something else," Brian Green, the C.E.O. of Digital Solutions, Betcris's Internet service provider, said. "They threw wrenches, they threw everything they could at Betcris." Finally, after three weeks, the attacker gave up. "I bet you feel real stupid that you did not keep your word," he wrote. "I figure by now you have lost 5 times what we asked and by the end of the year your decision will cost you more than 20 times what we asked." Richardson says that those numbers may not have been far off. By then, everyone in the insular gaming world seemed to have heard that Lyon could stop zombie attacks, and he was getting calls from Jamaica, Costa Rica, and Panama. "It was kind of like stumbling into this strange little community in the middle of nowhere, where everybody worships a weird stone," Lyon said. "They all had superstitions about when they were going to be attacked." Lyon decided, once again, to trace the source of the attack. He and Dayton Turner, a goateed twenty-four-year-old engineer he had hired, allowed one of their own machines to become a zombie and watched as it was drawn into the botnet; by early January they had found the chat channel that controlled the zombies. Logging on as "hardcore," Turner pretended to be a bot herder who had been out of the game for a while. "i want to get back into it," he wrote. "i ha[v]e a small group of zombies so far which is why i came back looking." Turner had spent years in chat rooms, and communicated easily in the emoticon-heavy shorthand common to hackers. He gradually ingratiated himself with a Russian who called himself eXe and often logged in from a server that he'd named "exe.is.wanted.by.the.FBI.gov." Other members were not so welcoming; when Turner wrote, "i wanna help," one of them, uhdfed, replied, "we don't need ur HELP," and set his zombies on him. 
But Lyon and Turner kept returning, establishing their technical credibility and becoming a part of the scene. They continued the ruse for weeks, occasionally with an F.B.I. agent on the phone helping to direct the conversation. As bait, Turner described a program he had written that would help eXe to collect zombies, which he promised to give him as soon as he could rewrite it in a different programming language. "It was a matter of simply befriending the guy and making him think that he could trust us," Lyon said. Piece by piece, eXe revealed himself:

hardcore: its pretty cold here right now, what's russia like? hehe
eXe: i'm good
eXe: something hot
eXe: =)
eXe: Russia is like the Russian Vodka=)
hardcore: hehehe
eXe: u give me code?

At one point, during an exchange about the number of computers each had infected, eXe asked Turner how old he was. Turner replied that he was twenty-three, and added, "How about you? :)." eXe told him that he was a twenty-one-year-old Russian student named Ivan. Turner said that his name was Matt and he lived in Canada. Then, trying to provoke a confession, he told Ivan that he made money from extortion: "They always pay because they want their business back and they don't want to admit they have a weakness . . . stupid Americans." Turner then asked Ivan about a specific attack: "I figured it would be you since you have so many bots :P." "Good idea . . . hehe," Ivan replied. Before they signed off, Ivan wrote, "Bye friend." In February, 2004, Lyon and Turner submitted a thirty-six-page report to the F.B.I. and the N.H.T.C.U., outlining their profile of Ivan and their correspondence with his crew. At this point, they were operating as DigiDefense International, which Lyon had founded, hiring Turner and Lebumfacil as his first employees. At the company's temporary headquarters, in an office building in Costa Rica, paranoia about reprisals from Russian mobsters reigned, even though there were armed guards in the lobby.
Meanwhile, Lyon and Turner kept chatting with Ivan. A few weeks later, on a Saturday in March, Ivan slipped up: he logged in to the chat room without disguising his home Internet address. The same day, Turner happened to be online, and decided to look up eXe's registration information. To his astonishment, he found what appeared to be a real name, address, and phone number: Ivan Maksakov, of Saratov, Russia. Lyon dashed off an e-mail to the authorities with the subject line "eXe made a HUGE mistake!" A few months later, the Russian police, accompanied by agents from the N.H.T.C.U., swept into Maksakov's home, where they found him sitting at his computer. In television footage of the arrest, Maksakov looks like a clean-cut kid, with brown hair and a teenager's face. He sits glumly on his bed in shorts and a T-shirt as the police rummage through his room and carry out his equipment. The video shows the officers walking him to the local station and slamming the door shut on his cell. In simultaneous raids in St. Petersburg and Stavropol, the police picked up four other Russians whom the N.H.T.C.U. had traced by setting up a sting at a bank in Riga, Latvia, where a British company that was cooperating with the authorities had been directed to send its payment. "We were waiting for people to come pick the money up," Mick Deats, of the N.H.T.C.U., told me. "But that didn't happen immediately. What did happen was that the bad guys we were watching picked up lots of different payments, not ours. We were seeing them pick up Australian dollars, U.S. dollars, and denominations from all over the world. And we're thinking, Whose money is that?" The N.H.T.C.U. has never explicitly credited Prolexic's engineers with Maksakov's arrest. "The identification of the offenders in this came about through a number of lines of inquiry," Deats said. "Prolexic's was one of them, but not the only one." In retrospect, Lyon said, "The N.H.T.C.U. and the F.B.I. were kind of using us.
The agents aren't allowed to do an Nmap, a port scan," techniques that he and Dayton Turner had used to find Ivan's zombies. "It's not illegal; it's just a little intrusive. And then we had to yank the zombie software off a computer, and the F.B.I. turned a blind eye to that. They kind of said, 'We can't tell you to do that; we can't even suggest it. But if that data were to come to us we wouldn't complain.' We could do things outside of their jurisdiction." He added that although his company still maintained relationships with law-enforcement agencies, they had grown more cautious about accepting help. When the authorities picked up Ivan Maksakov, he was one semester away from graduation at a technical college in Saratov. He spent five months in prison before being released on bail, and now awaits trial. According to the authorities, he was a lower-level operative in the gang, which paid him about two thousand dollars a month for his services. A source close to the investigation told me that Maksakov, who faces fifteen years in jail, is cooperating with the Russian police. One afternoon in Prolexic's offices, I asked Turner if he had felt a sense of justice when Ivan was arrested. "I suppose," he said halfheartedly. "It was a difficult situation for me when I saw his picture, because I kind of felt for the kid. He wasn't necessarily a bad kid." Perhaps, Turner told me, Ivan had "just said, 'Let's see if it works. Hey, it works, and people pay me for it.' " Lyon, too, was one semester from graduation when he dropped out of college to start his company. He was, in his own way, unable to resist the challenge, and he, too, had discovered that people would pay him for what he did. I asked him if he'd ever done anything illegal on the Net. He thought for a minute, and then told me that once, as a teen-ager, he had poked around and discovered a vulnerability at Network Solutions, the company that at the time registered all the Web's addresses.
"I went in and manipulated some domain names," he said. "A month later, I got a call from somebody with a badge," who had traced the intrusion back to Lyon's computer. In the end, Lyon said, the authorities let it go. Those were simpler times. "I was scared shitless, but I learned my lesson," he said. "If something like that happened now, I can't imagine what would happen to me." From isn at c4i.org Mon Oct 10 00:06:24 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 10 00:22:38 2005 Subject: [ISN] Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers Message-ID: Forwarded from: security curmudgeon ---------- Forwarded message ---------- From: David Litchfield To: bugtraq@securityfocus.com, ntbugtraq@listserv.ntbugtraq.com Date: Thu, 6 Jan 2005 16:01:26 -0000 Subject: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers Dear security community and Oracle users, Many of my customers run Oracle. Much of the U.K. Critical National Infrastructure relies on Oracle; indeed this is true for many other countries as well. I know that there's a lot of private information about me stored in Oracle databases out there. I have good reason, like most of us, to be concerned about Oracle security; I want Oracle to be secure because, in a very real way, it helps maintain my own personal security. As such, I am writing this open letter Extract from interview between Mary Ann Davidson and IDG http://www.infoworld.com/article/05/05/24/HNoraclesecurityhed_1.html IDGNS: "What other advice do you have for customers on security?" Davidson: "Push your vendor to tell you how they build their software and ask them if they train people on secure coding practices. " Now some context has been put in place I can continue. 
On the 31st of August 2004, Oracle released a security update (Alert 68 [ http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf ]) to address a large number of major security flaws in their database server product. The patches had been a long time in coming [ http://www.eweek.com/article2/0,1759,1637213,00.asp ] and we fully expected that these patches would actually fix the problems but, unfortunately, this is not the case. To date, these flaws are still not fixed and are still fully exploitable. I reported this to Oracle a long time ago. The real problem with this is not that the flaws Alert 68 supposedly fixed are still exploitable, but rather the approach Oracle took in attempting to fix these issues. One would expect that, given the length of time they took to deliver, these security "fixes" would be well considered and robust; fixes that actually resolve the security holes. The truth of the matter though is that this is not the case. Some of Oracle's "fixes" simply attempt to stop the example exploits I sent them for reproduction purposes. In other words the actual flaw was not addressed and with a slight modification to the exploit it works again. This shows a slapdash approach with no real consideration for fixing the actual problem itself. As an example of this, Alert 68 attempts to fix some security holes in some triggers; the flaws could allow a low privileged user to gain SYS privileges - in other words gain full control of the database server. The example exploit I sent to Oracle contained a space in it. Oracle's fix was to ignore the user's request if the input had a space. What Oracle somehow failed to see or grasp was that no space is needed in the exploit. This fix suggests no more than a few minutes of thought was given to the matter. Why did it take 8 months for this? Further, how on earth did this get through QA? More, why are we still waiting for a proper fix for this?
Here is another class of thoughtless "fix" implemented by Oracle in Alert 68. Some Oracle PL/SQL procedures take an arbitrary SQL statement as a parameter which is then executed. This can present a security risk. Rather than securing these procedures properly Oracle chose a security through obscurity mechanism. To be able to send the SQL query and have it executed one needs to know a passphrase. This passphrase is hardcoded in the procedure and can be extracted with ease. So all an attacker needs to do now is send the passphrase and their arbitrary SQL will still be executed. In other cases Oracle have simply dropped the old procedures and added new ones - with the same vulnerable code!

I ask again, why does it take two years to write fixes like this? Perhaps the fixes take this long because Oracle pore through their code looking for similar flaws? Does the evidence bear this out? No - it doesn't. In those cases where a flaw was fixed properly, we find the same flaw a few lines further down in the code. The DRILOAD package "fixed" in Alert 68 is an example of this; and this is not an isolated case. This is systemic. Code for objects in the SYS, MDSYS, CTXSYS and WKSYS schemas all have flaws within close range of "fixed" problems. These should have been spotted and fixed at the time.

I reported these broken fixes to Oracle in February 2005. It is now October 2005 and there is still no word of when the "real" fixes are going to be delivered. In all of this time Oracle database servers have been easy to crack - a fact Oracle are surely aware of.

What about the patches since Alert 68 - the quarterly Critical Patch Updates? Unfortunately it is the same story. Bugs that should have been spotted left in the code, brand new bugs being introduced and old ones reappearing. This is simply NOT GOOD ENOUGH. As I stated at the beginning of this letter, I'm concerned about Oracle security because it impinges upon me and my own personal security.
What is apparent is that Oracle has no decent bug discovery/fix/response process; no QA, no understanding of the threats; no proactive program of finding and fixing flaws. Is anyone in control over at Oracle HQ?

A good CSO needs to be more than just a mouthpiece. They need to be able to deliver and execute an effective security strategy that actually deals with problems rather than sweeping them under the carpet or wasting time by blaming others for their own failings. Oracle's CSO has had five years to make improvements to the security of their products and their security response but in this time I have seen none. It is my belief that the CSO has categorically failed. Oracle security has stagnated under her leadership and it's time for change.

I urge Oracle customers to get on the phone, send an email, demand a better security response; demand to see an improvement in quality. It's important that Oracle get it right. Our national security depends on it; our companies depend on it; and we all, as individuals, depend on it.
Cheers,
David Litchfield

From isn at c4i.org Mon Oct 10 00:08:14 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:23:03 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-40
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-09-29 - 2005-10-06

This week : 67 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

During the last week, 3 antivirus vendors, Symantec, Kaspersky, and Bitdefender, suffered vulnerabilities, which potentially can be exploited by malicious people to gain system access on a vulnerable system.

Additional details can be found in the referenced Secunia advisories below.
References:
http://secunia.com/SA17049
http://secunia.com/SA17024
http://secunia.com/SA16991

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA16942] Microsoft Internet Explorer "XMLHTTP" HTTP Request Injection
2. [SA16901] Thunderbird Command Line URL Shell Command Injection
3. [SA16869] Firefox Command Line URL Shell Command Injection
4. [SA14789] Gentoo update for limewire
5. [SA16911] Firefox Multiple Vulnerabilities
6. [SA16766] Netscape IDN URL Domain Name Buffer Overflow
7. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
8. [SA14896] Microsoft Jet Database Engine Database File Parsing Vulnerability
9. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
10. [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA17024] Kaspersky Anti-Virus CAB Archive Handling Buffer Overflow
[SA17010] MailEnable W3C Logging Buffer Overflow Vulnerability
[SA17046] IceWarp Web Mail Multiple Vulnerabilities
[SA17032] Citrix Metaframe Presentation Server Policy Filtering Bypass
[SA17049] Symantec AntiVirus Scan Engine Administrative Interface Buffer Overflow

UNIX/Linux:
[SA17042] Fedora update for thunderbird
[SA17066] Debian update for egroupware
[SA17057] HP-UX Mozilla Multiple Vulnerabilities
[SA17053] Debian update for drupal
[SA17027] SUSE Updates for Multiple Packages
[SA17026] Debian update for mozilla-firefox
[SA17014] SUSE update for mozilla/MozillaFirefox
[SA17065] IBM Tivoli Monitoring Web Health Console HTTP Server Vulnerabilities
[SA17062] UW-imapd Mailbox Name Parsing Buffer Overflow Vulnerability
[SA17059] Ubuntu update for dia-common
[SA17054] CVS zlib Vulnerabilities
[SA17052] Fedora update for abiword
[SA17050] Ubuntu update for squid
[SA17047] Dia SVG File Import Arbitrary Code Execution Vulnerability
[SA17035] Debian update for prozilla
[SA17034] Virtools Web Player Buffer Overflow and Directory Traversal Vulnerabilities
[SA17021] ProZilla "ftpsearch" Buffer Overflow Vulnerability
[SA17020] Debian update for mailutils
[SA17016] Debian update for gopher
[SA17015] Debian update for squid
[SA17012] Gentoo update for abiword
[SA17039] OpenView Event Correlation Services Unspecified Privileged Access Vulnerability
[SA17077] Red Hat update for openssh
[SA17073] Red Hat update for kernel
[SA17069] Avaya Products "ls" Denial of Service Vulnerabilities
[SA17067] Debian update for mod-auth-shadow
[SA17060] Apache mod_auth_shadow Module "require group" Incorrect Authentication
[SA17030] Bugzilla Two Information Disclosure Security Issues
[SA17029] AIX tcpdump BGP Denial of Service Vulnerability
[SA17003] 4D WebSTAR IMAP Access Potential Denial of Service
[SA17028] Weex "log_flush()" Format String Vulnerability
[SA17007] Ubuntu update for net-snmp
[SA17080] Red Hat update for mysql
[SA17079] Red Hat update for perl
[SA17072] Red Hat update for gdb
[SA17070] Gentoo update for texinfo
[SA17068] Debian update for arc
[SA17063] Avaya Products cpio Insecure File Creation Vulnerability
[SA17058] Gentoo update for uim
[SA17056] Gentoo update for gtkdiskfree
[SA17051] Gentoo update for mpeg-tools
[SA17044] Sun Java Desktop System XFree86 Pixmap Creation Integer Overflow
[SA17043] uim Environment Variable Privilege Escalation Vulnerability
[SA17040] Debian update for cfengine2
[SA17038] Debian update for cfengine
[SA17037] Cfengine Insecure Temporary File Creation Vulnerabilities
[SA17025] storeBackup Insecure Temporary File Creation and Insecure Backup Root Permissions
[SA17022] Gentoo update for hylafax
[SA17018] Debian update for backupninja
[SA17017] Debian update for ntlmaps
[SA17009] Macromedia Breeze Password Reset Security Issue
[SA17008] Berkeley MPEG Tools Multiple Insecure Temporary File Creation
[SA17005] Debian update for gtkdiskfree
[SA17045] Trustix update for unzip
[SA17023] GNOME libzvt "gnome-pty-helper" Hostname Spoofing
[SA17006] Ubuntu update for unzip
[SA17004] Debian update for util-linux

Other:
[SA17033] NetFORCE NAS Information Disclosure Security Issue

Cross Platform:
[SA17048] PHP-Fusion "album" and "photo" SQL Injection Vulnerabilities
[SA17019] Hitachi Cosminexus Request Body Disclosure of Personal Information
[SA17013] Blender Command Line Buffer Overflow Vulnerability
[SA17011] Serendipity Cross-Site Request Forgery Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA17024] Kaspersky Anti-Virus CAB Archive Handling Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-10-04

Alex Wheeler has reported a vulnerability in Kaspersky Anti-Virus, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17024/

--

[SA17010] MailEnable W3C Logging Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-10-04

A vulnerability has been reported in MailEnable, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17010/

--

[SA17046] IceWarp Web Mail Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information
Released:    2005-10-03

ShineShadow has discovered some vulnerabilities in IceWarp Web Mail, which can be exploited by malicious people to conduct cross-site scripting attacks, delete arbitrary files, and disclose system and sensitive information.
Full Advisory:
http://secunia.com/advisories/17046/

--

[SA17032] Citrix Metaframe Presentation Server Policy Filtering Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-10-03

Gustavo Gurmandi has reported a vulnerability in Citrix MetaFrame Presentation Server, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17032/

--

[SA17049] Symantec AntiVirus Scan Engine Administrative Interface Buffer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2005-10-05

A vulnerability has been reported in Symantec AntiVirus Scan Engine, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17049/

UNIX/Linux:
--

[SA17042] Fedora update for thunderbird

Critical:    Extremely critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-10-03

Fedora has issued an update for thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17042/

--

[SA17066] Debian update for egroupware

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-10-05

Debian has issued an update for egroupware. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17066/

--

[SA17057] HP-UX Mozilla Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, DoS, System access
Released:    2005-10-05

HP has acknowledged multiple vulnerabilities in Mozilla for HP-UX, which can be exploited by malicious people to bypass certain security restrictions, conduct spoofing and cross-site scripting attacks, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17057/

--

[SA17053] Debian update for drupal

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-10-04

Debian has issued an update for drupal. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17053/

--

[SA17027] SUSE Updates for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information, Privilege escalation, DoS, System access
Released:    2005-09-30

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which potentially can be exploited by malicious, local users to gain access to sensitive information or perform certain actions on a vulnerable system with escalated privileges, or by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17027/

--

[SA17026] Debian update for mozilla-firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-10-03

Debian has issued an update for mozilla-firefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17026/

--

[SA17014] SUSE update for mozilla/MozillaFirefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-30

SUSE has issued updates for mozilla and MozillaFirefox. These fix some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17014/

--

[SA17065] IBM Tivoli Monitoring Web Health Console HTTP Server Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-10-05

IBM has acknowledged some vulnerabilities in IBM Tivoli Monitoring, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17065/

--

[SA17062] UW-imapd Mailbox Name Parsing Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-10-05

infamous41md has reported a vulnerability in UW-imapd, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17062/

--

[SA17059] Ubuntu update for dia-common

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-04

Ubuntu has issued an update for dia-common. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17059/

--

[SA17054] CVS zlib Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-10-04

Two vulnerabilities have been reported in CVS, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17054/

--

[SA17052] Fedora update for abiword

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-03

Fedora has issued an update for abiword. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17052/

--

[SA17050] Ubuntu update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-10-03

Ubuntu has issued an update for squid. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17050/

--

[SA17047] Dia SVG File Import Arbitrary Code Execution Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-03

Joxean Koret has reported a vulnerability in Dia, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17047/

--

[SA17035] Debian update for prozilla

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-03

Debian has issued an update for prozilla. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17035/

--

[SA17034] Virtools Web Player Buffer Overflow and Directory Traversal Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2005-10-03

Luigi Auriemma has reported two vulnerabilities in Virtools Web Player, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17034/

--

[SA17021] ProZilla "ftpsearch" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-03

Tavis Ormandy has reported a vulnerability in ProZilla, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17021/

--

[SA17020] Debian update for mailutils

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-05

Debian has issued an update for mailutils. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17020/

--

[SA17016] Debian update for gopher

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-30

Debian has issued an update for gopher. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17016/

--

[SA17015] Debian update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-09-30

Debian has issued an update for squid. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17015/

--

[SA17012] Gentoo update for abiword

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-30

Gentoo has issued an update for abiword. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17012/

--

[SA17039] OpenView Event Correlation Services Unspecified Privileged Access Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-10-05

A vulnerability has been reported in OpenView Event Correlation Services, which can be exploited by malicious people to gain access with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17039/

--

[SA17077] Red Hat update for openssh

Critical:    Less critical
Where:       From remote
Impact:      Privilege escalation
Released:    2005-10-05

Red Hat has issued an update for openssh. This fixes a security issue, which can be exploited by malicious users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17077/

--

[SA17073] Red Hat update for kernel

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information, Privilege escalation, DoS
Released:    2005-10-05

Red Hat has issued an update for the kernel. This fixes some vulnerabilities which can be exploited by malicious, local users to disclose certain sensitive information, cause a DoS (Denial of Service) and gain escalated privileges, or by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/17073/

--

[SA17069] Avaya Products "ls" Denial of Service Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-10-05

Avaya has acknowledged some vulnerabilities in the "ls" program included in some products, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17069/

--

[SA17067] Debian update for mod-auth-shadow

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-10-05

Debian has issued an update for mod-auth-shadow. This fixes a security issue, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/17067/

--

[SA17060] Apache mod_auth_shadow Module "require group" Incorrect Authentication

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-10-05

David Herselman has reported a security issue in the mod_auth_shadow module for Apache, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17060/

--

[SA17030] Bugzilla Two Information Disclosure Security Issues

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2005-10-03

Two security issues have been reported in Bugzilla, which can be exploited by malicious people to disclose system and potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/17030/

--

[SA17029] AIX tcpdump BGP Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-10-03

A vulnerability has been reported in AIX, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17029/

--

[SA17003] 4D WebSTAR IMAP Access Potential Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-09-30

A vulnerability has been reported in 4D WebSTAR, which potentially can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17003/

--

[SA17028] Weex "log_flush()" Format String Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS, System access
Released:    2005-10-03

Emanuel Haupt has reported a vulnerability in Weex, which potentially can be exploited by malicious users to cause a DoS (Denial of Service) or to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17028/

--

[SA17007] Ubuntu update for net-snmp

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-09-30

Ubuntu has issued an update for net-snmp. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17007/

--

[SA17080] Red Hat update for mysql

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-05

Red Hat has issued an update for mysql. This fixes a vulnerability, which can be exploited by malicious, local users to conduct various actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17080/

--

[SA17079] Red Hat update for perl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-05

Red Hat has issued an update for perl. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17079/

--

[SA17072] Red Hat update for gdb

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-05

Red Hat has issued an update for gdb. This fixes two vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17072/

--

[SA17070] Gentoo update for texinfo

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-05

Gentoo has issued an update for texinfo. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/17070/

--

[SA17068] Debian update for arc

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Privilege escalation
Released:    2005-10-05

Debian has issued an update for arc. This fixes a security issue and a vulnerability, which can be exploited by malicious, local users to gain access to sensitive information and perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17068/

--

[SA17063] Avaya Products cpio Insecure File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2005-10-05

Avaya has acknowledged a vulnerability in cpio included in some products, which can be exploited by malicious, local users to disclose and manipulate information.

Full Advisory:
http://secunia.com/advisories/17063/

--

[SA17058] Gentoo update for uim

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-05

Gentoo has issued an update for uim. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17058/

--

[SA17056] Gentoo update for gtkdiskfree

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-04

Gentoo has issued an update for gtkdiskfree. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17056/

--

[SA17051] Gentoo update for mpeg-tools

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-04

Gentoo has issued an update for mpeg-tools. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/17051/

--

[SA17044] Sun Java Desktop System XFree86 Pixmap Creation Integer Overflow

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-04

Sun Microsystems has acknowledged a vulnerability in Sun JDS (Java Desktop System), which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17044/

--

[SA17043] uim Environment Variable Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-04

Masanari Yamamoto has reported a vulnerability in uim, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17043/

--

[SA17040] Debian update for cfengine2

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-03

Debian has issued an update for cfengine2. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17040/

--

[SA17038] Debian update for cfengine

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-03

Debian has issued an update for cfengine. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17038/

--

[SA17037] Cfengine Insecure Temporary File Creation Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-03

Javier Fernandez-Sanguino Pena has reported some vulnerabilities in Cfengine, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/17037/

--

[SA17025] storeBackup Insecure Temporary File Creation and Insecure Backup Root Permissions

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Privilege escalation
Released:    2005-09-30

A vulnerability and a security issue have been reported in storeBackup, which potentially can be exploited by malicious, local users to gain access to sensitive information or perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17025/

--

[SA17022] Gentoo update for hylafax

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-30

Gentoo has issued an update for hylafax. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17022/

--

[SA17018] Debian update for backupninja

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-30

Debian has issued an update for backupninja. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17018/

--

[SA17017] Debian update for ntlmaps

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-09-30

Debian has issued an update for ntlmaps. This fixes a security issue, which can be exploited by malicious, local users to disclose certain sensitive information.
Full Advisory:
http://secunia.com/advisories/17017/

--

[SA17009] Macromedia Breeze Password Reset Security Issue

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-09-30

A security issue has been reported in Macromedia Breeze, which can be exploited by malicious, local users to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/17009/

--

[SA17008] Berkeley MPEG Tools Multiple Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-04

Mike Frysinger has reported some vulnerabilities in Berkeley MPEG Tools, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17008/

--

[SA17005] Debian update for gtkdiskfree

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-29

Debian has issued an update for gtkdiskfree. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17005/

--

[SA17045] Trustix update for unzip

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-03

Trustix has issued an update for unzip. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17045/

--

[SA17023] GNOME libzvt "gnome-pty-helper" Hostname Spoofing

Critical:    Not critical
Where:       Local system
Impact:      Spoofing
Released:    2005-10-03

Paul Szabo has reported a security issue in GNOME libzvt, which can be exploited by malicious, local users to spoof the hostname that is recorded into "utmp".
Full Advisory: http://secunia.com/advisories/17023/

--
[SA17006] Ubuntu update for unzip

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-30

Ubuntu has issued an update for unzip. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/17006/

--
[SA17004] Debian update for util-linux

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-29

Debian has issued an update for util-linux. This fixes a security issue, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/17004/


Other:
--
[SA17033] NetFORCE NAS Information Disclosure Security Issue

Critical:    Not critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-10-03

bambenek has reported a security issue in NetFORCE NAS (Network Attached Storage), which potentially can be exploited by malicious people to gain knowledge of certain sensitive information.

Full Advisory: http://secunia.com/advisories/17033/


Cross Platform:
--
[SA17048] PHP-Fusion "album" and "photo" SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-10-04

Critical Security has discovered two vulnerabilities in PHP-Fusion, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17048/

--
[SA17019] Hitachi Cosminexus Request Body Disclosure of Personal Information

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-10-03

A vulnerability has been reported in Hitachi Cosminexus, which potentially can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/17019/

--
[SA17013] Blender Command Line Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-30

Qnix has reported a vulnerability in Blender, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17013/

--
[SA17011] Serendipity Cross-Site Request Forgery Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Hijacking
Released:    2005-09-30

Nenad Jovanovic has reported a vulnerability in Serendipity, which can be exploited by malicious people to conduct cross-site request forgery attacks.

Full Advisory: http://secunia.com/advisories/17011/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45


From isn at c4i.org Mon Oct 10 00:08:27 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:23:31 2005
Subject: [ISN] Banks step up security plans
Message-ID:

http://www.vnunet.com/computing/news/2143320/banks-step-security-plans

James Watson
Computing
06 Oct 2005

SEVERAL UK high-street banks are expected to announce plans to authenticate online transactions with some form of physical security device before the end of the year.

But any such move will come in advance of publication of an industry standard, which banking industry body Apacs had planned to release in May, and has now pushed back to the end of the year.
Lloyds TSB will this month start trials of a "revolutionary new line of defence in the fight against online fraud", with customers testing a new way to log on to internet banking.

In May HSBC started a one-year rollout of security devices for its 870,000 Hong Kong customers, which industry sources regard as a prelude to rollouts in other countries. And earlier this year Barclaycard completed a six-month trial of a security device (Computing, 17 March).

Any progress with so-called two-factor authentication from individual banks will not necessarily be based on the industry-wide standard. But Martha Bennett, research director at Forrester Research, says the industry realises that security needs to be tightened, and some banks feel they cannot afford to wait for the standard to arrive.

"Many of the banks are working on a two-track strategy: what's happening with Apacs, and what they can do immediately," she said.

Bennett says several banks were set to launch products earlier this year, but stopped when Apacs started work on a standard. "Now they're realising that the risk is growing, and action needs to be taken," she said.

Apacs says if its standard does not make the first phase of a particular bank's project, it is confident it will be included in the second phase. "The aim is not just to secure online banking, but also about securing other online transactions," said a spokeswoman.

But not all banks are willing to go ahead without a standard: Barclaycard will wait to ensure interoperability between banks. "We're looking at how to use it in the real world, in a number of banking applications," said a spokesman for the bank.

Some 600,000 of the UK's 15 million internet banking users have stopped banking online because of security fears, says Forrester.
From isn at c4i.org Mon Oct 10 00:08:39 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:23:51 2005
Subject: [ISN] Tsunami hacker convicted
Message-ID:

http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/

By John Oates
6th October 2005

Daniel James Cuthbert was convicted today of breaking Section 1 of the Computer Misuse Act of 1990 by hacking into a tsunami appeal website last New Year's Eve.

District Judge Mr Quentin Purdy said: "For whatever reason Mr Cuthbert intended to secure access, in an unauthorised way, to that computer...it is with some considerable regret...I find the case proved against Mr Cuthbert."

He was fined £400 for the offence and must pay a further £600 in costs.

Cuthbert, 28, of Whitechapel, London, told Horseferry Road Magistrates Court yesterday that he had made a donation on the site, but when he received no final thank-you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check its security.

This action set off an Intruder Detection System in a BT server room and the telco contacted the police.

The prosecution made an application for costs but declined to seize Cuthbert's Apple notebook on which the offences were committed. They made no further claim for compensation.

The defence asked for some sort of discharge because the case came close to "strict liability" - it was his responsibility but not his "fault".

Mr Harding, for the defence, said: "His reasoning was not reprehensible. He was convicted because of the widely-drafted legislation that could catch so many."

Mr Purdy, speaking to Cuthbert in the dock, said: "I appreciate the consequences of this conviction for you are considerably graver than any I can impose. But you crossed an inappropriate line, time and expense was expended and anxiety caused. That aside, the price may be a heavy one for you to pay."
Cuthbert lost his job as security consultant at ABN Amro as a result of his arrest and has only recently been able to find work.

DC Robert Burls of the Met's Computer Crime Unit said afterwards: "We welcome today's verdict in a case which fully tested the computer crime legislation and hope it sends a reassuring message to the general public that in this particular case the appropriate security measures were in place thus enabling donations to be made securely to the Tsunami Appeal via the DEC website."

Peter Sommer, who was an expert witness for the defence, said he thought the judge had a good understanding of the issues involved but "took a very strict view of the wording of the legislation."

Sommer added that he thought the policing of minor offences should "not involve taking people to court but rather talking, warning and slapping wrists."

Asked if he thought the verdict would make it harder for the police to get help and cooperation from security professionals Sommer said: "It will certainly make them more wary."

Speaking after the verdict an upset Daniel Cuthbert told the Reg: "They've now set the bar so high that there should be thousands of convictions for people doing things like these. There will be lot of anger from security professionals and the police will find it harder to get help in future."

Cuthbert is considering a career outside the IT industry.

For the full text of Section 1 of the Act click here [1].

[1] http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_2.htm#mdiv1


From isn at c4i.org Mon Oct 10 00:08:50 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:24:15 2005
Subject: [ISN] Sun to pull plug on Trusted Solaris
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37225-1.html

By Joab Jackson
GCN Staff
10/06/05

Sun Microsystems Inc. plans to phase out its Trusted Solaris secure operating system and replace it with security extension software that can be used with its Open Solaris operating system, said Mark Thacker, product line manager of Solaris security.

Open Solaris and the Solaris Trusted Extensions software will provide the full functionality of Trusted Solaris, according to Thacker. "This product will simply layer on top of Solaris 10. It will run on top of any piece of hardware that Solaris 10 runs on," Thacker said. Trusted Extensions should be available by mid-2006.

Long used by agencies with classified and sensitive data networks, the current version of Trusted Solaris, version 8, has been certified to Common Criteria Level 4+ Evaluation Assurance for three different protection profiles. Recently, Sun submitted its Solaris 10 operating system for Common Criteria Evaluation for two of those profiles. The Solaris Trusted Extensions will cover the third profile and will also undergo Common Criteria evaluation starting later this year, Thacker said.

The reason behind the rearrangement is to consolidate the code base for Solaris, according to Thacker. Trusted Solaris has a different operating system kernel than the more widely used Solaris 10, though the two are similar. When Sun upgraded Solaris to version 10, it incorporated about 85 percent of the security features in Trusted Solaris.

"We took some of the concepts in Trusted Solaris, like process rights management, user rights profiles, [and] process containments and built them into Solaris," Thacker said.

The major missing component was a feature called labeled security, which applies a tag identifying the appropriate security level to each data file. Although this feature is not widely used, it is valued by intelligence agencies, Thacker said. It has a set of labels that map directly to sensitivity levels from agencies such as the National Security Agency and the Central Intelligence Agency.

The labels allow the operating system to handle the data with appropriate controls. "Because of that classification and their relationships with one another, I can express how data can flow up and down the chain of command," Thacker said.

The feature allows computers to handle data from networks with differing security levels. It eliminates the need to keep multiple computers, each for a different security level, for each user's desk. Trusted Extensions will include this labeled security feature. Government users who would have purchased Trusted Solaris will instead purchase Solaris 10 and the Solaris Trusted Extensions software.

The National Information Assurance Partnership's Common Criteria Evaluation and Validation Scheme is a collection of Protection Profiles and Evaluation Assurance Levels. A Protection Profile is a list of specifications of what a system should do in a given area. Solaris 10 is currently being evaluated against the Controlled Access Protection Profile and the Role Based Access Control Protection Profile, at Evaluation Assurance Level 4+. CGI Information Systems and Management Consultants Inc. of Ottawa will conduct the evaluations.

Last week, Red Hat Inc. of Raleigh, N.C., announced its Red Hat Enterprise Linux was undergoing Evaluation Assurance Level 4 evaluation for IBM servers. That evaluation will include the Labeled Security Protection Profile, the Controlled Access Protection Profile and Role-Based Access Control Protection Profile.

The combination of Solaris 10 and the Trusted Extensions will be available for all the platforms that Sun supports, including its own SPARC line of processors and x86 line of AMD and Intel processors as well, Thacker said.
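The rule Thacker describes, that labels let the system decide which direction data may flow, can be made concrete with a small model. The following is an added example written for this page, not Sun's Trusted Extensions code: the classification names, the compartment names (PROJ-A, PROJ-B) and the subjects and files are all constructed. A label is a classification level plus a set of compartments, and label A "dominates" label B when A's level is at least B's and A's compartments include all of B's; reads are allowed only downward (the reader's clearance dominates the file) and writes only upward (the file's label dominates the writer), which is what keeps high-labelled data from leaking into low-labelled files.

```python
"""Simplified model of label-based information flow control.

Added example for this page, not Sun's code: level names, compartments
and the subjects/files below are constructed. A label is a
classification level plus a set of compartments; label A dominates B
when A's level is >= B's and A's compartments are a superset of B's.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed ordering of classification levels, lowest to highest.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if data labelled `other` may flow into something labelled `self`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    # "No read up": the reader's clearance must dominate the file's label.
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    # "No write down": the file's label must dominate the writer's label,
    # otherwise a high-labelled process could copy data into a low-labelled file.
    return obj.dominates(subject)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both inputs.

    This is the label a derived file must carry when a process combines
    data from two sources, e.g. a report built from files labelled a and b.
    """
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def check_flows(subject: Label, objects: Dict[str, Label]) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (may_read, may_write)} for one subject against named files."""
    return {name: (can_read(subject, lbl), can_write(subject, lbl))
            for name, lbl in objects.items()}


if __name__ == "__main__":
    # Constructed scenario: an analyst cleared for CONFIDENTIAL, compartment PROJ-A.
    analyst = Label("CONFIDENTIAL", frozenset({"PROJ-A"}))
    files = {
        "public-notice": Label("PUBLIC"),
        "proj-a-plan": Label("CONFIDENTIAL", frozenset({"PROJ-A"})),
        "proj-b-plan": Label("CONFIDENTIAL", frozenset({"PROJ-B"})),
        "secret-summary": Label("SECRET", frozenset({"PROJ-A"})),
    }
    for name, (r, w) in check_flows(analyst, files).items():
        print(f"{name:15} read={r!s:5} write={w}")
    # A file combining PROJ-A and PROJ-B material must carry both compartments.
    print("derived label:", lub(files["proj-a-plan"], files["proj-b-plan"]))
```

Two decisions in the output are worth noticing: the analyst can neither read nor write the PROJ-B plan, because labels with different compartments are incomparable, and can write (but not read) the SECRET file, since writing upward leaks nothing. Trusted systems apply the same comparison to network interfaces, which is what lets one workstation carry traffic from networks at different levels.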
From isn at c4i.org Mon Oct 10 00:09:03 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:24:27 2005
Subject: [ISN] Sourcefire Sold to Israeli Company
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/10/06/AR2005100601857.html

By Ellen McCarthy
Washington Post Staff Writer
October 7, 2005

Sourcefire Inc., a Columbia software firm that began as a pet project of computer-coding hobbyists, is being bought by Israeli security giant Check Point Software Technologies Ltd. for $225 million, marking one of the area's most prominent recent start-up successes and a victory for the open-source software movement.

Check Point, which sells firewall software to nearly 80,000 customers worldwide, will pay cash.

Sourcefire's roots go back to 1998, when software programmer Martin Roesch sat in his Carroll County apartment and wrote a few lines of code he thought might help detect a computer virus or hacking attempt. Over the years, Roesch's online friends and fans added to the code -- which he has kept out in the open on the Internet for all to see -- to create an advanced network security system that has been downloaded by more than 2 million people.

"This was a little weekend and rainy day project that kind of ran amok," said Roesch, 35, who will work for Check Point after the acquisition. "It's incredible."

The technology, called Snort, has developed a following of loyalists who watch for new versions and spend hours discussing how to advance the software. Like most intrusion detection systems, Snort patrols computer networks looking for worms, viruses and other potential threats, and alerts security personnel when it finds one.

The basic version of Snort remains free, but Sourcefire has attracted about 800 paying customers by packaging it into a more user-friendly product that includes reporting capabilities, analysis technology and customer support features.
Sourcefire executives compare the arrangement to giving away an engine, but offering a whole car for sale.

That and similar methods of marketing around open source software are changing the dynamics of an industry that traditionally guarded its trade secrets closely, lowering prices and increasing competition in a way that has forced even technology giants like Microsoft to pay attention.

"It is probably the biggest movement and impact on software since what happened with the Internet in the 1990s," said Gary Hein, a senior analyst at the Burton Group who has studied the open-source movement.

Companies such as International Business Machines Corp., Apple Computer Inc. and Hewlett-Packard Co. have developed strategies to adopt open-source technologies. Microsoft Corp., long seen as the chief rival of the open source community, has established a lab at its Redmond, Wash., headquarters to study Linux, the most widely used open-source operating system.

By 2008 the impact of open-source technologies -- including sales of open-source-based products and money lost by traditional vendors -- will exceed $5 billion, according to Gartner Inc., and analysts say that is just the beginning.

Roesch turned Snort from a hobby into a company in 2001. At the time, he recalled, he had "heard of business models, but never seen one." With $100,000 in angel funding, Sourcefire began selling a more polished version of Snort that came with service guarantees and help with installation.

After Sourcefire landed some major clients it was able to raise $33.65 million in three rounds of venture funding. Its investors include Greylock Partners of San Mateo, Calif.; Sierra Ventures of Menlo Park, Calif.; and New Enterprise Associates of Baltimore.

Wayne Jackson, a seasoned technology entrepreneur, joined Sourcefire in 2002 to steer the company toward fast growth. "When I first heard it I thought it was a crazy idea," said Jackson, the chief executive.
"The notion of taking something that was otherwise free and commercializing it wasn't intuitive."

Licenses for Sourcefire's products, some of which have been developed on a proprietary basis, start around $4,000 and go as high as $120,000, depending on the complexity of the product.

Check Point's chief executive, Gil Shwed, said Sourcefire's technology will eventually be embedded in all its products. The Israeli firm's firewall systems work to block the same attacks that Sourcefire's software detects.

The market for computer security systems has boomed in recent years. But analysts caution that the market for firewalls is now largely saturated, forcing Check Point to branch into new lines of business. In 2004, Check Point earned $248.4 million, up only slightly from the $243.9 million profit it recorded the previous year.

"The firewall market isn't going anywhere," said William R. Becklean, an analyst with Oppenheimer & Co. The Sourcefire purchase is a way for Check Point "to try and maintain the growth of the company," Becklean said.

Some investors balked at the price of the acquisition, sending shares of Check Point down $2.20, to $21.50.

Under the terms of the deal, which is expected to close in the first quarter of next year, Check Point will also assume Sourcefire's stock option plan. No layoffs are expected among Sourcefire's 150 employees.

© 2005 The Washington Post Company


From isn at c4i.org Mon Oct 10 00:09:36 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:24:55 2005
Subject: [ISN] A Real Remedy for Phishers
Message-ID:

http://www.wired.com/news/politics/0,1283,69076,00.html

By Bruce Schneier
Oct. 06, 2005

Last week California became the first state to enact a law specifically addressing phishing.
Phishing, for those of you who have been away from the internet for the past few years, is when an attacker sends you an e-mail falsely claiming to be a legitimate business in order to trick you into giving away your account info -- passwords, mostly. When this is done by hacking DNS, it's called pharming.

Financial companies have until now avoided taking on phishers in a serious way, because it's cheaper and simpler to pay the costs of fraud. That's unacceptable, however, because consumers who fall prey to these scams pay a price that goes beyond financial losses, in inconvenience, stress and, in some cases, blots on their credit reports that are hard to eradicate. As a result, lawmakers need to do more than create new punishments for wrongdoers -- they need to create tough new incentives that will effectively force financial companies to change the status quo and improve the way they protect their customers' assets.

Unfortunately, the California law does nothing to address this.

The new legislation was enacted because phishing is a new crime. But the law won't help, because phishing is just a tactic. Criminals phish in order to get your passwords, so they can make fraudulent transactions in your name. The real crime is an ancient one: financial fraud.

These attacks prey on the gullibility of people. This distinguishes them from worms and viruses, which exploit vulnerabilities in computer code. In the past, I've called these attacks examples of "semantic attacks" because they exploit human meaning rather than computer logic. The victims are people who get e-mails and visit websites, and generally believe that these e-mails and websites are legitimate.

These attacks take advantage of the inherent unverifiability of the internet. Phishing and pharming are easy because authenticating businesses on the internet is hard.
While it might be possible for a criminal to build a fake bricks-and-mortar bank in order to scam people out of their signatures and bank details, it's much easier for the same criminal to build a fake website or send a fake e-mail. And while it might be technically possible to build a security infrastructure to verify both websites and e-mail, both the cost and user unfriendliness means that it'd only be a solution for the geekiest of internet users.

These attacks also leverage the inherent scalability of computer systems. Scamming someone in person takes work. With e-mail, you can try to scam millions of people per hour. And a one-in-a-million success rate might be good enough for a viable criminal enterprise.

In general, two internet trends affect all forms of identity theft. The widespread availability of personal information has made it easier for a thief to get his hands on it. At the same time, the rise of electronic authentication and online transactions -- you don't have to walk into a bank, or even use a bank card, in order to withdraw money now -- has made that personal information much more valuable.

The problem of phishing cannot be solved solely by focusing on the first trend: the availability of personal information. Criminals are clever people, and if you defend against a particular tactic such as phishing, they'll find another. In the space of just a few years, we've seen phishing attacks get more sophisticated. The newest variant, called "spear phishing," involves individually targeted and personalized e-mail messages that are even harder to detect. And there are other sorts of electronic fraud that aren't technically phishing.

The actual problem to be solved is that of fraudulent transactions. Financial institutions make it too easy for a criminal to commit fraudulent transactions, and too difficult for the victims to clear their names.
The institutions make a lot of money because it's easy to make a transaction, open an account, get a credit card and so on. For years I've written about how economic considerations affect security problems. They can put security countermeasures in place to prevent fraud, detect it quickly and allow victims to clear themselves. But all of that's expensive. And it's not worth it to them.

It's not that financial institutions suffer no losses. Because of something called Regulation E, they already pay most of the direct costs of identity theft. But the costs in time, stress and hassle are entirely borne by the victims. And in one in four cases, the victims have not been able to completely restore their good name.

In economics, this is known as an externality: It's an effect of a business decision that is not borne by the person or organization making the decision. Financial institutions have no incentive to reduce those costs of identity theft because they don't bear them.

Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.

If there's one general precept of security policy that is universally true, it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk. Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem.
And not just the direct financial losses -- they need to make it less painful to resolve identity theft issues, enabling people to truly clear their names and credit histories. Money to reimburse losses is cheap compared with the expense of redesigning their systems, but anything less won't work.


From isn at c4i.org Tue Oct 11 00:00:50 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:10:23 2005
Subject: [ISN] Microsoft Details Antivirus And Anti-Spyware Timetable
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=171204119

By Larry Greenemeier and Aaron Ricadela
InformationWeek
Oct. 10, 2005

Microsoft is stepping up efforts to become part of the solution to businesses' computer-security woes and overcome a reputation for being part of the problem. The company will begin offering a test version of a new anti-spyware product to businesses by the end of the year and will test new antivirus and anti-spam software next year, CEO Steve Ballmer said at a news conference in Munich, Germany, last week. Ballmer appeared at the event in the technology-heavy German city with corporate VP Mike Nash, who heads Microsoft's security unit.

The software vendor is developing what it calls Client Protection technology that can guard desktops, laptops, and file servers against spyware, malware, and tools used by hackers to break into operating systems and applications. It's testing an anti-spyware product for home PC users, but Client Protection, which includes technology it acquired from GeCAD Software Srl. and Giant Company Software Inc., will offer management features for IT departments and integration with Windows Active Directory. Microsoft is working out details such as pricing and whether it will make the software available via the Web or CD.

The new antivirus and anti-spam security software, called Antigen, will run on messaging and collaboration servers, including Microsoft Exchange.
Antigen is based on technology from Sybari Software Inc., which Microsoft acquired in June.

Microsoft also plans to form an industry group called the Secure IT Alliance with Symantec, Trend Micro, VeriSign, and other companies. The group will build a development lab to design computer-security technology, according to Microsoft.

Michael Cherry, an analyst at technology consulting company Directions on Microsoft, says that Microsoft has an incentive to help its business customers avoid computer-security problems since they deplete resources that could otherwise go toward new technology. "IT departments have fixed budgets," Cherry says. "If, out of the blue, they have to spend three unbudgeted weeks fixing security problems, that's 1,000 man-hours lost from other projects. That has to be paid for with real money."

Microsoft has faced criticism in the past over the number of bugs in its software that cause rampant security problems for its customers. Nearly four years ago, in an effort to overhaul its development processes, the company halted development on Windows and other products to give its programmers remedial training on writing secure code. It also has established policies to close off avenues of attack in subsequent products.

But Microsoft must build its credibility in security products before it can challenge established players McAfee Inc. and Symantec for big business clients, says John Pescatore, Gartner's VP for Internet security. The Client Protection anti-spyware software is likely to have a more immediate impact on small and midsize businesses, particularly those that haven't yet invested in this type of security, he says.

Still, Microsoft's announced entry into the market for antivirus and anti-spyware software already is having an impact on competitors. Symantec has been diversifying its business and last week completed its acquisition of anti-phishing software maker WholeSecurity Inc.
"A big giant is throwing a rock in the pond and creating innovation and pricing pressure," Pescatore says. "For years, the laws of competition and pricing didn't apply to the antivirus market; the companies were getting fat and slow."

Just don't expect customers to jump on the first version of Client Protection or Antigen. Says Pescatore, "Most enterprises will wait 18 months at least after Microsoft announces a product so they can judge the quality."

Copyright © 2005 CMP Media LLC


From isn at c4i.org Tue Oct 11 00:01:13 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:10:54 2005
Subject: [ISN] Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers
Message-ID:

Forwarded from: security curmudgeon

There have been two good responses to this, both supporting David Litchfield's stance and citing more examples.

: ---------- Forwarded message ----------
: From: David Litchfield
: To: bugtraq@securityfocus.com, ntbugtraq@listserv.ntbugtraq.com
: Date: Thu, 6 Jan 2005 16:01:26 -0000
: Subject: Opinion: Complete failure of Oracle security response and utter neglect
:     of their responsibility to their customers
:
: Dear security community and Oracle users,
:
: Many of my customers run Oracle. Much of the U.K. Critical National
: Infrastructure relies on Oracle; indeed this is true for many other
: countries as well. I know that there's a lot of private information
: about me stored in Oracle databases out there. I have good reason, like
: most of us, to be concerned about Oracle security; I want Oracle to be
: secure because, in a very real way, it helps maintain my own personal
: security.
: As such, I am writing this open letter


http://archives.neohapsis.com/archives/bugtraq/2005-10/0060.html

From: Cesar (cesarc56 @yahoo.com)
To: David Litchfield (davidl@ngssoftware.com), bugtraq@securityfocus.com, tbugtraq@listserv.ntbugtraq.com
Date: Thu, 6 Oct 2005 11:41:33 -0700 (PDT)
Subject: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

I support David 100% and I would like to add a few comments (I can't avoid doing this :)):

I remember reading an article where Larry Ellison said that Oracle database server was used by FBI, CIA, USSR government, etc. He referenced that as saying our software is the most secure, top government agencies from the most powerful nations use it. If you hear or read that it sounds great and if you were looking for a database server at that moment maybe you would run to buy Oracle software, the same when you hear and read Oracle Unbreakable everywhere.

What Larry Ellison says it is very easy to say but it is also very difficult to prove. It seems that this kind of statements have been useful for Oracle since the company continues doing the same, just talking.

I can say that we at Argeniss break Oracle database server all the time, we are tired of breaking Oracle, it's so easy, Oracle software is full of security vulnerabilities and this is nothing new, most security researchers know about this and also the bad guys who are actively exploiting the vulnerabilities. But I can say this and I can also prove it, we have found more than a hundred vulnerabilities and we can show them to people. I wonder if Larry Ellison can prove all the statements he says or Oracle people say.

[..]


http://archives.neohapsis.com/archives/bugtraq/2005-10/0079.html

From: ak@red-database-security.com
To: bugtraq@securityfocus.com
Date: 7 Oct 2005 20:13:13 -0000
Subject: Re: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

I agree with David's and Cesar's opinion. Here are 3 examples of how Oracle is dealing with security:

[..]


From isn at c4i.org Tue Oct 11 00:01:38 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:11:12 2005
Subject: [ISN] Linux Security Week - October 10th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  October 10th, 2005                        Volume 6, Number 42n     |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Details from the Anti-Phishing Act of 2005," "Nessus security tool closes its source," and "A legal shield for pen-test results."

---

## EnGarde Secure Linux 3.0 - Download Now! ##

* Linux 2.6 kernel featuring SELinux Mandatory Access Control
* Guardian Digital Secure Network features free access to all system and security updates (to be available shortly through an updated release)
* Support for new hardware, including 64-bit AMD architecture
* Web-based management of all functions, including the ability to build a complete web presence with FTP, DNS, HTTP, SMTP and more.
* Apache v2.0, BIND v9.3, MySQL v5.0(beta)
* Completely new WebTool, featuring easier navigation and greater ability to manage the complete system
* Integrated firewall with ability to manage individual firewall rules, control port forwarding, and creation of IP blacklists
* Built-in UPS configuration provides ability to manage an entire network of battery-backup devices
* RSS feed provides ability to display current news and immediate access to system and security updates
* Real-time access to system and service log information

LEARN MORE: http://www.guardiandigital.com/products/software/community/esl.html

---

LINUX ADVISORY WATCH

This week, advisories were released for gtkdiskfree, util-linux, ClamAV, loop-aes, helix-player, backupninja, squid, mysql, ntlmaps, mysql-dfsg, gopher, prozilla, cfengine, mozilla-firefox, apachetop, drupal, mailutils, egroupware, arc, mod-auth-shadow, mason, slocate, vixie-cron, net-snmp, kernel, openssh, binutils, perl, and gdb. The distributors include Debian, Gentoo, and Red Hat.
http://www.linuxsecurity.com/content/view/120542/150/

---

Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We'll discuss some of the main security "gotchas" when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.
http://www.linuxsecurity.com/content/view/120043/49/

---

Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting.
Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first.
http://www.linuxsecurity.com/content/view/119864/150/

---

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* 2005 Semi-Annual Web Security Trends Report
3rd, October, 2005
Websense released the 2005 Semi-Annual Web Security Trends Report issued by Websense Security Labs. The new report summarizes findings for the first half of 2005 and presents projections for the upcoming year.
http://www.linuxsecurity.com/content/view/120504

* Details from the Anti-Phishing Act of 2005
5th, October, 2005
California is the first US state to pass anti-phishing laws. Finally someone went a step further into, at least, trying to create a more secure cyberspace. Here are some of the most important snippets from the act.
http://www.linuxsecurity.com/content/view/120525

* Common Malware Enumeration Initiative
6th, October, 2005
The Common Malware Enumeration Initiative was just announced. Headed by the United States Computer Emergency Readiness Team (US-CERT) and supported by an editorial board of anti-virus vendors and related organizations, it should provide a neutral, shared identification method for malware outbreaks.
http://www.linuxsecurity.com/content/view/120526

* Check Point to Acquire Makers of Snort
6th, October, 2005
Check Point Software Technologies Ltd. and Sourcefire, Inc., developers of Snort, today announced that they have signed a definitive agreement for Check Point to acquire privately held Sourcefire for a total consideration of approximately $225 million.
http://www.linuxsecurity.com/content/view/120538

* What is the most challenging Sarbanes-Oxley issue facing Enterprises today?
7th, October, 2005
Companies are now finding that log management is a cornerstone best practice in their compliance efforts. Sarbanes-Oxley 404 Internal IT Control requirements infer rigorous end-to-end Log Management and Archival. Net Report helps companies face this issue.
http://www.linuxsecurity.com/content/view/120527

* But Wait, There's More
4th, October, 2005
The ink is barely dry on all of the Red Hat Enterprise Linux 4 materials, and the company is already gearing up for the launch of RHEL 5. While Red Hat is not being terribly specific about what is in RHEL 5 just yet, the company did announce last week that it is working with server maker IBM and security expert Trusted Computer Solutions to begin the Common Criteria security certification for the forthcoming RHEL 5, which is due in late 2006.
http://www.linuxsecurity.com/content/view/120509

* Pass on Passwords with scp
7th, October, 2005
In this article, I show you how to use the scp (secure copy) command without needing to use passwords. I then show you how to use this command in two scripts. One script lets you copy a file to multiple Linux boxes on your network, and the other allows you to back up all of your Linux boxes easily.
http://www.linuxsecurity.com/content/view/120543

* Firefox 1.5 gets the sniff test
3rd, October, 2005
First came all the praise about Firefox 1.0 being more secure than Internet Explorer (IE). Then came headlines about mega-downloads chipping away at Microsoft's market share.
Then came months of uncovered flaws and security updates that now has Firefox up to version 1.0.7.
http://www.linuxsecurity.com/content/view/120503

* RealNetworks Fixes Linux RealPlayer Flaw
4th, October, 2005
RealNetworks has patched the Linux media players that were susceptible to a zero-day attack for much of last week.
http://www.linuxsecurity.com/content/view/120513

* SanDisk embeds DRM engine in Flash cards
5th, October, 2005
Flash memory pioneer SanDisk has embedded DRM and copy protection functions into several flash card form factors. "TrustedFlash" will allow users to buy music, movies, and games on flash cards for use interchangeably in mobile phones, PDAs, laptops, and other devices, according to the company.
http://www.linuxsecurity.com/content/view/120522

* Nessus security tool closes its source
7th, October, 2005
The source code of one of the world's most popular free security tools will no longer be available to all, its creator has announced, saying the software's open-source license was fueling competition.
http://www.linuxsecurity.com/content/view/120546

* The Open Source Highway
4th, October, 2005
Open source is the foundation for the future. By definition, open source is code accessible to all. The free re-distribution of code allows anyone to download code and take advantage of it. The community of open source contributors depicts a truly collaborative environment. Developers around the globe donate to the code repository resulting in accelerated advancement and cleanliness of the available code. The Internet encouraged this open source movement by providing a breeding ground for collaboration.
http://www.linuxsecurity.com/content/view/120511

* PortAuthority Updates Data-Fingerprinting Technology
5th, October, 2005
While no two fingerprints are alike for people, the same cannot be said for digital data.
But new data-fingerprinting technologies have cropped up to take traditional watermarking strategies to the next level in preventing theft of intellectual property. PortAuthority 3.5 is one such technology. The newly updated data-fingerprinting software from PortAuthority Technologies examines the content of documents to give customers the ability to prevent information leaks and data theft.
http://www.linuxsecurity.com/content/view/120523

* A legal shield for pen-test results
7th, October, 2005
Routine network penetration testing may shed light on exposures to external threats, but it can also put damning evidence in the hands of competitors and plaintiffs who sue your organization. Attorneys caution that pen tests generate lengthy reports of system inaccuracies and vulnerabilities that could be used in court against a company.
http://www.linuxsecurity.com/content/view/120544

* Court Rules in Favor of Anonymous Blogger
7th, October, 2005
In a decision hailed by free-speech advocates, the Delaware Supreme Court on Wednesday reversed a lower court decision requiring an Internet service provider to disclose the identity of an anonymous blogger who targeted a local elected official.
http://www.linuxsecurity.com/content/view/120545

* Learning To Hack Just Got Easier
4th, October, 2005
Now you can learn hacking in the comfort of your own home. Training company Learn Security Online (LSO) teaches hacking techniques online at a low cost. LSO teaches computer security with interactive simulators, hacking games, and security challenges that require students to break into real servers.
http://www.linuxsecurity.com/content/view/12051

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Oct 11 00:01:53 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:11:43 2005
Subject: [ISN] Tsunami 'hacker' is innocent, say readers
Message-ID:

http://news.zdnet.co.uk/internet/0,39020369,39228025,00.htm

Colin Barker
ZDNet UK
October 10, 2005

Last Thursday's conviction of a computer security consultant for illegally accessing a Web site set up to aid victims of the Boxing Day Asian tsunami prompted a wide range of opinions from readers of ZDNet UK.

While many sympathised with a man who, even the judge agreed, had done "no real harm", others argued that a computer professional who knowingly accessed a Web site he had no permission to enter should have been aware of the possible consequences.

Daniel Cuthbert from London was found guilty of breaching Section One of the Computer Misuse Act (1990), which makes it an offence for someone to secure unauthorised access to a computer when they know that they are not permitted to do so. Cuthbert, who at the time of his arrest was employed by ABN Amro to carry out security testing, pleaded not guilty to the charge. He was fined £400 plus £600 costs. An application for damages from the plaintiffs was thrown out by the judge on the grounds that by being found guilty, and already having lost his employment, Cuthbert had suffered enough.

The vast majority of ZDNet UK readers believe that Cuthbert has been treated unfairly. We conducted an online poll and asked readers if they believe Cuthbert "should have been convicted of gaining unauthorised access" to a computer under the Act. Over 1,000 people took part, and 92 percent said the conviction handed out by district judge Mr Q. Purdy was wrong.

While a vast majority of readers reckoned that Cuthbert was not guilty of a crime, there was a wide variety of opinion on the issue in our TalkBack pages.
It's understood that Cuthbert added ../../../ to the URL, hoping to get access to higher directories in the hope of confirming whether or not the Web site was genuine. He argued in his case that when he set off an intruder alarm he was checking the site out as he feared that rather than actually donating he had been taken in by a phishing scam.

"Breaking in is not a means of making that determination," argued an anonymous security consultant. "[Does that mean] if you cannot break in the site is legit, or is it legit if you CAN break in?"

But another reader argued that Cuthbert's actions were like "walking around trying everyone's front doors and car doors to see which ones are locked...You wouldn't do that, would you?"

But whether it is trying doorknobs or the front (or back) doors of systems, can computer professionals do their jobs if they are no longer allowed to test systems as they might like to?

"I'm not sure how I could perform my duties as a security professional if it suddenly became unlawful to test security in a very passive manner," argued Shaun Walter, a Unix system administrator. "[Cuthbert] didn't seem to employ any brute-force attacks or elegant procedures to check security at this site."

A US security consultant also felt the case could have serious consequences. "Pretty scary to think that only a government-authorised security company can legally test a site's security or integrity. You can bet I'll be accepting no more contracts to verify ANY corporate networks."

But that wasn't everybody's view, and at least one correspondent believed that Cuthbert was not acting particularly professionally when he tried to crack the appeal site.

"Professional testers know better than to go out and attempt to crack Web sites out of curiosity," argued another anonymous security specialist. "They use their skills to break into systems only after signing lengthy contractual stipulations that allow them to do so without repercussion.
The simple fact is that [Cuthbert] tried to gain unauthorised access into a system."

Copyright © 2005 CNET Networks, Inc. All Rights Reserved.

From isn at c4i.org Tue Oct 11 00:02:05 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:12:11 2005
Subject: [ISN] Cops smash 100,000 node botnet
Message-ID:

http://www.vnunet.com/vnunet/news/2143475/dutch-police-foil-100-node

Tom Sanders in California
vnunet.com
10 Oct 2005

Dutch authorities arrested three individuals last week accused of running one of the largest ever hacker botnets comprising over 100,000 zombie PCs. The three men, aged 19, 22 and 27, were not named. Police confiscated computers, cash and a sports car during searches of the suspects' homes.

A botnet is a collection of hacked computers at the disposal of a hacker without the owner's knowledge. Botnets are commonly used to launch distributed denial of service (DDoS) attacks or to send spam. With over 100,000 infected systems, the network is one of the largest ever detected, prosecutors claimed.

The suspects will be charged with computer hacking, destroying automated networks, and installing adware and spyware.

The trio used the W32.toxbot internet worm to recruit systems for their botnet army. The worm was first detected early this year and infected systems all over the world. Antivirus software to detect and remove the software is available, but the suspects kept changing their malware to avoid detection.

The authorities are also investigating the group's involvement in a blackmail attempt on an unnamed enterprise in the US. It is common practice among online crime gangs to extort the owners of websites, forcing them to pay to prevent a DDoS attack on their networks. It is also suspected that the group was involved in crafting internet worms with keystroke logging software to gather login names to commit credit card fraud and identity theft.
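Returning to the Cuthbert conviction reported above: the probe that set off the appeal site's intruder alarm was a bare ../../../ appended to a URL, which is what a directory-traversal attempt looks like on the wire. The following is an added example and is not part of the ZDNet article, the vnunet piece or any message in this digest. It picks such probes out of Apache-style access logs, scoring how far above the web root each request tries to climb and catching the percent-encoded, double-encoded and backslash forms that a filter matching the literal string ../ would miss. The log lines, client addresses and paths in it are constructed for the example.

```python
"""Pick directory-traversal probes out of web server access logs.

Added example, not taken from the ZDNet article or any message in this
digest. The log lines, hosts and paths below are constructed; the
203.0.113.x, 198.51.100.x and 192.0.2.x addresses are documentation
ranges, not real clients.
"""
import re
import urllib.parse
from typing import Dict, Iterable, List, Optional

# Apache/nginx common-log prefix:
#   host ident user [time] "METHOD request-target HTTP/x.y" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it is not in CLF."""
    m = _CLF.match(line)
    return m.groupdict() if m else None


def normalize(component: str) -> str:
    """Undo the encodings used to slip '..' past a naive string filter.

    Percent-decoding is repeated (bounded) so double-encoded forms such as
    %252e%252e%252f collapse to '../'; backslashes are folded to slashes
    because Windows servers treat '..\\' as a parent reference as well.
    """
    for _ in range(3):
        decoded = urllib.parse.unquote(component)
        if decoded == component:
            break
        component = decoded
    return component.replace("\\", "/")


def escape_depth(normalized: str) -> int:
    """Levels above the web root a normalized path tries to reach.

    Browsers resolve dot segments before sending (RFC 3986 section 5.2), so
    a '..' on the wire was put there deliberately; but only one that climbs
    past the root is a traversal: '/a/../b' scores 0, '/a/../../b' scores 1.
    """
    depth = lowest = 0
    for seg in normalized.split("/"):
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif seg not in ("", "."):
            depth += 1
    return -lowest


def traversal_depth(target: str) -> int:
    """Score a raw request-target: the path and every query-string value."""
    path, _, query = target.partition("?")
    # parse_qsl percent-decodes once; normalize() strips any further layers.
    candidates = [path] + [v for _, v in urllib.parse.parse_qsl(query, keep_blank_values=True)]
    return max(escape_depth(normalize(c)) for c in candidates)


def find_traversal(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One record per request that tries to climb above the web root."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue  # not CLF; a real pipeline would count these separately
        depth = traversal_depth(rec["target"])
        if depth > 0:
            hits.append({"host": rec["host"], "target": rec["target"],
                         "depth": depth, "status": int(rec["status"])})
    return hits


# Constructed sample log. Line 2 is the Cuthbert-style probe; line 3 uses
# '..' but stays inside the root; lines 4 and 5 are encoded variants.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Oct/2005:21:14:02 +0100] "GET /donate/index.html HTTP/1.1" 200 5123',
    '203.0.113.7 - - [07/Oct/2005:21:14:09 +0100] "GET /donate/../../../ HTTP/1.1" 403 211',
    '198.51.100.23 - - [07/Oct/2005:21:15:44 +0100] "GET /images/../css/site.css HTTP/1.1" 200 880',
    '198.51.100.23 - - [07/Oct/2005:21:16:01 +0100] "GET /cgi-bin/view?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.0" 404 302',
    '192.0.2.44 - - [07/Oct/2005:21:17:30 +0100] "GET /..%255c..%255cboot.ini HTTP/1.1" 400 0',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f"{hit['host']:<15} depth={hit['depth']} status={hit['status']} {hit['target']}")
```

A 403 or 400 on a request that scores above zero is roughly what the "intruder alarm" in the story would have recorded. Two evasions the scorer deliberately leaves out, and which a production rule set should cover: overlong UTF-8 encodings of "." and "/" (such as %c0%ae), and the ....// form aimed at servers that strip ../ exactly once, which a correct server does not treat as a parent reference at all.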
From isn at c4i.org Tue Oct 11 00:02:41 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:12:53 2005
Subject: [ISN] Justice IG report: Protect laptop data
Message-ID:

http://www.fcw.com/article91061-10-10-05-Web

By Michael Arnone
Oct. 10, 2005

Justice Department field agents and analysts are keeping classified information secure by using their wits and their training - and by carrying two laptop computers each. One is strictly for processing classified data. The other is for handling unclassified data and using unclassified applications, such as word processors and Web browsers. Justice employees use the decades-old setup to prevent the accidental shift of classified information to an unclassified environment or the Internet. It works, but it's bulky and inconvenient.

Justice's Office of the Inspector General investigated how the department uses laptops to process classified information. At the suggestion of the department's information technology and security staff, the IG also evaluated governmentwide policy on IT security certification for all computer systems.

Justice increasingly relies on laptops to process classified information. But the department's rules governing those resources do not encourage "innovative practices to improve the use of portable computers for processing classified information while adequately safeguarding classified information," the IG's office concluded in a July report.

The report states that Justice's chief information officer should alter Standard 1.6, which dictates the departmentwide IT security management controls for all desktop and laptop computers that handle classified information. The IG said the rules should allow the creation of new, accredited computer configurations that permit the introduction of security-enhancing safeguards.

Some of the recommendations the report suggests aren't new, such as encrypting data and limiting the data kept on classified hard drives.
But others would be new for Justice, including the use of small removable hard drives. "The use of removable hard drives that can process both unclassified and classified information in the same computer shell is an area that the department should consider," the report states. Justice should consider authorizing the use of removable hard drives and developing appropriate security policies for them, it adds. Justice organizations are open to the idea of using removable hard drives, but some worry that employees might not always follow security procedures. IT security experts don't agree on whether the recommendations would help or damage the security of Justice's classified information. A pocket-sized solution The policy recommendation on removable hard drives is the IG's principal improvement to Justice's management of classified information on laptops. Measuring roughly 2 inches by 3 inches, each drive weighs about 2 ounces and fits into the Type II PC card slots found on most laptops. Justice's IG consulted the CIA, the National Security Agency, the Defense Department's National Reconnaissance Office and the Energy Department about their policies on removable hard drives. The first three agencies use laptops with two removable hard drives, one each for classified and unclassified information. NSA officials told the IG's office that a computer's shell does not retain data once users remove the hard drive, adding that no data remains in the computer's RAM when users turn the machine off. Thus, Standard 1.6 should state that the shell of the computer becomes unclassified when someone removes the classified hard drive, according to the report. In addition to halving the number of laptops that Justice employees must carry to handle classified information, removable hard drives would provide a number of benefits, the report states. For example, storing classified data would be easier. 
Justice policies require computers that handle classified data to be double-wrapped in paper to show tampering, the report states. Users must unhook all peripheral devices and place the computer in a specially designed, secure container when they are not using the computers. All devices that could possibly store classified information must have warning labels on them stating so. If the department used removable hard drives, only the drives would have to be double-wrapped instead of the whole laptop. That arrangement would improve security, the IG's office said, because the small drives are easier to secure and are less conspicuous than textbook-sized laptops.

Removable hard drives would also save Justice money because the drives are cheaper than new computers, according to the report. The IG's office shopped for 5G drives and found at least two manufacturers that sell models for less than $200. The drives could hold a multiuser operating system, application software and 4.1G of memory. For roughly $400 per user, the report states, "this computer configuration would allow both unclassified and classified information processing on the same computer."

Mixed opinions

The IG office asked three Justice organizations, the Drug Enforcement Administration, the FBI and the Executive Office for U.S. Attorneys (EOUSA), whether they authorize their employees to use separate hard drives, and if not, whether they would consider doing so. None of those agencies authorizes the use of removable hard drives, the report states. The FBI said the idea has merit, but it would have to evaluate the specifics through the certification and accreditation process. EOUSA expressed interest in pursuing the idea as long as employees understood the security requirements. The DEA had a mixed reaction, saying that the idea could save money, but the risk of failing to switch hard drives when necessary could outweigh those benefits.
Paul Martin, Justice's deputy IG, said the report speaks for itself and declined to comment. IT security experts have mixed opinions about the IG's recommendations. Bruce Schneier, chief technology officer at Counterpane Internet Security, said the report was well-conceived. He liked the idea of removable hard drives and the suggestion to install tracking devices in laptops to help find lost and stolen computers. Peter Lindstrom, research director at Spire Security, had more reservations about the report's implications. "I don't see a clear positive or negative impact on security at all, but it seems to have a pretty positive impact on costs - and on [Justice employees'] shoulders as well because they only have to carry one laptop," he said. Schneier and Lindstrom said they were amazed that Justice had not already made such changes. Lindstrom said he was disappointed that Justice didn't think of the idea on its own. The department is starting to understand that its employees need to do both classified and unclassified work on their computers, Schneier said. But if those recommendations are an improvement, he added, "it must be an absolute mess out there." Frying pan to fire? Lindstrom and Schneier disagree on whether removable hard drives present a definite security improvement or add as many problems as they solve. Because it's so easy to make a mistake, "maintaining two sets of policies, switching back and forth, is a losing proposition over time," Lindstrom said. "I'm not sure that a user in the normal course of business would shift back and forth between their behavior around classified and unclassified information. You're better off configuring the system to force that behavior." Schneier disagreed, saying a hardware solution is the best solution because hardware is more reliably secure than software. That's why Justice's current system of securing and storing classified information has worked so well for decades, he said. 
"The best way to make sure classified information doesn't get taken out of the building is not to take it out of the building" and keep it locked in a safe when not in use, Schneier said. Schneier said running two removable hard drives with separate operating systems and applications on the same computer shell is a great idea, especially if Justice follows the IG's suggestion to bar access to unclassified information and the Internet while the classified drive is in use. "That's the best separation you can do," Schneier said. "You might as well share a screen, keyboard and CPU." Schneier said he wondered whether laptops enabled for such configurations are available and how much they cost. He could see Justice's proposed practices spreading to DOD and other countries. On the other hand, Lindstrom isn't sold on the idea of two hard drives. To make the system work, Justice would presumably have to buy laptops that don't have hard drives, he said. That would force users to use the security settings on each removable drive. But if the removable drives supplemented the laptop's drive, users could accidentally transfer classified information to the unprotected drive, he said. "As soon as you mount drives at the same time, the fact that they are physical devices doesn't matter anymore" because the two are logically connected, Lindstrom said. That gives attackers ways to crack the unclassified applications to access the classified drive. Logical security is the best way to protect data, Lindstrom said. Justice could encrypt all data and set up a host intrusion- prevention system and digital rights management system, he said. Instead of worrying about where to put data, the department should protect its data regardless of its location, Lindstrom said. By using only one hard drive with adequate security protections, Lindstrom said, Justice could potentially save even more money by not implementing the IG's recommendations. 
[1] http://www.usdoj.gov/oig/reports/plus/a0532/final.pdf

-=-

8 ways to improve security

The Justice Department's inspector general has suggested the following eight changes for improving the security of laptop PCs that process classified information.

1. Alter Standard 1.6 - the departmentwide security management controls for all desktop and laptop machines that store, process or transmit national security information - to allow the creation of new accredited computer configurations that permit the introduction of security-enhancing safeguards.
2. Consider using removable hard drives and define them as classifiable devices rather than the computer shell on which users process data. Justice should create appropriate security policies for them.
3. Modify user profiles to forbid access to unclassified hard drives and the Internet when using a classified drive.
4. Change Standard 1.6 to support mandatory encryption of classified data.
5. Keep only a minimal amount of classified data on hard drives, in accordance with National Security Agency practices.
6. Develop a warning system to alert systems administrators if a computer processing classified information connects to the Internet.
7. Install tracking devices in laptop PCs to more easily locate lost or stolen computers.
8. Create new labels for computers that process both classified and unclassified data.

- Michael Arnone

From isn at c4i.org Tue Oct 11 00:02:58 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:13:39 2005
Subject: [ISN] U.S. cybersecurity due for FEMA-like calamity?
Message-ID:

http://news.com.com/U.S.+cybersecurity+due+for+FEMA-like+calamity/2100-7348_3-5891219.html

By Declan McCullagh and Anne Broache
Staff Writer, CNET News.com
October 10, 2005

In the wake of Hurricane Katrina, the Federal Emergency Management Agency has been fending off charges of responding sluggishly to a disaster. Is the cybersecurity division next? Like FEMA, the U.S.
government's cybersecurity functions were centralized under the Department of Homeland Security during the vast reshuffling that cobbled together 22 federal agencies three years ago. Auditors had warned months before Hurricane Katrina that FEMA's internal procedures for handling people and equipment dispatched to disasters were lacking. In an unsettling parallel, government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies. "When you look at the events of Katrina, you kind of have to ask yourself the question, 'Are we ready?'" said Paul Kurtz, president of the Cyber Security Industry Alliance, a public policy and advocacy group. "Are we ready for a large-scale cyberdisruption or attack? I believe the answer is clearly no." The department, not surprisingly, begs to differ. "Cybersecurity has been and continues to be one of the department's top priorities," said Homeland Security spokesman Kirk Whitworth. But more so than FEMA, the department's cybersecurity functions have been plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying experts and industry groups. The department is charged with developing a "comprehensive" plan for securing key Internet functions and "providing crisis management in response to attacks"--but it's been more visible through press releases such as one proclaiming October to be "National Cyber Security Awareness Month." Probably the plainest indication of potential trouble has been the rapid turnover among cybersecurity officials. First there was Richard Clarke, a veteran of the Clinton and first Bush administrations who left his post with a lucrative book deal. Clarke was followed in quick succession by Howard Schmidt, known for testifying in favor of the Communications Decency Act, then Amit Yoran and Robert Liscouski. 
The top position has been vacant since Liscouski quit in January. In July, Homeland Security Secretary Michael Chertoff pledged to fill the post but has not named a successor. "I sure wouldn't take that job," said Avi Rubin, a professor specializing in cybersecurity at Johns Hopkins University. "It only has a downside." If an Internet meltdown happened--perhaps a present-day rendition of the 1988 worm created by Robert Morris, which forced administrators to disconnect their computers from the network to try to stop the worm from spreading--Homeland Security's cybersecurity official would wield little power yet shoulder all the blame, Rubin said. "The person who was cybersecurity czar would be out of a job and would be blamed, even though it might have been someone else not following a policy." Other top-level staff have been departing: The deputy director of Homeland Security's National Cyber Security Division, a top official at the Computer Emergency Response Team, the undersecretary for infrastructure protection and the assistant secretary responsible for information protection have all left in the past year. A promotion in the works Raising the profile of cybersecurity efforts inside Homeland Security has garnered some support in the U.S. House of Representatives. Earlier this year, Rep. Zoe Lofgren, a California Democrat, and Rep. Mac Thornberry, a Texas Republican, reintroduced legislation from the previous congressional session that would create an assistant secretary for cybersecurity. The much talked-about position would report directly to the Homeland Security secretary, on equal footing with posts that oversee the nation's physical infrastructure. Under current department structure, the top cybersecurity official is buried in a few levels of bureaucracy beneath the Homeland Security chief. "Creating an assistant secretary is far more than just an organizational change," Thornberry said when introducing the bill. 
"It is an essential move to assure that cybersecurity is not buried among the many homeland security challenges we face." The proposal was ultimately wrapped up in the broader Homeland Security Authorization Act for 2006 and has been approved by the House. But since May, it has been sitting in front of the Senate Homeland Security committee, which has not indicated when further action will occur. Outside observers are holding out hope for Chertoff's departmental reorganization announced in July. As part of the reshuffling, he hired Stewart Baker, former general counsel to the National Security Agency and a well-respected technology lawyer, to be assistant secretary for policy. Baker is waiting for Senate confirmation. "It's been a mess for over four years, and hopefully the new folks will fix this," said Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "In the previous incarnation, DHS and the Homeland Security Council didn't really know what to do with cyber--it's been a deer-in-the-headlights experience for them," Lewis said. "It's not clear who's even in charge. When you look at all the different committees who assert they have a role in cybersecurity, it's about a dozen. Whenever you have 12 committees in charge, that means no one's in charge." The Sept. 11 switch The most likely reason for the federal government's lack of focus on cybersecurity is straightforward: the attacks of Sept. 11, 2001. While Internet and computer security may not have been a top priority before the attacks, the topic did draw a smattering of attention from the White House. In February 2000, President Clinton convened a meeting on cybersecurity with technology executives. He returned to the topic in a speech to the Coast Guard Academy a few months later, cautioning that "critical systems like power structures, nuclear plants, air traffic control, computer networks, they're all connected and run by computers." 
Then Sept. 11 shifted the Bush administration's attention from hypothetical threats of Internet saboteurs to military action, al-Qaida and the invasion of Iraq.

"Cybersecurity clearly fell off the radar screen when they set up the department, and the department is trying to find its way," said Kurtz, president of the Cyber Security Industry Alliance, which counts as members companies such as Symantec, McAfee, RSA Security, PGP and Computer Associates.

Even before Sept. 11, however, the federal government's cybersecurity efforts were being described as slipshod. In a blistering 108-page report released in early 2001, government auditors said the FBI's National Infrastructure Protection Center had become a bureaucratic backwater that was surprisingly ineffective in pursuing malicious hackers or devising a plan to shield the Internet from attacks.

When Congress created Homeland Security two years later, the FBI's NIPC was unceremoniously mashed together with the Defense Department's National Communications System, the Commerce Department's Critical Infrastructure Assurance Office, an Energy Department analysis center and the Federal Computer Incident Response Center.

The results have been mixed. A May 2005 report by the Government Accountability Office warned that bot networks, criminal gangs, foreign intelligence services, spammers, spyware authors and terrorists were all "emerging" threats that "have been identified by the U.S. intelligence community and others." Even though Homeland Security has 13 responsibilities in this area, it "has not fully addressed any," the GAO said.

Other analyses have said the agency is plagued by incompatible computer systems, and another found that Homeland Security was woefully behind in terms of sharing computer security information with private companies.

The department has argued that it has not been idle.
Last year, it created the National Cyber Alert System, billed as a public-private, nationally coordinated method of dispensing information about Internet threats and vulnerabilities. Other plans include a staged cyberattack exercise scheduled for November.

"Placing responsibility for cybersecurity within the Department of Homeland Security was a necessary move because it recognized how integrated cybersecurity is with other physical security, and to remove it from the department would hurt security in both," said Homeland Security's Whitworth.

"An inappropriately small focus"

But the right tools and funding have to be in place, too, said Ed Lazowska, a computer science professor at the University of Washington. He co-chaired the president's Information Technology Advisory Committee, which published a report in February that was critical of federal cybersecurity efforts.

"DHS has an appropriately large focus on weapons of mass destruction but an inappropriately small focus on critical infrastructure protection, and particularly on cybersecurity," Lazowska said in an e-mail interview. The department is currently spending roughly $17 million of its $1.3 billion science-and-technology budget on cybersecurity, he said. His committee report calls for a $90 million increase in National Science Foundation funding for cybersecurity research and development.

Until then, Lazowska said, "the nation is applying Band-Aids, rather than developing the inherently more secure information technology that our nation requires."

From isn at c4i.org Tue Oct 11 00:00:37 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:14:38 2005
Subject: [ISN] State data systems upgraded after hack
Message-ID:

http://www.adn.com/news/alaska/story/7069608p-6974390c.html

By SEAN COCKERHAM
Anchorage Daily News
October 10, 2005

JUNEAU -- The state is in the midst of a $7 million computer security upgrade as a result of a cyber-assault that sliced through the defenses of the state network. The Jan.
18 attack affected about 110 state computer servers and prompted an investigation by the FBI and a specialist unit of the U.S. Department of Homeland Security.

The attack appeared to come from Brazil, state officials said. The hackers were "data mining" -- looking for information to steal -- according to Kevin Brooks, the deputy commissioner of the state Department of Administration.

Brooks said no information was stolen. But, if it had been, the attack could have led to identity theft using personal information on the state network.

"It was kind of a wake-up call," Brooks said.

The state and federal governments will say little about the attack. What is known is that a Department of Health and Social Services server was found to be "defaced," meaning its security was breached. The state investigation then discovered about 110 other servers with similar signs of hacking. That's when the FBI and the Homeland Security Department's United States Computer Emergency Readiness Team got involved.

State officials on Wednesday refused to release the report that resulted from the investigation, citing the federal Department of Homeland Security's demand that it remain confidential.

State officials said they planned before the attack to ask the Legislature for money to upgrade the computer network. But the attack prompted them to speed it up. They drew up a proposal that would spend $41 million on upgrades over five years.

Brooks said the state has $7 million to spend on immediate security work before the end of the fiscal year next June. Measures are now in place that should prevent the kind of attack that hit in January, he said.

Brooks said part of the work is to replace technology. An analysis after the attack revealed some of the servers and switches on the network were outdated, he said. Thousands of state computers are getting Cisco security software installed, he said.
The Department of Administration provided a statement about the ongoing work from Darrell Davis, the state's chief security officer. "It would be counterproductive to tell those involved in fraud and terrorism exactly what we are doing to make their criminal acts far more difficult," he said. "(It) includes replacing significant amounts of aging infrastructure, hardening of routers and servers, deploying firewalls, establishing security policies and other extra intrusion prevention measures."

© Copyright 2005, The Anchorage Daily News

From isn at c4i.org Wed Oct 12 00:06:37 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 12 00:15:41 2005
Subject: [ISN] 3rd Annual High Technology Crime Investigation Association Seminar Presented by the Atlantic Canada Chapter HTCIA
Message-ID:

Forwarded from: Mark Bernard

3rd Annual High Technology Crime Investigation Association Seminar
Presented by the Atlantic Canada Chapter HTCIA

When: November 25th, 2005
Where: Howard Johnson Brunswick Plaza Hotel, 1005 Main St., Moncton N.B.
Why: Fraud, telephone scams, phishing, identity theft, hacking... You see these terms daily in the media. With the presence of the Internet throughout Atlantic Canada, the danger of high technology crime impacting on your life, your family and business without warning is growing. This one day seminar will draw back the shadows and let you see the methods / techniques used to scam thousands of people each year. At the event we will show you how to detect, identify and counter these threats.

John Weigelt, CISSP, CISM - Chief Security Advisor, Microsoft
As the Chief Security Advisor and Privacy Compliance Officer for Microsoft Canada, John is responsible for the development and communication of Microsoft Canada's security and privacy strategies.

Barry Elliott, PhoneBusters
PhoneBusters is a national anti-fraud call centre jointly operated by the Ontario Provincial Police and the Royal Canadian Mounted Police.
The Atlantic Canada HTCIA Seminar is the premier source of cyber-crime information for individuals, businesses and organizations in the region. As an unbiased source you will get the facts you need to protect yourself.

For more details visit Atlantic Canada's - High Tech Crime Investigation Association at: http://atl-htcia.org/

From isn at c4i.org Wed Oct 12 00:07:22 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 12 00:16:19 2005
Subject: [ISN] Justice IG report: Protect laptop data
Message-ID:

Forwarded from: matthew patton

wow, nobody mentioned using VMWARE? Granted it's less desirable and clean cut (think KISS) than 2 hard drives but the "classified" VM can be stripped of its ability to cut/paste and share network/devices with the host OS. All files could be saved on an AES/3DES encrypted disk "image". Even better to require a fingerprint and/or say the CAC card to unlock the filesystem.

Let's see, slim-line 80GB USB hard drives cost what, $160 from CompUSA et al.? USB hard drives are bootable now from moderately recent BIOS ROMs and even if they weren't, it would not be very hard to create one of those credit-card CDROM images that will bootstrap enough of a kernel to get access to the USB subsystem and then invoke the bootloader of the red or green disk that's plugged in.

Along the lines of "specialized" hardware, there's the ol' KVM trick applied to hard drives. Say the onboard HD is UNCLASS and there is a little toggle switch that electrically activates the inside or slotted one. I think I've seen 2" HD slots in place of (or in addition to) PCMCIA slots in some laptops. Even if not, I'm sure at least one big player would jump at the opportunity to offer a product to the US Govt. The easiest circuit to turn on/off would be the power feed. So even if both HDs were plugged into their bays only one would have electricity. Pin them both "master" and there'd be no way for them to coexist even if both managed to get power.
But the article makes a vital point throughout - it ALL depends on a userbase that doesn't screw it up. Something tells me not to ever underestimate the creativity of the stupid.

From isn at c4i.org Wed Oct 12 00:08:06 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 12 00:16:54 2005
Subject: [ISN] CodeCon 2006 Call For Papers
Message-ID:

Forwarded from: Len Sassaman

CodeCon 2006
February 10-12, 2006
San Francisco CA, USA
www.codecon.org

Call For Papers

CodeCon is the premier showcase of cutting edge software development. It is an excellent opportunity for programmers to demonstrate their work and keep abreast of what's going on in their community.

All presentations must include working demonstrations, ideally accompanied by source code. Presentations must be done by one of the active developers of the code in question. We emphasize that demonstrations be of *working* code.

We hereby solicit papers and demonstrations.

* Papers and proposals due: December 15, 2005
* Authors notified: January 1, 2006

Possible topics include, but are by no means restricted to:

* community-based web sites - forums, weblogs, personals
* development tools - languages, debuggers, version control
* file sharing systems - swarming distribution, distributed search
* security products - mail encryption, intrusion detection, firewalls

Presentations will be 45 minutes long, with 15 minutes allocated for Q&A. Overruns will be truncated.

Submission details:

Submissions are being accepted immediately. Acceptance dates are November 15, and December 15. After the first acceptance date, submissions will be either accepted, rejected, or deferred to the second acceptance date.

The conference language is English.

Ideally, demonstrations should be usable by attendees with 802.11b connected devices either via a web interface, or locally on Windows, UNIX-like, or MacOS platforms. Cross-platform applications are most desirable.

Our venue will be 21+.
To submit, send mail to submissions-2006@codecon.org including the following information:

* Project name
* url of project home page
* tagline - one sentence or less summing up what the project does
* names of presenter(s) and urls of their home pages, if they have any
* one-paragraph bios of presenters, optional, under 100 words each
* project history, under 150 words
* what will be done in the project demo, under 200 words
* slides to be shown during the presentation, if applicable
* future plans

General Chair: Jonathan Moore
Program Chair: Len Sassaman

Program Committee:

* Bram Cohen, BitTorrent, USA
* Jered Floyd, Permabit, USA
* Ian Goldberg, Zero-Knowledge Systems, CA
* Dan Kaminsky, Avaya, USA
* Ben Laurie, The Bunker Secure Hosting, UK
* Nick Mathewson, The Free Haven Project, USA
* David Molnar, University of California, Berkeley, USA
* Jonathan Moore, Mosuki, USA
* Meredith L. Patterson, University of Iowa, USA
* Len Sassaman, Katholieke Universiteit Leuven, BE

Sponsorship:

If your organization is interested in sponsoring CodeCon, we would love to hear from you. In particular, we are looking for sponsors for social meals and parties on any of the three days of the conference, as well as sponsors of the conference as a whole and donors of door prizes. If you might be interested in sponsoring any of these aspects, please contact the conference organizers at codecon-admin@codecon.org.

Press policy:

CodeCon provides a limited number of passes to qualifying press. Complimentary press passes will be evaluated on request. Everyone is welcome to pay the low registration fee to attend without an official press credential.

Questions:

If you have questions about CodeCon, or would like to contact the organizers, please mail codecon-admin@codecon.org. Please note this address is only for questions and administrative requests, and not for workshop presentation submissions.
From isn at c4i.org Wed Oct 12 00:08:29 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 12 00:17:33 2005
Subject: [ISN] The Four Most Dangerous Security Myths
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=172300043

By Matthew Friedman
Networking Pipeline
Oct. 10, 2005

Network security is all about nightmares. As organizations have become increasingly dependent on their networks and the Internet to provide that essential link of data, capital and business intelligence, they have also opened themselves up to potential risk - potentially immense risks. The litany of companies that have been burned by hackers, worms, viruses and simple human error has made organizations wary of the perils of the networked economy. There's so much out there in the digital ether that can jump up and bite you.

On the other hand, says Justin Peltier, a senior security consultant with Peltier Associates and leader of Web hacking seminars for the Computer Security Institute, there are also a lot of myths out there.

"Network security has a particular affinity for myths," he says. "It's hard to change an opinion once it's made, and a lot of IT and security professionals have based their opinions on received wisdom. They've heard about security risks, but they haven't tried it for themselves. Some of these opinions might have been based on reality but are no longer valid, and some is just based on what we've been told."

What they've been told is often only partly true, if at all, he says. It's often based on misconceptions and preconceptions. These myths can lull organizations into a false sense of security or distract them from the real business at hand. Either way, they are legion, though Peltier says that any organization serious about security can address the handful of the biggest and most egregious myths through a combination of experience and common sense.
"If you look at most other disciplines, you see facts and statistics to back things up," he says. "That's not always true about security. It's not enough to just hear about something, you have to check it out for yourself."

To help you separate truth from fiction, here are four of the most dangerous security myths.

1. Patches always fix the security hole: Peltier is particularly troubled by the complacency he sees surrounding patching. "An awful lot of people think that, once you've applied a security patch, you'll be okay," he says. "That just isn't true. Sometimes it works, sometimes it moves the vulnerability somewhere else, and sometimes it creates a new hole." Above all, patches only address published exploits and just because the hole hasn't been published doesn't mean it isn't there.

The problem is that networking is based on technologies developed in an earlier, more innocent time, and many of the biggest vulnerabilities are inherent flaws in the architecture of TCP/IP. Network miscreants are probing networks right now, looking for weaknesses, and there is "almost inevitably" a lag between what they know and what vendors and security professionals know.

"You need to find the holes before the bad guys do," he says. "Most people think defensively, but you have to think offensively. It's jujitsu."

The bottom line is that the only thing that will improve the situation is a new architecture -- specifically IPv6. Peltier expects that wholesale migration to the new version of TCP/IP will be motivated by an inevitable wave of distributed denial of service attacks, "and that's a good thing. Organizations have to start to plan for migration now."

2. SSL is secure: Secure sockets layer (SSL) encryption has become so ubiquitous that the last thing anyone wants to hear is that it's fundamentally insecure, but Peltier says that our faith is unfounded. "No one is getting burned yet, but they will be," he says.
"You see the lock icon, and you assume you're safe -- but you're not."

The problem is that it's a negotiated security standard with two major flaws, both of which can be exploited by man-in-the-middle attacks. "The first thing is that SSL depends on a negotiated certificate, but when there is a problem in the negotiation, the only thing that happens is that an alert window pops up. SSL hijacking is so easy because of the implicit trust we have in the digital certificate."

The other problem is that SSL still supports export-grade 40-bit encryption. The SSL transaction will negotiate down to the lowest common level, Peltier says.

"That's a big problem," he says. "Security people don't get into SSL because they think it's a Web thing. But it can open up the network, so it's really a network thing."

3. Theoretical vulnerabilities don't pose a danger: There are, Peltier says, any number of vulnerabilities that are theoretically known, "but can't yet be proven through proof of concept code." The operative term, of course, is "yet," and even though the door hasn't been pried open, that doesn't mean it won't be. The problem is that you never know.

"Vendors will often ignore theoretical vulnerabilities until they become a really high profile thing," Peltier says. "The best known one recently was the Windows password hashes vulnerability."

Because it's impossible to say when a theoretical flaw will become an exploit, Peltier says that organizations can't wait for vendors to notify them of vulnerabilities. A complete security plan should include keeping tabs on what the hacker and security research community is talking about.

"These things don't come out of left field," he says. "There's always a warning. There are always people jumping up and down saying 'there's a hole here, there's a hole here,' when someone discovers an exploit.
If you don't stay on top of this stuff, you're going to take six times as long to fix the vulnerability because you won't know what part of your anatomy to cover with your hand."

4. Wireless networks are inherently insecure: Wireless networking gets a bad rap. The conventional wisdom holds that Wi-Fi is inherently less secure than wired networks because in its early days, Peltier concedes, the Wired Equivalency Privacy (WEP) protocol had more security holes than Swiss cheese. The point, however, is that wireless security has gone far beyond WEP; users just have to enable these security features.

"Properly configured, wireless is actually much more secure than wired networking," he says. "Proper configuration is everything, of course, and you have to turn on WPA (Wi-Fi Protected Access) shared key security, but it's not exactly difficult. You just have to select the option from a drop-down menu."

With the Institute of Electrical and Electronics Engineers (IEEE) 802.11i wireless security specification finalized and products already shipping, Peltier hopes that Wi-Fi's bad rap will be laid to rest. "So many people have been brainwashed to believe that wireless is insecure, though," he muses.

From isn at c4i.org Wed Oct 12 00:08:41 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 12 00:17:52 2005
Subject: [ISN] Energy Department auditors cite cybersecurity flaws at FERC
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37284-1.html

By Wilson P. Dizard III
GCN Staff
10/11/05

The Energy Department's inspector general has found fault with cybersecurity procedures in the Federal Energy Regulatory Commission's unclassified cybersecurity program. In a report [1] issued today, the IG noted that FERC officials have continued to improve their cybersecurity program, and cited improvements since a previous review in 2002.
However, the IG staff found several areas in which FERC was deficient, including:

* Access controls had in some cases not been implemented via strong password management
* Some software with known security flaws was not replaced, and some users were at times provided access at higher levels than their duties required
* Not all cybersecurity weaknesses were traced and resolved.

Auditors said FERC had overlooked the problems because officials had failed to complete compliance evaluations required by general federal requirements and agency-specific rules. The report, however, omitted information on specific vulnerabilities and how they might be fixed.

FERC management said that it generally concurred with the IG's findings and recommendations.

[1] http://www.ig.doe.gov/pdf/ig-0704.pdf

From isn at c4i.org Wed Oct 12 00:04:16 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 12 00:18:15 2005
Subject: [ISN] Windows 2000 vulnerability could lead to new outbreak
Message-ID:

http://www.networkworld.com/news/2005/101105-windows-vulnerability.html

By Robert McMillan
IDG News Service
10/11/05

Microsoft has released nine security updates for vulnerabilities in its software products, including three critical fixes for Windows and Internet Explorer. Among the updates is a patch for bugs in two separate components of the Windows operating system that security researchers believe could be exploited by attackers in much the same way that the Zotob family of worms were used two months ago.

The software patches, called updates in Microsoft parlance, were released Tuesday as part of the company's monthly security software release. Two of the critical updates concern Internet Explorer and Microsoft's DirectShow media streaming software.
A third update, described in Microsoft Security Bulletin MS05-051, concerns the COM+ services included with Windows as well as the Microsoft Distributed Transaction Coordinator (MSDTC), a component of the operating system that is commonly used by database software to help manage transactions.

It is these last two vulnerabilities that have security researchers concerned because of their similarity to the Windows Plug and Play (PnP) system vulnerability reported last August. Within a week of its disclosure, that flaw was exploited by the authors of the Zotob worm. Variations of this attack eventually knocked hundreds of thousands of machines offline, primarily affecting Windows 2000 users.

Microsoft has rated the MSDTC vulnerability as "critical" for users of Windows 2000, meaning the vulnerability could be used by attackers to seize control of any unpatched system. The COM+ bug is rated critical for Windows 2000 and Windows XP, Service Pack 1.

Security researchers say that another Zotob-style worm outbreak is now a possibility. "The COM+ and MSDTC vulnerabilities have a very similar appearance to the PnP vulnerability that caused Zotob," said Mike Murray, director of vulnerability and exposure research for security vendor nCircle Network Security.

Internet Security Systems' Neel Mehta agreed that there were similarities between the PnP bug exploited by Zotob and MS05-051. "The scope of the affected platform is exactly the same and these services are run by default on Windows 2000," said Mehta, who is team leader of the company's X-Force research team. "In terms of ease of exploitation, they're not incredibly difficult to exploit, but they're not as easy as the Plug and Play vulnerability."

Mehta is also concerned with the DirectShow bug. By tricking users into viewing malicious programs that appeared to be legitimate multimedia files, attackers could seize control of unpatched Windows systems, he said.
"It requires user interaction of some sort, which takes it down a notch from MS05-051, but it is still a serious vulnerability."

Microsoft has rated the DirectShow flaw "critical" for a wider range of Windows systems than the COM+ and MSDTC bugs. It has been rated critical for Windows XP, Windows 2000, Windows Server 2003, Windows 98 and Windows ME.

Though the COM+ and MSDTC bugs will probably get a lot of attention, because they could be used in worm attacks, the DirectShow or IE flaws are also dangerous, and could be used by thieves as the basis of a targeted attack, said Marc Maiffret, chief hacking officer with eEye Digital Security. "The other vulnerabilities I think of as worse in a way because it's an easier way to target a specific corporate user," he said.

The other security updates released Tuesday include "important" patches for Client Services for NetWare, the Windows Plug and Play system, Microsoft Collaboration Data Objects, and the Windows Shell. "Moderate" bugs have also been patched in the Windows FTP (File Transfer Protocol) client and the Network Connection manager.

Tuesday's flurry of releases comes after a very quiet September for Microsoft's security team. Last month, Microsoft had planned to release only one security patch, but ended up scrapping the update at the last minute due to "quality issues."

Though Microsoft executives were unavailable for additional comment on the October security updates, the company said that the critical Internet Explorer vulnerability, covered in Security Bulletin MS05-052, was the bug the company had planned to fix in September. Microsoft has been told that this IE bug is already being exploited by hackers, the company said in a statement attributed to Stephen Toulouse, security program manager with the Microsoft Security Response Center.

More information on the October Security Bulletins can be found here [1].
[1] http://www.microsoft.com/technet/security/bulletin/ms05-oct.mspx

From isn at c4i.org Thu Oct 13 00:03:18 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 13 00:09:45 2005
Subject: [ISN] Ten steps to secure networking
Message-ID:

http://www.techworld.com/security/features/index.cfm?FeatureID=1862

By Pamela Warren
Nortel
October 12, 2005

Secure networking ensures that the network is available to perform its appointed task by protecting it from attacks originating inside and outside the organisation. Traditional thinking equates this to a handful of specific requirements, including user authentication, user device protection and point solutions. However, the move to convergence, together with greater workforce mobility, exposes networks to new vulnerabilities, as any connected user can potentially attack the network.

Application traffic must be securely delivered across the network, avoiding threats such as theft of intellectual property or private data. In addition, the underlying infrastructure must be protected against service disruption (in which the network is not available for its intended use) and service theft (in which an unauthorised user accesses network bandwidth, or an authorised user accesses unauthorised services).

While most organisations focus on securing the application traffic, few put sufficient infrastructure focus beyond point solutions such as firewalls. To protect the total network, security must be incorporated in all layers and the complete networking lifecycle.

Secure networking layers

Secure networking involves securing the application traffic as it traverses the network. It should encompass these areas:

Perimeter security protects the network applications from outside attack, through technologies such as firewall and intrusion detection.

Communications security provides data confidentiality, integrity and non-repudiation, typically through the use of Secure Sockets Layer or IPsec virtual private networks (VPN).
Secure networking extends this by protecting the underlying infrastructure from attack.

Platform security ensures that each device is available to perform its intended function and doesn't become the network's single point of failure. The network security plan should include antivirus checking and host-based intrusion detection, along with endpoint compliance, to ensure that security policies check user devices for required security software.

Access security ensures that each user has access to only those network elements and applications required to perform his job.

Physical security protects the network from physical harm or modification, and underlies all security practices. The most obvious forms of physical security include locked doors and alarm systems.

Secure networking lifecycle

Providing a secure network is not a one-time event, but rather a lifecycle that must be continually reviewed, updated and communicated. There are three distinct stages to be considered:

How can security breaches be prevented? Along with hardening of operating systems and antivirus software, prevention includes processes to regularly review the network's security posture, which is particularly important as new convergence and mobility solutions or new technologies and platforms are added to the network.

How can security breaches be detected? Although some breaches are obvious, others are much more subtle. Detection techniques include product-level and network-wide intrusion-detection systems, system checks and logs for misconfigurations or other suspicious activity.

What is the appropriate response to a security breach? A range of preparations must be made to respond to a successful breach, some of which may include the removal of infected devices or large-scale disaster recovery.
Standards for secure networking

To ensure a consistent set of requirements, lower training costs and speed the introduction of new security capabilities, IT managers should use these 10 security techniques across their networks.

1. Use a layered defence. Employ multiple complementary approaches to security enforcement at various points in the network, therefore removing single points of security failure.

2. Incorporate people and processes in network security planning. Employing effective processes, such as security policies, security awareness training and policy enforcement, makes your programme stronger. Having the people who use the network (employees, partners and even customers) understand and adhere to these security policies is critical.

3. Clearly define security zones and user roles. Use firewall, filter and access control capabilities to enforce network access policies between these zones using the least-privilege concept. Require strong passwords to prevent guessing and/or machine cracking attacks, as well as other strong forms of authentication.

4. Maintain the integrity of your network, servers and clients. The operating system of every network device and element management system should be hardened against attack by disabling unused services. Patches should be applied as soon as they become available, and system software should be regularly tested for viruses, worms and spyware.

5. Control device network admission through endpoint compliance. Account for all user device types, wired and wireless. Don't forget devices such as smart phones and handhelds, which can store significant intellectual property and are easier for employees to misplace or have stolen.

6. Protect the network management information. Ensure that virtual LANs (VLAN) and other security mechanisms (IPsec, SNMPv3, SSH, TLS) are used to protect network devices and element management systems so only authorised personnel have access.
Establish a backup process for device configurations, and implement a change management process for tracking.

7. Protect user information. WLAN/Wi-Fi or wireless mesh communications should use VPNs or 802.11i; prefer 802.11i's CCMP (AES) cipher, since Temporal Key Integrity Protocol (TKIP) is the transitional option retained for older hardware. VLANs should separate traffic between departments within the same network and separate regular users from guests.

8. Gain awareness of your network traffic, threats and vulnerabilities for each security zone, presuming both internal and external threats. Use antispoofing, bogon blocking and denial-of-service prevention capabilities at security zone perimeters to block invalid traffic.

9. Use security tools to protect from threats and guarantee performance of critical applications. Ensure firewalls support new multimedia applications and protocols, including SIP and H.323.

10. Log, correlate and manage security and audit event information. Aggregate and standardise security event information to provide a high-level consolidated view of security events on your network. This allows correlation of distributed attacks and a network-wide awareness of security status and threat activity.

The International Telecommunication Union and Alliance for Telecommunications Industry Solutions provide standards that enterprises can use in their vendor selection process. However, no single set of technologies is appropriate for all organisations. Regardless of the size of the organisation or the depth of the capabilities required, secure networking must be an inherent capability, designed into the DNA of every product. By following the steps described above, companies will have the right approach for securing their increasingly mobile, converged networks.

-=-

Pamela Warren is a senior security solutions manager at Nortel, currently responsible for strategic security initiatives in the office of the chief technology officer. 
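The perimeter controls in item 8 (antispoofing, bogon blocking and denial-of-service prevention) can be stated as a single packet-decision function. What follows is an added example written for this edit; it is not code from the article or from Nortel. The bogon list is a constructed subset of the usual one, the zone prefix 203.0.113.0/24, the sample packets and the SYN threshold are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed subset of the IPv4 bogon list: reserved or unallocated space that has
# no business as a source address at an Internet-facing zone perimeter. A real
# deployment pulls a maintained list and refreshes it as allocations change.
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    src: str
    dst: str
    direction: str   # "in": Internet -> zone, "out": zone -> Internet
    syn: bool = False


class PerimeterFilter:
    """Anti-spoofing (BCP 38 style), bogon blocking and a crude SYN rate limit
    for one security zone whose address space is `internal_prefixes`."""

    def __init__(self, internal_prefixes, syn_limit=3, window=1.0):
        self.internal = [ip_network(p) for p in internal_prefixes]
        self.syn_limit = syn_limit          # SYNs per source allowed per window
        self.window = window                # seconds
        self._syns = defaultdict(deque)     # src -> timestamps of recent SYNs

    @staticmethod
    def _in(addr, nets):
        a = ip_address(addr)
        return any(a in n for n in nets)

    def _syn_flood(self, pkt):
        # Sliding window: keep only SYNs from this source within the last `window`.
        recent = self._syns[pkt.src]
        recent.append(pkt.ts)
        while recent and pkt.ts - recent[0] > self.window:
            recent.popleft()
        return len(recent) > self.syn_limit

    def decide(self, pkt):
        """Return (verdict, reason); verdict is "accept" or "drop"."""
        if pkt.direction == "in":
            if self._in(pkt.src, BOGONS):
                return "drop", "bogon source"
            if self._in(pkt.src, self.internal):
                # Our own addresses never legitimately arrive from outside.
                return "drop", "spoofed internal source"
            if not self._in(pkt.dst, self.internal):
                return "drop", "destination outside zone"
            if pkt.syn and self._syn_flood(pkt):
                return "drop", "syn rate limit"
            return "accept", ""
        if pkt.direction == "out":
            if not self._in(pkt.src, self.internal):
                # Egress check: keeps the zone from being used as a DDoS source.
                return "drop", "egress spoof: source not ours"
            if self._in(pkt.dst, BOGONS):
                return "drop", "bogon destination"
            return "accept", ""
        return "drop", "unknown direction"


# Constructed sample traffic. 203.0.113.0/24 plays the internal zone and
# 198.51.100.0/24 the Internet; neither is on the bogon list above.
SAMPLE = [
    Packet(0.0, "198.51.100.7", "203.0.113.10", "in", syn=True),  # ordinary client
    Packet(0.1, "10.1.2.3",     "203.0.113.10", "in"),            # RFC 1918 source from outside
    Packet(0.2, "203.0.113.5",  "203.0.113.10", "in"),            # claims to be one of ours
    Packet(0.3, "203.0.113.10", "198.51.100.7", "out"),           # our reply
    Packet(0.4, "192.0.2.99",   "198.51.100.7", "out"),           # forged source leaving the zone
    Packet(0.5, "198.51.100.8", "203.0.113.10", "in", syn=True),
    Packet(0.6, "198.51.100.8", "203.0.113.10", "in", syn=True),
    Packet(0.7, "198.51.100.8", "203.0.113.10", "in", syn=True),
    Packet(0.8, "198.51.100.8", "203.0.113.10", "in", syn=True),  # 4th SYN within 1 s
]


def run_sample(packets=SAMPLE, internal_prefixes=("203.0.113.0/24",)):
    """Apply the filter to the packets in order and return one verdict per packet."""
    f = PerimeterFilter(internal_prefixes)
    return [f.decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE, run_sample()):
        print(f"{pkt.direction:>3} {pkt.src:>14} -> {pkt.dst:<14} {verdict:6} {reason}")
```

The two spoofing checks are the ingress/egress pair from BCP 38: inbound packets may not carry one of the zone's own source addresses, and outbound packets must. On a real perimeter device these are access lists or unicast reverse-path forwarding rather than Python, and the bogon list has to be refreshed as address space is allocated, or legitimate traffic from newly assigned prefixes gets dropped.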
From isn at c4i.org Thu Oct 13 00:01:34 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 13 00:10:04 2005 Subject: [ISN] Nessus scanner code forked Message-ID: http://www.smh.com.au/news/breaking/nessus-scanner-code-forked/2005/10/11/1128796513799.html By Sam Varghese October 11, 2005 A group of British security researchers has decided to start a fork of the popular Nessus vulnerability scanner, following a decision by the owner of Nessus to change the licence under which the scanner was released. Nessus was released under the General Public License (GPL) which means its code was freely available. The change of licensing terms was announced last week by Renaud Deraison, who began the Nessus Project in 1998. Four years later, Deraison co-founded a company named Tenable Network Security which now develops Nessus. Last week, Deraison said [1] the forthcoming version of Nessus, version 3.0, would be available free, but not under the GPL. He said the current version, Nessus 2.0, would continue to be maintained under the GPL with bug fixes. The British team is headed by Tim Brown who, in a posting [2] to the Full-Disclosure vulnerability mailing list, said the fork would be called GNessUs. "As a result of recent announcements by Tenable, we believe a fork of Nessus is required to allow future free development of this tool," he wrote. Brown said the decision had been taken after consulting colleagues from within the security industry. "While we would like to believe that we will be able to continue to take updates of the Nessus 2 source code from the Nessus website, we will be endeavouring to add fresh functionality and plugins as part of the GNessUs project," he wrote. "The fork will be based on the current nessus 2.2.5 packages from GNU/Debian (sic), the source of which can be found above in a slightly modified form. We would welcome contact from any interested developers." 
[1] http://mail.nessus.org/pipermail/nessus/2005-October/msg00035.html [2] http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/037863.html From isn at c4i.org Thu Oct 13 00:02:38 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 13 00:10:26 2005 Subject: [ISN] Security UPDATE -- Copying Files Securely Between Systems -- October 12, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. CDW. The Technology You Need When You Need It. http://list.windowsitpro.com/t?ctl=1619A:4FB69 Speed up your systems--try Diskeeper 9 free http://list.windowsitpro.com/t?ctl=1617B:4FB69 ==================== 1. In Focus: Copying Files Securely Between Systems 2. Security News and Features - Recent Security Vulnerabilities - Microsoft Releases 9 Security Bulletins in October - Microsoft Announces New Products and New Consortium - Microsoft Brings Antimalware Tech to Corporations - Symantec to Acquire BindView - 10 Network Security Assessment Tools You Can't Live Without 3. Security Toolkit - Security Matters Blog - FAQ - Security Forum Featured Thread 4. New and Improved - Freeze Workstation Configurations ==================== ==== Sponsor: CDW ==== CDW. The Technology You Need When You Need It. It takes a lot to keep up with today's business. Starting with today's technology. Our account managers and product specialists can get you quick answers to any questions you might have. So visit us online and find out first hand how we make it happen. Every order, every visit, every time. No matter what you need in technology, you can count on CDW for the right technology, right away. http://list.windowsitpro.com/t?ctl=1619A:4FB69 ==================== ==== 1. 
In Focus: Copying Files Securely Between Systems by Mark Joseph Edwards, News Editor, mark at ntsecurity / net If you need to copy files from one system to another over an unprotected network, you can do it in a few ways. For example, you can employ the RRAS component that comes with Windows Server 2003 and Windows 2000 Server to establish a VPN that uses PPTP; you can use Microsoft IIS and Secure Sockets Layer (SSL) connections along with a custom Web interface; or you can use Secure Shell (SSH). There are other ways to accomplish this task, but these are probably the most common solutions. If you're interested in setting up RRAS and PPTP, you can find instructions in the Microsoft article "Step-by-Step Guide for Setting Up a PPTP-based Site-to-Site VPN Connection in a Test Lab" (URL below). This is a good solution, especially if you want to use the VPN for other tasks, although PPTP's MS-CHAP password authentication has well-documented weaknesses, so cryptographically it is the weakest of the three options. http://list.windowsitpro.com/t?ctl=16179:4FB69 Using IIS and SSL is simple enough, but it does require you to design a Web interface that meets your needs. For example, designing for downloading files is easy enough, but you'll need a script or ActiveX control for uploading files. This method also requires that you expose the IIS system to some extent, which you might not want to do. The third method, using an SSH server, might be a better solution. SSH servers provide encrypted transports between clients and servers by using a variety of encryption methods, including Triple DES (3DES), Blowfish, CAST (named after its developers Carlisle Adams and Stafford Tavares), Advanced Encryption Standard (AES), and possibly others, depending on the software you use. Another benefit is that SSH can use public keys instead of passwords to authenticate a session; in the other direction, the client should verify the server's host key fingerprint on first connection, because that check is what stops a man in the middle from impersonating the server. Plus, SSH servers offer cross-platform support--versions are available for just about every popular OS, including Linux and BSD, as well as Sun Microsystems and Apple platforms. 
By using SSH, you can not only copy files securely, you can also open an encrypted interactive shell session (SSH's replacement for Telnet) on a remote server, which comes in handy for remote administration. In addition, you can tunnel unencrypted services over SSH connections. For example, by using port forwarding, you can run SQL traffic, POP3 traffic, and many other types of service traffic over SSH connections. Several commercial and open-source SSH servers are available for Windows. If you want a robust commercial solution, check out the products at SSH Communications Security (at the first URL below) or AttachmateWRQ (at the second URL below). If you want an open-source solution, consider OpenSSH for Windows (at the third URL below) or freeSSHd (at the fourth URL below). Both open-source solutions can run as a system service; freeSSHd offers a simple GUI interface, OpenSSH doesn't. http://list.windowsitpro.com/t?ctl=16190:4FB69 http://list.windowsitpro.com/t?ctl=16193:4FB69 http://list.windowsitpro.com/t?ctl=16197:4FB69 http://list.windowsitpro.com/t?ctl=1619C:4FB69 If you run Windows 2003, a step-by-step tutorial is available to help you install OpenSSH for Windows. "Installing OpenSSH for Windows 2003 Server - How to get it working," by Steve Pillinger, senior computer officer at the School of Computer Science at the University of Birmingham in England, describes how to set up user accounts, assign user rights, set file permissions, and configure authentication. http://list.windowsitpro.com/t?ctl=1618F:4FB69 If you run Win2K Server, you can use Beau Monday's step-by-step guide, "Configuring OpenSSH (Win32) for Public Key Authentication." His guide is equally detailed and includes information about how to configure PuTTY, which is an open-source SSH command-line client for Windows platforms. The PuTTY package also includes a PuTTY Secure Copy (PSCP) client. If you use Monday's guide, take note that his link to OpenSSH for Windows is broken. 
The project has relocated to SourceForge, and you can find it by using the second URL below. http://list.windowsitpro.com/t?ctl=16195:4FB69 http://list.windowsitpro.com/t?ctl=16197:4FB69 I've used the PuTTY PSCP client quite a bit, and even though it's a good tool, I prefer a GUI because it saves me a whole lot of typing. With a GUI, you can copy files using simple drag-and-drop techniques, and you can typically navigate directories in a treeview similar to that of Windows Explorer. As an alternative to PuTTY, you might consider WinSCP (at the URL below) for file-copying tasks. WinSCP supports both Secure Copy (SCP) and SFTP (the SSH File Transfer Protocol, which runs over SSH and is unrelated to FTP over SSL). http://list.windowsitpro.com/t?ctl=16199:4FB69 ==================== ==== Sponsor: Diskeeper ==== Speed up your systems--try Diskeeper 9 free The secret to maximum computer speed is simple: Eliminate disk fragmentation entirely. Diskeeper 9, the Number One Automatic Defragmenter, features a high-speed defragmentation engine that runs in the background. It's so fast and so transparent that you can run it on active servers and PCs, keeping your systems defragmented while your users work. All you do is "Set It and Forget It", and fragmentation- related problems are gone for good. Don't settle for less performance than your servers and PCs can deliver. See the benefits for yourself-- download your FREE evaluation version of Diskeeper 9 now! http://list.windowsitpro.com/t?ctl=1617B:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=16183:4FB69 Microsoft Releases 9 Security Bulletins in October Microsoft released nine security bulletins yesterday. Eight of them relate to patches for Windows and one relates to a patch for Windows and Microsoft Exchange Server. 
Of the nine, Microsoft considers at least one to be critical. http://list.windowsitpro.com/t?ctl=1618A:4FB69 Microsoft Announces New Products and New Consortium After acquiring antivirus, antispyware, and antispam solution makers, Microsoft has finally announced its new antimalware product plans along with a new security consortium. http://list.windowsitpro.com/t?ctl=1618E:4FB69 Microsoft Brings Antimalware Tech to Corporations As promised, Microsoft will soon introduce a beta version of its antispyware and antivirus tools for managed corporate networks, giving enterprises the tools they need to remove malware on client PCs and file servers. http://list.windowsitpro.com/t?ctl=1618B:4FB69 Symantec to Acquire BindView Further strengthening its position in the security market space, Symantec announced a deal to acquire BindView. The acquisition, which is expected to close in first quarter 2006, better positions Symantec to offer end-to-end security solutions for policy compliance and vulnerability management. http://list.windowsitpro.com/t?ctl=1618D:4FB69 10 Network Security Assessment Tools You Can't Live Without Jerry Cochran describes his favorite penetration-testing tools, including Nmap and SNMPWalk, and encourages you to use them on your network--before the hackers do. After you read this article, tell us your network security assessment story and win a Windows IT Pro T-shirt. Just click in the Interact! box on the article Web page. http://list.windowsitpro.com/t?ctl=16188:4FB69 ==================== ==== Resources and Events ==== Discover SQL Server 2005 for the Enterprise. Are you prepared? In this free half-day event, you'll learn how the top new features of SQL Server 2005 will help you create and manage large-scale, mission-critical enterprise database applications--making your job easier. Find out how to leverage SQL Server 2005's new capabilities to best support your business initiatives. Register today! 
http://list.windowsitpro.com/t?ctl=16180:4FB69 Get the Most from Your Infrastructure by Consolidating Servers and Storage Improved utilization of existing networking resources and server hardware enables allocation of scarce financial and time resources where they're needed most. In this free Web seminar, learn to optimize your existing infrastructure with the addition of server and storage consolidation software and techniques. You'll get the jumpstart you need to evaluate the suitability and potential of your computing environments for the added benefits that consolidation technology can provide. http://list.windowsitpro.com/t?ctl=1617D:4FB69 Deploy VoIP and FoIP Technologies Voice over Internet Protocol (VoIP) is the future of telecommunications, and many companies are already enjoying the benefits of transporting voice over IP networks to significantly reduce telephone and facsimile costs. Join industry expert David Chernicoff for this free Web seminar to learn the ins and outs of boardless fax in IP environments, tips for rolling out fax and integrating fax with telephony technologies, and more! http://list.windowsitpro.com/t?ctl=16182:4FB69 Exploit the Opportunities of a Wireless Fleet With the endless array of mobile and wireless devices and applications, it's hard to decide what you can do with the devices beyond providing mobile email access. It's even tougher to know how to keep it all secure. Join industry guru Randy Franklin Smith in this free Web seminar and discover what you should do to leverage your mobile and wireless infrastructure, how to pick devices that are right for you, and more! http://list.windowsitpro.com/t?ctl=1617C:4FB69 The Conference & Expo on Mobile and Wireless Security The must-attend event for securing your wireless applications and networks, the Conference & Expo on Mobile and Wireless Security is designed to navigate you through today's high-threat landscape. 
Discover real-world security solutions from practitioners winning the battle against hackers, undisciplined users, and the occasional villainous virus. Click here for details: http://list.windowsitpro.com/t?ctl=16194:4FB69 Cut Your Windows XP Migration Time by 60% or More! If your organization is considering--or has already begun migrating your operating system to Windows XP, then this Web seminar is for you. Sign up for this free event, and you'll learn how to efficiently migrate your applications into the Windows Installer (MSI) format, how to prepare them for error-free deployment, what steps you need to follow to package your applications quickly and correctly, and more! http://list.windowsitpro.com/t?ctl=16181:4FB69 ==================== ==== Featured White Paper ==== Stopping Crimeware and Malware: How to Close the Vulnerability Window Computer users can no longer wait for a new vaccine every time a new security threat appears. How do you defend your network in a world of smarter, faster, Internet-borne zero-day attacks? Find out about Intrusion Prevention that can detect and destroy unknown malware with virtually zero false positives. http://list.windowsitpro.com/t?ctl=1617F:4FB69 ==================== ==== Hot Release ==== Meeting Enterprise Management Needs: The Integration of Microsoft SMS 2003 and Afaria Learn about the capabilities offered by the integration of Microsoft SMS 2003 and Afaria. In this free white paper you'll learn about new functionality and benefits of Microsoft SMS specifically targeted to improving management of remote and mobile devices, challenges of managing frontline systems, how the combined solution creates value around the successful use of technology at the front lines of business and more. http://list.windowsitpro.com/t?ctl=1617E:4FB69 ==================== ==== 3. 
Security Toolkit ==== Security Matters Blog: Nematodes: Worms That Help Your Networks by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=16192:4FB69 Would you unleash a worm on your networks if that worm was designed to protect the networks instead of infiltrate them? Dave Aitel thinks you would, and that was the subject of his presentation at the latest Hack in the Box conference in Malaysia. Read more about it in this blog entry. http://list.windowsitpro.com/t?ctl=16189:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=16191:4FB69 Q: Can I change the type of logging that Active Directory (AD) uses? Find the answer at http://list.windowsitpro.com/t?ctl=1618C:4FB69 Security Forum Featured Thread: How to Automate Setting ACLs on Folders Drew is trying to verify folder security on his file servers. He's running into many inconsistencies with folder permissions and wants to know if there's a script he can run to adjust the permissions. For example, all his users have a home directory on one of his file servers. He wants to set the ACL on each home directory folder to allow the user, administrators, and System account to have full control. Join the discussion at: http://list.windowsitpro.com/t?ctl=1617A:4FB69 ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Become a VIP Subscriber! Get inside access to ALL the articles, tools, and helpful resources published in Windows IT Pro, SQL Server Magazine, Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security-- that's more than 26,000 articles at your fingertips. Your VIP subscription also includes a valuable 1-year print subscription to Windows IT Pro and two VIP CDs (that contain the entire article database). Sign up now: http://list.windowsitpro.com/t?ctl=16184:4FB69 SQL Server Magazine Has Answers You won't want to miss any of the fall issues! 
Subscribe now and discover the best tools to keep SQL Server tuned, the ins and outs of SQL Server 2005, ways ADO.NET 2.0 solves your problems, and much more. You'll also gain exclusive access to the entire SQL Server Magazine online article database (more than 2300 articles) and you'll SAVE 44% off the cover price. Click here: http://list.windowsitpro.com/t?ctl=16187:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products@windowsitpro.com Freeze Workstation Configurations Faronics Technologies announces the official release of Deep Freeze 5.5 Standard, Professional, and Enterprise editions. Deep Freeze protects original computer configurations. No matter what changes a user makes to a workstation, when he or she restarts the system, Deep Freeze eradicates all the changes and resets the computer to its original state. Deep Freeze 5.5's new features include enhanced compatibility when deployed as part of a master image, the ability to specify login information for executing custom scripts during scheduled maintenance periods, and enhanced password security. For more information, go to http://list.windowsitpro.com/t?ctl=1619B:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. 
==================== ==== Sponsored Links ==== Admins rush to install BLOG servers How to run your own blog server. Free 5-user license. http://list.windowsitpro.com/t?ctl=16198:4FB69 ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=16196:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- salesopps@windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=16186:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Oct 13 00:03:00 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 13 00:10:53 2005 Subject: [ISN] Princeton a hacker target, Symantec survey finds Message-ID: http://www.dailyprincetonian.com/archives/2005/10/12/news/13434.shtml Mark Stefanski Princetonian Contributor October 12, 2005 Princeton had the second-highest percentage of computers controlled by hackers among cities worldwide between Aug. 24 and Sept. 23, according to a recent Symantec Monthly Security Update, though OIT security officer Anthony Scaturro disputed the findings. The security update ranked Princeton second only to Cambridge, UK, in its report on hacker-controlled computers, also called bots. It attributed these two college towns' unusually high percentage of bots to an influx of users - returning and new faculty and students - connecting to the school networks. 
"Education was the number one target because [universities] are mini service providers, serving in some cases 10,000 students," said Dean Turner, senior manager at Symantec Security Response. "There's often more money spent on building infrastructure and less time or money paid to security precautions, which is also a concern with small businesses, enterprises and users themselves." Princeton's bot problem, according to the Symantec report, is daunting. As of September, the town was home to seven percent of the world's bots, well ahead of Seoul, which ranked third with three percent. New York City, the American city with the next-highest ranking, came in 12th with one percent of the world's bots. Symantec compiled the rankings based on information from 120 million computers running its antivirus products. Since bots themselves are difficult to detect, Turner said Symantec had to look for activity indicative of bots, which yields only an estimate of their prevalence. But Scaturro said he thinks the ranking is not just an estimate but outright inaccurate, since the origin of such attacks, often carried out under false addresses, is difficult to pinpoint. Though Scaturro said he generally agreed with Symantec's ranking of the most frequent types of attacks, he said he didn't believe the ranking of the town as the second-biggest hub of bot activity was at all reflective of the University. "The intrusion prevention system sees attacks going both ways," Scaturro said. "If we were to look at our numbers [of attacks] going out, they would be very low. I think the figures are flawed. I can't say that definitively until I could review [Symantec's] method of determining the source of each attack." If anything, Scaturro added, the University should have a low density of bots because of its early adoption of an intrusion protection system, which intercepts and examines every message entering or exiting the University. 
"Anything that is a known attack that is coming out of our machines we are dropping at the front door and preventing from going out," he said. "That should skew our ranking down." The results are also suspect, Scaturro noted, due to the University's record of safe computing habits, including regular system security updates. It is unlikely that the density of bots in the rest of town could make Princeton the most bot-ridden city in the U.S. Symantec did not respond to Scaturro's concerns about the validity of its report. Hackers typically gain control of computers by infecting them with Trojans, which execute malicious code, almost always without the owners' knowledge. Infected computers then become bots, communicating through backdoor channels with other bots and the hacker, who coordinates their activity. "[Bots are] zombie machines," Turner said. "They are machines that have been compromised by an attacker and are sort of sitting there waiting for commands from a remote attacker. They do the botmaster's bidding." Hackers often use the bots to bombard websites' servers with useless requests to the extent that the servers are either too busy to handle regular Internet traffic or shut down altogether. Bots also allow online criminals to assume a new identity - that of the bot computer's owner - and thereby lower the risk of getting caught. However damaging a bot can be, the basic precautions against a computer becoming one are well understood. Turner said he recommends antivirus software, a firewall and intrusion detection software. He added that emails should be opened with caution, since only an email that is opened can release a Trojan. By taking these precautions and actively addressing the problem, Princeton can further reduce its susceptibility to bots, Turner said. "Users become educated, and they become aware of the fact that they need an antivirus program and safe computing habits," he said. 
"It's part of the University's job, part of our job as a vendor and part of the student's job. Once word gets out we would expect that, if appropriate measures are taken, this [bot problem] will drop off." From isn at c4i.org Thu Oct 13 00:03:33 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 13 00:11:05 2005 Subject: [ISN] GAO: Defense agency not fully protecting information systems Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,105358,00.html By Linda Rosencrance OCTOBER 12, 2005 COMPUTERWORLD The U.S. Defense Logistics Agency isn't fully protecting its information systems, according to a report released yesterday by the Government Accountability Office (GAO) (download PDF) [1]. The Defense Logistics Agency, or DLA, is responsible for providing food, fuel, medical supplies, clothing, spare parts for weapon systems and construction materials to support the country's military forces. The GAO had been asked to review the effectiveness of its operations -- including the DLA's information security program -- by members of the congressional Committee on Armed Services. According to the report, the DLA has made some progress in implementing elements of its information security program but needs to do more. Although the agency has established a central security management group and appointed a senior information security officer to manage the program, it has not consistently assessed risks to its systems from unauthorized access, use, disclosure or destruction of information, GAO officials said. In addition, employees responsible for the agency's information security haven't gotten enough training; annual security testing and evaluation of management and operational controls haven't been done; and plans to mitigate known IS deficiencies haven't been completed, the GAO said. The weaknesses in the agency's management and oversight of its security program "place DLA's information and information systems at risk," the agency concluded. 
It also said that until the DLA addresses the weaknesses and implements an agencywide information security program, it may not be able to protect its information or systems, according to the report. The GAO made a number of recommendations, calling on the DLA to: * Consistently assess risks that could result from the unauthorized access, use, disclosure or destruction of information and information systems; * Provide training for employees with major responsibilities for information security; * Make sure that security training plans are updated and maintained; * Ensure that annual security evaluations include management, operational and technical controls of every information system in DLA's inventory. In a written response to the GAO, Paul Brinkley, deputy undersecretary of defense, agreed with most of the GAO's recommendations and described the agency's efforts to address them. Brinkley said the DLA is working to fully implement an effective agencywide information security program, including publication of a Department of Defense manual that gives detailed guidance for training employees responsible for information security. Defense Department officials disagreed with other recommendations, including the need to annually test the effectiveness of security controls for all systems. According to Brinkley, that recommendation amounts to annual recertification, and is neither practical nor cost-effective. The GAO countered that it doesn't expect all information assurance controls for all systems to be evaluated annually, but to ensure that DLA's testing efforts include management, operational and technical controls of every information system in its inventory. [1] http://www.gao.gov/new.items/d0631.pdf From isn at c4i.org Thu Oct 13 00:03:47 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 13 00:11:25 2005 Subject: [ISN] Officials: How much security is enough? Message-ID: http://www.fcw.com/article91086-10-12-05-Web By Florence Olsen Oct. 
12, 2005 In the White House situation room and in corporate boardrooms, people debate how much information security is enough - without reaching consensus. But a panel of national security experts said today that federal standards can help manage the country's considerable risk of a disruptive cyber event. Standards that the National Institute of Standards and Technology is developing provide the basics of due diligence for federal agencies and businesses, said Ronald Ross, a senior computer scientist and information security researcher at NIST. He spoke today at an event in Washington, D.C., sponsored by the Wall Street Journal. Businesses are not required by law to follow those information security standards, but Ross said many are doing so voluntarily because they can reduce the risk of a major cyber incident disrupting companies' business. The federal standards include one for categorizing information systems assets based on whether their loss would pose a high, medium or low risk to the agency or business. Ross said people are spending too much time and money to protect low-risk systems and not enough on high-risk systems. He said NIST will soon issue another federal standard requiring specific security settings and controls for protecting low-, medium- and high-risk systems. Roger Cressey, president of Good Harbor Consulting and a former counter-terrorism official, said the Homeland Security Department was slow to focus on cybersecurity vulnerabilities. To an extent, he added, the department is still reactive and "preparing to prevent the last attack." But Cressey said DHS Secretary Michael Chertoff has correctly adopted a risk management approach to the country's cyber vulnerabilities. Whether Chertoff can gain support in Congress and elsewhere for that approach remains to be seen, Cressey said. 
From isn at c4i.org Thu Oct 13 00:04:00 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 13 00:11:41 2005
Subject: [ISN] Securing mobile data more important than viruses
Message-ID:

http://www.networkworld.com/news/2005/101205-mobile-data.html

By Nancy Gohring
IDG News Service
10/12/05

Enterprises with workers that can access corporate data from mobile devices should be less concerned about mobile viruses and more focused on setting and enforcing rules for securing the data, said speakers at Symbian's Smartphone Show in London on Tuesday.

Very few real mobile viruses have actually proliferated in the market, said Morton Graubelle, executive vice president of marketing at Red Bend Software, a company that offers products that allow over-the-air installation and management of firmware for mobile devices. Instead, the companies whipping up fear around mobile viruses are largely looking after themselves.

"We have companies making money out of scaring people, warning them about viruses," he said.

Industry leaders also blamed mobile operators for the growing concern over mobile viruses. "I have a sense that there's hysteria from the operators," said Ben Wood, research vice president for mobile devices at Gartner.

Geoff Preston, head of marketing technology at Symbian, agreed that operators are getting "agitated" about the prospect of mobile viruses and thus are furthering the hype around such potential problems.

Ultimately, these speakers were optimistic that the wireless industry could continue to aggressively push security in order to stem the possibility of viruses becoming a real problem in the mobile world.

"The mobile world should not just follow the PC paradigm by being reactive. We should be proactive to prevent getting to the point the PC world is in today," said Preston.

Rather than worrying so much about potential mobile viruses, IT departments can do a better job of securing data that is stored on devices.
A simple education process for mobile workers can help, said Chris Atwell, sales director at Extended Systems, a company that offers software that secures mobile access to corporate data. IT departments should emphasize that users should keep their devices locked and use an authentication process to access data. With such policies in place, workers will begin to recognize that the data stored or accessible on the phone has value and that may make them think twice about downloading suspicious files, for example, Atwell said.

Companies can also deploy platforms that allow them to remotely erase or kill a device that might be lost or stolen, thus helping to protect sensitive data from getting into the wrong hands.

Graubelle also stressed that mobile operators can implement device management platforms that can allow them to revoke applications that users may download, thus stemming the spread of potentially harmful viruses. While some operators are beginning to police such downloads, all have a responsibility to do so, he said.

From isn at c4i.org Fri Oct 14 00:11:40 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 14 00:24:13 2005
Subject: [ISN] US cybersecurity all at sea
Message-ID:

http://www.theregister.co.uk/2005/10/13/us_cybersecurity_analysis/

By John Leyden
13th October 2005

... without a paddle

US cybersecurity risks are being poorly managed by the Department of Homeland Security, according to a former US presidential information security advisor.

Peter Tippett, who recently served a two-year term on the President's Information Technology Advisory Committee, said a lack of leadership on electronic security left the US at a greater risk of electronic attack. Tippett, who is now chief technology officer with managed security firm CyberTrust, compared Homeland Security's posture in defending against electronic attacks to the lack of preparation by FEMA (Federal Emergency Management Agency) in managing relief efforts for Hurricane Katrina.

"Something similar happened when Homeland Security got responsibility for both FEMA and computer security. When responsibility was transferred from the White House to Homeland Security good people left the top. There's confusion over reporting lines and no leadership," Tippett told El Reg.

US government's cybersecurity responsibilities - along with those of FEMA - were transferred from the White House to the Department of Homeland Security during a reshuffle of 22 federal agencies three years ago.

Tippett's criticisms are echoed by accusations that Homeland Security is ill-prepared for emergencies and beset by bureaucratic bungling by auditors and segments of the security industry.

However, Howard Schmidt, chief exec of R&H Security and a former senior White House cyber security advisor, defended the Homeland Security agency's record.

"There's been a lot of criticisms but they don't take into account the good work that the Homeland Security agency is doing. It is doing all it can to improve government systems within the priorities it has. We are getting incrementally better systems. Improvements will take time."

Back to basics

Schmidt made the comments at the SecureLondon conference, organised by security training and certification body ISC(2), in London earlier this week.

Both Schmidt and Tippett have radical ideas for improving cybersecurity in the IT industry. Schmidt wants to see software developers held personally accountable for the security of the code they write. This is a radical idea but who is to blame for a Win XP security bug, for example? It would take the brain of Sherlock Holmes to apportion personal blame for that on any one developer, we suspect.

Tippett advocates the wider adoption of basic security defences rather than government standards, which "don't translate into fewer hacker attacks". It would be better if PCs denied actions by default rather than permitting anything that was not known to be bad, he argued.
Tippett is credited with creating one of the first commercial anti-virus products, which later became Symantec's Norton Anti-Virus. He is highly critical of the industry he helped create.

"The anti-virus industry is not interested in default deny because if they did that they wouldn't be able to sell updates," he said.

"Information security problems are getting worse, even though people are spending more. Throwing money at the problem isn't helping. All the market wants to do is sell new gizmos," he added.

From isn at c4i.org Fri Oct 14 00:11:55 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 14 00:24:32 2005
Subject: [ISN] DDoS attacks still biggest threat
Message-ID:

http://www.techworld.com/networking/news/index.cfm?NewsID=4570

By John E. Dunn, Techworld
13 October 2005

Companies should devote more resources to countering old-fashioned DDoS attacks when investing in security, a survey of global ISPs (pdf) [1] has argued.

The figures from Arbor Networks in its Worldwide ISP Security Report came from questionnaires sent to 36 large ISPs in the US, Europe and Asia. Over 90 percent of ISPs surveyed cited simple "brute force" TCP SYN and UDP datagram DDoS floods from zombie PC networks as their biggest day-to-day hassle, a finding which should apply equally to their corporate clients.

This puts DDoS ahead of more recent attack types such as fast-spreading worms and DNS poisoning, which were ranked second and third respectively, in terms of prevalence. Even then, worm attacks were often most hazardous in terms of their original effect on traffic. "The primary threat from worms is not the payloads but the network congestion they cause," the report noted.

Surprisingly, given the prevalence of this type of attack in recent years, only 29 percent of ISPs offered services to counter and trace DDoS in an automated way at the ISP level. The majority only discovered such events when a customer contacted them for help.
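The automated detection the report finds missing at most ISPs, and the ACL trade-off it describes, as an added example that is not code from the article, from Arbor or from any ISP: it flags a destination that receives many SYN-only TCP flows (or tiny UDP flows) from many distinct sources in a set of constructed flow records, then compares the blunt ACL that drops everything addressed to the victim with a narrower per-source filter. The addresses come from the RFC 5737 documentation ranges and the thresholds are illustrative assumptions, not figures from the survey.

```python
"""Flagging a SYN/UDP flood in flow records and weighing two ACL-style responses.

Added example, not code from the Techworld article or the Arbor report. The flow
records, addresses (RFC 5737 documentation ranges) and thresholds are all
constructed for the demonstration and are not figures from the survey.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    flags: str    # TCP flags seen over the flow: "S" = SYN only, "SA" = handshake completed; "" for UDP
    packets: int


VICTIM = "203.0.113.10"      # constructed: web server under attack
NEIGHBOUR = "203.0.113.20"   # constructed: another server in the same prefix


def build_sample_flows() -> list:
    """Constructed collector output: a SYN flood plus a little legitimate traffic."""
    flows = []
    # 300 half-open TCP flows, each from a different (spoofed) source address.
    for i in range(300):
        src = f"198.51.100.{i + 1}" if i < 254 else f"192.0.2.{i - 253}"
        flows.append(Flow(src, VICTIM, "tcp", 80, "S", 1))
    # Five real clients that completed the handshake with the victim.
    for i in range(5):
        flows.append(Flow(f"192.0.2.{100 + i}", VICTIM, "tcp", 80, "SA", 40))
    # Ordinary traffic to the neighbour, including small DNS exchanges.
    for i in range(5):
        flows.append(Flow(f"192.0.2.{110 + i}", NEIGHBOUR, "tcp", 443, "SA", 25))
        flows.append(Flow(f"192.0.2.{110 + i}", NEIGHBOUR, "udp", 53, "", 2))
    return flows


def is_suspect(f: Flow) -> bool:
    """Heuristic (assumed thresholds): a TCP flow that never got past SYN, or a tiny UDP flow."""
    return (f.proto == "tcp" and f.flags == "S") or (f.proto == "udp" and f.packets <= 2)


def detect_floods(flows, min_flows: int = 100, min_sources: int = 50) -> dict:
    """Destinations receiving many suspect flows from many distinct sources."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        if is_suspect(f):
            counts[f.dst] += 1
            sources[f.dst].add(f.src)
    return {dst: {"suspect_flows": n, "sources": len(sources[dst])}
            for dst, n in counts.items()
            if n >= min_flows and len(sources[dst]) >= min_sources}


def blackhole_acl(flows, victim: str) -> list:
    """The blunt ACL the article describes: drop everything addressed to the victim."""
    return [f for f in flows if f.dst != victim]


def source_filter(flows, victim: str) -> list:
    """Narrower ACL: drop only flows to the victim from sources seen flooding it."""
    flooders = {f.src for f in flows if f.dst == victim and is_suspect(f)}
    return [f for f in flows if not (f.dst == victim and f.src in flooders)]


def mitigation_report(flows, victim: str) -> dict:
    """Per response: attack flows still reaching the victim, legitimate flows lost."""
    legit_to_victim = [f for f in flows if f.dst == victim and not is_suspect(f)]
    report = {}
    for name, remaining in (("blackhole", blackhole_acl(flows, victim)),
                            ("source_filter", source_filter(flows, victim))):
        kept = set(remaining)
        report[name] = {
            "attack_flows_remaining": sum(1 for f in remaining if f.dst == victim and is_suspect(f)),
            "legitimate_flows_dropped": sum(1 for f in legit_to_victim if f not in kept),
        }
    return report


if __name__ == "__main__":
    sample = build_sample_flows()
    print("flagged:", detect_floods(sample))
    print("responses:", mitigation_report(sample, VICTIM))
```

On this constructed traffic the per-source filter keeps all five legitimate client flows while the blackhole drops them, which is exactly the "shutting off network access" cost the next paragraph describes. The per-source list only looks clean here because the constructed flood never reuses a legitimate address; against spoofed or rotating sources it grows without bound, which is part of why the destination-wide ACL remains the response the survey reports.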
The main means of defending against DDoS remains the use of Access Control Lists (ACLs), but these come with the downside of shutting off network access. The DDoS attack is stopped but only by replicating much the same effect as the original traffic blocking.

The reported motivations for DDoS attacks cluster around issues such as cyber-extortion, electronic protests against companies, and even corporate espionage. Few, if any, of such attacks are reported to result in criminal action against the instigator, which could account for its continued popularity.

[1] http://www.arbor.net/downloads/Arbor_Worldwide_ISP_Security_Report.pdf

From isn at c4i.org Fri Oct 14 00:13:13 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 14 00:24:52 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-41
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-10-06 - 2005-10-13

This week : 85 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Microsoft has released their monthly security updates, which correct several vulnerabilities in various Microsoft products.

All users of Microsoft products are advised to check Windows Update for available security updates.

Additional details can be found in the referenced Secunia advisories below.

References:
http://secunia.com/SA17168
http://secunia.com/SA17167
http://secunia.com/SA17166
http://secunia.com/SA17165
http://secunia.com/SA17163
http://secunia.com/SA17161
http://secunia.com/SA17160

--

A vulnerability has been reported in Kaspersky Anti-Virus, which can be exploited by malicious people to cause a DoS (Denial of Service), or compromise a vulnerable system.

Additional details and information about the solution can be found in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA17130

--

Secunia Research has discovered two vulnerabilities in WinRAR, which can be exploited by malicious people to compromise a user's system.

The vendor has released an updated version, which fixes these vulnerabilities.

Reference:
http://secunia.com/SA16973

VIRUS ALERTS:

During the last week, Secunia issued 2 MEDIUM RISK virus alerts.
Please refer to the grouped virus profiles below for more information:

SOBER.AC - MEDIUM RISK Virus Alert - 2005-10-08 06:46 GMT+1
http://secunia.com/virus_information/22224/sober.ac/

Sober.R - MEDIUM RISK Virus Alert - 2005-10-06 12:55 GMT+1
http://secunia.com/virus_information/22225/sober.r/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA17071] Mozilla Firefox Iframe Size Denial of Service Weakness
2. [SA17062] UW-imapd Mailbox Name Parsing Buffer Overflow Vulnerability
3. [SA17064] Microsoft Windows XP Wireless Zero Configuration Wireless Profile Disclosure
4. [SA16560] Windows Registry Editor Utility String Concealment Weakness
5. [SA17167] Microsoft Collaboration Data Objects Buffer Overflow Vulnerability
6. [SA16901] Thunderbird Command Line URL Shell Command Injection
7. [SA16869] Firefox Command Line URL Shell Command Injection
8. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
9. [SA17049] Symantec AntiVirus Scan Engine Administrative Interface Buffer Overflow
10. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA17172] Avaya Various Products Multiple Vulnerabilities
[SA17167] Microsoft Collaboration Data Objects Buffer Overflow Vulnerability
[SA17160] Microsoft Windows DirectShow AVI Handling Vulnerability
[SA17168] Microsoft Windows Shell and Web View Three Vulnerabilities
[SA17163] Microsoft Windows FTP Client Filename Validation Vulnerability
[SA17117] aeNovo Cross-Site Scripting and SQL Injection Vulnerabilities
[SA17091] aspReady FAQ Manager Login SQL Injection Vulnerability
[SA17166] Microsoft Windows Plug-and-Play Service Arbitrary Code Execution
[SA17165] Microsoft Windows Client Service for NetWare Buffer Overflow
[SA17161] Microsoft Windows MSDTC and COM+ Vulnerabilities
[SA17136] GFI MailSecurity HTTP Management Interface Buffer Overflow
[SA17096] CheckMark Payroll DUNZIP32.dll Buffer Overflow Vulnerability

UNIX/Linux:
[SA17149] Ubuntu update for mozilla-thunderbird
[SA17090] Red Hat update for thunderbird
[SA17179] Mandriva update for xine-lib
[SA17171] Ubuntu update for koffice-libs/kword
[SA17162] Debian update for xine-lib
[SA17145] KOffice KWord RTF Importer Buffer Overflow Vulnerability
[SA17144] F-Secure Anti-Virus for Linux CHM File Parsing Buffer Overflow
[SA17135] SGI Advanced Linux Environment Multiple Updates
[SA17132] Slackware update for xine-lib
[SA17127] SUSE update for realplayer
[SA17116] Gentoo update for realplayer / helixplayer
[SA17111] Gentoo update for xine
[SA17102] Debian update for ethereal
[SA17099] xine-lib CDDB Client Format String Vulnerability
[SA17097] Ubuntu update for libxine1
[SA17177] Mandriva update for squid
[SA17156] Ubuntu update for sqwebmail
[SA17152] Gentoo update for uw-imap
[SA17148] Debian update for uw-imap
[SA17147] Red Hat update for ruby
[SA17143] Fedora update for xloadimage
[SA17140] Debian update for xloadimage
[SA17139] Debian update for xli
[SA17129] Debian update for ruby
[SA17124] xli NIFF Image Title Handling Buffer Overflow
[SA17120] Debian update for up-imapproxy
[SA17108] Debian update for dia
[SA17103] Debian update for openvpn
[SA17100] imapproxy "ParseBannerAndCapability" Format String Vulnerability
[SA17098] Ubuntu update for ruby1.8
[SA17095] Gentoo update for dia
[SA17094] Gentoo update for ruby
[SA17088] HP-UX Apache mod_ssl "SSLVerifyClient" Security Bypass Security Issue
[SA17087] Xloadimage NIFF Image Title Handling Buffer Overflow
[SA17128] OpenVMPS Logging Functionality Format String Vulnerability
[SA17106] Debian update for py2play
[SA17092] Sun Java System Directory Server HTTP Admin Interface Unspecified Vulnerability
[SA17180] Gentoo update for openssl
[SA17178] Mandriva update for openssl
[SA17169] Sun Solaris OpenSSL SSL 2.0 Rollback Vulnerability
[SA17153] Red Hat update for openssl
[SA17146] FreeBSD update for openssl
[SA17123] Debian update for cpio
[SA17118] Debian update for tcpdump
[SA17101] Debian update for tcpdump
[SA17114] Linux Kernel Potential Denial of Service and Information Disclosure
[SA17113] Ubuntu update for shorewall
[SA17112] Gentoo update for weex
[SA17110] Debian update for shorewall
[SA17154] Red Hat update for util-linux/mount
[SA17142] Ubuntu update for cfengine
[SA17131] SGI IRIX "runpriv" Arbitrary Shell Command Injection Vulnerability
[SA17125] Debian update for graphviz
[SA17121] Graphviz "dotty.lefty" Insecure Temporary File Creation
[SA17109] Debian update for masqmail
[SA17107] Mandriva update for hylafax
[SA17093] Ubuntu update for texinfo
[SA17141] Ubuntu update for kernel
[SA17133] Sun Java Desktop System umount "-r" Re-Mounting Security Issue

Other:

Cross Platform:
[SA17158] WebGUI Unspecified Arbitrary Code Execution Vulnerability
[SA17130] Kaspersky Anti-Virus Engine CHM File Parsing Buffer Overflow
[SA17174] versatileBulletinBoard Cross-Site Scripting and SQL Injection
[SA17173] Zope Unspecified docutils Security Issue
[SA17164] Sun Java System Application Server JSP Source Code Disclosure
[SA17159] Xeobook Guestbook Script Insertion Vulnerability
[SA17138] BEA WebLogic 24 Vulnerabilities and Security Issues
[SA17137] phpMyAdmin "subform" Local File Inclusion Vulnerability
[SA17134] PHP Advanced Transfer Manager HTML Upload Vulnerability
[SA17115] Utopia News Pro Cross-Site Scripting and SQL Injection
[SA17104] Cyphor Cross-Site Scripting and SQL Injection Vulnerabilities
[SA17175] ZeroBlog "threadID" Cross-Site Scripting Vulnerability
[SA17151] OpenSSL Potential SSL 2.0 Rollback Vulnerability
[SA17089] Paros hsqldb Exposure of Database Content

========================================================================
5) Vulnerabilities Content Listing

Windows:

--
[SA17172] Avaya Various Products Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2005-10-12

Avaya has acknowledged some vulnerabilities in various products, which can be exploited by malicious, local users to gain escalated privileges, or by malicious people to cause a DoS (Denial of Service) or compromise a user's system or vulnerable system.

Full Advisory:
http://secunia.com/advisories/17172/

--
[SA17167] Microsoft Collaboration Data Objects Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-11

Gary O'leary-Steele has reported a vulnerability in Microsoft Windows and Microsoft Exchange 2000 Server, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17167/

--
[SA17160] Microsoft Windows DirectShow AVI Handling Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-11

eEye Digital Security has reported a vulnerability in Microsoft Windows DirectShow, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17160/

--
[SA17168] Microsoft Windows Shell and Web View Three Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-11

Three vulnerabilities have been reported in Microsoft Windows, allowing malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17168/

--
[SA17163] Microsoft Windows FTP Client Filename Validation Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-11

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17163/

--
[SA17117] aeNovo Cross-Site Scripting and SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-10-10

KAPDA has reported some vulnerabilities in aeNovo, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17117/

--
[SA17091] aspReady FAQ Manager Login SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-10-10

Preben Nyloekken has discovered a vulnerability in aspReady FAQ Manager, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17091/

--
[SA17166] Microsoft Windows Plug-and-Play Service Arbitrary Code Execution

Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-10-11

eEye Digital Security has reported a vulnerability in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges, or by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17166/

--
[SA17165] Microsoft Windows Client Service for NetWare Buffer Overflow

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-10-11

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious users, or by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17165/

--
[SA17161] Microsoft Windows MSDTC and COM+ Vulnerabilities

Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, DoS, System access
Released: 2005-10-11

Some vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges, or by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17161/

--
[SA17136] GFI MailSecurity HTTP Management Interface Buffer Overflow

Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2005-10-12

Gary O'leary-Steele has reported a vulnerability in GFI MailSecurity, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17136/

--
[SA17096] CheckMark Payroll DUNZIP32.dll Buffer Overflow Vulnerability

Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-10-12

Juha-Matti Laurio has reported a vulnerability in CheckMark Payroll, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17096/

UNIX/Linux:

--
[SA17149] Ubuntu update for mozilla-thunderbird

Critical: Extremely critical
Where: From remote
Impact: Security Bypass, Spoofing, Manipulation of data, System access
Released: 2005-10-11

Ubuntu has issued an update for mozilla-thunderbird.
This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17149/

--
[SA17090] Red Hat update for thunderbird

Critical: Extremely critical
Where: From remote
Impact: Security Bypass, Spoofing, Manipulation of data, System access
Released: 2005-10-07

Red Hat has issued an update for thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17090/

--
[SA17179] Mandriva update for xine-lib

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-12

Mandriva has issued an update for xine-lib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17179/

--
[SA17171] Ubuntu update for koffice-libs/kword

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-12

Ubuntu has issued an update for koffice-libs/kword. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17171/

--
[SA17162] Debian update for xine-lib

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-12

Debian has issued an update for xine-lib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17162/

--
[SA17145] KOffice KWord RTF Importer Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-11

A vulnerability has been reported in KOffice, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17145/

--
[SA17144] F-Secure Anti-Virus for Linux CHM File Parsing Buffer Overflow

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-11

A vulnerability has been reported in F-Secure Anti-Virus for Linux, which can be exploited by malicious people to cause a DoS, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17144/

--
[SA17135] SGI Advanced Linux Environment Multiple Updates

Critical: Highly critical
Where: From remote
Impact: Manipulation of data, Exposure of system information, Privilege escalation, DoS, System access
Released: 2005-10-11

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, or by malicious people to cause a DoS (Denial of Service), overwrite arbitrary files on a user's system, gain knowledge of various information, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17135/

--
[SA17132] Slackware update for xine-lib

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-11

Slackware has issued an update for xine-lib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17132/

--
[SA17127] SUSE update for realplayer

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-10

SUSE has issued an update for realplayer.
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17127/

--
[SA17116] Gentoo update for realplayer / helixplayer

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-10

Gentoo has issued an update for realplayer / helixplayer. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17116/

--
[SA17111] Gentoo update for xine

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-10

Gentoo has issued an update for xine-lib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17111/

--
[SA17102] Debian update for ethereal

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-10

Debian has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17102/

--
[SA17099] xine-lib CDDB Client Format String Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-10

Ulf Harnhammar has reported a vulnerability in xine-lib, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17099/

--
[SA17097] Ubuntu update for libxine1

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-10

Ubuntu has issued an update for libxine1. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17097/

--
[SA17177] Mandriva update for squid

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-10-12

Mandriva has issued an update for squid. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17177/

--
[SA17156] Ubuntu update for sqwebmail

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-10-12

Ubuntu has issued an update for sqwebmail. This fixes some vulnerabilities, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17156/

--
[SA17152] Gentoo update for uw-imap

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-11

Gentoo has issued an update for uw-imap. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17152/

--
[SA17148] Debian update for uw-imap

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-11

Debian has issued an update for uw-imap. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17148/

--
[SA17147] Red Hat update for ruby

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-12

Red Hat has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17147/

--
[SA17143] Fedora update for xloadimage

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-11

Fedora has issued an update for xloadimage.
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17143/

--
[SA17140] Debian update for xloadimage

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-11

Debian has issued an update for xloadimage. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17140/

--
[SA17139] Debian update for xli

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-11

Debian has issued an update for xli. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17139/

--
[SA17129] Debian update for ruby

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-11

Debian has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17129/

--
[SA17124] xli NIFF Image Title Handling Buffer Overflow

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-11

A vulnerability has been reported in xli, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17124/

--
[SA17120] Debian update for up-imapproxy

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-10

Debian has issued an update for up-imapproxy. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17120/

--
[SA17108] Debian update for dia

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-10

Debian has issued an update for dia. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17108/

--
[SA17103] Debian update for openvpn

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-10-10

Debian has issued an update for openvpn. This fixes some vulnerabilities, which can be exploited by malicious people and users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17103/

--
[SA17100] imapproxy "ParseBannerAndCapability" Format String Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-10

Steve Kemp has reported a vulnerability in imapproxy, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17100/

--
[SA17098] Ubuntu update for ruby1.8

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-10

Ubuntu has issued an update for ruby1.8. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17098/

--
[SA17095] Gentoo update for dia

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-07

Gentoo has issued an update for dia. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17095/

--
[SA17094] Gentoo update for ruby

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-07

Gentoo has issued an update for ruby.
This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17094/ -- [SA17088] HP-UX Apache mod_ssl "SSLVerifyClient" Security Bypass Security Issue Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-10-07 HP has acknowledged a vulnerability in Apache for HP-UX which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17088/ -- [SA17087] Xloadimage NIFF Image Title Handling Buffer Overflow Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-07 Ariel Berkman has reported a vulnerability in xloadimage, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17087/ -- [SA17128] OpenVMPS Logging Functionality Format String Vulnerability Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2005-10-11 mazahaquer has reported a vulnerability in OpenVMPS, which potentially can be exploited by malicious people to cause a DoS (Denial of Service), or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17128/ -- [SA17106] Debian update for py2play Critical: Moderately critical Where: From local network Impact: System access Released: 2005-10-10 Debian has issued an update for py2play. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17106/ -- [SA17092] Sun Java System Directory Server HTTP Admin Interface Unspecified Vulnerability Critical: Moderately critical Where: From local network Impact: System access Released: 2005-10-07 Peter Winter-Smith has reported a vulnerability in Sun Java System Directory Server, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/17092/ -- [SA17180] Gentoo update for openssl Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-10-12 Gentoo has issued an update for openssl. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17180/ -- [SA17178] Mandriva update for openssl Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-10-12 Mandriva has issued an update for openssl. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17178/ -- [SA17169] Sun Solaris OpenSSL SSL 2.0 Rollback Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-10-12 Sun Microsystems has acknowledged a vulnerability in Solaris, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17169/ -- [SA17153] Red Hat update for openssl Critical: Less critical Where: From remote Impact: Security Bypass, Exposure of sensitive information, Privilege escalation Released: 2005-10-12 Red Hat has issued an update for openssl. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17153/ -- [SA17146] FreeBSD update for openssl Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-10-11 FreeBSD has issued an update for openssl. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/17146/ -- [SA17123] Debian update for cpio Critical: Less critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2005-10-10 Debian has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious people to cause files to be unpacked to arbitrary locations on a user's system. Full Advisory: http://secunia.com/advisories/17123/ -- [SA17118] Debian update for tcpdump Critical: Less critical Where: From remote Impact: DoS Released: 2005-10-10 Debian has issued an update for tcpdump. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/17118/ -- [SA17101] Debian update for tcpdump Critical: Less critical Where: From remote Impact: DoS Released: 2005-10-10 Debian has issued an update for tcpdump. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/17101/ -- [SA17114] Linux Kernel Potential Denial of Service and Information Disclosure Critical: Less critical Where: From local network Impact: Exposure of sensitive information, DoS Released: 2005-10-11 Two vulnerabilities and a security issue have been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service), or by malicious people to disclose certain sensitive information. Full Advisory: http://secunia.com/advisories/17114/ -- [SA17113] Ubuntu update for shorewall Critical: Less critical Where: From local network Impact: Security Bypass Released: 2005-10-10 Ubuntu has issued an update for shorewall. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/17113/ -- [SA17112] Gentoo update for weex Critical: Less critical Where: From local network Impact: DoS, System access Released: 2005-10-10 Gentoo has issued an update for weex. This fixes a vulnerability, which potentially can be exploited by malicious users to cause a DoS (Denial of Service) or to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17112/ -- [SA17110] Debian update for shorewall Critical: Less critical Where: From local network Impact: Security Bypass Released: 2005-10-10 Debian has issued an update for shorewall. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17110/ -- [SA17154] Red Hat update for util-linux/mount Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-10-12 Red Hat has issued updates for util-linux and mount. These fix a security issue, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/17154/ -- [SA17142] Ubuntu update for cfengine Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-10-11 Ubuntu has issued an update for cfengine. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/17142/ -- [SA17131] SGI IRIX "runpriv" Arbitrary Shell Command Injection Vulnerability Critical: Less critical Where: Local system Impact: Security Bypass, Privilege escalation Released: 2005-10-11 A vulnerability has been reported in IRIX, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. 
Full Advisory: http://secunia.com/advisories/17131/ -- [SA17125] Debian update for graphviz Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-10-10 Debian has issued an update for graphviz. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/17125/ -- [SA17121] Graphviz "dotty.lefty" Insecure Temporary File Creation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-10-10 Javier Fernandez-Sanguino Pena has reported a vulnerability in Graphviz, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/17121/ -- [SA17109] Debian update for masqmail Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-10-10 Debian has issued an update for masqmail. This fixes two vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/17109/ -- [SA17107] Mandriva update for hylafax Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-10-10 Mandriva has issued an update for hylafax. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/17107/ -- [SA17093] Ubuntu update for texinfo Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-10-07 Ubuntu has issued an update for texinfo. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. 
Full Advisory: http://secunia.com/advisories/17093/ -- [SA17141] Ubuntu update for kernel Critical: Not critical Where: From remote Impact: DoS Released: 2005-10-11 Ubuntu has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users, or by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/17141/ -- [SA17133] Sun Java Desktop System umount "-r" Re-Mounting Security Issue Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2005-10-11 Sun Microsystems has acknowledged a security issue in Sun JDS (Java Desktop System) which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/17133/ Other: Cross Platform:-- [SA17158] WebGUI Unspecified Arbitrary Code Execution Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-12 A vulnerability has been reported in WebGUI, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17158/ -- [SA17130] Kaspersky Anti-Virus Engine CHM File Parsing Buffer Overflow Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-10-11 A vulnerability has been reported in Kaspersky Anti-Virus, which can be exploited by malicious people to cause a DoS (Denial of Service), or compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/17130/ -- [SA17174] versatileBulletinBoard Cross-Site Scripting and SQL Injection Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information Released: 2005-10-12 rgod has discovered some vulnerabilities and a security issue in versatileBulletinBoard, which can be exploited by malicious people to disclose system information, and conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/17174/ -- [SA17173] Zope Unspecified docutils Security Issue Critical: Moderately critical Where: From remote Impact: Unknown Released: 2005-10-12 A security issue with an unknown impact has been reported in Zope. Full Advisory: http://secunia.com/advisories/17173/ -- [SA17164] Sun Java System Application Server JSP Source Code Disclosure Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-10-12 A vulnerability has been reported in Sun Java System Application Server, which can be exploited by malicious people to disclose certain sensitive information. Full Advisory: http://secunia.com/advisories/17164/ -- [SA17159] Xeobook Guestbook Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-10-12 rjonesx has discovered a vulnerability in Xeobook, which can be exploited by malicious people to conduct script insertion attacks. 
Full Advisory: http://secunia.com/advisories/17159/ -- [SA17138] BEA WebLogic 24 Vulnerabilities and Security Issues Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Brute force, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS Released: 2005-10-11 24 vulnerabilities and security issues have been reported in WebLogic Server and WebLogic Express, where the most critical ones potentially can be exploited by malicious users to gain escalated privileges and by malicious people to conduct cross-site scripting and HTTP request smuggling attacks, cause a DoS (Denial of Service), and bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17138/ -- [SA17137] phpMyAdmin "subform" Local File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-10-11 Maksymilian Arciemowicz has discovered a vulnerability in phpMyAdmin, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/17137/ -- [SA17134] PHP Advanced Transfer Manager HTML Upload Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-10-11 Hamed Bazargani has discovered a vulnerability in PHP Advanced Transfer Manager, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/17134/ -- [SA17115] Utopia News Pro Cross-Site Scripting and SQL Injection Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-10-10 rgod has discovered some vulnerabilities in Utopia News Pro, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/17115/ -- [SA17104] Cyphor Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-10-10 rgod has discovered some vulnerabilities in Cyphor, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/17104/ -- [SA17175] ZeroBlog "threadID" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-10-12 trueend5 has discovered a vulnerability in ZeroBlog, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17175/ -- [SA17151] OpenSSL Potential SSL 2.0 Rollback Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-10-11 A vulnerability has been reported in OpenSSL, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17151/ -- [SA17089] Paros hsqldb Exposure of Database Content Critical: Less critical Where: From local network Impact: Security Bypass, Exposure of sensitive information Released: 2005-10-10 A security issue has been reported in Paros, which can be exploited by malicious people to disclose sensitive information and bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17089/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 From isn at c4i.org Fri Oct 14 00:13:34 2005 From: isn at c4i.org (InfoSec News) Date: Fri Oct 14 00:25:14 2005 Subject: [ISN] Military foundation's website hacked Message-ID: http://www.koreaherald.co.kr/SITE/data/html_dir/2005/10/14/200510140034.asp By Jin Dae-woong 2005.10.14 Personal information taken by computer hackers from the website of an organization affiliated to the Defense Ministry may have been used to aid criminal acts, the Defense Security Command said yesterday. The Command said many attempts to hack into the website of the M.N.D Ho Guk Foundation were made during the past two months. The command said two attempts were successful - one apparently from inside Korea, the other possibly from abroad. The foundation controls scholarships and welfare grants for soldiers' families and stores huge amounts of personal information about troops and their dependents on its database. The command raised the possibility during initial investigations that the cyber raiders gathered information such as personal identity numbers and addresses to carry out a variety of crimes. The website is now closed to prevent additional hacking. The government's security systems - designed to protect personal information - were gravely tested in July when information from more than 250 computers in 10 government organizations was stolen through large-scale hacking. The National Police Agency, the National Assembly, Korea Institute for Defense Analyses and USFK were among the organizations hacked. The command has also launched an investigation into claims made by a lawmaker based on classified military information. Rep. 
Kwon Young-ghil, a lawmaker of the Labor Democratic Party, said Monday in a press release that South Korea and the United States agreed a war plan, code-named Operation Plan 5027-04, against North Korea in 2002. Kwon cited a classified document taken from the Security Consultative Meeting when this plan was agreed. Defense Minister Yoon Kwang-ung said Tuesday in the wake of this disclosure that the ministry will soon launch an investigation into how the confidential information leaked out. Rep. Kwon and his secretaries have already been summoned to appear at the investigation.

From isn at c4i.org Fri Oct 14 00:13:51 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 14 00:25:35 2005
Subject: [ISN] Security fix assures long election nights
Message-ID:

http://www.ajc.com/metro/content/metro/1005/13metvote.html

By RICHARD WHITT
The Atlanta Journal-Constitution
Published on: 10/13/05

Software installed to improve security in Georgia's new touch-screen voting machines has significantly slowed the process of counting ballots - and it might not get much faster for next month's municipal elections or statewide and U.S. House elections in 2006. Although election officials believe adjustments could yet improve the speed, some local officials aren't so sure. "We have actually taken steps backward," says Gwinnett Election Supervisor Lynn Ledford. "We may go from five or six hours [counting votes] to maybe getting results the next day." Several metro Atlanta counties have experienced the slowdown in local elections. Last month, it took Cobb County more than four hours to count votes for a sales tax referendum - an election in which one in 10 eligible voters cast ballots and fewer than half of the county's voting machines were in use. In June, Fulton County election officials didn't finish counting votes on the Sandy Springs referendum until nearly midnight.
And in Coweta County, counting ballots in a June special election went so slowly that election officials first thought something was wrong with the system. Led by Secretary of State Cathy Cox, Georgia election officials began considering touch-screen voting following the debacle of the 2000 presidential election in Florida. "The fact we now have a slight delay over what we had two years ago is, I think, a worthy trade-off for enhanced security," Cox says.

Expect long nights

Cox, who is running for governor, says county election officials are sharing information on how to speed up the process, and they hope counting will go faster as election workers become more familiar with the new system. But some local election officials worry that a general election requiring all of their voting machines will be excruciatingly slow, particularly in larger counties. All of this is bad news for candidates waiting for results at parties or people watching TV or scouring the Internet for returns on election night. "The balloons won't fall ... I'd miss that," says Miranda Dillard, a registered voter and a music teacher at Paideia School in Atlanta. "I want votes to be counted correctly - we don't want a repeat of Florida - but there ought to be a balance between security and speed so we can enjoy the excitement of election night."

30 seconds per ballot

The problem can be traced to new security software, given to Georgia by Diebold Elections Systems of Ohio, which has a $54 million contract to supply the state with the touch-screen machines. The software was added to all voting machines last spring. It encrypts the transmission of election data from precincts to county election headquarters, making electronic vote tampering, internally or externally, more difficult. Votes from machines are now coded onto a data card. Then, those cards have to be decoded and counted by a computer before the vote is official.
Before the new security measures, computers decoded the data cards almost instantly. Now, it takes about 30 seconds to process each data card - and keep in mind, there are about 2,000 data cards used in Cobb County alone. All of this explains why Sandy Springs residents waited - and waited - for results on that new city's incorporation vote. "It was just a shocker for us to have that type of delay in June," says Fulton County's elections chief Cynthia Welch, who watched the painstaking process.

Speed or security?

Cox admits it's a balancing act between speed and security. "I'm sure you will talk to people in this state who think we can never have too much security," she says. "Certainly I think this enhancement was a good thing for our machines." Even though there hasn't been a recorded incident of fraud involving the system, some people simply don't trust it. Since touch-screen voting debuted, Cox has faced steady criticism from a small but vocal group of Georgians who say the system is vulnerable to manipulation. And several respected computer security experts have suggested the machines' software can be tampered with to change the outcome of elections. To pacify uneasy voters, the state is considering retrofitting the machines with printers so voters could double-check their on-screen choices. Creating a paper trail could slow the vote count even more - if those ballots were used in the official count, says Cox's spokesman Chris Riggall. Georgia is the only state that uses the Diebold machines in every precinct. Some counties and cities in other states that use Diebold machines have the enhanced security system, but others do not, says David Bear, a spokesman for Diebold. Maryland, Ohio, Mississippi and Utah are phasing in Diebold touch-screen machines. Computer consultants in Maryland first raised security concerns, resulting in the new software.
Linda Lamone, Maryland's administrator of elections, says she's unaware of any complaints of slow vote counts during statewide elections in 2004. In the meantime, in Georgia, the debate over speed and security continues.

Cox remains confident

Beth Kish, Cobb County's elections supervisor, says glitches were expected because of the new security software. But, she warned, we shouldn't expect quick counts in next month's municipal elections. "Candidates are going to be frustrated," she says. "When we had optical scanners we were done in an hour or an hour-and-a-half. That will not happen again. It just won't happen." Looking forward to next year's governor's race, Cox expects to know the outcome before midnight on election night. "I don't think anybody is telling you it's going to be the next day," says Cox. "We are so far away from the nightmarish days of waiting for those punch cards to come in, I'm not the least bit afraid of going back to that." Even if there is a wait, it won't bother Marietta Mayor Bill Dunaway, who is running for re-election in November. "I'm so old I date back to the old paper ballot," says Dunaway, who is 66. "So anything is faster than what I grew up with."

From isn at c4i.org Fri Oct 14 00:14:05 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 14 00:26:05 2005
Subject: [ISN] Staff 'need reasons' to believe in security
Message-ID:

http://www.zdnet.com.au/news/security/soa/Staff_need_reasons_to_believe_in_security/0,2000061744,39217156,00.htm

By Tom Espiner
ZDNet UK
14 October 2005

Companies must ensure that their staff understand the reasons behind security policies and support them, rather than just dictating them from on high, a government consultant said at Secure London 2005 on Tuesday. Paul Hansford, class consultant for GCHQ and senior consultant at Insight Consulting, said that many security procedures fail because staff don't understand what their company is trying to do.
"It is not enough to get staff to literally 'sign up' to procedures -- they must fully appreciate their purpose," he said. He recalled an apocryphal story illustrating the point: "A colleague went into a government agency and at one cluster of desks saw a line of 'bobbing bird' toys. The system locked out the user if they didn't touch the keyboard for a certain length of time, and required them to re-input their password. The 'bobbing birds' were lined up next to everyone's computer so that they would tap the 'enter' key every 30 seconds." The underlying beliefs of staff can be at odds with security policy, he said. "People tend to have a 'What's in it for me?' attitude. For example, some people may feel that it's fine to share passwords if it makes the business tick over, their attitude being that business is more important than security," Hansford said. "Companies need to assess people's security training needs, which includes having to elicit how security 'aware' they are," he said. "Awareness is not just about education and training, but is also an appreciation of, and a motivation to support, an issue." An IBM security expert emphasised the need to monitor personnel to maintain security levels. "Personnel security is not just about initially screening and vetting employees, but it's also about monitoring the guy who might have personal problems," said Julian Lander, IT security programme manager with IBM. "If their work performance isn't right, they may be involved in drug or alcohol abuse, or if they have an overelaborate lifestyle -- which I've seen in the past -- that can indicate possible security problems." Lander argued that security procedures need to recognise the human factor. "Security is about people. Speaking generally, the way to address the problem is by coaching, mentoring or counselling -- all the soft skills that HR has. You have to work with HR to maintain a successful security policy," Lander said. 
According to Hansford, security standards become harder to maintain as more staff work remotely; he noted that more than half of all UK businesses currently allow staff remote access. "As more staff work remotely, physical security is difficult to achieve. At the end of the day (employers and security professionals) won't be there, so procedural security needs to be got right," he said.

From isn at c4i.org Mon Oct 17 00:01:59 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:11:47 2005
Subject: [ISN] Critical Windows patch may wreak PC havoc
Message-ID:

http://news.com.com/Critical+Windows+patch+may+wreak+PC+havoc/2100-1002_3-5896041.html

By Joris Evers
Staff Writer, CNET News.com
October 14, 2005

A Microsoft patch meant to fix critical security flaws in Windows 2000, Windows XP and Windows Server 2003 is causing trouble for some users, the company said Friday. The patch was released Tuesday to fix four Windows flaws, including one that experts predict will be exploited by a worm in the coming days. The flaw, tagged "critical" by Microsoft, lies in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC. Installing the patch can cause serious problems, Microsoft said in an advisory posted to its Web site Friday. The patch could lock users out of their PC, prevent the Windows Firewall from starting, block certain applications from running or installing, and empty the network connections folder, among other things, the software maker said. The trouble appears to occur only when default permission settings on a Windows directory have been changed, according to Microsoft. The software maker has received "limited reports" of problems from customers but is still investigating the issue, a representative said. Even if users experience PC trouble after installing the patch, they will still be protected against any attack exploiting the Windows flaw, a Microsoft representative said.
The patch was delivered with Microsoft security bulletin MS05-051. To resolve any problems caused by the MS05-051 patch, users should restore the default permissions for the Windows folder and the COM+ catalog. A guide is available on the Microsoft Web site, and steps start with changing the permissions on the "registration" folder in the Windows directory.

From isn at c4i.org Mon Oct 17 00:03:58 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:13:32 2005
Subject: [ISN] Lock-picking club feels responsibility is key
Message-ID:

http://www.utdmercury.com/media/paper691/news/2005/10/17/News/LockPicking.Club.Feels.Responsibility.Is.Key-1022034.shtml

By Roman Starsky
October 17, 2005

After he was denied permission to start a lock-picking club in high school, electrical engineering freshman Doug Farre decided to try his luck at UTD. "When I came to UTD, I toyed with the idea again and started talking to my roommates about it. They agreed that it was a good idea, we started collaborating, and things took off from there," Farre said. Within the first two weeks of the semester, Farre's club received official approval and sponsorship from Brian Berry, dean of social sciences. "I had convinced myself there was no way the university would let me have the club. I was prepared to fight for it, but when the time came and they told me it was approved, I was very excited," Farre said. Farre created an outline of club activities and set new member dues, which cover a personal lock-picking kit, at $20. "The name says it all. We will be picking locks. We hope to have competitions, guest speakers and learn a lot about bypassing locks," Farre said. Farre said many students expressed an interest in his organization, and the club currently boasts 30 lock pickers and 30 more potential members who have expressed interest in the club. "Lots of different people decided to join.
Members have a love for technology and are not the type of people that are going to give up an opportunity to learn something as intriguing as lock picking. We also have many girl members," Farre said. Farre envisions the Lock Picking Club as doing more than just teaching members to pick locks. "I think that having the Lock Picking Club on campus will get people involved who aren't normally involved in other activities. It also gives people a chance to learn an extremely important skill and educates people so they aren't ignorant about their surroundings," Farre said.

Despite Farre's enthusiasm, several Waterview Park residents have complained about the potential privacy risks associated with having an organized lock-picking group. "While I can see how the club may be a good thing, I can definitely see how this can be a security risk too," psychology freshman Mayra Artega said. Farre argues that only irresponsible lock pickers present a danger to residents' privacy. According to Farre, lock picking should be allowed if jujitsu, which teaches deadly combat techniques, is permissible. "I don't think there is anything to fear. Anyone can buy lock picks and use them for criminal purposes. All Lock Picking Club members are required to sign a code of ethics and will be made aware of the responsibilities that go along with being a member of our organization," Farre said.

The club plans to hold its first meeting on Oct. 4 from 6-7 p.m., followed by another meeting on Oct. 5 from 7-8 for those unable to attend the first meeting. The location has not been determined. "The club will meet twice a week, so members will be able to attend at least one meeting. The meetings will be on Tuesdays from 6-7 p.m. and on Wednesdays from 7-8 p.m. bi-weekly," Farre said. Eventually, Farre said he hopes the Lock Picking Club will grow enough to offer services to UTD.
"We hope to offer a discounted locksmithing service to the university for people locked out of their apartments and cars," Farre said. While previous lock-picking clubs at UTD failed long before they could offer an organized service to UTD students, Farre claims this club is going to be different. "I can guarantee that the new Lock Picking Club is going to be much bigger and better," Farre said. From isn at c4i.org Mon Oct 17 00:04:23 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 17 00:14:04 2005 Subject: [ISN] Interview: Fyodor Message-ID: http://www.whitedust.net/article/41/Interview:_Fyodor/ By Mark Hinge and Peter Prickett 17 Oct 2005 WD> What first drew you into the world of computing? My father is a hobbyist programmer, so I grew up with computers. In the early days I used an Apple ][ and Vic-20. By the time I really learned how to program, we had a PC XT. I thought DOS was cool, so UNIX really blew my mind when I discovered it in high school. That was where I got into security, too, as my friend David and I had shell accounts on the same ISP and would continually hack each others' accounts :). WD> Why did you create Nmap? [1] In The Cathedral and the Bazaar [2], Eric Raymond notes that 'every good work of software starts by scratching a developer's personal itch.' That was certainly my motivation for creating Nmap. I had a whole directory of scanners, including Julian Assange's Strobe, the reflscan SYN scanner, the UDP scanner from SATAN, a FIN scanner from Uriel Maimon, and many more. They all have very different options and limitations. I would want to use one scanner with an option from another. So initially I made my own modified versions of each scanner. Eventually, I decided the best approach was to create my own scanner from scratch. It would support all of the major scan types while being fast and efficient against large networks. Thus, Nmap was born. 
I used it myself for a while, and then released it to the public in a 1997 Phrack Article [3]. I hoped people would find it useful, but considered the project 'done' at that point and was ready to move onto new things. So much for that! I was overwhelmed with the response to Nmap, with so many people sending improvements that I released a new version. That cycle has continued for more than 8 years now :).

WD> Have you ever been concerned that Nmap is used for blackhat purposes?

I doubt that Nmap has ever been used for blackhat purposes. OK, maybe once or twice :). But seriously -- there is no way I can write a program that allows you to audit your own networks for security risks without also enabling bad guys to do the same. And trying to limit distribution to only 'good guys' is a lost cause. I believe that on balance, Nmap is a major net benefit to Internet security. If that ever becomes untrue, I will cease development.

Another tool I have written is an advanced denial of service utility named Ndos, which I have used effectively to briefly disable the web presence of major corporations (at their request and under controlled circumstances). I have not publicly released Ndos because I fear that it would be used more for abuse than for constructive purposes.

WD> Your most famous piece of software is, obviously, Nmap. What other pieces of software have you created? How successful have they been?

I used to work for an Internet startup company, which was purchased by Netscape, which was then purchased by AOL, which then merged with Time Warner. Phew! I created (and helped create) a number of popular online applications during that period, though none are really relevant to the security community.

Most of the time I write something new, I try to architect it so that it fits into Nmap. For example, OS detection [4] and version detection [5] could easily be standalone applications, but I decided to build them into Nmap instead.

This summer, Google generously agreed to sponsor 10 student Nmap developers [6] as part of their Summer of Code program. One of the most exciting projects is Ncat by Chris Gibson. This is a reinvention of Ncat with cool features such as IPv6, better portability and documentation, connection encryption and authentication, inetd-like capability to spawn multiple concurrent applications, connection redirection, and more. One neat feature is connection brokering, which allows multiple hosts behind NAT gateways to communicate with each other through a centralized Ncat server. It shares a lot of code I wrote for Nmap, including the Nsock and Nbase portable networking libraries.

Other interesting Summer of Code projects include:

* Doug Hoyte nearly tripled the size of the version detection database and added OS/device type/hostname detection to the system. The database now contains about 3,000 entries for more than 350 service protocols (X11, SNMP, SMTP, etc.)

* Zhao Lei added more than 350 OS detection fingerprints to Nmap [7], bringing the total to 1684. He also helped design a 2nd generation OS detection (stack fingerprinting) system

* Adriano Monteiro designed and implemented an advanced Nmap GUI and results viewer named UMIT [8] (screenshots) [9].

* Ole Morten Grodaas designed and implemented another advanced Nmap GUI and results viewer (it's nice to have choices in open source!) named NmapGUI. Further details and download links are here [10].

It is worth noting that these GUIs aren't simple wrapper scripts for people who have trouble remembering Nmap command-line options. They offer powerful features for visualizing and searching large scan results.

While the program is over, all of these developers have continued active development to improve their projects, which aren't yet fully polished and debugged. People interested in helping with development and testing of these or any other Nmap-related projects are encouraged to join the nmap-dev [11] (high volume, unmoderated) and nmap-hackers [12] (low volume announcements) lists.

WD> How long did Exploit World [13] run for? What were its aims? What caused it to come to an end?

I launched Exploit World in 1995 and updated it regularly until the summer of 1998. The aim was to catalog vulnerabilities in a full-disclosure manner that includes bug details and even exploits. This was another 'scratch an itch' project -- I kept such a database for my own purposes anyway, so I decided to put it up online so everyone could benefit from it. While the exploits are all ancient, the site is still pretty popular because it is the first Google hit for various phrases such as 'ping of death'.

The problem, as so many exploit and vulnerability archives have learned over the years, is that maintenance is hard and tedious work. As the Nmap project grew to take up most of my time, I lost the motivation to continue with Exploit World. Plus, there were other good archives by that point in time and so redirecting the effort to Nmap was more useful.

WD> We have been asking the question is hacking an art or a science? What is your opinion?

The question makes it sound like these are exclusive. Science can be creative and beautiful like art. Also, the term 'hacking' is overburdened with meanings. But I'll try to answer anyway. I consider programming and vulnerability research and exploitation to be more science/engineering than art. You are drawing upon a large base of knowledge and using a methodology to achieve a desired practical and verifiable result (such as busting root). That is not to say that hacking is pure methodology that could be reproduced by a robot or shell script. True breakthroughs usually require great creativity. But this also is true of biology, chemistry and just about any other science. My major in college was molecular and cellular biology until I switched it to computer science, and there were many parallels.

WD> On your site you claim 'there are aspects of the hacker community that disgust me', can you give us examples?

I hate to see people out there causing wanton damage just for attention. Compromising some school network just so that you can delete their web pages and post some self-aggrandizing rant about how skilled you are and how dumb the admin must be does not help make the world a better place. Such antics won't impress anyone worth impressing either.

Illegal activity motivated by money is at least as bad. I hate to see security tools and information misused for spamming, propagating worms, extortion, etc. One of the Google SoC applicants listed on his resume that 'I am the leader of small programming band that developes ... email retrive application (from sites, newsgroups, brut force selection) for spam distribution'. WTF? Since when is that something to be proud of? I'm not saying that these people are part of the hacker community per se, but they are often using some of our tools and techniques.

While conducting illegal/hurtful activity for money makes my blood boil, I'm not anti-capitalist. Sourcefire was recently acquired for $225,000,000, and I say good for them! Especially if they keep their commitment to continue GPL Snort development.

WD> How do you feel about Tenable's announcement [14] that Nessus 3 will be closed source?

I am disappointed by that move, as I feel that source code availability is critical for trusting important security tools. Nessus' open source nature was one of its biggest advantages over a myriad of commercial competitors. Heck -- their official slogan was 'the open-source vulnerability scanner' until this month. This leaves a vacuum in the security community for a new open source vulnerability scanner (or fork of Nessus 2.2). Several groups (Gnessus, Sussen, Porz-Wahn [15]) have stepped up to the plate in launching these forks, and I hope that at least one of them succeeds.

One of Tenable's justifications for closing the Nessus source was that few people contributed. It is easy to take the open source tools we depend on for granted, and forget that open source is a two way street. The bazaar software model doesn't work so well with everyone taking and not contributing back. In my Nessus response [16], I suggest a few ways that programmers and non-programmers can support projects they use and enjoy. Rather than mope over the loss of open source Nessus, we can treat this as a call to action and a reminder not to take valuable open source software such as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.

Note that I have no plans to change the license for Nmap. It has been distributed under the GPL for more than eight years and I am happy with that license.

WD> Do you consider yourself to be a hacker?

Yes.

WD> In order to be a hacker do you need to be part of the 'scene'?

Absolutely not. Some of the smartest guys I know are your stereotypical anti-social nerds that spend all of their time hacking, driven by an insatiable passion for technology. Yet they don't care for attention, recognition, or the whole social scene. That doesn't make them any less of a hacker.

WD> Do you know Tony Watson?

Yes. I live in Palo Alto, a few miles from Google's headquarters in Mountain View. While Google has screwed up the already obscenely high housing values around here by minting so many millionaires, a side benefit is that they have recruited many great security minds from around the world. Niels Provos, Paul (Tony) Watson, 0100, and other cool hackers now call the area home. While I'm glad that Tony moved here, I'd known him previously from his CanSecWest appearances. Speaking of Tony, I hear that he gave a great interview for Whitedust [17] :) [Yeah we really liked talking to him he's one cool cat :) -psg].

WD> Do you have a day job?

I work for my own company, Insecure.Com LLC. The primary business is licensing Nmap technology for inclusion in commercial products. Companies are welcome to use Nmap for free if they comply with the GPL (make their product open source), but those wanting to use Nmap in proprietary products must pay a license fee. This allows me to work on Nmap full time. It also benefits users of those proprietary tools, which are often specialized for different purposes than Nmap. The code these companies get is exactly the same as GPL Nmap.

I also do some pen-testing and vulnerability assessment gigs, though I'm too busy to take on new clients for the next year or so.

WD> You co-authored a best selling book last year named Stealing the Network: How to Own a Continent. What is it about?

This was an exciting project because it is hacker fiction, as opposed to the technical documentation that I usually write. I teamed up with FX, Joe Grand, Kevin Mitnick, Ryan Russell, Jay Beale and several other hackers to write individual stories that combine to describe a massive electronic financial heist. Unlike your average Hollywood portrayal (Swordfish, Hackers, The Net, etc.), we portrayed realistic attacks and technology. For example, my character Sendai uses Nmap, Hping2, Ndos, and similar tools to exploit network configuration and software vulnerabilities commonly found in the wild. Syngress (the publisher) was cool enough to let me post my chapter online for free [18].

I am also working on a book on network scanning with Nmap. I only have a couple chapters left to draft, though the editing and publishing phase will take months.
[1] http://www.insecure.org/nmap/p51-11.txt
[2] http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/
[3] http://www.insecure.org/nmap/p51-11.txt
[4] http://www.insecure.org/nmap/nmap-fingerprinting-article.html
[5] http://www.insecure.org/nmap/versionscan.html
[6] http://seclists.org/lists/nmap-hackers/2005/Jul-Sep/0000.html
[7] http://seclists.org/lists/nmap-hackers/2005/Jul-Sep/0002.html
[8] http://sourceforge.net/projects/umit
[9] http://umit.sourceforge.net/screenshots/umit_pics/
[10] http://seclists.org/lists/nmap-dev/2005/Jul-Sep/0125.html
[11] http://cgi.insecure.org/mailman/listinfo/nmap-dev
[12] http://cgi.insecure.org/mailman/listinfo/nmap-hackers
[13] http://www.insecure.org/sploits.html
[14] http://mail.nessus.org/pipermail/nessus/2005-October/msg00035.html
[15] http://www.gnessus.org/
[15] http://sussen.sourceforge.net/
[15] http://porz-wahn.berlios.de/homepage/about.php
[16] http://seclists.org/lists/nmap-hackers/2005/Oct-Dec/0000.html
[17] http://www.whitedust.net/article/31/Interview:_Paul_Watson/
[18] http://www.insecure.org/stc/

From isn at c4i.org Mon Oct 17 00:04:38 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:14:35 2005
Subject: [ISN] Incredulous ranking: 'Adbots' love Princeton
Message-ID:

http://www.zwire.com/site/news.cfm?newsid=15387510&BRD=1091&PAG=461&dept_id=425695&r

By: George Spohr
Business Editor
10/14/2005

Talk about a dubious honor.

In its most recent "Security Update" report, Symantec - a provider of anti-virus software - lists Princeton as the hemisphere's most "adbot"-ridden city. The company said it traced 17 percent of adbot attacks in the Americas to computers in the Princetons.

That number is so high, it makes the second- and third-place cities in North and South America - New York and Sao Paulo, Brazil - look like also-rans. Both cities played host to 3 percent of adbot attacks in the Americas, Symantec said.

When all continents are taken into consideration, Princeton is the second-most adbot-ridden city, with 7 percent of all adbot attacks being traced here. Cambridge, in the United Kingdom, topped the list at 8 percent. New York was in 12th place, credited with just 1 percent of the world's attacks.

Adbots, short for "advertisement-driven robots," are programs that are covertly installed on your computer, allowing hackers to remotely control it for a wide variety of malicious purposes, said Brian Watkins, a Symantec spokesman. The end result sometimes is referred to as a "payload."

Attackers often command large groups of bot-controlled systems known as bot networks, Mr. Watkins explained. Those networks, which often are available for rent by Internet thieves, can be used to conduct coordinated attacks.

College networks are particularly vulnerable.

"As Princeton University is located there, Symantec believes that this may be related to the beginning of a new school year," the company said in explaining Princeton's rank.

But that explanation - indeed, the very findings themselves - are baffling, said Anthony Scaturro, Princeton University's IT security officer.

"The report stated that the city of Princeton has the second-largest bot population - 7 percent of the world's bots, to be exact," Mr. Scaturro said. "All of New York City, with its 8 million-plus population, paled at a mere 1 percent. Clearly, with results such as these, the credibility of the Symantec report is questionable."

The report's methodology also leaves much to be desired, he said.

Symantec traces the origin of adbots by examining the bits of identifying data that attach themselves to whatever kind of file the bots produce - an e-mail message, a Web page or malicious piece of software. When you receive an e-mail, for example, a quick check of the message's "header" can tell you the general area from which the e-mail was sent.

"In today's modern attacks, the source of many attacks is forged," Mr. Scaturro explained. "So if the hacker programmed in the address of a Princeton computer in the bot program, when it spreads to a million computers and they start sending out their payload, it will appear that all of the attacking computers are from Princeton, even though 50 are in Tokyo, 100 are in Los Angeles, three are in Vermont, et cetera."

That Symantec, which - perhaps ironically - is the provider of computer security software for all Princeton University faculty, staff and student computers, would publish this report without mentioning its questionable methodology is surprising, Mr. Scaturro said.

Mr. Scaturro said the university has taken a multi-pronged approach to protecting those computers from worms, viruses and adbots by:

* Being an early adopter of technology that examines the network traffic going to and from the Internet on the campus. "Any piece of network traffic that appears to carry a destructive virus or worm is blocked - both coming into the campus and going out to the Internet," Mr. Scaturro said.

* Using firewall technology to protect critical devices.

* Constantly monitoring for the latest security-related updates from computer vendors.

* Communicating with the campus about the importance of using strong passwords and installing anti-virus and anti-spyware software.

"I am very proud of the technical staff that we have at Princeton University and have personally never worked with a team that has been more security aware," Mr. Scaturro said. "Their efforts in setting up and maintaining our systems in a secure manner and ensuring that any offending computer is removed from the network as soon as it is detected are the primary reason that we do not see a lot of attack traffic exiting our network."
From isn at c4i.org Mon Oct 17 00:04:53 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:14:57 2005
Subject: [ISN] FBI puts stop to spam king
Message-ID:

http://www.detnews.com/2005/technology/0510/16/B01-349738.htm

By Joel Kurth and David Shepardson
The Detroit News
October 16, 2005

Michigan's unapologetic king of bulk e-mail is in trouble again. This time, an FBI raid has closed what some consider one of the world's largest houses of spam.

Warrants unsealed last week revealed that agents in September seized computers, laptops, financial records and disks from the 8,000-square-foot home of Alan M. Ralsky. The $750,000 West Bloomfield mini-mansion was built off profits from the 100 million electronic offers for everything from Botox to mortgages that Ralsky sends every day.

FBI agents even took a copy of a 2002 Detroit News story that called Ralsky the "poster boy for spam."

"We're out of business at this point in time," Ralsky said last week. "They didn't shut us down. They took all our equipment, which had the effect of shutting us down."

The raid is the latest episode in a cat-and-mouse game between anti-spammers and Ralsky, 60, a gregarious, heavy-smoking ex-convict considered Public Enemy No. 1 in some pockets of the Internet.

In 2002, Ralsky agreed to an undisclosed cash settlement to end a landmark lawsuit from Verizon Internet Services, which alleged he twice paralyzed its network in 2000 with his pitches for diet pills, vacations and such. The deal forbade Ralsky's companies from sending spam on its networks.

Last year, Michigan lawmakers passed legislation that allows parents to put their children's e-mail addresses on do-not-spam lists. Even though he insists he doesn't target kids, Ralsky was an inspiration for the bills.

"Michigan has been called a cesspool for Internet spam, and Ralsky is recognized as one of the worst," said the bills' sponsor, Sen. Mike Bishop, R-Rochester. "I've been waiting for this moment. I knew it was a matter of time before the law caught up to him."

Terry Berg, the top deputy in the U.S. Attorney's Detroit office, declined to comment on the probe. The home of Ralsky's son-in-law, Scott Bradley, also of West Bloomfield, was also raided in September.

The federal CAN-SPAM law that took effect last year tries to make spammers play fair. It bans tricks, such as misleading subject lines or e-mails that appear to be from friends. Commercial e-mail must be clearly identified as such, and must label porn pitches as "sexually explicit." The law also forbids spammers from using multiple e-mail addresses or domain names to camouflage their identities. Penalties include up to 20 years' imprisonment and an $11,000 fine per offense.

Warrants show FBI agents sought evidence Ralsky and Bradley sent commercial e-mail using at least 14 domain names.

"I'm not a spammer," Ralsky said. "I'm a commercial e-mailer."

Ralsky spent "tens of thousands of dollars" on software to comply with the law, said Philip Kushner, his Cleveland lawyer.

"Alan Ralsky believes he's complied with the laws," Kushner said. "These are new laws that, in some cases, have never been interpreted by any courts or used before."

During previous discussions with The News, Ralsky called bulk e-mail "the greatest business in the world." It's revived his life and won him many foes.

A former insurance agent who made $500,000 a year in the 1980s, Ralsky hit the skids in the 1990s. He lost his license in Illinois, declared bankruptcy and served three years' probation on a felony related to falsified bank records.

In the late 1990s, Ralsky sold his used car, bought two computers and reinvented himself on the Internet. He makes money sending bulk e-mail on behalf of clients selling products or services -- a gig he's said puts small merchants on equal footing with giant companies.

As he's become more outspoken, Ralsky claims he's received numerous death threats. A few years ago, Ralsky was deluged with hundreds of unwanted magazines at his house, after anti-spammers signed him up for subscriptions.

"Ralsky is quite public about his activities," said Lih-Tah Wong, president of Computer Mail Services, a Southfield company that sells anti-spam software to companies. "For every one like Ralsky, there are thousands of others who are hiding in the shadows and scurrying away like cockroaches when the light is shone upon them."

A recent study by the research firm International Data Corp. predicted spam would increase to 7.6 trillion messages this year from 4.5 trillion in 2003.

The investigation by the FBI's cyber crimes unit is one of several ongoing in Michigan. None has come to trial.

John Mozena, a Grosse Pointe Woods anti-spam activist, said the weak law only allows authorities to crack down on the "most egregious" spammers. He said he helped FBI agents with technical expertise before the Ralsky raid.

You can reach Joel Kurth at (313) 222-2610 or jkurth at detnews.com

From isn at c4i.org Mon Oct 17 00:05:50 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:15:33 2005
Subject: [ISN] Linux Advisory Watch - October 14th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  October 14th, 2005                           Volume 6, Number 42a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                    Benjamin D. Thomas
                dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for mason, cpio, dia, masqmail, shorewall, tcpdump, openvpn, up-imapproxy, ethereal, weex, py2play, graphviz, xloadimage, xli, xine-lib, hylafax, Ruby, SVG, helix player, uw-imap, openssl, thunderbird, binutils, and libuser.
The distributors include Debian, Gentoo, and Red Hat.

---

System Accounting
By: Dave Wreski

It is very important that the information that comes from syslog not be compromised. Making the files in /var/log readable and writable by only a limited number of users is a good start.

Be sure to keep an eye on what gets written there, especially under the auth facility. Multiple login failures, for example, can indicate an attempted break-in.

Where to look for your log file will depend on your distribution. In a Linux system that conforms to the "Linux Filesystem Standard", such as Red Hat, you will want to look in /var/log and check messages, mail.log, and others.

You can find out where your distribution is logging to by looking at your /etc/syslog.conf file. This is the file that tells syslogd (the system logging daemon) where to log various messages.

You might also want to configure your log-rotating script or daemon to keep logs around longer so you have time to examine them. Take a look at the logrotate package on recent Red Hat distributions. Other distributions likely have a similar process.

If your log files have been tampered with, see if you can determine when the tampering started, and what sort of things appeared to be tampered with. Are there large periods of time that cannot be accounted for? Checking backup tapes (if you have any) for untampered log files is a good idea.

Intruders typically modify log files in order to cover their tracks, but they should still be checked for strange happenings. You may notice the intruder attempting to gain entrance, or exploit a program in order to obtain the root account. You might see log entries before the intruder has time to modify them.

You should also be sure to separate the auth facility from other log data, including attempts to switch users using su, login attempts, and other user accounting information.

If possible, configure syslog to send a copy of the most important data to a secure system.
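As an added example of the two checks this item recommends (keeping /var/log readable only by a limited set of users, and watching the auth facility for repeated login failures), the POSIX shell script below is editor-supplied and is not from the newsletter or the Linux Security HOWTO. The sample auth log lines are constructed (RFC 5737 documentation addresses), the host name loghost.example.net in the syslog.conf comment is a placeholder, and the LOG_DIR environment variable is an assumption of this script, not anything syslogd or logrotate read.

```shell
#!/bin/sh
# Added example (not part of the newsletter or the Linux Security HOWTO):
# two small checks that follow the advice above. The sample auth log lines
# and the LOG_DIR override used in the demo are constructed for illustration.
#
# To forward auth-facility messages to a separate log host (the syslog.conf
# "@" option the article refers to), a line like this goes in /etc/syslog.conf:
#   auth,authpriv.*                          @loghost.example.net
# (loghost.example.net is a placeholder host name.)

# check_log_perms DIR
# Print every regular file under DIR that is readable or writable by
# "other" (mode bits o+r or o+w), i.e. log files more liberal than the
# "limited number of users" the article recommends. Prints nothing when
# everything is locked down. Octal -perm tests keep this portable across
# GNU and BSD find.
check_log_perms() {
    find "$1" -type f \( -perm -004 -o -perm -002 \) -print
}

# failed_logins_by_host [THRESHOLD]
# Read auth-facility syslog lines on stdin and print "COUNT HOST" for every
# source address with at least THRESHOLD (default 3) failed sshd password
# attempts, highest count first. The "from" keyword in sshd's message locates
# the source address, so the width of the timestamp/host prefix is irrelevant.
failed_logins_by_host() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { n[$(i + 1)]++ }
            }
        }
        END {
            for (h in n) { if (n[h] >= t) printf "%d %s\n", n[h], h }
        }
    ' | sort -rn
}

# Constructed sample of auth.log content: one source with three failures,
# one legitimate login followed by a single failure, and a failed su that
# the sshd-specific pattern deliberately ignores.
SAMPLE_AUTH_LOG='Oct 14 02:11:03 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Oct 14 02:11:05 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51123 ssh2
Oct 14 02:11:09 gw sshd[1238]: Failed password for root from 192.0.2.10 port 51130 ssh2
Oct 14 02:12:40 gw sshd[1300]: Accepted publickey for dave from 198.51.100.7 port 40010 ssh2
Oct 14 02:13:01 gw sshd[1301]: Failed password for dave from 198.51.100.7 port 40011 ssh2
Oct 14 02:13:20 gw su[1400]: FAILED su for root by dave'

# Demo when run directly: report repeat offenders in the sample, then list
# any world-readable or world-writable files under /var/log (or LOG_DIR) on
# this machine. Errors from unreadable directories are silenced and a
# missing directory is not fatal.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_host 3
check_log_perms "${LOG_DIR:-/var/log}" 2>/dev/null || true
```

On the sample, the threshold of 3 reports only 192.0.2.10; lowering it to 1 also surfaces the single failure from 198.51.100.7, which is the kind of baseline noise the article suggests you learn to recognise on a normal day. A world-readable /var/log/messages (mode 644, the default on many distributions) is exactly what check_log_perms flags.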
This will prevent an intruder from covering his tracks by deleting his login/su/ftp/etc attempts. See the syslog.conf man page, and refer to the @ option.

Finally, log files are much less useful when no one is reading them. Take some time out every once in a while to look over your log files, and get a feeling for what they look like on a normal day. Knowing this can help make unusual things stand out.

Read more from the Linux Security Howto:
http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls.
I am happy to have this reference in my collection. http://www.linuxsecurity.com/content/view/119027/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New mason packages fix missing init script 6th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120537 * Debian: New cpio packages fix several vulnerabilities 7th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120548 * Debian: New dia packages fix arbitrary code execution 8th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120550 * Debian: New masqmail packages fix several vulnerabilities 8th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120551 * Debian: New shorewall packages fix firewall bypass 8th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120552 * Debian: New tcpdump packages fix denial of service 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120555 * Debian: New openvpn packages fix denial of service 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120556 * Debian: New up-imapproxy packages fix arbitrary code execution 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120557 * Debian: New ethereal packages fix several vulnerabilities 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120558 * Debian: New tcpdump packages fix denial of service 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120559 * Debian: New weex packages fix arbitrary code execution 10th, October, 2005 Updated package. 
http://www.linuxsecurity.com/content/view/120561 * Debian: New py2play packages fix arbitrary code execution 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120562 * Debian: New graphviz packages fix insecure temporary file 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120563 * Debian: New xloadimage packages fix arbitrary code execution 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120568 * Debian: New xli packages fix arbitrary code execution 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120570 * Debian: New Ruby packages fix safety bypass 11th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120571 * Debian: New uw-imap packages fix arbitrary code execution 11th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120572 * Debian: New Ruby 1.6 packages fix safety bypass 11th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120573 * Debian: New xine-lib packages fix arbitrary code execution 12th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120583 * Debian: New Ruby 1.8 packages fix safety bypass 13th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120589 * Debian: New hylafax packages fix insecure temporary files 13th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120590 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: Ruby Security bypass vulnerability 6th, October, 2005 Ruby is vulnerable to a security bypass of the safe level mechanism. http://www.linuxsecurity.com/content/view/120539 * Gentoo: Dia Arbitrary code execution through SVG import 6th, October, 2005 Improperly sanitised data in Dia allows remote attackers to execute arbitrary code. 
  http://www.linuxsecurity.com/content/view/120540

* Gentoo: RealPlayer, Helix Player Format string vulnerability
  7th, October, 2005
  RealPlayer and Helix Player are vulnerable to a format string
  vulnerability resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120549

* Gentoo: xine-lib Format string vulnerability
  8th, October, 2005
  xine-lib contains a format string error in CDDB response handling
  that may be exploited to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/120553

* Gentoo: Weex Format string vulnerability
  8th, October, 2005
  Weex contains a format string error that may be exploited by
  malicious servers to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/120554

* Gentoo: uw-imap Remote buffer overflow
  11th, October, 2005
  uw-imap is vulnerable to remote overflow of a buffer in the IMAP
  server leading to execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120575

* Gentoo: OpenSSL SSL 2.0 protocol rollback
  12th, October, 2005
  When using a specific option, OpenSSL can be forced to fall back to
  the less secure SSL 2.0 protocol.
  http://www.linuxsecurity.com/content/view/120586

* RedHat: Important: thunderbird security update
  6th, October, 2005
  An updated thunderbird package that fixes various bugs is now
  available for Red Hat Enterprise Linux 4. This update has been rated
  as having important security impact by the Red Hat Security Response
  Team.
  http://www.linuxsecurity.com/content/view/120541

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Low: binutils security update
  11th, October, 2005
  An updated binutils package that fixes minor security issues is now
  available. This update has been rated as having low security impact
  by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120578

* RedHat: Low: libuser security update
  11th, October, 2005
  Updated libuser packages that fix various security issues are now
  available. This update has been rated as having low security impact
  by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120579

* RedHat: Moderate: util-linux and mount security update
  11th, October, 2005
  Updated util-linux and mount packages that fix two security issues
  are now available. This update has been rated as having moderate
  security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120580

* RedHat: Moderate: ruby security update
  11th, October, 2005
  Updated ruby packages that fix an arbitrary command execution issue
  are now available. This update has been rated as having moderate
  security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120581

* RedHat: Moderate: openssl security update
  11th, October, 2005
  Updated OpenSSL packages that fix various security issues are now
  available. This update has been rated as having moderate security
  impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120582

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Oct 17 00:02:28 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:16:15 2005
Subject: [ISN] Glitch forces fix to cockpit doors
Message-ID:

Forwarded from: matthew patton

> The design demands were extraordinarily tricky. The doors had to be
> strong enough to withstand bullets, yet engineered to burst open to
> avoid a catastrophic twisting of the airframe in the event of a
> sudden loss of cabin pressure.
I'll show my ignorance of aircraft construction and ponder why a fixed door is somehow going to contribute to airframe twist. How is the cockpit door any different than a bulkhead? Albeit a leaky one? With all the walls in the cockpit vicinity (food galley, bathroom) that section of the plane should be quite heavily reinforced and structurally sound in the first place. Or is the concern that the door and/or door frame warpage arising from the pressure differential will prevent them from opening the door and thus seal the pilots into the cockpit? This is a problem, why? Couldn't they design the door with a couple of pressure-cooker or air-compressor style over-pressure relief plugs that blow out?

> In both cases, the cockpit door is secured by aluminum rods that
> slide into the lock or unlock positions when activated by an
> electronic signal. Rapid decompression would also unlock the door.

Says me the amateur terrorist, I have one of my buddies get one of them car escape hammers and bust out a window in the back of the plane and when the pilot declares an emergency and makes for 10,000 ft avail myself of the now unlocked (and/or open) cockpit door. If I'm on a suicide mission (what terrorist isn't) I probably don't much care if I succeed at getting into the cockpit and taking control. 2 shots or a flick of my wrist and my work is done.

> "I'd have to have equipment. I'd have to get it through security.
> I'd have to know the right channel," the chief engineer said.

How about I just get a job as a maint guy - you know for like Boeing or whoever they subcontract out the door installation/testing/maint to. Or bribe somebody who has access to the information.

> "I'd need to know quite a lot about where parts are installed on the
> airplane. I'd need to do a lot of things I couldn't actually do" on
> a commercial flight.

Well, duh. I'm not going to try to create an exploit while being watched by a hundred passengers.
> Originally, airlines paid $29,000 for each of the Airbus wide-body
> door kits and between $40,000 and $100,000 for the Boeing wide-body
> kits, depending on the plane's model and configuration.

Wouldn't it be cheaper to have a guy with a welding torch on standby at both ends to just weld and unweld a plate of 1/2" steel? Or put the pilot entrance hatch in the cargo hold and forget about having cockpit doors at all? Pilots in the military get in and out thru a hatch in the bottom...

> Both Boeing and Airbus used the same supplier, Adams Rite Aerospace
> of Fullerton, Calif., for their in-house door control.

So who's up for a smash and grab? All one would need is 1 unit, defective or otherwise, to reverse engineer at one's leisure. I wonder if it uses a rolling code like a garage opener...

> Boeing already had provided a manual bolt lock as a backup. A pilot
> could use it in case of a perceived threat.

I'm flat-out amazed the PRIMARY, let alone only, means of activation isn't manual. 3 or 4 hardened steel slides, like you see on bathroom stalls (albeit beefier), should about do it.

> Airbus does not install a mechanical backup lock as standard.

NUTS!

From isn at c4i.org Mon Oct 17 00:03:30 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:16:58 2005
Subject: [ISN] Staff 'need reasons' to believe in security
Message-ID:

Forwarded from: Harlan Carvey
Cc: edit@zdnet.com.au

> http://www.zdnet.com.au/news/security/soa/Staff_need_reasons_to_believe_in_security/0,2000061744,39217156,00.htm
>
> By Tom Espiner
> ZDNet UK
> 14 October 2005
>
> Companies must ensure that their staff understand the reasons behind
> security policies and support them, rather than just dictating them
> from on high,

Here it is...the latter half of 2005, and this is being reported as "news"? Sorry, but security professionals have been saying this since the early days of infosec.
It doesn't take a rocket scientist or a brain surgeon to understand what you see when senior management dictates any sort of policy to the assembled masses, and doesn't bother to follow it themselves.

Wow.

HC

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

From isn at c4i.org Tue Oct 18 02:33:40 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 18 02:47:37 2005
Subject: [ISN] Homeland Security inches toward makeover
Message-ID:

http://news.com.com/Homeland+Security+inches+toward+makeover/2100-7348_3-5898244.html

By Anne Broache
Staff Writer, CNET News.com
October 17, 2005

The U.S. Department of Homeland Security is on its way to an organizational makeover, thanks to a bill that President Bush is scheduled to sign on Tuesday.

According to a final report that accompanies the Homeland Security Appropriations Act of 2006, lawmakers from both houses agreed to move all "infrastructure protection and information security programs," which include cybersecurity, into a "Preparedness Directorate" proposed in July as part of Secretary Michael Chertoff's plan to restructure the department. The directorate is slated to include a medley of new officials, including an assistant secretary for cybersecurity and telecommunications.

The bill makes no direct mention of money for the cybersecurity secretary role. But it's not up to the committee to design the makeup of Homeland Security offices, a U.S. Senate Appropriations committee aide said Monday. She said the department could use its allotment to create the position if it wishes to do so.

The department declined to elaborate on its plans. "We continue to anticipate that the proposals put forward by the secretary under the Second Stage Review will be enacted," Kirk Whitworth, a Homeland Security spokesman, said in an e-mail.
Since the department's creation, its top cybersecurity official has held a low to midlevel role several layers below the secretary. Some members of Congress and industry representatives have been clamoring for a more powerful post, but so far, action has stalled.

The latest spending bill allocates $93.3 million under the broad heading of cybersecurity, earmarking $30 million for "national cybersecurity exercises and outreach." An unspecified portion is supposed to fund the U.S. Computer Emergency Readiness Team, a group charged with analyzing cyberthreats and coordinating incident-response activities in public and private sectors.

The bill also sets aside a separate $16.7 million to fund cybersecurity research, placing the category third from the bottom of the list for research and development spending. The biggest chunk for the upcoming year, $380 million, would go to financing work on "biological countermeasures."

Copyright ©1995-2005 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Tue Oct 18 02:32:19 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 18 02:47:59 2005
Subject: [ISN] At Microsoft, Interlopers Sound Off on Security
Message-ID:

http://www.nytimes.com/2005/10/17/technology/17hackers.html

By JOHN MARKOFF
October 17, 2005

REDMOND, Wash., Oct. 14 - In a windowless war room where Microsoft manages worldwide computer security crises, George Stathakopoulos, the general manager for security, opened a small refrigerator, revealing three bottles of Champagne. "These are for the arrests," he said, with a brief smile.

Locked in a struggle with a shadowy "black hat" computer underground that exploits any flaw in its software, Microsoft has spent three and a half years trying to transform its engineering culture to make security the company's priority. Recently there have indeed been some arrests for computer attacks that capitalized on Microsoft software flaws.
But more important, during the last year the company has made measurable progress in improving the quality of its software code, according to many computer security specialists and customers. That has in effect raised the bar for the computer outlaws seeking to exploit the company's software for data theft, extortion or simple mischief. It now appears that Microsoft can begin to celebrate - a little. Last Thursday and Friday, the company held its second Blue Hat briefing, a meeting with a small group of about a dozen independent computer security specialists invited to the company's headquarters here to share detailed research on vulnerabilities in Windows software. Microsoft managers chose the term blue hat to distinguish their outreach campaign from the usual division in the computer security world between warring communities of white hats and black hats. Whatever their hats, those invited here were a group not generally inclined to think highly of Microsoft. On the first day of the meeting, the visitors made presentations to some of the company's top executives. The sessions were repeated on Friday for more than 500 of the company's approximately 9,000 programmers. David Maynor, an intrusion detection expert at Internet Security Systems, based in Atlanta, began by giving Microsoft good marks for addressing conventional computer threats. But Mr. Maynor cited a fundamental design error in the way Windows operating systems handle peripherals, making it theoretically possible for an attacker to insert a malicious program into a personal computer by attaching a hand-held device to a computer port. "You trust stuff way too much," he said. Microsoft had also erred in public assertions about the security of its coming Xbox 360 game console, he said, adding, "You're a huge target, and when you challenge people, they will prove you wrong." 
It was clear from the presentations that Microsoft still has work to do to secure its programs, which are the most widely used on the Internet. But it was also the consensus of those attending that the company might have made progress in slowing the deluge of viruses, worms, spam and spyware that plagues its customers. "It's not perfect, but compared to the competition, they've made significant progress," said Dan Kaminsky, a prominent independent computer security researcher who attended the meeting. For the first time, Microsoft executives allowed a reporter to attend the meeting, although one research group making a presentation was unwilling to speak publicly. Microsoft's decision to reach out to critics it would once have shunned shows its change in attitude about computer security. The effort began four years ago when Mr. Stathakopoulos, a veteran Microsoft security executive, attended Black Hat, an annual computer security conference focused on software vulnerabilities, in Las Vegas. Although he found that Microsoft was broadly attacked at the meetings, Mr. Stathakopoulos returned the next year and even sponsored a party for the researchers to begin to build bridges. He said he had second thoughts after scheduling the event. "I turned to another Microsoft executive and said: 'What did we do? This is going to be a disaster,' " he said. In the end, disaster was averted. The Microsoft executives and the Black Hat researchers talked until 7 the next morning. This year Microsoft has gone further. In March and again last week, it invited the outside specialists to its campus in an effort to learn more from an insular community that studies the company's software for chinks in its armor. 
Microsoft had previously resisted efforts to open a dialogue even with "white hat" hackers like those in attendance here - computer security researchers who expose vulnerabilities but do not exploit them, and who have frequently been bitterly critical of Microsoft as indifferent to security. Microsoft's stance changed in 2002 and 2003 when computer worms like Blaster and Slammer, preying on flaws in Microsoft software, spread worldwide and began to threaten the company's relations with consumers and corporate customers alike. The situation became so grave that in 2002 Microsoft suspended its programming development for more than two months and sent all of its programmers to remedial security classes. The wrenching change the company has gone through was an absolute necessity, said Mr. Kaminsky, the security researcher. "Security issues can kill Windows; you can't say it any other way," he said. And Microsoft's willingness to engage its security critics directly has made a significant impression on many of them. "The battleship is starting to turn," said George Spillman, a computer security researcher who calls himself Geo and whose card describes him as the minister of propaganda for the Toorcon Computer Security Conference. "The fact that I am here is a good indication of how much Microsoft has changed. They are starting to understand that our community cares as much about security as they do." But Mr. Maynor cautioned that the company was on the brink of an era of threats that would prove far more vexing. He pointed to a world of mobile devices that make today's defense concepts obsolete. Such devices would allow remote attackers to leap past firewalls guarding corporate borders and jump from one network to another to get access to corporate networks. The nature of attacks, he said, will also shift away from global Internet worms such as Blaster because of the increasing profitability of computer crime. 
A single bug can now bring as much as $50,000 in the computer underground and is likely to be used for data theft or extortion, not unleashed simply for widespread chaos. "We're seeing the rise of designer malware," or malicious software, he said. "There will be a shift toward targeted attacks." Another attendee, Brett Moore, chief technology officer of Security Assessment, a consulting firm in Auckland, New Zealand, said he had success in finding undiscovered vulnerabilities in some versions of Windows by looking for known bugs in different parts of programs or in other applications. "In a couple of hours I found four vulnerabilities," he said. Microsoft executives responded that they were trying to improve their code by using a similar technique in their development process. Known as fuzzing, it involves automatically testing tens of thousands of combinations in programs to hunt for flaws. Microsoft executives and the independent researchers said that the company had bolstered security significantly with the release of Windows XP Service Pack 2 in 2004. The update, a free download, made the operating system much less vulnerable. Microsoft executives also cite a decline in the number of security bulletins issued for major products like Windows Server and Office as evidence that the new engineering discipline is having an impact. There were 69 such bulletins issued for Windows 2000 Server in two and a half years and only 41 for Windows Server 2003 in a comparable period, the company said. Eleven bulletins were issued for the 2001 version of Office XP during the first 594 days after its introduction; for Office 2003, there were six bulletins in the same period. For the last two Windows XP updates, 35 bulletins were issued for Service Pack 1 in the year ended last June but only 18 for Service Pack 2. Mr. 
Stathakopoulos takes pride in the achievement, as when he notes that he has been involved in shipping more compact discs - Windows software - than the Beatles, Rolling Stones and Madonna combined.

From isn at c4i.org Tue Oct 18 02:32:33 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 18 02:48:14 2005
Subject: [ISN] Avoid costly clearance delays - Field investigator cautions that a security clearance is not a resume
Message-ID:

http://www.fcw.com/article91121-10-17-05-Web

By Florence Olsen
Oct. 17, 2005

Delays in getting security clearances to satisfy critical staffing needs frustrate many agency officials and federal contractors. Although Congress enacted an intelligence reform law last year to help reduce a backlog of security clearance applications, experienced field investigators say the problems remain. Some say the law's 90-day deadline for completing investigations was never realistic, and agencies have been slow to comply with the law's reciprocity provision, which requires them to accept one another's security clearances.

But businesses and agencies can prevent many delays and find skilled technology employees with security clearances, according to several investigative experts who spoke at a September meeting of the Business Forum for HR Professionals in the Washington, D.C., area.

A security clearance can take as long as two years to process, said Earl Gould, a special investigator under contract with the FBI. Gould is president of the Association of Certified Background Investigators.

The Intelligence Reform and Terrorism Prevention Act of 2004 mandates that by Dec. 17, 2006, agencies must be able to complete 80 percent of background investigations for security clearances within 90 days. Gould said that time frame is unreasonable. The law allows an additional 30 days for three independent adjudicators to decide whether the field investigators' findings justify granting a security clearance.
Although the new law requires all agencies to accept security clearances completed by an authorized investigative or adjudicative agency, few have rushed to comply, Gould said. "It's just been recently that the CIA, National Security Agency and FBI have agreed to accept each other's clearances," he said. Other agencies have not embraced reciprocity. In 2004, background investigations for most agencies became the Office of Personnel Management's responsibility, but OPM has been slow to find ways to eliminate the backlog and delays, Gould said. He said agencies will eventually solve those problems. In the meantime, however, he and other experts advise agencies and businesses needing employees with clearances to avoid delays they can control. One way to facilitate clearances is to hire a part-time or full-time security clearance officer, said Roger Campbell, who worked at the CIA for 25 years as an HR manager and director. He is now human capital strategy director at Monster Government Solutions, which sells online HR staffing services. A security clearance officer would track applications as they are processed. In addition, guidance from a knowledgeable professional could help employees verify that all information submitted on a clearance application is accurate and complete, which speeds the process, Campbell said. "Any hiccup at all takes your candidate from the front of the line to the back of the line," he said. Another way to avoid delays is to begin the recruiting and security clearance processes early, Campbell said. "Build bench strength," he said, by initiating the security clearance process or validating existing security clearances before hiring people. Campbell said a security clearance officer is invaluable to companies and agencies that need to hire hundreds of employees to fill national security and public trust positions. 
A clearance officer who knows the right questions to ask could make the difference in whether a security clearance investigation moves quickly or slowly. Such officers, for example, know to ask if an employee was born in a foreign country. To get a security clearance, a person must renounce any foreign citizenship and produce a naturalization certificate from Citizenship and Immigration Services, the former Immigration and Naturalization Service. If applicants collect all that paperwork in advance, a field investigator could save many hours, Gould said. "Trying to find a naturalization certificate in INS is like trying to find Osama bin Laden," he said. "Those people are really understaffed." Sometimes the simplest way to maneuver around the processing backlog is to hire an ex-military employee with an active security clearance, said Carl Savino, president of Competitive Edge Services, a company that finds jobs for military veterans. Nearly 250,000 people leave active military duty each year, he said, and many of them have clearances. Through several steps, agencies and businesses can avoid unnecessary clearance delays. But Gould said agencies cannot control delays rooted in OPM's HR culture. For its expanded role in conducting security clearances, he said, the agency needs to replace its mentality with a national security mind-set. "National security is not a human resources chore." An HR official, for example, cannot explore someone's marital status during a hiring interview, whereas a security investigator "will explore this area rather deeply in some cases," Gould said. "You would not like the questions we ask," he said, addressing the audience of HR officials. But for security clearances, background investigators need to ask personal questions, he said. "We have a lot more to lose if we screw up." 
From isn at c4i.org Tue Oct 18 02:33:07 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 18 02:48:32 2005
Subject: [ISN] Linux Security Week - October 17th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  October 17th, 2005                        Volume 6, Number 43n     |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Web Application Firewall Evaluation Criteria Announced," "Perform due diligence with RFID security," and "Government must push on IT security."

---

## EnGarde Secure Linux 3.0 - Download Now! ##

* Linux 2.6 kernel featuring SELinux Mandatory Access Control
* Guardian Digital Secure Network features free access to all system and security updates (to be available shortly through an updated release)
* Support for new hardware, including 64-bit AMD architecture
* Web-based management of all functions, including the ability to build a complete web presence with FTP, DNS, HTTP, SMTP and more.
* Apache v2.0, BIND v9.3, MySQL v5.0(beta)
* Completely new WebTool, featuring easier navigation and greater ability to manage the complete system
* Integrated firewall with ability to manage individual firewall rules, control port forwarding, and creation of IP blacklists
* Built-in UPS configuration provides ability to manage an entire network of battery-backup devices
* RSS feed provides ability to display current news and immediate access to system and security updates
* Real-time access to system and service log information

LEARN MORE:
http://www.guardiandigital.com/products/software/community/esl.html

---

LINUX ADVISORY WATCH

This week, advisories were released for mason, cpio, dia, masqmail, shorewall, tcpdump, openvpn, up-imapproxy, ethereal, weex, py2play, graphviz, xloadimage, xli, xine-lib, hylafax, Ruby, SVG, helix player, uw-imap, openssl, thunderbird, binutils, and libuser. The distributors include Debian, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/120593/150/

---

Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We'll discuss some of the main security "gotchas" when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.

http://www.linuxsecurity.com/content/view/120043/49/

---

Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting.
Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first.

http://www.linuxsecurity.com/content/view/119864/150/

---

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Guardian Digital launches new edition of award-winning EnGarde Secure Linux platform
  10th, October, 2005

Guardian Digital, Inc., the world's premier provider of open source security solutions, today announced the latest innovation of its product portfolio with the launch of EnGarde Secure Linux: Community Edition, a freely-available version of its award-winning enterprise product. EnGarde is the first product to bring complete Web-based management capability, Security-Enhanced Linux functionality, and the ability to control a complete Internet presence in one platform.

http://www.linuxsecurity.com/content/view/120566

* How to keep instant messaging off the record
  13th, October, 2005

Sometimes encryption isn't enough to keep your conversations private. With standard encryption, it's theoretically possible for someone to steal your secret encryption keys and decipher the conversation. For conversations that need to be kept confidential, the Off-the-Record (OTR) plugin for Gaim saves the day. It leaves no trace of a conversation ever having taken place.
http://www.linuxsecurity.com/content/view/120591

* What Are Digital Vaults?
  11th, October, 2005

A major challenge that is faced by all organisations selecting IT technology is trying to clearly understand how a particular solution may address the challenges they are tasked with solving. And this often involves trying to understand what various vendors mean when using generic terminology.

http://www.linuxsecurity.com/content/view/120574

* Insider Security Threats Q&A
  12th, October, 2005

We conducted a brief Q&A session with David Lynch, CMO at Apani Networks, a global network security software provider focused on securing inside the network perimeter. He discusses the security breach in the White House, internal security attacks in general and how to prevent them.

http://www.linuxsecurity.com/content/view/120584

* Red Hat Certified Security Specialist
  14th, October, 2005

Red Hat yesterday announced the availability of a new security certification for IT professionals: Red Hat Certified Security Specialist (RHCSS). The announcement of the RHCSS certification is the Company's latest milestone in its "Security in a Networked World" initiative launched in August.

http://www.linuxsecurity.com/content/view/120599

* Web Application Firewall Evaluation Criteria Announced
  10th, October, 2005

The Web Application Firewall Evaluation Criteria project announced its first public release. The goal of the project is to develop a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a web application firewall.

http://www.linuxsecurity.com/content/view/120564

* Playing Nice With Physical Security
  10th, October, 2005

At a small company, the information security manager is sometimes also responsible for physical security.
At very large corporations, the physical security - sometimes called safety and security - is a completely separate department, responsible for hardware such as biometric ID or badge systems, security cameras and the management of guards. Safety and security departments handle investigations of physical breaches, such as theft, and workplace violence.

http://www.linuxsecurity.com/content/view/120565

* Google fixes Web site security bug
  11th, October, 2005

Google has fixed a security flaw on its Web site that opened the door to phishing scams, account hijacks and other attacks, security researchers said Monday.

http://www.linuxsecurity.com/content/view/120577

* Perform due diligence with RFID security
  12th, October, 2005

Most notably, EPCglobal Gen 2 standards currently lack over-the-air data-stream encryption between passive RFID tags and readers, though there are provisions for locking RFID tag memory and disabling tags. EPCglobal Gen 2 is the current standard for how passive tags affixed to items and encoded with information about them communicate wirelessly with readers, which collect that information and pass it to upstream applications.

http://www.linuxsecurity.com/content/view/120585

* Developers 'should be liable' for security holes
  12th, October, 2005

Security expert Howard Schmidt wants coders to be held responsible for vulnerabilities in their code, but others say their employers should be held to account.

http://www.linuxsecurity.com/content/view/120587

* I get a right good fisking
  13th, October, 2005

Is Windows inherently less secure than Linux, or just more popular? Presently available data is inconclusive, because Windows still holds the bulk of the consumer and small business market.

http://www.linuxsecurity.com/content/view/120592

* Government must push on IT security
  14th, October, 2005

IT security has matured significantly over the past few years.
An increase in the number of viruses such as Slammer, the advent of phishing, and a spate of high-profile attacks on organisations such as Sumitomo Bank, have pushed security to the top of many company agendas. http://www.linuxsecurity.com/content/view/120594 * Hacking for Dollars 11th, October, 2005 Threats to information security come in all shapes and sizes, and from all directions: blended threats, mass-mailer worms, Trojans, phishing attacks, spyware, keystroke loggers, etc. Every day, one or more of these threats put critical information at risk in Internet-connected corporations and businesses around the globe. http://www.linuxsecurity.com/content/view/120576 * Basic Bluetooth Security 14th, October, 2005 Bluetooth has been around since the 90s, and even today, most mobile devices come with the technology embedded in them. Bluetooth provides a wireless, point-to-point, "personal area network" for personal digital assistants (PDAs), notebooks, printers, mobile phones, audio components, and other devices. The wireless technology can be used anywhere if you have two or more devices that are Bluetooth-enabled. And as with any wireless connectivity, there are bound to be security issues since data is being sent over the air invisibly from device to device. http://www.linuxsecurity.com/content/view/120595 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. 
------------------------------------------------------------------------ From isn at c4i.org Tue Oct 18 02:33:25 2005 From: isn at c4i.org (InfoSec News) Date: Tue Oct 18 02:48:58 2005 Subject: [ISN] Addressing the Human Security Vulnerability Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,105395,00.html Opinion by Douglas Schweitzer OCTOBER 17, 2005 COMPUTERWORLD So, you have the best firewall, intrusion-detection and antivirus systems technology has to offer. Yet, despite your Fort Knox approach, you're still hit with security breaches and the occasional malware du jour. One reason for this may be the lack of motivation by your workers. Unlike owners, they don't have a direct interest in the success of the company. Or do they? How far are they willing to go to ensure corporate success? Usually, not very. In fact, in most cases, they don't put much additional effort into executing their duties -- just enough to get the work done and retain their jobs. According to Ken Shaurette, information security solutions manager at MPC Technology Solutions, however, "a too-often overlooked way to improve these attitudes is to include information security in the job descriptions of employees." When your organization makes security awareness and policy compliance mandatory, the apathetic trend can be reversed. When management requires security policy compliance to be a key part of an employee's job, interest is generated. An added benefit is that security becomes part of the corporate culture. With performance reviews (hence, possible raises) looming periodically, employees are more apt to fit compliance into their daily routine. Knowing that they're being graded encourages employees to comply with policies. Shaurette encourages employers to include a wider cross section of employees in the interview portion of security assessment and in compliance reviews. 
These additional personnel will automatically gain a better awareness of security issues simply as a result of their exposure to security professionals. Not only will they add their input as to what data should be gathered for analysis, but they'll also come away with a better appreciation of the need for assessments. When they're a part of the compliance review, employees "will get a sense of ownership of the final results from the assessment," says Shaurette. Inclusion alone won't always solve employee-apathy problems, however. Here are some other ways to reduce security risks created by employees who just don't care. Monitoring. One solution that maybe isn't palatable but certainly is effective is employee usage monitoring. Tracking employee PC use can result in negative repercussions for the company, but it's one sure way to establish control over the network. Monitoring needs to be carried out in such a way that employee dignity is protected -- a daunting task because few tools are available to automate the process. "Doing the monitoring can become a very heavy administrative burden or require many application modifications that are often not even possible because applications are vendor-maintained," says Shaurette. Restricted access. Limiting or retracting network access can also reduce (if not prevent) the impact of employee apathy, according to Simon Heron, managing director of Network Box. With the IT manager in control, "signatures for antivirus and antispam can be pushed to the gateway and to the desktop from central company servers," says Heron. The manager is in control of downloading the signatures, and the manufacturer can push software updates onto the gateway to ensure that it's up to date. "This means that the apathetic employee can't get in the way of updating their systems; it takes them out of the equation," says Heron. Unified threat management. Heron points out, however, that limiting access may not prevent infections altogether. 
Therefore, many organizations are turning to unified threat management systems. Deploying this type of technology restricts employee access to the Internet for browsing and using e-mail and instant messaging applications.

Endpoint security. It's important to realize that careless use of endpoint devices like laptops and handhelds is one of the biggest causes of compromised security. Recent surveys have found that -- because of outright ignorance of or, even worse, apathy toward security -- roughly a third of users don't even bother using password protection on their devices. This, of course, leaves data vulnerable to hackers and other opportunists, especially if the devices are lost or stolen. Moreover, remote users and mobile workers have been known to pick up viruses and worms on the road, then infect the corporate network when they return to the office. It's imperative that endpoint devices be checked for compliance with your network security policy. Mandate that all endpoint devices have the latest patches and antivirus software. In addition, your policy should restrict the use of file-sharing and peer-to-peer applications and require certain operating system, browser and application security settings.

-=-

Douglas Schweitzer is a freelance writer and Internet security specialist in Nesconset, N.Y. He can be reached at dougneak at juno.com.

From isn at c4i.org Tue Oct 18 02:34:24 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 18 02:49:15 2005
Subject: [ISN] Hackers no hassle: Hoff
Message-ID:

http://www.theage.com.au/news/people/hackers-no-hassle-hoff/2005/10/18/1129401238164.html

By Jane Holroyd
October 18, 2005

Baywatch star David Hasselhoff, who arrived in Australia this morning, says he's flattered by his cult hero status among hackers. Hackers have defaced websites worldwide - including the Fremantle Dockers homepage this year - with images of the US actor and singer. The practice is known as 'Hoffing'.
"I don't really know how the whole thing started but I take no offence," he told theage.com.au at Melbourne Airport this morning. "I think it's a wonderful form of flattery and it's a lot of fun. And it's nice to be recognised for doing shows that actually save lives and not take lives," Hasselhoff said. "Knight Rider and Baywatch have always been synonymous with heroes and are about love, and about action, and humour, and I think that's what the world is about. "I think people want to smile and be happy and that's what it's all about." A thin-looking Hasselhoff emerged from the airport about 10.45am - wearing lime green cord trousers and a matching jumper - with his arm around his wife. Chewing gum while he spoke, he seemed quite relaxed. When asked by the small group of waiting reporters to name his favourite Australian musicians, he replied: "Johnny Farnham and the Little River Band. He was then whisked away by men in suits to a waiting white car. Hasselhoff will appear on Rove Live tonight and is a guest at the ARIA music awards in Sydney on Sunday night. He is also set to appear on the Australian Idol live verdict show next Monday night, but Channel Ten would only say he would chat with the contestants. Hasselhoff is a close friend of Idol judge Mark Holden, who produced a number of the star's songs during the 1990s, which skyrocketed up the German charts. - theage.com.au, with Jano Gibson From isn at c4i.org Tue Oct 18 02:34:36 2005 From: isn at c4i.org (InfoSec News) Date: Tue Oct 18 02:49:42 2005 Subject: [ISN] Microsoft: Unauthorized Windows XP SP3 'Preview' Bad News Message-ID: http://www.informationweek.com/story/showArticle.jhtml?articleID=172301710 By Gregg Keizer TechWeb News Oct. 17, 2005 Microsoft warned users to stay away from an unauthorized "preview" of Windows XP Service Pack 3, just as the site which hosts the collection updated the package to version 3. 
"Anyone who installs this thinking they are getting SP3 (even as a preview) is being grossly mislead and is posing a significant potentially non-recoverable risk to their PC and data," wrote Mike Brannigan, who identified himself on a Microsoft newsgroup as an employee of the Redmond, Wash.-based developer. Microsoft has not released an SP3 update to Windows XP, although it recently confirmed it would do so sometime after Windows Vista launches late in 2006. "Frankly this 'package' should be avoid [sic] and you should continue to use Windows Update and the download site to get the most up-to-date and correctly issued Microsoft fixes and patches," he added. The preview -- dubbed Windows XP SP3 Preview Pack -- is a collection of hotfixes and other updates that Microsoft has released since the debut of SP2 more than a year ago. The pack, which was updated to version 3 on Monday, can be downloaded from the Hotfix.net Web site. Brannigan dismissed the preview, saying that it also included a number of private hotfixes generated for users with very specific problems. "The hotfixes are not as rigorously tested at public released ones," he wrote. Installing all the 'privates' may make your machine LESS stable and will also put you out of support from Microsoft or an OEM as you are installing incorrectly issued private hotfixes." For his part, Ethan Allen, the creator and administrator of Hotfix.net, defended the 'preview' in a posting on his site. "This is NOT an official SP3 package from Microsoft, but rather just a collection of hotfixes that will most likely be in SP3 releasing in 2006. Use at your own risk." From isn at c4i.org Wed Oct 19 03:02:13 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 19 03:11:36 2005 Subject: [ISN] Packet analysis beats off hackers Message-ID: http://www.theinquirer.net/?article=27026 By Tony Dennis 18 October 2005 ALTHOUGH THEY don't like to admit it, online gambling companies are frequently the victims of denial of service attacks. 
And, since they can lose significant amounts of revenue during such events, this opens them up to blackmail from hackers. Naturally, such companies have deployed state-of-the-art firewalls and intrusion protection systems. However, one such operator - Bet365 - has found a new weapon. Namely real-time packet analysis.

The technology has been developed to enable the typical corporate network management to discover why a LAN is slowing down and who or what is causing it. Bet365 has acquired this technology from network analysis specialists, WildPackets. The software was originally developed for Mac based networks.

The main point about WildPackets' Omni software is that it looks directly at the actual data rather than merely counting the packets. So, if a server experiences a sudden surge in traffic, Omni can pinpoint exactly where it is coming from and block the offending user/port. It's not exactly the kind of application WildPackets had in mind but at least it now has a very happy customer.

From isn at c4i.org Wed Oct 19 03:02:27 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 19 03:11:55 2005
Subject: [ISN] Sourcefire discloses buffer-overflow vulnerability in Snort
Message-ID:

http://www.networkworld.com/news/2005/101805-snort.html

By Ellen Messmer
NetworkWorld.com
10/18/05

Sourcefire, which oversees the open-source intrusion-detection system Snort and makes commercial products based on it, Tuesday disclosed a major vulnerability in Snort along with corrective measures to mitigate the risk.

Snort versions 2.4.0 and higher are subject to a buffer-overflow vulnerability that would let an attacker execute code remotely on a Snort sensor when the Back Orifice preprocessor is running, resulting in complete compromise of Snort. The Back Orifice preprocessor is the Snort functionality for detecting any activity associated with the malicious back-door code Back Orifice.
Jennifer Steffens, Sourcefire's director of product management, said there are two ways Sourcefire is advising Snort users and Sourcefire customers to eliminate the problem. Details about the vulnerability and mitigation instructions from Sourcefire are here [1]. Sourcefire is urging users to install an updated version of Snort released Tuesday, Snort v. 2.4.3, to correct the problem. If it's not feasible for Snort users or Sourcefire customers to immediately update the new version that corrects the buffer-overflow vulnerability, then they should consider disabling the Back Orifice preprocessor function. "But then they wouldn't be able to detect Back Orifice activity," Steffens added. The flaw associated with Snort's Back Orifice preprocessor is only the second major vulnerability to be discovered in Snort for the past two years, she added. The Snort vulnerability was first uncovered by Internet Security Systems (ISS), which reported it directly to US-CERT, which transmitted the information to Sourcefire. Snort information from US-CERT can be found here [2]. Steffens said Sourcefire heard about it on Oct. 13 and spent the weekend testing for it and coming up with a fix. There are an undisclosed number of Sourcefire customers and about 100,000 users of open-source Snort. Neel Mehta, team lead at the ISS X-Force research and development division, which investigates security weaknesses throughout a wide variety of vendor products, said ISS discovered the Snort vulnerability while doing routine testing. "It's trivial to exploit," Mehta claims. "Anyone who does vulnerability testing can do this. It's a buffer overflow that is triggered with a single UDP packet. It would make it easy for worms to exploit this." Mehta said ISS took its concerns directly to US-CERT, the group responsible for alerting government agencies and the public, "asking them to do the coordination on this since there are a wide number of Snort users." 
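The two mitigations Sourcefire describes above (move to Snort 2.4.3, or disable the Back Orifice preprocessor until that is possible) can be checked mechanically against a sensor's version and its snort.conf. The following is an added example, not Sourcefire's or the Snort project's code; it assumes that in Snort 2.x the preprocessor is enabled by a `preprocessor bo` line in snort.conf, and the config fragment it checks is constructed for illustration.

```python
"""Assess a Snort sensor against the Back Orifice preprocessor overflow
reported in the article: affected from 2.4.0, corrected in 2.4.3, and only
reachable when the preprocessor is actually enabled.

Added example, not Sourcefire's or Snort's own code.  Assumption: in Snort
2.x the preprocessor is switched on by a 'preprocessor bo' directive.
"""
import re
from typing import Tuple

VULNERABLE_FROM = (2, 4, 0)   # first affected release named in the article
FIXED_IN = (2, 4, 3)          # release Sourcefire shipped to correct the flaw


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.2' or 'Snort v. 2.4.3' into a comparable tuple of ints."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(version: str) -> bool:
    """True for 2.4.0 <= version < 2.4.3, the range the advisory covers."""
    return VULNERABLE_FROM <= parse_version(version) < FIXED_IN


def bo_preprocessor_enabled(snort_conf: str) -> bool:
    """True if an uncommented 'preprocessor bo' directive is present."""
    for line in snort_conf.splitlines():
        stripped = line.strip()
        if stripped.startswith('#'):
            continue                      # commented out: not loaded
        if re.match(r'preprocessor\s+bo\b', stripped):
            return True
    return False


def assess(version: str, snort_conf: str) -> str:
    """Combine the version check and the config check into one verdict."""
    affected = version_is_affected(version)
    enabled = bo_preprocessor_enabled(snort_conf)
    if not affected:
        return "not affected: version outside the vulnerable range"
    if not enabled:
        return ("affected version, but Back Orifice preprocessor disabled: "
                "upgrade to 2.4.3 when feasible")
    return ("VULNERABLE: upgrade to 2.4.3 now, or comment out "
            "'preprocessor bo' until you can")


def disable_bo_preprocessor(snort_conf: str) -> str:
    """Return a copy of snort.conf with every active 'preprocessor bo'
    directive commented out (the interim mitigation from the advisory)."""
    out = []
    for line in snort_conf.splitlines():
        if re.match(r'\s*preprocessor\s+bo\b', line):
            out.append('# Back Orifice preprocessor disabled pending '
                       'upgrade to Snort 2.4.3')
            out.append('# ' + line.lstrip())
        else:
            out.append(line)
    return '\n'.join(out) + '\n'


# Constructed sample snort.conf fragment; not taken from any real sensor.
SAMPLE_CONF = """\
# sample snort.conf fragment (constructed)
preprocessor frag3_global
preprocessor stream4: detect_scans
preprocessor bo
preprocessor http_inspect: global
"""

if __name__ == '__main__':
    print(assess("Snort v. 2.4.2", SAMPLE_CONF))
    hardened = disable_bo_preprocessor(SAMPLE_CONF)
    print(assess("Snort v. 2.4.2", hardened))
```

Run against a real snort.conf the second verdict tells you whether the interim workaround has been applied, but as Steffens notes, a sensor in that state no longer detects Back Orifice traffic.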
"We saw it as an infrastructure issue," says Mehta. [1] http://www.snort.org/rules/advisories/snort_update_20051018.html [2] http://www.kb.cert.org/vuls/id/MIMG-6H6P65 From isn at c4i.org Wed Oct 19 03:02:57 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 19 03:12:13 2005 Subject: [ISN] Report: U.S. DOT needs to improve IT security Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,105530,00.html By Linda Rosencrance OCTOBER 18, 2005 COMPUTERWORLD During a recent audit of the U.S. Department of Transportation's IT systems, the agency's inspector general was able to take control of a vulnerable server and gain access to sensitive information -- a security lapse that he said could put a number of department systems at risk. It was one of the findings by DOT Inspector General Kenneth Mead, who uncovered about 3,000 weaknesses in the department's IT systems -- including previously reported vulnerabilities that were never fixed, according to the report (download PDF) [1]. The DOT oversees 10 agencies, including the Federal Railroad Administration (FRA) and the Federal Aviation Administration (FAA). It was an FRA server that the inspector general was able to take over. "These weaknesses enabled us to gain total [root-level access] control over a critical file server, desktop computers and a network switch," according to Mead's report. "From these computers, we accessed sensitive information that enabled us to gain unauthorized entry from the Internet and obtain sensitive information." Because of interconnectivity among all DOT networks, the security lapse put other departmental systems at risk, the report said. The inspector general also noted that the FRA hasn't fully deployed an intrusion-detection system, despite years of effort, meaning the DOT can't effectively protect its computers, according to the report. 
Mead also noted that the DOT failed to install software patches on a timely basis, allowing 700 departmental computers to be infected with the recent Zotob worm. The worm was introduced to the DOT's network by a contract employee who connected his laptop to the agency's network in violation of department policy, he said.

"DOT needs to develop a mechanism to ensure that all computers used by telecommuting employees are periodically checked for vulnerabilities and patched with the latest security upgrades," according to the report.

Although the report said that FRA officials are working to eliminate critical vulnerabilities, other agencies have been slow to act. "For example, one of the pending actions is to enhance password security protection in [an FAA] system that contains privacy information," Mead said. "This inexpensive fix would significantly reduce the risk of unauthorized access."

According to the report, Mead notified DOT officials in 2004 that the FAA needed to improve its IT system security. But the aviation agency didn't start making improvements until this past April.

Mead is now working on two new reports on security problems in the FAA system for maintaining air traffic control surveillance, navigation and communications equipment. According to the inspector general, the FAA failed to address earlier air traffic control systems security recommendations. For example, the FAA collected system security information on only about half of the systems used to support high-altitude air traffic services, meaning other critical systems were not reviewed. Because it has not yet analyzed the information it collected, it hasn't determined what needs to be done to correct any problems. FAA officials also haven't performed independent on-site testing of its high-risk systems, something that's required by law, according to the report.
In addition to addressing specific vulnerabilities, the DOT also needs to provide more oversight of its IT investments at the FAA, the report said. "We reviewed 16 FAA major acquisitions and found that nine projects had experienced schedule delays of two to 12 years and 11 projects had experienced cost growth of about $5.6 billion (from $8.9 billion to $14.5 billion)," Mead said, adding that air traffic control modernization projects still face performance problems, cost increases and schedule delays.

According to the inspector general, the DOT's CIO received a draft of the report, agreed with Mead's findings and recommendations, and plans to provide written comments describing exactly what the DOT is doing to correct the problems. "We have reviewed the report, and we will provide the [inspector general] with a response shortly," DOT spokesman Bill Mosley said.

[1] http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/DOT_FISMA.pdf

From isn at c4i.org Wed Oct 19 03:03:10 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 19 03:12:31 2005
Subject: [ISN] Security pros win out in office politics
Message-ID:

http://www.theregister.co.uk/2005/10/18/security_workforce_study/

By John Leyden
18th October 2005

More than a quarter (25.4 per cent) of the security workforce in Europe spends most of their workday dealing with internal politics or selling security to upper management, according to early results from a new survey. The second annual workforce study from security certification and training organisation ISC(2) also found that either researching or implementing new technologies occupied the majority of time for around a third (30.1 per cent) of the 595 experienced security practitioners and managers quizzed. According to the survey, the efforts of many in the profession to sell their value to the organisations they work for are beginning to pay off.
Survey respondents were generally optimistic about levels of influence within their organizations, with a third (33.4 per cent) saying that information security's level of influence within business units and executive management has significantly increased.

The survey, conducted by analyst firm IDC on behalf of ISC(2), also looked at the places inhabited by security functions within organisations. Around one in five (18.8 per cent) of those quizzed report into a dedicated security or information assurance department, with another one in ten (10.5 per cent) reporting directly to the board of directors and 17.4 per cent to executive management. This compares to around a quarter (28.4 per cent) who indicated they reported directly into an IT department.

"We are encouraged to see from the study strong evidence that information security is becoming a domain in its own right, separate from IT, and backed by a swell in the desire to professionalise security as a recognised field of practice," said Sarah Bohne, director of communications at (ISC)2.

Around two-thirds of survey respondents (62.2 per cent) said they would be pursuing information security certifications in the next 12 months. The demand for training reflects a desire by those quizzed to learn broader management skills, with the top areas of interest including information risk management (51.3 per cent), business continuity and disaster recovery (50.6 per cent) and security management practices (44.1 per cent).

A preview of findings from (ISC)2 Information Security: The Shape of the Profession was delivered during a presentation at this week's RSA Europe conference in Vienna, Austria. The full report of global results, including salaries, and the expected rate of growth in the information security workforce, is due to be published in December.
From isn at c4i.org Wed Oct 19 03:03:24 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 19 03:12:57 2005
Subject: [ISN] Davidson: Lessons of warfare for IT security
Message-ID:

http://www.fcw.com/article91127-10-17-05-Web

By Mary Ann Davidson
Oct. 17, 2005

As a security professional, I research the latest issues, threats and hacking techniques. For pleasure, however, I read mostly military history, which shapes my view of information security. As a result, I offer the following lessons from military history for federal agency information technology security professionals.

Most security professionals attempt to implement programs to defend all access points because intruders need to find only one way in. But because agency resources are finite, boundaries typically exceed resources. To best apply limited resources to maximize defense success, carefully select your turf. Risk management approaches to security must move beyond identifying and defending the most important assets to include an analysis of a network's strategic points where intruders could attack.

Here are some IT security lessons from military history.

* Intelligence has value only if you act on it. The Battle of Midway in June 1942 was arguably the turning point of World War II in the Pacific Rim. The victory hinged partly on U.S. code crackers' breaking the JN25 naval cipher to learn that the Japanese planned to attack Midway. Adm. Chester Nimitz, commander of the U.S. Pacific fleet, sent two carrier task forces to Midway to ambush the Japanese Navy. A second lesson is the hubris of assuming that enemies cannot break ciphers and codes.

Security professionals have many means of defense at their disposal. Through network mapping, they can determine the landscape of their networks. Knowing how many systems are locked down and adequately patched, they can assess their readiness. Using intrusion-detection systems, they can know the types of probes the enemy has attempted.
But some organizations don't use or act on the intelligence they have. Many turn off their auditing systems, fail to review the logs or ignore alarms. A military parallel is Pearl Harbor, the attack in which the United States ignored radar detecting the incoming Japanese planes. * Interior defensive perimeters are critical. The network perimeter has disappeared as ubiquitous computing and extranet access have surged. The model of hardened perimeters and wide-open interiors is no longer adequate. During the 1879 defense of Rorke's Drift in South Africa, about 150 British soldiers held off 4,000 Zulus by defending the inherently indefensible. They created makeshift barricades from grain sacks and biscuit boxes to secure the perimeter. They had fallback positions and used them. Security professionals can learn from this example. A network is not defensible if attackers breach the perimeter and the rest of the network is wide open. Today, administrators segment networks with interior firewalls. Tomorrow, networks may be able to create dynamic barriers in response to worm and virus invasions. Admirals and generals set strategies, but individuals who make tactical decisions and take the initiative win battles. Every federal agency employee has a responsibility to make IT security a priority. Davidson is Oracle's chief security officer. From isn at c4i.org Wed Oct 19 03:03:36 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 19 03:13:11 2005 Subject: [ISN] Oracle fixes bugs with mega patch Message-ID: http://news.zdnet.com/2100-1009_22-5900784.html By Joris Evers CNET News.com Published on ZDNet News October 18, 2005 Oracle on Tuesday released fixes for a laundry list of security vulnerabilities in many of its software products. 
The "Critical Patch Update," part of Oracle's quarterly patch release cycle, delivers fixes for 33 flaws in Oracle's Database products, 14 in its Application Server, 13 in the Collaboration Suite, 22 in E-Business Suite and Applications, four in PeopleSoft's PeopleTools, and two in JD Edwards software. Several of the flaws carry Oracle's most serious rating, which means they are easy to exploit and an attack can have a wide impact, according to the alert. "The most severe of the vulnerabilities could possibly expose affected computers to complete compromise," Symantec said in an alert to users of its DeepSight intelligence service. Oracle doesn't provide many details in its advisory, which could be a challenge for users when prioritizing patches, Pete Finnigan, a security specialist in York, England, wrote on his Weblog. "The descriptions for all the bugs except for the database section give nothing away whatsoever," he said. Oracle has been criticized for dragging its heels on fixing security flaws and being unresponsive to researchers who find bugs. Oracle's Chief Security Officer, Mary Ann Davidson, in response said security researchers can be a problem when it comes to product security. From isn at c4i.org Wed Oct 19 03:02:00 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 19 03:13:35 2005 Subject: [ISN] Only Suckers Renew Message-ID: http://www.eweek.com/article2/0,1895,1872416,00.asp By Larry Seltzer October 18, 2005 Opinion: If something goes up in price over 650 percent in four years it has to have gotten a whole lot better, right? The industry has shot anti-virus subscription prices up over the last few years hoping to make users pay full price every year. The price of most things in the computer industry is driven down over time, from competition, economies of scale and advances in the technology. But one product is up over 650 percent in the last 4 years: the annual subscription to Norton Antivirus updates. 
In 2001 Symantec increased the price from $3.95 to $9.95, quite a large increase on its own. Just recently, coincident with the release of the 2006 versions of their security line of products, Symantec once again increased the price of the subscription renewal to $29.99. The new 2006 version of Norton Antivirus, of course including an annual subscription itself, costs $39.99. Symantec's message is clear: you're a sucker if you don't upgrade the program. The only question is whether you're a sucker for getting the new version too. Symantec has absolutely been the leader in this price boom, but most other vendors have happily kept up. Many trail a bit behind. All of them are pricing their products so that you have a strong incentive not to renew your subscription, but to upgrade to the new version. From what I can tell, McAfee has moved completely to a subscription model for the software. The cheapest resubscription I could find was Computer Associates eTrust EZ Antivirus at $19.95. Their new product is only $29.95, so it too is no big savings over a full upgrade. So the point is not to get you to pay more for your signature resubscription; it's to move you to a model where you subscribe at once to software and signature updates, the model to which Symantec has moved with the 2006 products. The annual product version model is dead, more or less. If you were to buy Norton 2006 six months from now, and even if they come out with major updates in another 12 months, you'd get all the updates. I guess if I were an anti-virus company I would do this too; after all, the product actually doesn't change much from year to year, so there's not much point in existing customers upgrading. Symantec does claim advances in their products over the years, including the new 2006 versions - in particular a new Norton Protection Center which attempts to explain complex issues in straightforward language. 
I haven't tested the new products so I can't say whether they're worth going through the trouble of an upgrade. And installing a new Norton product these days is definitely a process that goes wrong for some [1] (check out this link too [2]).

Anyway, with respect to the new features they add each year, so what? They may justify price increases in the new versions, but they don't justify increases in subscription cost for users of old versions who don't get the benefit of new features.

Of course there are things that are good for the user about the subscription model. As Symantec pointed out to me, many users are confused about the fact that they pay for the product once, then after a year they have to pay once again for something not exactly the same. Instead, with 2006, they are told from the beginning that they are subscribing to all updates, including new features. Maybe it's clearer, it's hard to say.

But it does clarify another problem Symantec has with respect to their copy protection. If the real value is in the subscription and not the initial software - and even the new software is useless if you can't update it - then there's no point in protecting the software through copy protection. They should give their software away and charge whatever they want for their subscriptions. Symantec says that the copy of the new software comes with an annual subscription and that the copy protection therefore protects that, but this just tells me they have an implementation problem.

Incidentally, I was curious about how these program updates would be delivered. Right now Symantec has three different mechanisms: Automatic Updates, which happen without user action, deliver only signature updates. Manually running the LiveUpdate program delivers signatures and some program updates, such as bug fixes. And there have been some cases where Symantec has delivered updates as downloaded executables.
I asked Symantec how they would deliver new updates including new features, and they got vague on me. It's not clear. If it's through manual downloads and the equivalent of an upgrade process then most users won't do it, although they will have access to it. It's especially galling to see Symantec increase prices for their signatures when they are regularly one of the slowest companies to update those signatures in response to threats. Symantec updates regularly once a week and only goes out of cycle with updates when a category 3 or higher threat comes along. In the last year there have been only a handful of 3+ threats. The signature update process has therefore become well-oiled and as regular as grandma when she takes her Metamucil. In fact, the 2006 versions address this somewhat. If you are running the 2006 or future versions you will get daily updates. If you're running 2005 or earlier versions, you're still on the old schedule. For this they deserve a raise? Other companies release at least once a day, many of them hourly, such as BitDefender and Kaspersky. This usually matters little, but if you're one of the unfortunate few to get one of the very common new threats at level 2 or 1 there could be 6 more days before Norton ponies up with protection for it. And for keeping you at the old, embarrassingly slow schedule, they do you the favor of charging you almost as much as they do for a full new copy. Maybe anti-virus vendors figure that their time is limited and that they better suck whatever money they can from customers before something supplants them. We've been looking at products like Panda TruPrevent that don't rely on signatures for detection; they're not perfect, but they're getting a lot better. One day if they get good enough the great Norton Cash Cow will moo its last. -=- Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. 
[1] http://blog.ziffdavis.com/seltzer/archive/2004/11/18/3338.aspx [2] http://blog.ziffdavis.com/seltzer/archive/2005/08/28/27160.aspx From isn at c4i.org Wed Oct 19 03:03:47 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 19 03:13:54 2005 Subject: [ISN] Hacker loses name suppression Message-ID: http://tvnz.co.nz/view/page/411749/620770 One News Oct 19, 2005 A Dunedin university lecturer who hacked into a US company's computer has finally been outed after an 18 month battle to keep his name suppressed. Timothy Molteno, 38, was the first person caught under new computer crime laws. The senior lecturer in physics at Otago University pleaded guilty 18 months ago, but wanted his name permanently suppressed. Molteno had been employed as a software writer for US online shopping company buymusichere.com. But he fell out with CEO Bob Lee and subsequently hacked into the site from Dunedin - deleting and destroying data. Two months ago Molteno was convicted and sentenced to 200 hours community work and ordered to pay $12,000 to buymusichere.com. Lawyer Judith Ablett-Kerr wanted him discharged without conviction and appealed, saying it wasn't fair to publish Molteno's name. "Those who might have the impression that this man is a high achieving... one of New Zealand's tall poppies who has just sailed through this... they are quite wrong," Kerr said in court on Wednesday. She argued publishing his name would be stressful and confusing because other family members have the same surname. It was also argued that it would cause problems for the university where he worked. However, the appeal judge said even though the offending was out of character the conviction was appropriate and his name should be published. Buymusichere.com CEO Bob Lee is happy with the outcome. "Part of being held accountable is having to face the rest of the world... and acknowledge the fact that you've done it," he says. Internet experts are also pleased with the decision. 
From isn at c4i.org Thu Oct 20 02:05:52 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 20 02:17:06 2005 Subject: [ISN] As battlefield moves online, DOD needs new technologies to fight terrorists Message-ID: Forwarded from: William Knowles http://www.gcn.com/vol1_no1/daily-updates/37350-1.html By Dawn S. Onley GCN Staff 10/19/05 ATLANTIC CITY, N.J - Fighting al-Qaida marks the first time in world history that a guerilla faction has moved war from the physical domain to cyberspace, said the Army CIO. The concepts of warfare have not changed in over 2,000 years, but the tools used for war have, Army Lt. Gen. Steven Boutelle said during a lunch address yesterday at the MILCOM 2005 conference. Boutelle implored the audience not to get comfortable about the advances that have been made by commercial technologies. Those same technologies, Boutelle warned, are being used by terrorist groups like al-Qaida, and in some instances, America's adversaries are better at obtaining and using information to their advantage. These groups have "fully embraced the Internet and fully embraced the technology, and they are using it to kill your people," he added. Today, members of the terrorist network use the Internet to communicate with each other and to recruit new members, Boutelle said, adding that they have posted recipes for ricin poison, outlined the chemicals needed to make a bomb and described in vivid language the best way to shoot and kill an American soldier. "Your enemy, your adversary, is using your information, and they do it faster, better and cheaper," Boutelle said. The best counterattack to al-Qaida's increasing use of IT is to spiral new technologies into Iraq as soon as possible, Boutelle said. He encouraged contractors to "think about what you're bringing to the table for us." *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. 
Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Thu Oct 20 02:07:15 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 20 02:17:40 2005 Subject: [ISN] Security UPDATE -- Auditing Your Systems Can Improve Security -- October 19, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Control access, change and availability of IT http://list.windowsitpro.com/t?ctl=16E6F:4FB69 Software Packaging Workflow Best Practices http://list.windowsitpro.com/t?ctl=16E5B:4FB69 ==================== 1. In Focus: Auditing Your Systems Can Improve Security 2. Security News and Features - Recent Security Vulnerabilities - Overlooked Security Patches Bring Down Spread Firefox Site - Check Point Snaps Up Sourcefire - Curious Stirrings in the World of Open Source 3. Instant Poll 4. Security Toolkit - Security Matters Blog - FAQ - Security Forum Featured Thread 5. New and Improved - VPN Firewalls Add Malware Protection ==================== ==== Sponsor: Quest Software ==== Control access, change and availability of IT This paper provides an overview of the techniques for implementing internal controls and how these techniques are utilized to mitigate an organization's IT applications and infrastructure risk. This paper also discusses the importance of IT control standards and frameworks, such as COSO and CobiT, and examines specific examples of IT controls. Get your paper today. http://list.windowsitpro.com/t?ctl=16E6F:4FB69 ==================== ==== 1. 
In Focus: Auditing Your Systems Can Improve Security by Mark Joseph Edwards, News Editor, mark at ntsecurity / net As you hopefully know by now, Microsoft released nine security bulletins this month as part of its regular patch release schedule. One of the bulletins includes a vulnerability in Microsoft Distributed Transaction Coordinator (MSDTC). The vulnerability is serious, and an exploit has already been created. Although the exploit was created by Immunity Security strictly for release to its business customers, by the time you read this newsletter, someone else will likely have already released another exploit onto the Internet--possibly in the form of a worm or Trojan horse, either of which could lead to a complete compromise of your entire network. Protecting your systems in advance is of paramount concern. The obvious approach is to load the patch as soon as you can, and if you can't, for whatever reason, then take other defensive measures. MSDTC listens on TCP port 3372. Minimally, scan your network to determine which systems listen on TCP port 3372. You can disable MSDTC on individual systems or by using Group Policy. But doing so might break various types of functionality. Review Microsoft Security Bulletin MS05-051-- Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400) for details. http://list.windowsitpro.com/t?ctl=16E62:4FB69 The fact that someone created an exploit for the MSDTC vulnerability in fewer than 24 hours points out the need to stay on top of vulnerability reports and patching. It also points out the need to know precisely what software runs on your systems. A fantastic case in point is Mozilla Foundation, which I wrote about in a news story on our Web site that's also included in this newsletter. http://list.windowsitpro.com/t?ctl=16E67:4FB69 In summary, the Spread Firefox Web site was compromised back in July. After that intrusion, Mozilla Foundation rebuilt the entire server. 
But, when doing so, the company failed to properly record what software runs on that server. Apparently between July and October, no significant audit was performed on the server either. As a result, Mozilla Foundation overlooked the fact that TWiki runs on the server, although not as a prominent service. (For more information about TWiki, go to http://list.windowsitpro.com/t?ctl=16E74:4FB69 ) You can probably guess what happened next: A vulnerability was discovered in TWiki, and soon an intruder began attempts to break into the Spread Firefox Web site. So Mozilla Foundation once again spent considerable time rebuilding a server that was rebuilt only a few months prior. The Spread Firefox site was taken offline by October 4, and didn't come back online until yesterday. I have no idea what the combined incidents cost the company in terms of time and money, but in addition to those costs, the incidents cost the organization in terms of reputation. These sorts of incidents can happen to anybody who doesn't know exactly what software runs on their systems and doesn't stay up to date on new vulnerabilities. The bottom line is that you're responsible for determining what software runs on your systems, and you can't rely on your software vendors to consistently provide you the latest vulnerability information. The reason for the latter is simple: When vulnerabilities are announced to the public (sometimes with only scant details), potential intruders can use that information to begin looking for a way to breach security. In some cases, all a discoverer needs to say is, "I found a problem in XYZ application," and someone else can use logic to figure out where the vulnerability might be, find it, and develop a way to exploit it. The lessons here are clear. In order to maintain optimum network security, you must audit your system regularly, keep precise and up-to-date records, and monitor the Internet for new vulnerability developments.
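The audit step described above (find which hosts listen on TCP port 3372, then check that against what your records say runs where), as an added example that is not part of the newsletter: a Python script that scans a host list for the port and reconciles the hits with a simple asset register. The register format, the host names and the loopback stand-in for an MSDTC listener are my assumptions, constructed so the demo runs offline.

```python
import socket
from typing import Dict, Iterable, List, Set, Tuple

MSDTC_PORT = 3372  # the port the newsletter says MSDTC listens on


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port succeeds within `timeout` seconds.

    Success only proves that *something* accepts connections there; it does
    not identify the service, so treat hits as leads for the audit.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name lookup failed
        return False


def scan_for_listeners(hosts: Iterable[str], port: int = MSDTC_PORT,
                       timeout: float = 1.0) -> List[str]:
    """Return, in input order, the hosts that accept TCP connections on port."""
    return [host for host in hosts if port_is_open(host, port, timeout)]


def reconcile(listeners: Iterable[str], register: Dict[str, Set[str]],
              service: str = "MSDTC") -> Dict[str, List[str]]:
    """Compare observed listeners with the asset register (host -> services).

    expected:   listening and recorded as running `service`
    unexpected: listening but not recorded for `service`, or the host is
                unknown to the register at all; audit these first
    missing:    recorded as running `service` but not listening (stale
                record, or the service was disabled after the record)
    """
    listening = set(listeners)
    recorded = {h for h, services in register.items() if service in services}
    return {
        "expected": sorted(listening & recorded),
        "unexpected": sorted(listening - recorded),
        "missing": sorted(recorded - listening),
    }


def _throwaway_listener() -> Tuple[socket.socket, int]:
    """Bind a listener on an ephemeral loopback port so the demo runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo() -> Dict[str, object]:
    """Scan a local stand-in for an MSDTC host, then reconcile the result.

    Everything here is constructed for the example: the loopback listener
    stands in for a host with TCP 3372 open, and the register and the extra
    'reports-01' hit are made up to show all three report buckets.
    """
    srv, port = _throwaway_listener()
    try:
        live = scan_for_listeners(["127.0.0.1"], port)
    finally:
        srv.close()
    after_close = scan_for_listeners(["127.0.0.1"], port)  # now refused

    register = {
        "127.0.0.1": {"MSDTC", "IIS"},      # recorded as running MSDTC
        "reports-01": {"IIS"},              # MSDTC not recorded here
        "sql-02": {"MSDTC", "SQL Server"},  # recorded, but not listening
    }
    observed = live + ["reports-01"]        # constructed extra hit
    return {
        "live_before_close": live,
        "live_after_close": after_close,
        "report": reconcile(observed, register),
    }


if __name__ == "__main__":
    result = demo()
    for bucket, hosts in result["report"].items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Against a real estate, replace the host list with your inventory and keep the default port; anything in the "unexpected" bucket is a host whose records are wrong or whose MSDTC exposure nobody signed off on.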
Doing so can make even the biggest networks a much smaller target. ==================== ==== Sponsor: Macrovision ==== Software Packaging Workflow Best Practices Managing desktop software configurations doesn't have to be a manual process, resulting in unplanned costs, deployment delays, and client confusion. In this free whitepaper you'll learn how to manage the software package preparation process and increase your desktop reliability, user satisfaction, and IT cost effectiveness. Download your copy now and discover the value of standardizing the software packaging process. http://list.windowsitpro.com/t?ctl=16E5B:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=16E61:4FB69 Overlooked Security Patches Bring Down Spread Firefox Site Mozilla Foundation overlooked critical patches on its Spread Firefox site. As a result, the site was temporarily taken offline and site visitors were redirected to the Firefox area of the main Mozilla Web site. http://list.windowsitpro.com/t?ctl=16E67:4FB69 Check Point Snaps Up Sourcefire Check Point Technologies announced a deal to acquire Sourcefire, makers of the ever-popular open-source Snort Intrusion Detection System (IDS). Check Point will add the Sourcefire line of commercial security products to its suite of offerings. http://list.windowsitpro.com/t?ctl=16E6A:4FB69 Curious Stirrings in the World of Open Source Several events in the open-source world have piqued my curiosity. What's going on? To see what I mean, read this news item on our Web site. http://list.windowsitpro.com/t?ctl=16E69:4FB69 ==================== ==== Resources and Events ==== Recovery vs. Continuity--Do You Know the Difference?
Attend this free Web seminar and learn the difference between the ability to quickly recover lost or damaged data and the ability to keep your messaging operations running normally before, during, and after an outage. You'll discover what the real technical differences between recovery and continuity are, when each is important, and what you can do to make sure that you're hitting the right balance between them. http://list.windowsitpro.com/t?ctl=16E5D:4FB69 Discover SQL Server 2005 for the enterprise. Are you prepared--In New York! In this free half-day event, you'll learn how the top new features of SQL Server 2005 will help you create and manage large-scale, mission-critical enterprise database applications, making your job easier. Find out how to leverage SQL Server 2005's new capabilities to best support your business initiatives. Register today for the new show added in New York! http://list.windowsitpro.com/t?ctl=16E5F:4FB69 Do You Know What "High Availability" Really Means? In this free Essential Guide learn what high availability really means and the different strategies that you can use to improve your email systems' availability and resiliency. http://list.windowsitpro.com/t?ctl=16E60:4FB69 Get the Maximum Return on Software Investments by Optimizing Every Dollar Spent on Software Often software applications are over-licensed by one department and under-licensed by another, resulting in denial of some end users the access to software they need or overspending on additional licenses that go unused. In this free Web seminar get the 5-step plan for quickly implementing a license management program today! http://list.windowsitpro.com/t?ctl=16E5E:4FB69 Compliance vs. Recovery: Can You Have Your Cake and Eat It Too? 
In this free, on-demand Web seminar, discover the issues involved with integrating your compliance system with backup and recovery, including backup schedules, the pros and cons of outsourcing your backup media storage and management, the DR implications of having to back up all that compliance data, and the possibility of using alternative backup methods to provide backup and compliance in a single system. You'll learn what to watch out for when combining the two functions and how to assess whether your backup/restore mechanisms are equal to the challenge. http://list.windowsitpro.com/t?ctl=16E5C:4FB69 ==================== ==== 3. Instant Poll ==== Results of Previous Poll: Have you, your company, or someone you know been a victim of online fraud? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 30 votes: - 57% Yes - 37% No - 7% Not sure (Deviations from 100% are due to rounding.) New Instant Poll: Which of the following devices and/or software do you monitor? Go to the Security Hot Topic and submit your vote for - Windows - Network devices such as firewalls, gateways, VPN appliances, and wireless Access Points - Important applications such as Exchange Server and IIS - Two or more of the above - None of the above http://list.windowsitpro.com/t?ctl=16E6C:4FB69 ==================== ==== Featured White Paper ==== Can you afford to have anything less than 100% uptime for your mission critical email? Email has become mission critical to the functioning of business, and every hour of downtime can cost thousands of dollars in lost productivity and revenue. In this free white paper, learn how to address challenges such as: making email truly available 24x7x365, securing against viruses, comprehensively backing up email data and more. Download your copy now! 
http://list.windowsitpro.com/t?ctl=16E59:4FB69 ==================== ==== Hot Release ==== Free Network Security Test from Qualys Testing and improving your network security has never been easier. Requiring NO software, QualysGuard will safely and accurately test your network for security threats and provide you with the necessary fixes to proactively guard your network. Try QualysGuard Risk Free. http://list.windowsitpro.com/t?ctl=16E70:4FB69 ==================== ==== 4. Security Toolkit ==== Security Matters Blog: Network Security Toolkit 1.2.3 by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=16E6E:4FB69 Version 1.2.3 of the Network Security Toolkit was recently released. This is an excellent toolkit, and if you haven't looked at it, consider doing so. This blog entry links to my review of version 1.0.6. http://list.windowsitpro.com/t?ctl=16E68:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=16E6D:4FB69 Q: How can I enable access-based share enumeration so that users see only files and folders to which they have access? Find the answer at http://list.windowsitpro.com/t?ctl=16E6B:4FB69 Security Forum Featured Thread: Stop IE from Downloading .exe Files A forum participant asks whether there's any way to prevent Microsoft Internet Explorer (IE) users from downloading and saving .exe, .mp3, and other files to their network drives in a Windows 2000 environment. Join the discussion at: http://list.windowsitpro.com/t?ctl=16E5A:4FB69 ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Get Access to Every Windows IT Pro Article on CD Get the Windows IT Pro Master CD and get portable, high-speed access to the entire Windows IT Pro article database--more than 9,000 articles on CD! The newest issue includes BONUS Windows Tips, and if you sign up now, you'll SAVE 25%. 
Offer ends 10/31/05, so subscribe now: http://list.windowsitpro.com/t?ctl=16E63:4FB69 The Windows Scripting Solutions Newsletter The Windows Scripting Solutions Newsletter is a "must have." Subscribe today and get a 12-issue resource loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. You will also get online access to the entire newsletter archive (over 500 scripting articles), including access to our popular "Shell Scripting 101" series. This resource will help to save you time and money. Order now: http://list.windowsitpro.com/t?ctl=16E64:4FB69 ==================== ==== 5. New and Improved ==== by Renee Munshi, products@windowsitpro.com VPN Firewalls Add Malware Protection NETGEAR announced the incorporation of Trend Micro's Client/Server (CS) and Client/Server/Messaging (CSM) Suite for Small and Medium Business (SMB) into the NETGEAR ProSafe VPN Firewall 200 (FVX538) and ProSafe VPN Firewall 50 (FVS338). Both firewalls now enforce security policies established by the network administrator by allowing Internet access for only those computers that have the latest antivirus and antispam signatures. Computers that aren't compliant will be redirected to a server to obtain updates. The ProSafe VPN firewalls with Trend Micro software are designed to be all-in-one security appliances for SMBs. They're list priced at $557 for the ProSafe 200 (200 simultaneous IPsec tunnels) and $278 for the ProSafe 50 (50 tunnels). For more information, go to http://list.windowsitpro.com/t?ctl=16E73:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. 
Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Sponsored Links ==== Admins rush to install BLOG servers How to run your own blog server. Free 5 user license. http://list.windowsitpro.com/t?ctl=16E72:4FB69 ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=16E71:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- salesopps@windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=16E66:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Oct 20 02:04:39 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 20 02:18:03 2005 Subject: [ISN] Cyber crime comes of age as foreign plugs sell secrets Message-ID: http://dnaindia.com/report.asp?NewsID=6411 Neha Dara October 19, 2005 NEW DELHI: Cases of data loss from ITES companies may no longer be new but the arrest of two employees, from an Indian BPO in Gurgaon has a twist in the tale. The two arrests were made on Tuesday and Wednesday. 
British national Harish Parmar and Sarita Rawat, both employees of Cybersys Infotech Limited, were arrested by the Gurgaon police for stealing confidential data and selling it to different competitors, special superintendent of police Hanif Qureshi said in a press conference in Gurgaon on Wednesday. However, this is no ordinary case of data loss. Cybersys Infotech Ltd had entered into an exclusive contract with the British company City Credit Management. As a condition of this exclusive contract, Harish Parmar was made City Credit's representative on the board of Cybersys. As outsourced work dealt with a highly specialised area like mortgage, Cybersys spent huge amounts developing training manuals and systems. However, soon after, City Credit started outsourcing its call-centre work to other Indian BPOs, in a breach of the exclusivity contract. Not only that, to cut costs, the specially developed manuals and systems were allegedly stolen through Parmar and Rawat and sold to those BPOs. This saved them the investment that Cybersys had made in developing the same, and consequently saved City Credit money as well. Vanguard Info-Solutions Limited in Gurgaon was one of the BPOs to which this information was sold and which was forthcoming with the details to the police. The involvement of one other BPO is suspected, but its name, and the extent of the loss incurred by Cybersys, is yet to be established. The complaint with the police was filed by Vineet Kanwar, the director of Cybersys Infotech Limited, against employee Sarita Rawat; Harish Parmar, who is a director of both the Indian company and the British one; Parmar's wife, who is also a director of the British company; and City Credit Management itself.
According to Supreme Court advocate and cyber law expert Pavan Duggal, the crime in this case is therefore "both of hacking (covered by section 66 of the IT Act) and of breach of trust, because an exclusive contract was broken (covered under section 72 of the IT Act and 406, 409 and 120b of the IPC)." Indian ITES companies have recently been haunted by a spate of crimes that have raised questions about security of client data. However, this is perhaps the first time when the overseas client itself has been accused of engineering the data loss. From isn at c4i.org Thu Oct 20 02:05:13 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 20 02:18:31 2005 Subject: [ISN] Bruce Schneier talks cyber law Message-ID: http://www.theregister.co.uk/2005/10/19/schneier_talks_law/ By John Oates in Vienna 19th October 2005 RSA Europe 2005 ISPs must be made liable for viruses and other bad network traffic, Bruce Schneier, security guru and founder and CTO of Counterpane Internet Security, told The Register yesterday. He said: "It's about externalities - like a chemical company polluting a river - they don't live downstream and they don't care what happens. You need regulation to make it bad business for them not to care. You need to raise the cost of doing it wrong." Schneier said there was a parallel with the success of the environmental movement - protests and court cases made it too expensive to keep polluting and made it better business to be greener. Schneier said ISPs should offer consumers "clean pipe" services: "Corporate ISPs do it, why don't they offer it to my Mum? We'd all be safer and it's in our interests to pay. "This will happen, there's no other possibility." He said there was no reason why legislators do such a bad job of drafting technology laws. Schneier said short-sighted lobbyists were partly to blame. He said much cyber crime legislation was unnecessary because it should be covered by existing laws - "theft is theft and trespass is still trespass". 
But Schneier conceded that getting international agreements in place would be very difficult and that we remain at risk from the country with the weakest laws - in the same way we remain at risk from the least well-protected computer on the network. From isn at c4i.org Thu Oct 20 02:10:11 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 20 02:18:58 2005 Subject: [ISN] Mother Nature's storms postpone DHS' Cyber Storm Message-ID: http://www.washingtontechnology.com/news/1_1/daily_news/27222-1.html By Wilson P. Dizard III Contributing Staff Writer 10/19/05 The Homeland Security Department's Cyber Storm exercise, consisting of a virtual attack on the nation, has been pushed back from November to February 2006 because of resource demands on the federal government and infrastructure damage caused by the recent hurricanes in the Gulf Coast region, the department and other sources said. DHS spokeswoman Michelle Petrovich confirmed that the Cyber Storm exercise [1] had been pushed forward from next month to February. "It makes sense to work on real-time occurrences such as hurricanes Katrina and Rita [before carrying out the exercises]," she said. "It would be fair to say that the storms required a reallocation of resources, [but] all efforts to move forward with Cyber Storm are continuing," Petrovich added. Terry Benzel, a computer scientist at the University of Southern California whose DETER Internet test bed project is scheduled to play a key role in Cyber Storm, said the electric utility industry had requested the delay so that the companies could repair their shredded networks. Electric utility industry sources were not immediately available to verify Benzel's statement. Cyber Storm is designed to combine a virtual attack on the financial sector with a virtual assault on the power grid, as well as a simulated array of attacks on physical assets.
Acting Cybersecurity Division director Andy Purdy had described Cyber Storm as an interagency project that would involve participation by various critical infrastructure owners in the private sector. Wilson P. Dizard III is a senior writer for Washington Technology's sister publication, Government Computer News. [1] http://www.washingtontechnology.com/news/1_1/homeland/26631-1.html From isn at c4i.org Fri Oct 21 16:07:28 2005 From: isn at c4i.org (InfoSec News) Date: Fri Oct 21 16:19:24 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-42 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2005-10-13 - 2005-10-20 This week : 69 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. 
Secunia Online Vulnerability Database: http://secunia.com/

========================================================================

2) This Week in Brief:

Neel Mehta has reported a vulnerability in Snort, which can be exploited by malicious people to compromise a vulnerable system. What makes this vulnerability particularly dangerous is that it may be exploited by sending a single specially crafted UDP packet to a vulnerable system. Users of Snort are advised to update to the latest version.

Reference: http://secunia.com/SA17220

--

85 vulnerabilities have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to conduct PL/SQL injection attacks, cross-site scripting attacks, or potentially to compromise a vulnerable system. Details about some of the vulnerabilities may be found in the referenced Secunia advisory. The advisory will be continuously updated when more information becomes available.

Reference: http://secunia.com/SA17250

--

A vulnerability has been discovered in the popular text-based browser Lynx, which can be exploited to compromise a vulnerable system. For additional details please view the referenced Secunia advisory.

Reference: http://secunia.com/SA17216

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA17071] Mozilla Firefox Iframe Size Denial of Service Weakness
2. [SA17167] Microsoft Collaboration Data Objects Buffer Overflow Vulnerability
3. [SA16480] Microsoft Windows COM Object Instantiation Memory Corruption Vulnerability
4. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
5. [SA17250] Oracle Products 85 Unspecified Vulnerabilities
6. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
7. [SA17062] UW-imapd Mailbox Name Parsing Buffer Overflow Vulnerability
8. [SA17220] Snort Back Orifice Pre-Processor Buffer Overflow Vulnerability
9. [SA17138] BEA WebLogic 24 Vulnerabilities and Security Issues
10. [SA17183] McAfee Anti-Virus Engine Malformed ARJ Archive Virus Detection Bypass

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA17223] Nortel Centrex IP Client Manager Multiple Vulnerabilities
[SA17240] MailSite Express Attachment Upload Vulnerability
[SA17214] IBM TotalStorage SAN Volume Controller PuTTY Vulnerability
[SA17219] Comersus Power Pack Premium Cross-Site Scripting Vulnerabilities
[SA17196] Typsoft FTP Server Denial of Service Vulnerability
[SA17188] Kaspersky Anti-Virus Engine Malformed Archives Virus Detection Bypass
[SA17186] AVG Anti-Virus Engine Malformed ARJ Archive Virus Detection Bypass

UNIX/Linux:
[SA17248] Fedora update for lynx
[SA17238] Gentoo update for lynx
[SA17235] Sun Solaris Multiple Mozilla Vulnerabilities
[SA17231] Red Hat update for lynx
[SA17230] Ubuntu update for lynx
[SA17220] Snort Back Orifice Pre-Processor Buffer Overflow Vulnerability
[SA17216] Lynx "HTrjis()" NNTP Buffer Overflow Vulnerability
[SA17212] Fedora update for koffice
[SA17190] Gentoo update for koffice/kword
[SA17257] Avaya Products BFD Integer Overflow Vulnerability
[SA17256] Red Hat update for netpbm
[SA17252] Avaya Intuity LX Two Vulnerabilities
[SA17247] Fedora update for wget
[SA17236] Sun Solaris Network Security Services (NSS) Security Tools Zlib Vulnerability
[SA17234] Gentoo update for phpmyadmin
[SA17233] Red Hat update for openldap / nss_ldap
[SA17228] Fedora update for curl
[SA17222] Ubuntu update for netpbm
[SA17221] NetPBM "pnmtopng" Stack Corruption Vulnerability
[SA17215] SUSE Updates for Multiple Packages
[SA17213] Fedora update for abiword
[SA17208] Ubuntu update for libcurl2/libcurl3
[SA17206] Red Hat update for xloadimage
[SA17203] Mandrake update for curl
[SA17200] Ubuntu update for abiword
[SA17199] AbiWord RTF Importer Buffer Overflow Vulnerabilities
[SA17193] cURL/libcURL NTLM Username Handling Buffer Overflow Vulnerability
[SA17192] wget NTLM Username Handling Buffer Overflow Vulnerability
[SA17244] SUSE update for OpenWBEM
[SA17245] Ubuntu update for openssh-server
[SA17210] Fedora update for openssl/openssl096b/openssl097a
[SA17191] Slackware update for openssl
[SA17189] Ubuntu update for openssl
[SA17217] Avaya Modular Messaging ucd-snmp Denial of Service Vulnerability
[SA17258] Avaya CMS Solaris X11 Pixmap Creation Integer Overflow Vulnerability
[SA17249] Avaya CMS / IR Solaris UFS File System Denial of Service
[SA17246] Avaya CMS / IR Solaris Xsun and Xprt Privilege Escalation Vulnerability
[SA17241] Gentoo update for spe
[SA17232] Gentoo update for perl / qt-unixodbc / cmake
[SA17226] Linux Kernel Console Keyboard Mapping Shell Command Injection
[SA17224] Stani's Python Editor Insecure Default File Permissions
[SA17211] Fedora update for texinfo
[SA17209] Flexbackup Insecure Temporary File Creation
[SA17207] Ubuntu update for graphviz
[SA17202] AIX LSCFG Insecure Temporary File Handling Vulnerability
[SA17194] XMail Command Line Buffer Overflow Vulnerability
[SA17187] Debian update for hylafax
[SA17242] YIFF Sound Systems Arbitrary File Playback Weakness
[SA17229] Ubuntu update for php
[SA17198] Sun Solaris SCTP Denial of Service Weaknesses
[SA17195] HP-UX Unspecified Denial of Service Weakness

Other:
[SA17255] Nortel Threat Protection System Back Orifice Pre-Processor Buffer Overflow

Cross Platform:
[SA17237] e107 "a_name" SQL Injection Vulnerability
[SA17201] W-Agora Local File Inclusion and File Upload Vulnerabilities
[SA17250] Oracle Products 85 Unspecified Vulnerabilities
[SA17243] Xerver Multiple Vulnerabilities
[SA17227] PunBB "old_searches" SQL Injection Vulnerability
[SA17225] Network Security Services (NSS) Library Zlib Vulnerability
[SA17205] Gallery "g2_itemId" Disclosure of Sensitive Information
[SA17253] ManageEngine NetFlow Analyzer "grDisp" Cross-Site Scripting
[SA17197] BitDefender Anti-Virus Engine Malformed Archives Virus Detection Bypass [SA17204] iTunes Shared Music Potential Denial of Service ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA17223] Nortel Centrex IP Client Manager Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Privilege escalation, DoS, System access Released: 2005-10-18 Nortel Networks has acknowledged multiple vulnerabilities in Centrex IP Client Manager, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and gain escalated privileges, and by malicious people to cause a DoS (Denial of Service) or compromise a user's system. Full Advisory: http://secunia.com/advisories/17223/ -- [SA17240] MailSite Express Attachment Upload Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-18 Soroush dalili has discovered a vulnerability in MailSite Express, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17240/ -- [SA17214] IBM TotalStorage SAN Volume Controller PuTTY Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-17 IBM has acknowledged a vulnerability in TotalStorage SAN Volume Controller, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17214/ -- [SA17219] Comersus Power Pack Premium Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-10-17 Lostmon has reported a vulnerability in BackOffice Plus included in Comersus Power Pack Premium, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/17219/

--
[SA17196] Typsoft FTP Server Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-10-14

Donnie Werner has discovered a vulnerability in Typsoft FTP, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17196/

--
[SA17188] Kaspersky Anti-Virus Engine Malformed Archives Virus Detection Bypass
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-13

fRoGGz has reported a weakness in Kaspersky Anti-Virus scan engine, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory: http://secunia.com/advisories/17188/

--
[SA17186] AVG Anti-Virus Engine Malformed ARJ Archive Virus Detection Bypass
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-13

fRoGGz has discovered a weakness in AVG Anti-Virus scan engine, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory: http://secunia.com/advisories/17186/

UNIX/Linux:
--
[SA17248] Fedora update for lynx
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-18

Fedora has issued an update for lynx. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17248/

--
[SA17238] Gentoo update for lynx
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-18

Gentoo has issued an update for lynx. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17238/

--
[SA17235] Sun Solaris Multiple Mozilla Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Spoofing, System access
Released: 2005-10-17

Sun Microsystems has acknowledged some vulnerabilities in Solaris, which can be exploited by malicious people to spoof the contents of web sites or to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17235/

--
[SA17231] Red Hat update for lynx
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-17

Red Hat has issued an update for lynx. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17231/

--
[SA17230] Ubuntu update for lynx
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-17

Ubuntu has issued an update for lynx. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17230/

--
[SA17220] Snort Back Orifice Pre-Processor Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-18

Neel Mehta has reported a vulnerability in Snort, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17220/

--
[SA17216] Lynx "HTrjis()" NNTP Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-17

Ulf Harnhammar has reported a vulnerability in Lynx, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17216/

--
[SA17212] Fedora update for koffice
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-17

Fedora has issued an update for koffice. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17212/

--
[SA17190] Gentoo update for koffice/kword
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-14

Gentoo has issued updates for koffice and kword. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17190/

--
[SA17257] Avaya Products BFD Integer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-19

Avaya has acknowledged a vulnerability in various products, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17257/

--
[SA17256] Red Hat update for netpbm
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-19

Red Hat has issued an update for netpbm. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory: http://secunia.com/advisories/17256/

--
[SA17252] Avaya Intuity LX Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-19

Avaya has acknowledged a security issue and a vulnerability in Intuity LX, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17252/

--
[SA17247] Fedora update for wget
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-18

Fedora has issued an update for wget. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17247/

--
[SA17236] Sun Solaris Network Security Services (NSS) Security Tools Zlib Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-17

Sun Microsystems has acknowledged a vulnerability in Solaris and Sun Java Enterprise System, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory: http://secunia.com/advisories/17236/

--
[SA17234] Gentoo update for phpmyadmin
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-10-18

Gentoo has issued an update for phpmyadmin. This fixes a vulnerability, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/17234/

--
[SA17233] Red Hat update for openldap / nss_ldap
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2005-10-17

Red Hat has issued updates for openldap / nss_ldap. This fixes two security issues and a vulnerability, which can be exploited by malicious people to gain knowledge of sensitive information or bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/17233/

--
[SA17228] Fedora update for curl
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-19

Fedora has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17228/

--
[SA17222] Ubuntu update for netpbm
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-19

Ubuntu has issued an update for netpbm. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory: http://secunia.com/advisories/17222/

--
[SA17221] NetPBM "pnmtopng" Stack Corruption Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-19

Bastien Nocera has reported a vulnerability in NetPBM, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory: http://secunia.com/advisories/17221/

--
[SA17215] SUSE Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2005-10-17

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, by malicious users to cause a DoS (Denial of Service), and by malicious people to potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/17215/

--
[SA17213] Fedora update for abiword
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-17

Fedora has issued an update for abiword. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17213/

--
[SA17208] Ubuntu update for libcurl2/libcurl3
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-17

Ubuntu has issued an update for libcurl2/libcurl3. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17208/

--
[SA17206] Red Hat update for xloadimage
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-19

Red Hat has issued an update for xloadimage. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17206/

--
[SA17203] Mandrake update for curl
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-14

Mandriva has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17203/

--
[SA17200] Ubuntu update for abiword
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-14

Ubuntu has issued an update for abiword. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17200/

--
[SA17199] AbiWord RTF Importer Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-14

Chris Evans has reported some vulnerabilities in Abiword, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17199/

--
[SA17193] cURL/libcURL NTLM Username Handling Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-14

A vulnerability has been reported in cURL/libcURL, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17193/

--
[SA17192] wget NTLM Username Handling Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-14

A vulnerability has been reported in wget, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17192/

--
[SA17244] SUSE update for OpenWBEM
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-10-18

SUSE has issued an update for OpenWBEM. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17244/

--
[SA17245] Ubuntu update for openssh-server
Critical: Less critical
Where: From remote
Impact: Privilege escalation
Released: 2005-10-18

Ubuntu has issued an update for openssh-server. This fixes a security issue, which can be exploited by malicious users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/17245/

--
[SA17210] Fedora update for openssl/openssl096b/openssl097a
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-17

Fedora has issued updates for openssl/openssl096b/openssl097a. These fix a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/17210/

--
[SA17191] Slackware update for openssl
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-14

Slackware has issued an update for openssl. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/17191/

--
[SA17189] Ubuntu update for openssl
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-14

Ubuntu has issued an update for openssl. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/17189/

--
[SA17217] Avaya Modular Messaging ucd-snmp Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-10-19

Avaya has acknowledged a vulnerability in Avaya Modular Messaging, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17217/

--
[SA17258] Avaya CMS Solaris X11 Pixmap Creation Integer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-19

Avaya has acknowledged a vulnerability in CMS, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/17258/

--
[SA17249] Avaya CMS / IR Solaris UFS File System Denial of Service
Critical: Less critical
Where: Local system
Impact: DoS
Released: 2005-10-19

Avaya has acknowledged a vulnerability in CMS and IR, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17249/

--
[SA17246] Avaya CMS / IR Solaris Xsun and Xprt Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-19

Avaya has acknowledged a vulnerability in CMS and IR, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/17246/

--
[SA17241] Gentoo update for spe
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-17

Gentoo has issued an update for SPE. This fixes a security issue, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/17241/

--
[SA17232] Gentoo update for perl / qt-unixodbc / cmake
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-17

Gentoo has issued updates for perl / qt-unixodbc / cmake. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/17232/

--
[SA17226] Linux Kernel Console Keyboard Mapping Shell Command Injection
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-17

Rudolf Polzer has reported a vulnerability in the Linux Kernel, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/17226/

--
[SA17224] Stani's Python Editor Insecure Default File Permissions
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-17

Bryan Ostergaard has reported a security issue in Stani's Python Editor (SPE), which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/17224/

--
[SA17211] Fedora update for texinfo
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-17

Fedora has issued an update for texinfo. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/17211/

--
[SA17209] Flexbackup Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-17

Eric Romang has reported a vulnerability in Flexbackup, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/17209/

--
[SA17207] Ubuntu update for graphviz
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-17

Ubuntu has issued an update for graphviz. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/17207/

--
[SA17202] AIX LSCFG Insecure Temporary File Handling Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-14

A vulnerability has been reported in AIX, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/17202/

--
[SA17194] XMail Command Line Buffer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-14

A vulnerability has been reported in XMail, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/17194/

--
[SA17187] Debian update for hylafax
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-13

Debian has issued an update for hylafax. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/17187/

--
[SA17242] YIFF Sound Systems Arbitrary File Playback Weakness
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2005-10-19

Javier Fernandez-Sanguino Pena has discovered a weakness in YIFF Sound Systems, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/17242/

--
[SA17229] Ubuntu update for php
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2005-10-17

Ubuntu has issued an update for php. This fixes a security issue, which can be exploited by malicious, local users to access certain files outside the "open_basedir" root.

Full Advisory: http://secunia.com/advisories/17229/

--
[SA17198] Sun Solaris SCTP Denial of Service Weaknesses
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-10-14

Some weaknesses have been reported in Solaris, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17198/

--
[SA17195] HP-UX Unspecified Denial of Service Weakness
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-10-14

A weakness has been reported in HP-UX, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17195/

Other:
--
[SA17255] Nortel Threat Protection System Back Orifice Pre-Processor Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-19

Nortel Networks has acknowledged a vulnerability in two Threat Protection System products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17255/

Cross Platform:
--
[SA17237] e107 "a_name" SQL Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Manipulation of data, System access
Released: 2005-10-19

rgod has reported a vulnerability in e107, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17237/

--
[SA17201] W-Agora Local File Inclusion and File Upload Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2005-10-17

rgod has discovered some vulnerabilities in W-Agora, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17201/

--
[SA17250] Oracle Products 85 Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, Cross Site Scripting, Manipulation of data, System access
Released: 2005-10-19

85 vulnerabilities have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to conduct PL/SQL injection attacks, cross-site scripting attacks, or potentially to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17250/

--
[SA17243] Xerver Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released: 2005-10-19

Ziv Kamir has reported some vulnerabilities in Xerver, which can be exploited by malicious people to conduct cross-site scripting attacks, and disclose system and sensitive information.

Full Advisory: http://secunia.com/advisories/17243/

--
[SA17227] PunBB "old_searches" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-10-17

Devil_box has reported a vulnerability in PunBB, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17227/

--
[SA17225] Network Security Services (NSS) Library Zlib Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-17

A vulnerability has been reported in Network Security Services (NSS), which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17225/

--
[SA17205] Gallery "g2_itemId" Disclosure of Sensitive Information
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-10-17

A vulnerability has been reported in Gallery, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/17205/

--
[SA17253] ManageEngine NetFlow Analyzer "grDisp" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-10-19

"Why" has discovered a vulnerability in ManageEngine NetFlow Analyzer, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17253/

--
[SA17197] BitDefender Anti-Virus Engine Malformed Archives Virus Detection Bypass
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-14

fRoGGz has reported a weakness in BitDefender Anti-Virus scan engine, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory: http://secunia.com/advisories/17197/

--
[SA17204] iTunes Shared Music Potential Denial of Service
Critical: Not critical
Where: From local network
Impact: DoS
Released: 2005-10-17

Seth Fogie has reported a security issue in iTunes, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17204/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 From isn at c4i.org Fri Oct 21 16:07:47 2005 From: isn at c4i.org (InfoSec News) Date: Fri Oct 21 16:19:40 2005 Subject: [ISN] Security is not a PR problem Message-ID: http://www.theage.com.au/news/soapbox/security-is-not-a-pr-problem/2005/10/21/1129775950797.html By Sam Varghese Comment October 22, 2005 (Microsoft general manager for security George) Stathakopoulos takes pride in the achievement (number of security bulletins issued), as when he notes that he has been involved in shipping more compact discs - Windows software - than the Beatles, Rolling Stones and Madonna combined. - The New York Times -=- Initially, one could well be forgiven for thinking that the sentence above was drafted by some spinmeister. It is the last bit in a tale about a meeting Microsoft held recently with independent security researchers, most of them former black hats. The meeting is called a Blue Hat briefing. This is the second such publicised meeting, part of a media offensive to spread the idea that Microsoft is taking security seriously. The reality is different. In January 2002, Microsoft announced what it called a Trustworthy Computing Initiative. The term was trademarked, a paper published and everyone was made to feel that the company would be taking steps to improve the abysmal security of its products. The years 2000 and 2001 were horror years for Microsoft, with one worm after another affecting one product or the other and users taking a beating as the malware wreaked havoc. Three years on, it doesn't look like too much has changed. There is, and has, been a lot of talk but the company still appears to treat security as a PR issue, much the same way that it did before the trademarking of TCI. 
Security holes continue to appear as frequently - or sometimes even more frequently - as before in Microsoft's products and the only reason large-scale disruption doesn't become visible is because those who exploit the flaws are nowadays geared towards making money. The trend now is more or less uniformly towards using vulnerabilities for pecuniary gain - for example, by creating zombies that can be used to attack targets. It is relatively safe to do this: no company which has been held ransom in this manner is going to complain.

Once a company that does business of any kind online is known to have poor security, the chances of improving its business prospects often lessen dramatically. One of the more recent examples is that of Cardsystems, a US company handling credit card validation. A leak of card numbers earlier this year has hit the company badly and it is now about to be taken over. The company was running its databases on Microsoft's operating systems.

Thus the extent of electronic fraud remains largely unknown. And companies such as Microsoft are able to boldly claim that flaws in their products are not known to have been exploited.

Yet it is easy to find on the web - at times in password-protected sites - and in chatrooms, exploit after exploit for common vulnerabilities that have yet to be patched.

eEye Digital Security has for years been informing the public [1] about holes in Microsoft's products. Right now, there are many in that list, some pending for nearly seven months. That the company will not patch these flaws is not surprising; after all, the security advisory site Secunia estimates that fully 30 per cent of 70 Internet Explorer flaws posted since 2003 remain unpatched.

Security through obscurity is not possible these days so security through denial is practised instead.
One way of avoiding the obvious is meeting people from the black hat community who have now gone into business for themselves and are no longer crackers - these meetings are apparently meant to indicate that Microsoft takes security seriously. The Blue Hat briefings have got their requisite publicity through largely unquestioning media outlets - but whether anything positive actually happens as a result is largely unknown. It looks like a means of getting people who could be a problem on-side.

And there is of course the positive spin that publications, often so-called reputable outlets such as the New York Times (which firmly believed in the existence of WMD in Iraq) provide. The quote at the start of this piece is one such example - it's cute. It fudges the fact - that security is precisely where it was in 2002 and, in fact, is much worse.

The future direction that Microsoft will take has been indicated by its choosing executives with strong business and marketing backgrounds to head the three divisions of the company, following a reorganisation last month. The last genuine techie among the crowd, Jim Allchin, will retire next year. And the goal of the restructuring? To get products faster to market. Not better products, just those that can come off the conveyor belt faster.

The next version of Windows will surely be more secure than its predecessors. And I believe strongly that Santa Claus will bring me that new laptop for Christmas.

[1] http://www.eeye.com/html/research/upcoming/index.html

From isn at c4i.org Fri Oct 21 16:10:37 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 21 16:21:24 2005
Subject: [ISN] Guard against Titan Rain hackers
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,105585,00.html

Opinion by Ira Winkler
OCTOBER 20, 2005
COMPUTERWORLD

At the moment, there's a dirty little secret that only a few people in the information security world seem to be privileged to know about, or at least take seriously.
Computers around the world are systematically being victimized by rampant hacking. This hacking is not only widespread, but is being executed so flawlessly that the attackers compromise a system, steal everything of value and completely erase their tracks within 20 minutes.

When you read this, it almost sounds like the plot of a cheesy science fiction novel, where some evil uberhacker is seeking world domination, while a good uberhacker applies all his super brain power to save the world. Sadly, this isn't science fiction, and we don't typically have uberhackers on our side.

Talk of these hacks is going on within the intelligence and defense communities in the U.S. and around the world. The attacks were even given a code name, Titan Rain, within the U.S. government. The attackers appear to be targeting systems with military and secret information of any type. They are also targeting the related technologies.

But I'm not just talking about government systems. There are a variety of industries that support the government. For example, automobile companies make tanks and other military equipment. Food service companies supply military rations. Oil companies provide fuel to the government. Companies with personal information on federal employees can be exploited to identify undercover operatives.

That also brings up other potential targets, as the attackers are not necessarily limiting their sights to apparent military systems. Oil companies know where potentially valuable oil reserves might be. Telecommunications companies have details about satellite communications and new technologies for improving communications reliability and bandwidth. Any organization with intellectual property worth protecting is a potential victim of these attackers.

I only present the above facts to demonstrate that most companies can expect to fall victim to the attackers. Way too many companies believe that they have nothing to fear or nothing of value that sophisticated attackers would want.
The fact of the matter is that these attackers are extremely indiscriminate in whom they compromise.

The critical issue is the identity of the attackers. The source of the attacks will tell you how much you have to be worried about. Initially, the attacks were traced to China, which told investigators very little. There are so many poorly secured computers in China that many hackers use China-based systems as relay points for their attacks. So despite the fact that all attacks went through China, there was little evidence to conclude that China was responsible.

That was until Shawn Carpenter, a security analyst at Sandia National Laboratories, decided to pursue the attacks after being told to drop them by his superiors. Using computer forensics techniques and hacking into the offending systems, Carpenter was able to use the compromised systems against themselves and find the actual origin of the attacks. Doing things that official government agents could not, he determined that the root of the attacks was China. He set up the attack systems to report back to him what the attackers were doing and also performed analysis of the attacks. Based on the volume of the attacks, he determined that there were anywhere from six to 10 people hacking around the clock.

Given the skill and the size of the operation, there could be only two sources of the attack: the Chinese intelligence agencies or the Chinese triads (a.k.a., the Chinese Mafia). As I describe in my book, Spies Among Us (Wiley, 2005), China as a government vacuums up whatever information it can for potential value. Chinese triads examine whatever they can get for profit potential, whether it's to extort money or to sell to the highest bidder. Even worse for non-Chinese entities, the Chinese government cooperates and exchanges information with the triads.

The information is used against its victims in a variety of ways.
Many companies, both high- and low-tech, find themselves competing against Chinese companies that somehow seemed to invent the exact same products or technologies, but that don't seem to care about recovering research and development costs. Companies operating in Southeast Asia seem to be one step behind the Chinese triads and end up paying a great deal more for their operations than they would have expected. Companies that aren't directly involved are still enablers for the attacks, allowing the Chinese hackers to compromise other organizations and national security.

Despite the level of sophistication of the attacks, most of them are completely preventable. That includes the attacks on the government and contractor systems. They are exploiting some vulnerabilities that are unknown to the general security community. However, they only resort to those when all else fails, and that isn't very frequently. Generally, though, even the "unpreventable" attacks could be prevented in some ways. For example, unnecessary services on a computer can't be exploited if they aren't running. Firewalls don't have to let unnecessary traffic through. There are many things organizations can do to protect themselves by adding defense in depth.

Given the current diplomatic situation between the U.S. and China, Titan Rain attacks will continue to proliferate in the foreseeable future. It's essentially a vacuum of cyberspace by the Chinese. Unfortunately, we are relying on uberhackers, like Shawn Carpenter, who are few and far between, to protect us. It's up to CIOs and other IT managers to ensure that their companies practice good systems-hardening procedures, along with applying defense in depth throughout their entire organization.

While people may think of Titan Rain as just applying to organizations with high-tech or national security interests, the fact is that since every organization faces the same wide threat landscape, you can't ignore basic security practices.
The sad fact is that if you're hit by the Titan Rain hackers, you'll likely never know about it. Even worse, though, is that you are more likely to be hit by other attackers who will cause blatant damage to your systems and business. The good news is these attackers are less talented and can more easily be stopped by basic security measures.

-=-

Ira Winkler is president of the Internet Security Advisors Group. He is a former National Security Agency analyst and the author of Spies Among Us (Wiley, 2005).

From isn at c4i.org Fri Oct 21 16:08:06 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 21 16:21:39 2005
Subject: [ISN] Judge orders Interior IT system shutdown
Message-ID:

http://www.fcw.com/article91172-10-20-05-Web

By Aliya Sternstein
Oct. 20, 2005

A judge has ordered the Interior Department to disconnect all information technology systems that access Indian trust fund data because the systems are vulnerable to hacker attacks.

Today, U.S. District Judge Royce Lamberth granted American Indian plaintiffs a motion for a preliminary injunction to shut down all computers, networks, handheld computers and voice-over-IP equipment that access trust fund data. The injunction prohibits Interior employees, contractors, tribes and other third parties from using those systems.

Interior's IT security has been the focus of a nine-year class-action lawsuit that criticizes the department's oversight of Indian trust funds. Plaintiffs have accused Interior officials of failing to properly protect data.

Department officials took the Bureau of Land Management's Web sites off-line for two months this spring after Interior's inspector general issued a report warning that its IT systems are vulnerable to cyberattacks.

In 2001, Lamberth ordered Interior to disable Internet connections on all computers that employees - and hackers - could use to access trust fund data.
He ordered two subsequent shutdowns, although Internet access had returned to the department following a federal appeals court ruling that blocked the second order.

Most recently, lapses in Interior's oversight allowed government-hired hackers to infiltrate the agency's systems, according to a Sept. 6 memo from Earl Devaney, Interior's IG. Since November 2004, the IG has been independently testing the department's network security.

Because of "vulnerabilities in several bureaus' [IT] systems, [Interior] internal networks, as a whole, are vulnerable to unauthorized access," Devaney wrote in his most recent assessment.

Interior's lawyers and IT employees will soon determine the amount of equipment and networks that the new order affects.

"We are working with our IT personnel and attorneys to help interpret the judge's order and to determine the actions that we need to take to comply," Interior spokesman John Wright said. "The impact potentially involves approximately 6,000 computers that house individual Indian trust data and an undetermined number of other computers that may provide indirect access to IT systems that house individual Indian trust data."

The shutdown's start date has not been determined, he added.

Based on an initial review of the order, Interior officials said the shutdown will adversely impact Interior programs that benefit American Indians and other customers. Wright said the order will undermine the agency's ability to distribute royalty payments to Indian beneficiaries and the federal government.

The Indian plaintiffs in the case are expected to issue a formal statement later today. The plaintiffs are generally satisfied with today's outcome, said Bill McAllister, their spokesman.

"It seems to follow pretty much what we've requested in the hearing," McAllister said. "It supported our contention that the computers were unsafe."
From isn at c4i.org Fri Oct 21 16:09:15 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 21 16:21:55 2005
Subject: [ISN] 50-Cent Holes
Message-ID:

Forwarded from: William Knowles

http://www.csoonline.com/read/100105/security.html

BY THOMAS WAILGUM
CSO Magazine
October 2005

This has not been a banner year for information security. From a stolen laptop full of Social Security numbers to a website that lost oceans of credit card data, commonsense security procedures seem in short supply.

"Almost without exception we're living in a world where no one thinks to lock the stable doors until the horses have escaped," says David Friedlander, a senior analyst at Forrester Research.

CIOs can spend millions on firewalls, intrusion detection systems and whatever else their security vendors are selling, but when that VP of marketing decides to sync his work laptop with his unsecured home PC - and there's no policy or training to make him think twice - your million-dollar security efforts become worthless.

With that in mind, here are 10 common security ailments and 10 practical remedies. They're easy and inexpensive, and you can do them right now. All involve some form of user education and training.

"How do you stop stupid mistakes?" asks Mark Lobel, a partner in the security practice at PricewaterhouseCoopers. "It's education and security awareness - basic blocking and tackling - and it does not have to cost a fortune."

Save As...

The Hole | A company familiar to Adam Couture, a principal analyst at Gartner Research, searched its Exchange servers for documents called "passwords.doc." There were 40 of them.

The Problem | Uneducated users. "Some of these [mistakes] are so obvious that you think, 'Nobody would do that,'" Couture says. "But you give people too much credit."
Any hacker, malcontent employee or grandmother with a minimal amount of computer know-how could unlock those documents and ravage your company's most sensitive applications (not to mention all of your employees' personal information).

The Solution | First, CIOs need to acknowledge that there might be passwords.doc files on their networks, find them and destroy them. Then, via e-mail or a companywide meeting, they need to explain to users why keeping a file like this on the network is a really, really bad idea.

Ever Heard of "bcc:"?

The Hole | On June 13, 2005, the University of Kansas Office of Student Financial Aid sent out an e-mail to 119 students, informing them that their failing grades put them at risk of losing their financial aid. The e-mail included all 119 students' names within the e-mail address list.

The Problem | Besides embarrassing their students, U. Kansas administrators may have violated the Department of Education's Family Education Rights and Privacy Act, which protects the privacy of students' grades and financial situations.

The Solution | First, companies need a policy that explicitly states what can and cannot be sent out via e-mail or IM. "A lot of companies don't have good acceptable-use policies for e-mail," says Michael Osterman, founder of Osterman Research. He suggests that they map out how employees should handle confidential information, offer them training and have them sign a one-page document stating that they have taken the course and understand what to do. University of Kansas officials say they have "undertaken internal measures - such as reviewing e-mail and privacy policies, and training staff - to ensure it does not happen again."

Osterman also suggests that CIOs add an outbound scanning system to the existing e-mail system that looks for sensitive content in e-mails (such as 16-digit numbers, which could be credit card numbers).
He says these systems are inexpensive and are offered by scores of messaging vendors; some vendors will even do a complimentary scan of a company's messages to see how bad it might be. One vendor that he's familiar with started scanning a new customer's network and found 10 violations in 10 minutes.

No One Noticed? Really?

The Hole | Orazio Lembo, of Hackensack, N.J., made millions by purchasing account information from eight bank employees who worked at several financial institutions, including Bank of America, Commerce Bank, PNC, Wachovia and others. Lembo paid $10 for each pilfered account. Most of the felonious employees were high-level, but two bank tellers were also arrested. Lembo had approximately 676,000 accounts in his database, according to Capt. Frank Lomia of the Hackensack Police Department, an official investigating Lembo.

The Problem | Capt. Lomia says that many of Lembo's contacts usually accessed and sold 100 to 200 accounts a week - but one managed to access 500 in one week. "What surprised me is that someone could look at 500 accounts and have no one notice," he says.

The Solution | CIOs, with the help of the HR, security and audit functions, need to institute a clearly defined policy on who has access to what information, how they can access it and how often. After all, with HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley looking over CIOs' shoulders, compliance and controls have to be on the top of the to-do list.

"Through all the phases of information creation to maintenance and storage and destruction," asks PwC's Lobel, "do you have that data classification and lifecycle process, and do people know what it is?" Lobel says many of his clients have compliance controls, but employees either don't know such controls exist or aren't clear where they apply. "User education is not easy, but it is worth the effort," he says.
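The outbound scan Osterman recommends in the "bcc:" item can be prototyped in a few dozen lines. The following is an added example, not code from the CSO article or any vendor: it flags messages that expose a long recipient list in To:/Cc: and messages carrying 16-digit numbers that pass the Luhn check (so order numbers and serials do not trip it); the recipient threshold, addresses and sample messages are constructed assumptions.

```python
"""Outbound e-mail policy check of the kind Osterman describes in the
"Ever Heard of bcc:?" item: flag messages that expose many recipients
in To:/Cc: and messages carrying 16-digit numbers that look like card
numbers. Added example, not code from the CSO article; thresholds,
addresses and sample messages are constructed assumptions."""
import re
from dataclasses import dataclass

VISIBLE_RECIPIENT_LIMIT = 20  # assumption: larger lists belong in Bcc:
# 16 digits, optionally grouped 4-4-4-4 with spaces or dashes, and not
# part of a longer digit run
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")


@dataclass
class Message:
    sender: str
    to: list
    cc: list
    subject: str
    body: str


@dataclass
class Finding:
    rule: str
    detail: str


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: real card numbers pass, most other 16-digit
    strings (order numbers, serials) do not, which cuts false alarms."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_candidates(text: str) -> list:
    """Return the 16-digit runs in text that also satisfy Luhn."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    """Never copy the full number into a log or alert; keep last four."""
    return "*" * (len(digits) - 4) + digits[-4:]


def check_message(msg: Message) -> list:
    """Apply both rules to one message and return the findings."""
    findings = []
    visible = len(msg.to) + len(msg.cc)
    if visible > VISIBLE_RECIPIENT_LIMIT:
        findings.append(Finding("visible-recipients",
                                f"{visible} addresses exposed in To:/Cc:"))
    for number in card_candidates(msg.subject + "\n" + msg.body):
        findings.append(Finding("card-number",
                                f"candidate card number {mask(number)}"))
    return findings


def scan_outbound(messages: list) -> dict:
    """Map each subject to the list of rule names it triggered."""
    return {m.subject: [f.rule for f in check_message(m)] for m in messages}


# Constructed sample traffic (not real addresses or data).
SAMPLE_MESSAGES = [
    # the U. Kansas pattern: 119 students visible to one another
    Message("aid-office@example.edu",
            [f"student{i:03d}@example.edu" for i in range(119)], [],
            "Financial aid notice", "Your grades put your aid at risk."),
    # a number that passes Luhn (the widely used 4111... test number)
    Message("sales@example.com", ["client@example.org"], [],
            "Invoice", "Charge it to 4111-1111-1111-1111, exp 12/07."),
    # a 16-digit order number that fails Luhn: not flagged
    Message("ops@example.com", ["vendor@example.org"], [],
            "Order", "Reference order 1234567890123456 on your side."),
    Message("alice@example.com", ["bob@example.com"], ["carol@example.com"],
            "Lunch", "Noon at the usual place?"),
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for f in check_message(msg):
            print(f"{msg.subject!r}: {f.rule} - {f.detail}")
```

Running it reports the 119-recipient notice and the invoice only; the order reference is ignored because it fails Luhn.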
ChoicePoint's Bad Choice

The Hole | Criminals posing as small-business owners accessed the information - names, addresses and Social Security numbers - of 145,000 ChoicePoint customers.

The Problem | Call it what you will - fraud, "social engineering," the Kevin Mitnick effect - this was one really glaring example of how these kinds of attacks are plaguing companies. Lobel says commercial enterprises could improve when it comes to training users about social engineering - hackers targeting well-meaning users over the phone or Internet to obtain private information such as passwords. "We're always going to find somebody who doesn't know what they shouldn't be doing," he says.

The Solution | CIOs should make sure that both users and customers are adequately trained in how to recognize and respond to phishing and other related attacks - especially before they go out and hire a company such as PwC to audit their user base. "[CIOs] should spend their money on a [training] program rather than on testing," Lobel says. ChoicePoint claims that it has strengthened its customer-credentialing procedures and is re-credentialing broad segments of its customer base, including its small-business customers.

Loose Laptops

The Hole | On April 5, MCI said that an MCI financial analyst's laptop had been stolen from his car, which was parked in his home garage. That laptop contained the names and Social Security numbers of 16,500 current and former employees.

The Problem | In many recent cases involving laptops, the computer's security was handled by a Windows log-on password. "It's getting easier for even the more casual criminal to find out how to break into the laptop," says Forrester's Friedlander. "There's more awareness that the information is valuable." Plus, the data in many of these recent incidents wasn't encrypted. (MCI won't say whether the stolen laptop was encrypted, just that it had password protection).
According to Friedlander, encryption adoption is much lower than firewall adoption because encryption historically has had performance issues (it slows the computer down) as well as usability issues (users are often confused about how to encrypt the right data). In a recent Forrester survey, 38 percent of respondents said they have no plans to deploy encryption tools. Ouch.

The Solution | CIOs need to do some classic risk management, says Friedlander, and ask themselves: What is the information on the system that I care about the most? Who's connected to a network where I might be exposed? And then they should create or revise their security policies based on that assessment. For example, if a laptop has customer information on it that would kill the company if it got into a competitor's hands, then the CIO should ensure that encryption was turned on. Users need to understand "why these policies and technologies are in place that may seem inconvenient, but why they do matter," says Friedlander. "If they realize the implications, most people will want to act." If the information on another laptop is less critical, then more basic security measures, such as strong passwords, can be used, he says.

Tales of the Tapes

The Hole | Let's not forget the good ole data tape - in particular, CitiFinancial's now-infamous UPS shipment of unencrypted computer tapes that were lost in transit to a credit bureau. A whopping 3.9 million CitiFinancial customers' data was on those tapes, including their names, Social Security numbers, account numbers and payment histories.

The Problem | CitiFinancial has stated it "[has] no reason to believe that this information has been used inappropriately." But on the other hand, there's no reason to believe that it won't be. There are companies that specialize in handling data tapes, Iron Mountain for one. But even Iron Mountain is not impervious to security snafus.
In May, Time Warner announced that Iron Mountain had lost 40 backup tapes that had the names and Social Security numbers for 600,000 of its current and former U.S.-based employees and for some of their dependents and beneficiaries. Iron Mountain says it has recently suffered three other "events of human error" that resulted in the loss of customers' backup tapes - and these are the guys who supposedly are all about security and nothing else.

The Solution | In July, Citigroup said it will start shipping customer information via direct, encrypted electronic transmissions. Though "you can squeeze a lot more data into a truck than you can over the wire," Couture of Gartner Research says, "[sending data electronically] could be cost-effective for smaller companies with small amounts of data." Citigroup's new shipping method will also take much of the people part out of the equation. "Any time you have to touch that tape and add a human element in the process, there's the potential [for] incompetence, malfeasance, and pure and simple stupidity," Couture says. (For more on solutions to identity theft, see "New Locks, New Keys.")

How Much for a BlackBerry?

The Hole | This tale has been told so often that it is teetering on the brink of urban legend status: Back in 2003, a former Morgan Stanley executive, apparently with no more use for his BlackBerry, sold the device on eBay for a whopping $15.50.

The Problem | The surprised buyer soon found out that the BlackBerry still contained hundreds of confidential Morgan Stanley e-mails, according to a Forrester report.

The Solution | First, users with handhelds, laptops and other devices need to be made to understand what's really at stake. "It's not the laptops that are the issue; it's what's on them," says Forrester's Friedlander. Second, CIOs need to institute a repeatable and enforceable policy for device and access management - even for high-powered executives.
When someone leaves the company, he should have to turn in all of his corporate-issued devices, and IS should lock him out of all applications to which he had access. "If you have 1,000 users, there should be 1,000 accounts," says the CISO of a large Midwestern financial services company. "So why are there 1,400? Because people who have left still have authority to log in." According to the Forrester report, Morgan Stanley did have a policy that stated that mobile devices should be returned to IS for "data cleansing," but this exec must have slipped through the front door.

Another huge problem is those longtime employees who move around the company and retain access to data associated with their previous jobs even though it's unrelated to their new position, says Jeffrey Margolies, lead for Accenture's security services and identity management practice. "They accumulate access over time, and they are an audit nightmare." A solution is to set up one place (whether it's a website or paper form) where employees can request access to applications, Margolies says. CIOs need a policy that states who has access to what systems and why, with IT, HR and security getting to make the decisions. "Over the last 10 years, we have built hundreds of applications, and every single application has its own way of [determining] access and managing that access," he says. "But just [giving people] one place to go and [saying] just fill out this form - even if it's paper - the level of confusion is reduced."

IM Not OK

The Hole | One of your top sales guys is a huge believer in instant messaging. In fact, he's been using a consumer-grade IM client (probably AOL Instant Messenger) to communicate with his customers for years. And this hypothetical salesman's IM name fits his personality perfectly: Big Bad Texan.

The Problem | There are three, says Osterman of Osterman Research.
First, security: A consumer-grade IM client used on a corporate system will bypass all antivirus and spam software. Second, compliance: Consumer-grade IM clients don't have auditing and logging capabilities for regulatory compliance. And third, name-space control: If Big Bad Texan takes a job at your competitor, rest assured he's taking his IM name - and your key customers - with him. "There's no clue to the outside world that he left," Osterman says.

The Solution | The first step is for CIOs to admit to themselves that consumer-grade IM could be running rampant in their organizations. Osterman estimates that 30 percent of all e-mail users are instant messaging these days. Like e-mail, CIOs need to develop an acceptable-use policy and make sure everyone understands it. Then CIOs have two options: Allow consumer-grade IM to remain in place and deploy a system that will provide any number of security functions, such as blocking file transfers or mapping IM screen names to corporate identities, says Osterman. Alternatively, CIOs can replace consumer-grade IM tools with an enterprise-grade system. "This can be a more expensive and disruptive option, but it's one that many organizations are choosing," Osterman says.

Unwired and Unsafe Workers

The Hole | The CISO of the Midwestern financial services company shares this nightmare: An executive decides she wants to put a wireless access point in her house so she can work at home from anywhere in her house. Her son gets her up and running. She wirelessly logs into the network, and she uses the default password for the connection that came straight out of the box.

The Problem | "Go to every single hacker site, and you can find every default password and user ID [for wireless routers]," says the CISO. "Home PCs are one of the greatest vulnerabilities." And once this executive authenticates, others can see how she did it, "then people are in," the CISO says.

The Solution | Back to the basics with this one.
CIOs need to make sure all employees who work from home know that they have to change all the default settings, and they can't forget about firewall, VPN, antivirus patching and authentication tools. That all takes an omnipresent security education program, but to this CISO, it's the cost of doing business today. "The struggle with security education is getting it so it becomes like breathing," the CISO says. "Users have to become smarter about how they do things."

40 Million "Served"

The Hole | In June, MasterCard announced that CardSystems Solutions, a third-party processor of credit card transactions for MasterCard, Visa, American Express and Discover, allowed an unauthorized individual to infiltrate its network and access cardholder data.

The Problem | Up to 40 million cardholders' information could have been exposed. It turns out CardSystems had violated its agreement with the credit card companies: It was not allowed to store cardholders' account information on its systems, and yet it did just that.

The Solution | If a company has an agreement not to store another company's data on its systems, it shouldn't. And if for some strange reason it becomes necessary, the company had better ensure that it has the necessary controls. "All of those cases of breaches speak to the need for a good, old-fashioned defense, in-depth, with multiple layers of control," says PwC's Lobel. For example, he says, instead of just having a firewall, companies should have multiple layers of controls on their network. Or rather than just using SSL, companies need to use authentication too. "You get into the security versus ease-of-use trade-off and cost," he says. "That's the decision that businesses have to make with their eyes wide open."

In the end, how a company views security and protects its customers' and employees' data will have a direct correlation to its longevity.
In the case of CardSystems, in July both Visa and American Express said they no longer wanted to do business with the company.

-=-

Staff Writer Thomas Wailgum can be reached at twailgum at cio.com. Editorial Intern C.G. Lynch contributed to this report.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Oct 21 16:09:31 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 21 16:22:09 2005
Subject: [ISN] Negligence At MSU Exposes 9,100 Students to I.D. Theft
Message-ID:

http://www.themontclarion.org/media/paper374/news/2005/10/20/News/Negligence.At.Msu.Exposes.9100.Students.To.I.d.Theft-1028069.shtml

By Jessica Havery
October 20, 2005

Due to what Montclair State University officials are calling an "inadvertent error," the social security numbers of 9,100 Montclair State University students were made available online for nearly five months, putting each student at risk for identity theft and credit fraud.

The error, discovered last Wednesday by junior political science major, Brian Gatens, was identified when Gatens stumbled over the information database after running a search for his name on a Google search engine.

After making the discovery, and contacting Information Technology to report the issue, Gatens informed The Montclarion about the mishap. However, the paper decided to hold the story, originally meant to run on Oct. 13, in order to protect the confidential information of the students at risk.
In response to Gatens' report, Jeff Giacobbe, director of Information Technology Networks, Telecommunications, Systems and Security, said that the information had been gathered by a University employee who had been authorized to do so. "This person inadvertently posted the files to an area of the campus web server that was subsequently read and 'cached' by the Google search engine," Giacobbe said. The employee, whose name has not been released by the University, placed the files onto the server so that the information could be retrieved by other University employees, who also had authorization to view the documents. According to Giacobbe, the individual failed to realize that, by placing the files in that location, the information was also visible to other parties, including internet search engines. While other media outlets have reported that the individual responsible made a mistake and would not be punished, Vice President of Student Development and Campus Life, Karen Pennington, said that the matter was still under a full investigation. When Gatens contacted Giacobbe about his findings, he was informed that the process of having the files removed from the Google search engine normally takes three to five business days. The University, in an effort to expedite the process, contacted the State Attorney General's office, which assisted with the removal of all files. Last Thursday, Pennington sent a campus-wide e-mail about the slip-up, and urged undergraduate students with a declared major and an assigned academic advisor to take retroactive precautions to protect themselves and their credit reports. Pennington said that the University has received responses from parents and students regarding the announcement of the security concern. "There have been clarifying questions regarding the event," Pennington said. 
"Responses from students fall into three categories: clarifying whether [he or she] was specifically affected; clarifying how to get a free fraud alert versus having to pay and general concern regarding the incident." While students have sent letters and made phone calls as a way of expressing concerns, and complaints, they have also joined forces electronically by creating online blogs and groups through sites like Livejournal.com and Thefacebook.com. Mancine's post received 11 comments from other undergraduate students discussing the incident, and the possibility of taking legal action against the University. Another student, who could only be identified by the username 'ticklish721,' said "I may take legal action if I find something suspicious on my credit report." In addition to the Livejournal group, Montclair_State, 45 students have joined the "MSU Screwed Up and I Fell Victim to ID Theft" group, created by computer science major, James Ragucci. Students, such as music major Rosemary Topar, are using the group to unify any students interested in participating in a class-action lawsuit against the University. After reading about a bill signed by N.J. Governor Codey that would require colleges to stop using social security numbers as identification numbers, Topar asked, "Will someone please tell me why the University failed to halt the use of our social security numbers starting with this year?" Giacobbe said that Montclair State has been working to implement an alternate identification system for the past several months, and expects the system to be functional before the end of the year. "The campus-wide identification system is a unique eight-digit number for every student and University employee that will be used in place of a social security number for most University business and all online authentication," Giacobbe said. Pennington said that she was confident that the change will prevent unauthorized disclosures in the future. 
An information technology representative from Kean University said that their University has already made the change from social security numbers to an alternate form of identification. "While we have made the switch to an alternate number, students may choose whether they want to use their social security numbers, or not," she said. In some cases, according to Giacobbe, social security numbers will remain necessary. "Certain State and Federal processes, such as student financial aid, require social security information," Giacobbe said. "The numbers must remain a part of an individual's private ... record, but as of the end of the year, they will no longer be used as a primary identifier or for logging into online services." From isn at c4i.org Fri Oct 21 16:09:44 2005 From: isn at c4i.org (InfoSec News) Date: Fri Oct 21 16:22:24 2005 Subject: [ISN] Patch Deployment Problems Haunt Microsoft Again Message-ID: http://www.eweek.com/article2/0,1895,1874284,00.asp By Ryan Naraine October 20, 2005 For the second time in as many weeks, the MSRC has revised one of its "critical" security bulletins after some users complained of problems figuring out which patch to apply. It appears that Windows 2000 users running Microsoft DirectX 8.0 or DirectX 9.0 had problems sorting through the bulletin to find the appropriate patches. In the ensuing confusion, the incorrect patch was applied, leaving the PC vulnerable to code execution attacks. A spokesperson for the Microsoft Security Response Center acknowledged the information mix-up but stressed that only a small subset of Windows 2000 users were affected. "Microsoft is aware that a limited amount of customers, who may have obtained the wrong security update for their version of DirectX, may think they are protected, when in fact, they are not," the spokesperson said in a statement released to Ziff Davis Internet News. "This only affects users who have selected the wrong package manually," she added. 
The spokesperson said that PC users who obtained the security update automatically through all Microsoft distribution tools, or have followed the steps in the bulletin to obtain the update for their systems, "are protected from the associated vulnerability." The revised MS05-050 bulletin now contains a Knowledge Base article with new information clarifying the issue. In the article, Microsoft explained that if the individual update package for DirectX 7.0 was installed on a Windows 2000 computer that is running DirectX 8 or DirectX 9, the patch did not fix the underlying vulnerability. Additionally, in those scenarios, the user did not receive notification that the patch was not applied. The company also published additional information to help users verify the version of Quartz.dll associated with the DirectX version to determine whether a computer was correctly updated. The MS05-050 bulletin was one of three "critical" security updates shipped this month to cover Windows code execution holes. The bulletin contained patches for an unchecked buffer in Microsoft DirectShow, the default Windows component used for high-quality capture and playback of multimedia streams. DirectShow is integrated with other DirectX technologies. Malicious hackers could exploit the DirectShow bug to take complete control of an affected system, but the threat is mitigated because some user interaction is required. For example, the victim must be tricked into launching a specially crafted .avi multimedia file for an attack to be successful. Immediately after this month's Patch Tuesday, Microsoft acknowledged that one of the patches to cover a critical Windows 2000 worm hole was causing problems for some customers. The problems with that patch ranged from empty Network Connections folders to incorrect recommendations from the Windows Update Web site. 
A separate Knowledge Base article was published with workarounds for Windows XP, Windows 2000 Server and Windows Server 2003 customers with the patch deployment problems. From isn at c4i.org Fri Oct 21 16:10:02 2005 From: isn at c4i.org (InfoSec News) Date: Fri Oct 21 16:22:41 2005 Subject: [ISN] Exploit circulating for newly patched Oracle bug Message-ID: http://www.networkworld.com/news/2005/102005-oracle-bug.html By Robert McMillan IDG News Service 10/20/05 Database administrators now have a little added incentive to install Oracle's latest security patches, released earlier this week. Malicious software is now circulating that can crash an unpatched database server, and one security expert predicted that more malware targeting the 89 recently patched vulnerabilities is on the way. On Thursday, code was published on the Full Disclosure security mailing list that exploits a buffer overflow vulnerability in certain versions of Oracle's databases. This code could be used by attackers to bring down a database, using a technique called an SQL injection attack, said Alexander Kornbrust, a business director at Red-Database-Security, in Neunkirchen, Germany. In SQL injection attacks, Web applications that work with the database are tricked into sending malicious database queries using the SQL language. The exploit could be used either by an attacker who had user credentials on an unpatched database or by a remote attacker, using an SQL injection attack over the Internet, Kornbrust said. "I tried the exploit and it's working," he said in an interview conducted via instant message. "I highly recommend customers to apply these patches as soon as possible." In a statement, Oracle said that versions 9i and 10g of the database software were vulnerable to the bug, but the exploit published on Full Disclosure affects only 10g users, according to Kornbrust. 
On Tuesday, Oracle released a bundle of critical security patches that fixed 89 bugs in its database and application servers, as well as some PeopleSoft and J.D. Edwards applications. Oracle releases security patches every three months as part of its security update program. Normally, a few exploits begin circulating after each Oracle security update, Kornbrust said. The buffer overflow vulnerability is described as vulnerability number DB27 on this page [1]. The Full Disclosure exploit code can be found here [2]. Oracle did not respond to requests for comment on this story. The IDG News Service is a Network World affiliate. [1] http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html#Appendix%20A [2] http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038061.html From isn at c4i.org Fri Oct 21 16:10:13 2005 From: isn at c4i.org (InfoSec News) Date: Fri Oct 21 16:22:55 2005 Subject: [ISN] Dutch Say Suspects Hacked 1.5M Computers Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2005/10/20/AR2005102001133.html By TOBY STERLING The Associated Press October 20, 2005 AMSTERDAM, Netherlands -- Three suspects in a Dutch crime ring hacked 1.5 million computers worldwide, setting up a "zombie network" that secretly stole credit card and other personal data, prosecutors said Thursday. The three, who were arrested Oct. 6 and originally were estimated to have hacked 100,000 computers, have yet to enter a plea. A court in the town of Breda extended the custody of the 19-year-old main suspect and a 22-year-old accomplice for a month Thursday, and ordered the release of the third, aged 27, pending trial, prosecution spokesman Wim de Bruin said. The suspects' names have not been released. Prosecutors said, however, more arrests were likely as the investigation continues. The two still being held are accused of blackmailing a U.S. 
company by threatening it with a "denial of service" attack, in which thousands of computers that have been infected are used to bombard a target with e-mail. De Bruin said the company did not want its identity known. The software the hackers used, a variation of the worm known as "W32.Toxbot," was first detected this year. Antivirus software can remove it, but the hackers adjusted the program constantly to defeat protections. The existence of the "zombie network" of infected computers was first detected by Dutch Internet provider XS4ALL. The company noticed unusual activity coming from a handful of its users' infected computers, said the company's chief technical officer, Simon Hania. The company traced the network as far as it could, and then turned the matter over to prosecutors. De Bruin said prosecutors worked with computer crime experts to trace the network to its source and then installed taps on the suspects' computers. The taps showed the suspects manipulating the zombie network to steal passwords and credit card data, De Bruin said. They also are accused of stealing PayPal and eBay Inc. account information to order goods without paying for them, he said. Authorities have seized computers, a bank account, an undisclosed amount of cash and a sports car in the investigation. About 30,000 of the infected computers were in the Netherlands. When investigators dismantled the global network, they found more than 15 times the number of infected computers they originally estimated. XS4ALL's Hania said that although the zombie network may be the largest of its kind whose controllers were busted, it was only a "drop in the ocean." © 2005 The Associated Press From isn at c4i.org Mon Oct 24 09:09:22 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 24 09:16:01 2005 Subject: [ISN] Bruce Schneier talks cyber law Message-ID: Forwarded from: Jeff Berner Over the last few months I have heard Mr. 
Schneier say some interesting things that deserve merit but his recent comments on hurricane relief and now this have made me wary of anything he might say in the future. Making the ISP liable for virus traffic is like making New York City liable for a mugger in Central Park. It isn't possible to protect every avenue, alley and jogging path from ne'er-do-wells and the same goes for the Internet. I would think a mathematical genius like Schneier would know the legislation he is asking for would stifle innovation especially for areas that don't even have Internet yet like many rural counties in the US much less any other third world country. Making it more expensive to provide to sparse areas doesn't help anyone. Maybe mathematical genius doesn't translate into economic and social common sense sometimes? The idea is a nice dream and sounds good but in practice legislation to make the ISP liable is about as useful as the other types of cyber legislations that he blasts. Companies will offer "Clean Pipe" types of technology to everyone on their own to attract customers. Those that don't will over time disappear as they are not offering a 'better' service than their competitor. Some large ISPs in the US already do this for their home users. Please Mr. Schneier, don't make the legal world any more of a mess than it already is, let capitalism eliminate the businesses that don't want to innovate. Don't encourage our legislatures to write superfluous laws that penalize the ISP when they only provide the means to connect. The real criminals are the folks that write the cyber vermin that you want to stop, not the ISP. God forbid you ever hit a deer with your car Mr. Schneier. I fear the County, City and State you do that in will be required to either remove their roads or eradicate all the deer. 
Commentary by Jeff Berner -----Original Message----- From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org] On Behalf Of InfoSec News Sent: Thursday, October 20, 2005 2:05 AM To: isn@attrition.org Subject: [ISN] Bruce Schneier talks cyber law http://www.theregister.co.uk/2005/10/19/schneier_talks_law/ By John Oates in Vienna 19th October 2005 RSA Europe 2005 ISPs must be made liable for viruses and other bad network traffic, Bruce Schneier, security guru and founder and CTO of Counterpane Internet Security, told The Register yesterday. He said: "It's about externalities - like a chemical company polluting a river - they don't live downstream and they don't care what happens. You need regulation to make it bad business for them not to care. You need to raise the cost of doing it wrong." Schneier said there was a parallel with the success of the environmental movement - protests and court cases made it too expensive to keep polluting and made it better business to be greener. Schneier said ISPs should offer consumers "clean pipe" services: "Corporate ISPs do it, why don't they offer it to my Mum? We'd all be safer and it's in our interests to pay. "This will happen, there's no other possibility." He said there was no reason why legislators do such a bad job of drafting technology laws. Schneier said short-sighted lobbyists were partly to blame. He said much cyber crime legislation was unnecessary because it should be covered by existing laws - "theft is theft and trespass is still trespass". But Schneier conceded that getting international agreements in place would be very difficult and that we remain at risk from the country with the weakest laws - in the same way we remain at risk from the least well-protected computer on the network. 
® From isn at c4i.org Mon Oct 24 09:08:27 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 24 09:16:34 2005 Subject: [ISN] Homeland Security mulls cyber czar nomination Message-ID: http://www.govexec.com/story_page.cfm?articleid=32619 By Greta Wodele National Journal's Technology Daily October 21, 2005 The Homeland Security Department on Oct. 1 created a new post for a cyber-security czar -- a post that the technology industry and Congress repeatedly have urged for two years -- but has yet to nominate a candidate for the job. An announcement in the coming days would coincide with the House and the department recognizing October as National Cyber Security Awareness month. Lawmakers on Monday approved a House resolution making that designation. House Homeland Security Economic Security, Infrastructure Protection and Cybersecurity Subcommittee Chairman Dan Lungren, R-Calif., said in a hearing Tuesday that the vote the day before indicated the government's efforts on cyber security. He said officials voting mid-month on the resolution showed how the government is trying to play catch-up on protecting the country from a cyber attack. "In an age where hackers and terrorists are using advanced technologies to attack our cyber infrastructure at an alarming rate," said Rep. Bennie Thompson, D-Miss., "the Department of Homeland Security is moving at dial-up speed in naming an assistant secretary for cyber security." The department announced late last month that it would work with key industry partners to "spread the word" throughout October about online safety by providing tips and resources for protecting computers. While industry groups are pleased with the government's efforts this month, several representatives and lawmakers are anxious for the appointment of the cyber-security assistant secretary that Homeland Security Secretary Michael Chertoff first proposed in July. 
"Anytime the term 'acting' is in your title, you lose the weight and authority necessary to truly do a job right," Rep. Bill Pascrell, D-N.J., said of Andy Purdy, the acting director of the National Cyber Security Division. "The fact that there is still no full-time entity within the department shows a glaring lack of foresight from this administration." Industry representatives share Pascrell's concerns, but they also said the department wanted to wait to nominate a candidate until after Congress approved Homeland Security's fiscal 2006 spending. The bill, which lawmakers approved earlier this month and President Bush signed into law Tuesday, put the official stamp on Chertoff's proposal to elevate the director of the cyber-security division to assistant secretary. "I hope a name is forthcoming soon," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. "It's high time the person is named." Now that lawmakers have given Chertoff their blessing, Information Technology Association of America President Harris Miller said he hopes the secretary "has some people waiting in the wings." Adam Falkoff, executive director of the Republican Technology Council, said Purdy "has the skills to navigate through the bureaucracy of the department." Under Chertoff's plans, the cyber-security division will be removed from the old unit on information analysis and infrastructure protection, and the assistant secretary will be charged with protecting cyber and telecommunications systems. The assistant secretary will have a $93 million budget next year for cyber exercises and work with private and public entities. The cyber-security division also is responsible for coordinating and overseeing cyber-security activities across the government. 
From isn at c4i.org Mon Oct 24 09:08:49 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 24 09:17:00 2005 Subject: [ISN] Linux Advisory Watch - October 21st 2005 Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  October 21st, 2005                           Volume 6, Number 43a  |
+---------------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com), Benjamin D. Thomas (ben@linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for Ruby, hylafax, Mozilla, module-assistant, Lynx, phpMyAdmin, AbiWord, netpbm, gdb, xloadimage, and openldap. The distributors include Debian, Gentoo, and Red Hat.

---

Local User Security
By: Dave Wreski

Getting access to a local user account is one of the first things that system intruders attempt while on their way to exploiting the root account. With lax local security, they can then "upgrade" their normal user access to root access using a variety of bugs and poorly setup local services. If you make sure your local security is tight, then the intruder will have another hurdle to jump.

Local users can also cause a lot of havoc with your system even (especially) if they really are who they say they are. Providing accounts to people you don't know or for whom you have no contact information is a very bad idea. You should make sure you provide user accounts with only the minimal requirements for the task they need to do. If you provide your son (age 10) with an account, you might want him to only have access to a word processor or drawing program, but be unable to delete data that is not his.
Several good rules of thumb when allowing other people legitimate access to your Linux machine:

 * Give them the minimal amount of privileges they need.
 * Be aware when/where they log in from, or should be logging in from.
 * Make sure you remove inactive accounts, which you can determine by using the 'last' command and/or checking log files for any activity by the user.
 * The use of the same userid on all computers and networks is advisable to ease account maintenance, and permits easier analysis of log data.
 * The creation of group user-ids should be absolutely prohibited. User accounts also provide accountability, and this is not possible with group accounts.

Many local user accounts that are used in security compromises have not been used in months or years. Since no one is using them, they provide the ideal attack vehicle.

Read more from the Linux Security Howto:
http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
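The rules of thumb in the Local User Security piece (prune inactive accounts, forbid shared/group user-ids) and the note on over-liberal file permissions both reduce to checks an administrator can script. The following audit is an added example written for this digest, not code from the newsletter or the Linux Security HOWTO. It parses passwd-format text and the column layout of `lastlog` output to flag UIDs shared by several accounts, accounts other than root with UID 0, and login-capable accounts that have never logged in or have been idle longer than an assumed 90-day threshold; it then walks a directory tree for world-writable files, world-writable directories missing the sticky bit, and setuid/setgid files. The passwd and lastlog samples, the 90-day threshold, the set of "nologin" shells and the throwaway directory tree are all constructed assumptions; on a real host you would feed it /etc/passwd, the output of `lastlog`, and a path such as /usr or /home.

```python
"""Added example (not from the newsletter or the HOWTO): a local-security audit
for the rules of thumb above. PASSWD_TEXT and LASTLOG_TEXT are constructed
samples standing in for /etc/passwd and the output of `lastlog` on a real host."""
import os
import re
import stat
import tempfile
from datetime import date

MAX_IDLE_DAYS = 90  # assumed idle threshold, in days
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed /etc/passwd: bob and intern share a UID, backup is a second UID 0.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
intern:x:1001:1001:Shared intern login:/home/intern:/bin/bash
backup:x:0:0:Backup operator:/root:/bin/bash
"""
# Constructed `lastlog` output in its usual column layout.
LASTLOG_TEXT = """\
Username         Port     From             Latest
root             tty1                      Thu Oct 20 08:01:11 +0000 2005
alice            pts/0    10.0.0.5         Wed Oct 19 09:12:33 +0000 2005
bob              pts/1    10.0.0.9         Wed Mar  2 17:45:02 +0000 2005
intern                                     **Never logged in**
backup           pts/2    10.0.0.3         Sat Oct  1 11:30:00 +0000 2005
"""
LASTLOG_RE = re.compile(r"^(\S+).*?(?:\*\*Never logged in\*\*|"
                        r"\w{3} (\w{3}) +(\d{1,2}) \d\d:\d\d:\d\d [+-]\d{4} (\d{4}))\s*$")


def parse_passwd(text):
    """{name: (uid, shell)} from passwd-format text."""
    users = {}
    for line in filter(None, text.splitlines()):
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = (int(uid), shell)
    return users


def parse_lastlog(text):
    """{name: date or None} from `lastlog` output; None means never logged in."""
    latest = {}
    for m in filter(None, map(LASTLOG_RE.match, text.splitlines())):  # header skipped
        name, mon, day, year = m.groups()
        latest[name] = None if mon is None else date(int(year), MONTHS[mon], int(day))
    return latest


def audit_accounts(passwd_text, lastlog_text, today_iso):
    """Shared UIDs, extra UID-0 logins and stale login-capable accounts."""
    users, latest = parse_passwd(passwd_text), parse_lastlog(lastlog_text)
    today = date.fromisoformat(today_iso)
    by_uid, stale = {}, []
    for name, (uid, shell) in users.items():
        by_uid.setdefault(uid, []).append(name)
        if shell in NOLOGIN_SHELLS:  # service accounts never log in; not "stale"
            continue
        last = latest.get(name)
        if last is None or (today - last).days > MAX_IDLE_DAYS:
            stale.append(name)
    return {
        "shared_uids": {u: sorted(n) for u, n in by_uid.items() if len(n) > 1},
        "extra_root": sorted(n for n, (u, _s) in users.items() if u == 0 and n != "root"),
        "stale": sorted(stale),
    }


def classify_mode(mode):
    """Permission findings for one st_mode value (symlinks are ignored)."""
    findings = []
    if stat.S_ISDIR(mode):
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append("world-writable directory without sticky bit")
    elif not stat.S_ISLNK(mode):
        if mode & stat.S_IWOTH:
            findings.append("world-writable file")
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append("setuid/setgid")
    return findings


def walk_permissions(root):
    """Sorted (relative path, finding) pairs for everything under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for path in (os.path.join(dirpath, e) for e in dirnames + filenames):
            for finding in classify_mode(os.lstat(path).st_mode):
                found.append((os.path.relpath(path, root), finding))
    return sorted(found)


def demo_permission_audit():
    # Throwaway tree with the usual mistakes; a /tmp-style 1777 dir is left alone.
    with tempfile.TemporaryDirectory() as root:
        for d in ("shared", "scratch", "bin"):
            os.mkdir(os.path.join(root, d))
        for f in ("shared/notes.txt", "bin/helper"):
            open(os.path.join(root, f), "w").close()
        os.chmod(os.path.join(root, "shared/notes.txt"), 0o666)  # anyone can edit
        os.chmod(os.path.join(root, "shared"), 0o777)            # no sticky bit
        os.chmod(os.path.join(root, "scratch"), 0o1777)          # /tmp-style, fine
        os.chmod(os.path.join(root, "bin/helper"), 0o4755)       # setuid binary
        return walk_permissions(root)


if __name__ == "__main__":
    print(audit_accounts(PASSWD_TEXT, LASTLOG_TEXT, "2005-10-21"))
    print(demo_permission_audit())
```

On the sample data the account audit reports UID 0 and UID 1001 as shared, "backup" as a second root login, and "bob" and "intern" as stale; "daemon" is skipped because its shell is in the nologin set. The permission walk flags the 777 directory and the 666 file under "shared" and the setuid "bin/helper", but not the 1777 "scratch" directory, since the sticky bit is what makes a world-writable directory acceptable.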
http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

* Debian: New Ruby 1.8 packages fix safety bypass
  13th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120589

* Debian: New hylafax packages fix insecure temporary files
  13th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120590

* Debian: New Mozilla packages fix several vulnerabilities
  20th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120623

* Debian: New module-assistant package fixes insecure temporary file
  20th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120624

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: KOffice, KWord RTF import buffer overflow
  14th, October, 2005
  KOffice and KWord are vulnerable to a buffer overflow in the RTF importer, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120596

* Gentoo: SPE Insecure file permissions
  15th, October, 2005
  SPE files are installed with world-writeable permissions, potentially leading to privilege escalation.
  http://www.linuxsecurity.com/content/view/120600

* Gentoo: Perl, Qt-UnixODBC, CMake RUNPATH issues
  17th, October, 2005
  Multiple packages suffer from RUNPATH issues that may allow users in the "portage" group to escalate privileges.
  http://www.linuxsecurity.com/content/view/120605

* Gentoo: Lynx Buffer overflow in NNTP processing
  17th, October, 2005
  Lynx contains a buffer overflow that may be exploited to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/120607

* Gentoo: phpMyAdmin Local file inclusion vulnerability
  17th, October, 2005
  phpMyAdmin contains a local file inclusion vulnerability that may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120608

* Gentoo: AbiWord New RTF import buffer overflows
  20th, October, 2005
  AbiWord is vulnerable to an additional set of buffer overflows during RTF import, making it vulnerable to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120625

* Gentoo: Netpbm Buffer overflow in pnmtopng
  20th, October, 2005
  The pnmtopng utility, part of the Netpbm tools, contains a vulnerability which can potentially result in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120626

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Moderate: openldap and nss_ldap security update
  17th, October, 2005
  Updated openldap and nss_ldap packages that correct a potential password disclosure issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120602

* RedHat: Moderate: openldap and nss_ldap security update
  17th, October, 2005
  Updated openldap and nss_ldap packages that correct a potential password disclosure issue and possible authentication vulnerability are now available.
  http://www.linuxsecurity.com/content/view/120603

* RedHat: Critical: lynx security update
  17th, October, 2005
  An updated lynx package that corrects a security flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120604

* RedHat: Moderate: netpbm security update
  18th, October, 2005
  Updated netpbm packages that fix a security issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120613

* RedHat: Low: gdb security update
  18th, October, 2005
  An updated gdb package that fixes minor security issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120614

* RedHat: Low: xloadimage security update
  18th, October, 2005
  A new xloadimage package that fixes bugs in handling malformed tiff and pbm/pnm/ppm images, and in handling metacharacters in file names is now available.
  http://www.linuxsecurity.com/content/view/120615

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Oct 24 09:09:05 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 24 09:17:27 2005 Subject: [ISN] Oracle fixes bugs with mega patch Message-ID: Forwarded from: The Unknown Security Person... 
> Oracle has been criticized for dragging its heels on fixing security > flaws and being unresponsive to researchers who find bugs. Oracle's > Chief Security Officer, Mary Ann Davidson, in response said security > researchers can be a problem when it comes to product security. How exactly? Oh yeah, they point out the flaws in the products. Don't shoot the messenger here folks. Let's remember who created this "unbreakable" (anyone remember those commercials?) software with several hundred bugs patched per year (and who knows how many are found and not yet patched. Yikes). Can anyone imagine another database vendor doing such a bad job as Oracle is? Last I heard DB2, PostgreSQL and MySQL and heck even MS-SQL all have significantly happier customers and better security experiences. P.S. 60 bugs patched per quarter it seems on average, many of which are months or years old, this means we can expect 60 more patches a quarter for a LONG time from Oracle folks, unless of course those pesky security researchers stop reporting flaws in which case we only have 1-2 more years of 60 bugs fixed per quarter. Ain't it great? From isn at c4i.org Mon Oct 24 09:09:36 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 24 09:17:55 2005 Subject: [ISN] Security fix assures long election nights Message-ID: Forwarded from: matthew patton Diebold couldn't have gotten a more sympathetic article. Now we'll have voters demanding that security be tossed to the wind because they can't wait 8 let alone 48 hours to get a tally. And all those blathering TV pundits will be denied their right to mindlessly repeat "we have no new news, but this is what we know" for 8 hours straight. > "The fact we now have a slight delay over what we had two years ago > is, I think, a worthy trade-off for enhanced security," Cox says. At least Cox has a little perspective. > - but there ought to be a balance between security and speed so we > can enjoy the excitement of election night." 
some people need a reality checkup. > The software was added to all voting machines last spring. It > encrypts the transmission of election data from precincts to county > election headquarters, making electronic vote tampering, internally > or externally, more difficult. > > Votes from machines are now coded onto a data card. Then, those > cards have to be decoded and counted by a computer before the vote > is official. Ok, the above is probably the result of a journo who simply doesn't comprehend the subject material. But even so, since when is the lack of encryption on the card anywhere CLOSE to being the problem that has blasted Diebold (and other) machines? A 'vote' is but 1KB of data if even that much. You mean to tell me Diebold machines run on 8086 CPU's and are trying to crunch a 1024bit AES key be it symmetric or asymmetric encryption? > "I'm sure you will talk to people in this state who think we can > never have too much security," she says. "Certainly I think this > enhancement was a good thing for our machines." How exactly? Where is the audit trail on the software itself? Where is the resolution of the multiple ledger issue? Where is the verification that votes are even counted right? While it may be 'nice' to know that the card is encrypted as it is transferred 10ft over the air-gap between voting station and the counting machine, or that perhaps the counting machine won't honor an "illegal" card, physical security was never the issue. > Even though there hasn't been a recorded incident of fraud involving > the system, some people simply don't trust it. and why shouldn't EVERYbody not be leery? Heck, I wouldn't trust the punchcard/optical machine either if it's summation software were not available for inspection. > To pacify uneasy voters, the state is considering retrofitting the > machines with printers so voters could double-check their on-screen > choices. 
Creating a paper trail could slow the vote count even more > - if those ballots were used in the official count, says Cox's printing the screen does NOTHING to legitimize the software or the process. The computer could have written one thing to disk/card and another to the printer. And the counting machine could take the vote (card, barcode, OCR scan) and muck with it all it wants to while doing the tabulation process. The point is that every step of the process has to be fully disclosed and beyond reproach. Frankly I think every voting station should have a 2nd vote-counter from a different supplier that uses the nation-wide open-vote format to independently tabulate votes. As somebody wrote a year or so ago, why are the slot machines under vastly better security than the voting infrastructure? The financial rewards of tampering with an election FAR exceed mucking with betting machines. From isn at c4i.org Mon Oct 24 09:09:53 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 24 09:18:26 2005 Subject: [ISN] Navy Improves Network Security by Blocking Access to Commercial Webmail Message-ID: http://www.news.navy.mil/search/display.asp?story_id=20684 By Chief Journalist (SW/AW) Joseph Gunder Naval Network Warfare Command Public Affairs Story Number: NNS051020-17 Release Date: 10/20/2005 NORFOLK, Va. (NNS) -- The Navy has begun enforcing policies set forth in its Information Technology User Acknowledgement Form by blocking access to Web-based commercial e-mail sites (webmail) from Department of the Navy-funded networks. That means it's no longer possible for anyone using Navy information technology to access commercial webmail from providers such as Yahoo, Hotmail, AOL and others. The new policy enforcement has taken effect throughout the Navy and applies to computer systems on ships and ashore, both in the United States and overseas. ONE-NET (OCONUS Navy Enterprise Network) started blocking webmail access Oct. 18 for overseas users. 
Both NMCI (Navy/Marine Corps Intranet) for U.S.-based users and IT-21 for afloat users have been blocking since Oct. 12.

"Navy Networks are a weapon system and must be defended with the same rigorous standards as other weapon systems," explained Vice Adm. James P. McArthur, commander, Naval Network Warfare Command (NETWARCOM). "People and mission are at risk without access to assured, secure, complete, accurate and timely information."

The restrictions on commercial webmail are necessary to protect the Navy's networks from multiple threats while maintaining operational security on all of its systems that are connected to the Department of Defense's Global Information Grid.

According to Chief Warrant Officer Karen Williams, an Information Assurance implementation policy writer for NETWARCOM, webmail could provide a window for malicious software to enter a government computer system.

"Any pop-up ad that appears in a webmail message could potentially contain a virus when it opens," she said. "An attachment that comes in from a webmail message could possibly bypass all the safeguards all the way to the user's computer."

In addition, just opening a Web browser window to these commercial webmail sites can leave a computer open to outside attack.

The policy was put into effect July 16 through a message from the Department of the Navy's Chief Information Office about "Effective use of Department of Navy Information Technology Resources."

A Navy Telecommunication Directive issued July 25 directed that every Navy network user must fill out, sign and date a Navy Enterprise Information Technology User Acknowledgement Form prior to receiving access to government-provided IT services and systems (i.e., being granted a network account with e-mail). This User Acknowledgement form was to be completed for all Network users by Oct. 1.

An educated user base is an essential part of Navy's defense-in-depth strategy.

"Everybody was supposed to have had Information Assurance (IA) training by Oct. 1 to ensure we have smart users," Cathy Baber, branch head for policy and procedures at NETWARCOM said, "and no one else will be allowed access to the network until they have gone through a minimum level of training."

"As for popular commercial Web sites and search engines, the only part of those sites that are being blocked are the commercial Web-based e-mail elements," explained Neal Miller, deputy director of the Enterprise Management Directorate at NETWARCOM. "And it's only from government-provided official business networks. It's exclusively about securing our shared asset, the government enterprise network."

"You can still go to a search engine to look on the web and surf," said Baber. "This won't prevent any of that."

Ships have had various levels of protection in place since 1999, but they were largely based on managing bandwidth and were set at the discretion of commanding officers. Some ships have been blocking webmail for years for bandwidth and operational security reasons. The Marine Corps has been prohibiting access to commercial webmail since December 1999 on the Marine Corps Enterprise Network.

Sailors will still be able to send e-mail from their military accounts to a commercial account. But Baber stressed that users should never have their military e-mail set up to autoforward messages to their personal account. Autoforwarding to a personal account is a major operational security risk.

Baber said the policy prohibiting autoforwarding was put in the User Acknowledgement Form to ensure all users were aware of their responsibilities. Network users are the first line of network cyber defense.

Though many commercial webmail providers claim to use the latest up-to-date anti-virus protection, Baber said that there's no assurance that everything is safe or meets the Navy's security standards.

There are options to help minimize the impact of not having access to commercial webmail, according to Baber.

"Sailors on some large-deck ships may have access to certain computers in the ship's library that aren't connected to the Navy backbone that will allow commercial e-mail to be viewed," Baber said. "This lessens risk to our official business networks."

Baber said that any legacy networks are required to comply with the Navy's new policy. "If there is a legacy network that has its own DNS (domain name system) server, it is required to implement blocking of these addresses, as well."

For more information, please contact your local Information Assurance Manager (IAM), or go to https://infosec.navy.mil.

For related news, visit the Naval Network Warfare Command Navy NewsStand page at www.news.navy.mil/local/nnwc/

From isn at c4i.org Mon Oct 24 09:10:08 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 24 09:21:02 2005
Subject: [ISN] DOD computer hacker sentenced to 7 months
Message-ID:

http://rockymountainnews.com/drmn/state/article/0,1299,DRMN_21_4178132,00.html

By Karen Abbott
Rocky Mountain News
October 22, 2005

A computer hacker from Venezuela known as "RaFa" was sentenced Friday to the seven months he already has spent behind bars for breaking into a U.S. Air Force training computer in 2001.

Colorado U.S. District Judge Walker Miller imposed the sentence on Rafael Nunez-Aponte, 26. Immigration officials are expected to deport him soon.

Court documents said the man belonged to a computer hacking club called World-of-Hell. The group and Nunez-Aponte are featured in a chapter of the book, The Hacker Diaries: Confessions of Teenage Hackers, by Dan Verton [1].

U.S. Immigration and Customs Enforcement agents arrested Nunez-Aponte in April when he arrived by plane in Miami to attend a conference.

On June 11, 2001, personnel of the Defense Information Systems Agency in Denver discovered its Web-based server network was inoperable.
When the servers were restarted, a new home page appeared with the message, "woh is Back . . . and kiss my a-- cause I just Owned yours!" and was signed "RaFa."

The incident, which Nunez-Aponte admitted to earlier this year, cost the Defense Department $10,548. About $5,170 in traveler's checks seized when Nunez-Aponte was arrested will be applied to that cost.

[1] http://www.amazon.com/exec/obidos/ASIN/0072223642/c4iorg

From isn at c4i.org Tue Oct 25 02:20:01 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 25 02:24:35 2005
Subject: [ISN] Kentucky lands grant to protect bingo halls from terrorists
Message-ID:

http://www.kentucky.com/mld/kentucky/news/state/12984493.htm

Oct. 24, 2005
Associated Press

FRANKFORT, Ky. - Kentucky has been awarded a federal Homeland Security grant aimed at keeping terrorists from using charitable gaming to raise money.

The state Office of Charitable Gaming won the $36,300 grant and will use it to provide five investigators with laptop computers and access to a commercially operated law-enforcement data base, said John Holiday, enforcement director at the Office of Charitable Gaming.

The idea is to keep terrorists from playing bingo or running a charitable game to raise large amounts of cash, Holiday said.

But to some, the idea of protecting bingo halls from terrorists is nonsensical.

"It's almost ludicrous," said Rick Bentley, a Henry Clay High School sports booster as he volunteered last Thursday at a noisy, smoke-filled Lexington bingo parlor. "The thought would never even enter my mind."

Holiday, who applied for the grant, said that terrorists do not currently profit from charitable gaming in Kentucky to the best of his knowledge.

"But the potential there, to me, is just huge," he said. "You can earn a lot of money very fast and deal entirely in cash."

With more than 1,300 organizations licensed to raise money through gambling, charitable gaming raised $51 million in 2003.

Holiday said if the grant stretches far enough, he also wants to offer forensics accounting training to his 10 auditors.

From isn at c4i.org Tue Oct 25 02:20:28 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 25 02:28:30 2005
Subject: [ISN] Squabble continues over credit card breach
Message-ID:

http://news.com.com/Squabble+continues+over+credit+card+breach/2100-1029_3-5912010.html

By Joris Evers
Staff Writer, CNET News.com
October 24, 2005

SAN FRANCISCO -- A judge in a case over a high-profile data security breach at payment processor CardSystems Solutions told parties on Monday to stop squabbling and be productive.

San Francisco Superior Court Judge Richard Kramer told the plaintiffs--who seek to represent classes of California consumers and merchants--and defendants Visa and MasterCard to exchange information about their relationship with CardSystems. Kramer gave similar instructions a month ago, but parties in a hearing Monday said they have been unable to agree on the type of information that should be shared.

"You folks maybe can't agree on anything, except maybe on what day you should be here," Kramer said. He told Visa and MasterCard again to disclose details about their relationship with CardSystems and instructed the plaintiffs not to ask for an overly broad release of information. Visa and MasterCard during the Monday afternoon hearing accused the plaintiffs of asking for too much information.

The information, such as contracts between the companies, should help determine whether the credit card companies have responsibility under California law to notify consumers whose personal details were exposed in the CardSystems breach.

Visa, MasterCard, Merrick Bank and CardSystems were sued in June on behalf of California credit card holders and card-accepting merchants. The suit seeks to test a state law that requires consumer notification after personal information stored on computers is lost, stolen or breached.

The digital break-in at CardSystems was publicly disclosed by MasterCard on June 17. Intruders got access to details on about 40 million credit cards.

Visa and MasterCard maintain that notification responsibility falls with the banks that issue credit cards because they have direct relationships with the affected customers.

Kramer has said he wants to determine which defendants fall under California civil code section 1798.82, the notification statute. While it is clear that the breach was at CardSystems, the law applies to entities that "own or license" personal information about Californians. Plaintiffs in the case say the statute covers Visa, MasterCard, CardSystems and Merrick, while defendants MasterCard, Visa and Merrick have argued that the statute does not apply to them.

Another hearing in the case has been scheduled for Jan. 9.

From isn at c4i.org Tue Oct 25 02:20:41 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 25 02:29:24 2005
Subject: [ISN] Most DNS servers 'wide open' to attack
Message-ID:

http://www.theregister.co.uk/2005/10/24/dns_security_survey/

By John Leyden
24th October 2005

Four in five authoritative domain name system (DNS) servers across the world are vulnerable to types of hacking attacks that might be used by hackers to misdirect surfers to potentially fraudulent domains.

A survey [1] by net performance firm the Measurement Factory commissioned by net infrastructure outfit Infoblox of 1.3m internet name servers found that 84 per cent might be vulnerable to pharming attacks. Others exhibit separate security and deployment-related vulnerabilities.

Pharming attacks use DNS poisoning or domain hijacks to redirect users to dodgy urls. For example widespread attacks launched in April attempt to fool consumers into visiting potentially malicious web sites by changing the records used to convert domain names to IP addresses. These particular pharming attacks exploited name servers that allow recursive queries from any IP address.
Recursive queries are a form of name resolution that may require a name server to relay requests to other name servers. Providing recursive queries to arbitrary IP addresses on the internet exposes a name server to both cache poisoning and denial of service attacks. Such requests should be restricted to trusted sources. But the study found that up to 84 per cent of the name servers investigated relayed requests from world + dog, violating best practices and opening the door to possible hacking attack.

The survey also revealed that more than 40 per cent of the name servers investigated provide zone transfers to arbitrary queries. Like recursive name services, zone transfers, which copy an entire segment of an organization's DNS data from one DNS server to another, should only be allowed for a designated list of trusted, authorised hosts.

Network configuration errors in setting up redundant servers for extra availability were also uncovered during the study, which involved using a series of carefully designed queries in order to gauge the relative vulnerability of each name server to attacks or failures.

Cricket Liu, vice president of architecture at Infoblox and author of O'Reilly & Associates' DNS and BIND, DNS & BIND Cookbook, and DNS On Windows Server 2003, said "Given what enterprises are risking - the availability of all of their network services - these results are frightening, especially since there are easy ways to address these issues."

Infoblox has come up with a list of 'top tips' designed to help enterprises to guard against DNS vulnerabilities:

1. If possible, split external name servers into authoritative name servers and forwarders.

2. On external authoritative name servers, disable recursion. On forwarders, allow only queries from your internal address space.

3. If you can't split your authoritative name servers and forwarders, restrict recursion as much as possible. Only allow recursive queries if they come from your internal address space.

4. Use hardened, secure appliances instead of systems based on general-purpose servers and operating software applications (such as InfoBlox's appliance for DNS, we guess the firm is saying here, well it had to get a product pitch in there somewhere).

5. Make sure you run the latest version of your domain name server software.

6. Filter traffic to and from your external name servers. Using either firewall or router-based filters, ensure that only authorized traffic is allowed between your name servers and the Internet.

[1] http://dns.measurement-factory.com/surveys/sum1.html

From isn at c4i.org Tue Oct 25 02:19:14 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 25 02:30:22 2005
Subject: [ISN] DHS to State Its Case to Business
Message-ID:

http://www.eweek.com/article2/0,1895,1876550,00.asp

By Caron Carlson
October 24, 2005

Improving cyber-security may be in the public interest, but to persuade the commercial owners of the country's critical infrastructure to invest in more secure networks, the Department of Homeland Security next year plans to show them the bottom line.

Echoing what has become a mantra on Capitol Hill, lawmakers chided the DHS last week for not making greater strides in developing a plan to protect the cyber-networks that gird the country's transportation, power, water, telecommunications, oil and gas pipeline, and chemical processing systems, as well as other critical infrastructure.

Andy Purdy, acting director of the DHS' National Cyber Security Division, told legislators that next year the department is going to present the business case for investing in the security of SCADA (supervisory control and data acquisition) systems. Because private companies own most critical infrastructure facilities, DHS will encourage the deployment of security measures by providing a cost-benefit analysis, Purdy told lawmakers last week at a hearing of the House Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity.
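[Editor's note on the Register item above: the open-recursion and open-zone-transfer findings and tips 1 to 3 map directly onto a few lines of BIND 9 named.conf. The fragments below are an added example written for this digest; they are not from the Register article, Infoblox or the Measurement Factory survey. The ACL names, the 10.0.0.0/8 and 192.168.0.0/16 ranges, the 192.0.2.53 secondary address and the file paths are placeholders to be replaced with your own values.]

```conf
// ----- The open configuration the survey flags (example only, not to deploy) -----
// recursion for anyone + zone transfers for anyone: the server can be used as an
// open resolver (cache poisoning, reflection/DoS) and its zones copied wholesale.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
    allow-transfer { any; };
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
};

// ===== Server A: external authoritative name server (tips 1 and 2) =====
// separate named.conf on the authoritative host (placeholder paths and addresses)
acl secondaries { 192.0.2.53; };        // placeholder: address of our own secondary

options {
    directory "/var/named";
    recursion no;                       // authoritative only: answer from our zones
    allow-recursion { none; };
    allow-query { any; };               // the world may ask about our zones...
    allow-transfer { none; };           // ...but nobody gets a zone copy by default
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };    // AXFR/IXFR only to the listed secondary
    notify yes;
};

// ===== Server B: internal forwarder / recursive resolver (tips 2 and 3) =====
// separate named.conf on the resolver host (placeholder paths and addresses)
acl internal { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };   // placeholder ranges

options {
    directory "/var/named";
    recursion yes;
    allow-query { internal; };          // only our address space may query at all
    allow-recursion { internal; };      // ...and only it may ask us to recurse
    allow-query-cache { internal; };    // cached answers stay internal as well
    allow-transfer { none; };           // a resolver has no zones to hand out
};
```

If the two roles cannot be split (tip 3), keep the authoritative server's `allow-recursion { internal; };` and `allow-query-cache { internal; };` with `recursion yes;` so outside hosts still get authoritative answers but are refused recursion. Validate the syntax with `named-checkconf` before reloading, then check your own server from an address outside the ACL: a recursive query for a name you are not authoritative for should come back REFUSED (and without the `ra` flag), and a zone-transfer request from an unlisted host should fail.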
The plan has the support of some security experts, who say businesses are not inclined to invest in security for an abstract threat but will do so for a specific threat, as demonstrated in the preparations for Y2K.

"We must help industries develop a business case for their investment in SCADA security," Samuel Varnado, director of the Information Operations Center at Sandia National Laboratories, in Albuquerque, N.M., told the subcommittee. "Although we know that many threats exist, specific details are elusive."

Resistance to sharing information about vulnerabilities and breaches has made it difficult to define the current risks to SCADA systems, Varnado said. To present the business case, officials might have to take a different approach. Rather than discuss threats, they may need to discuss the consequences and show what the disruption of network systems is costing businesses financially.

"This approach would involve identification of specific portions of information systems affected by specific attacks," Varnado said. "It would require vulnerability assessments, analyzing the consequences of disruptions in economic terms, and defining and implementing optimized protection strategies based on risk assessments."

Over the next three months, the Idaho National Laboratory will work with the government to implement a cyber-security self-assessment framework, according to K.P. Ananth, associate laboratory director at the INL, in Idaho Falls. The assessment will include a risk reduction tool to help companies prioritize the vulnerabilities they find. Next year, the lab will pilot the framework with several key infrastructure sectors, Ananth said.

Some in the industry say there are better ways the government can reduce the vulnerabilities confronting SCADA systems.

Alan Paller, director of research at The SANS Institute, in Bethesda, Md., told the subcommittee that federal agencies should use their buying power to force SCADA system vendors to build security into their products.

"Procurement leverage is effective because it places the responsibility for securing systems in the only place that security tasks can be done cost-effectively: in the hands of the system vendor that created the systems," Paller said, adding that only vendors know the technology well enough to ensure it is secure and that they can provide the security for all users.

"If you try to force every user to secure their systems, every user would have to study every system they buy and become a security expert on every system, and then they would do the same job the vendor could have done one time," Paller said. "Allowing vendors to foist the security configuration job onto their users is what got us into this vulnerable status."

From isn at c4i.org Tue Oct 25 02:19:32 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 25 02:31:14 2005
Subject: [ISN] Appeals court shelves shutdown of Interior computers
Message-ID:

http://www.fcw.com/article91191-10-24-05-Web

By Aliya Sternstein
Oct. 24, 2005

An appellate court postponed a federal judge's order Oct. 21 to disconnect all Interior Department information technology systems that access Indian trust fund data.

U.S. District Judge Royce Lamberth said he ordered the shutdown because the systems are vulnerable to hacker attacks. Interior officials then requested an administrative stay to temporarily suspend the shutdown, pending appeal.

Lamberth originally granted American Indian plaintiffs a motion for a preliminary injunction to shut down any computers, networks, handheld computers and voice-over-IP equipment that access trust fund data. The injunction, which he issued Oct. 20, prohibits Interior employees, contractors, tribes and other third parties from using those systems.

It is not known when or if a shutdown will occur. "When the court takes it up, they'll let us know what our status is," Interior spokesman John Wright said today.

Depending on interpretations of the order, Interior could be forced to disconnect 5 percent to 10 percent of its computers, he said. Although this would not harm the general public, "it would cause significant harm to Indian [communities], given that we process a lot of data by way of computers," Wright added.

Interior's IT security has been the focus of a nine-year class-action lawsuit that criticizes the department's oversight of Indian trust funds. Indian plaintiffs have accused Interior officials of failing to properly protect data.

The plaintiffs are expected to contest the delay. Bill McAllister, their spokesman, said the brief will state that Judge Lamberth scrupulously followed the instructions of the court. "He found the evidence overwhelming that the conditions were not safe in their computer systems," McAllister said. "This is another attempt by the Justice and Interior departments to evade [their] responsibilities to" American Indians.

Department officials took the Bureau of Land Management's Web sites off-line for two months this spring after Interior's inspector general issued a report warning that its IT systems are vulnerable to cyberattacks.

In 2001 Lamberth ordered Interior to disable Internet connections on all computers that employees - and hackers -- could use to access trust fund data. He ordered two subsequent shutdowns, although Internet access returned to the department following a federal appeals court ruling that blocked the second order.

Most recently, lapses in Interior's oversight allowed government-hired hackers to infiltrate the agency's systems, according to a Sept. 6 memo from Earl Devaney, Interior's IG.
From isn at c4i.org Tue Oct 25 02:19:47 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 25 02:32:21 2005
Subject: [ISN] Hyundai falls victim to industrial espionage
Message-ID:

http://joongangdaily.joins.com/200510/24/200510242155399109900090509051.html

by Kim Tae-jin, Lee Chul-jae
October 25, 2005

Hyundai Motor Co. said yesterday that one of its subcontractors leaked crucial information on new car models to a Chinese car manufacturer.

Cutting-edge Korean technologies in fields such as computer chips, liquid crystal displays and mobile phones have been cribbed by Chinese companies in the past. However, this marks the first time that Korean automotive technology has fallen prey to such practices.

Hyundai Motor said a Korean subcontractor, whose name it did not disclose, reportedly made contacts with several Chinese automobile companies from 2002 and unwittingly passed on test data on engines.

The company's actions were revealed through an investigation that the Korean car maker conducted from August into 20 subcontractors following a tip from the Korean National Intelligence Service and Hyundai Motor's Beijing office.

The subcontractor in question has been involved in developing new vehicles with Hyundai Motor for 10 years. Prior to this incident, the company had enjoyed a reputation as being one of the best in the business.

"The subcontractor introduced a computer program based on Hyundai Motor data at an electronic industry exhibition held in China and even made contacts with Chinese automotive companies," said a Hyundai Motor executive, who declined to be identified. "There is a high possibility that core data regarding our Sonata and Grandeur have been leaked."

Hyundai Motor said it has stopped dealing with the subcontractor.

"Not only did the company keep us in the dark about its contacting our competitors, but also kept vital information that should have been deleted," said a member of the Hyundai Motor investigation team.

Although the subcontractor has admitted to keeping the information, it said it only did so to help boost its own business in future dealings with Chinese companies.

"Although it's true we made contact with Chinese companies, it was never our intention to pass on technologies or sell them," said the subcontractor's president.

Hyundai Motor said it has accepted its erstwhile subcontractor's explanation that the leak was accidental, and so it has decided against filing a lawsuit in Korea.

In the same investigation, former employees of another Hyundai Motor subcontractor were found guilty of trying to sell compact vehicle technologies to Chinese companies.

The Korean automaker has been aggressively expanding its business in China since 2001, raising production capacity from 50,000 units in 2002 to 300,000 this year. With the recent introduction of two new models, Hyundai Motor has emerged as the second-biggest auto seller in the country after General Motors Corp.

"Recent technology leaks in many cases are not the result of industrial espionage but just sheer carelessness on the part of subcontractors or company employees," said Kang Chul-koo at the Korea Automobile Manufacturers Association. "Of course, any intentional leaks should face severe punishment to prevent a repetition."

From isn at c4i.org Tue Oct 25 02:20:14 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 25 02:34:10 2005
Subject: [ISN] Hole punched in UK bank's security
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=4641

By John E. Dunn
Techworld
24 October 2005

Only days after trumpeting [1] a state-of-the-art online security trial, UK bank Lloyds TSB has had its security systems beaten by no more than a fake passport and a forged signature.

The identity fraud against an unnamed woman, reported at the weekend by The Guardian newspaper [2], saw criminals empty her savings account of a staggering £250,000 ($450,000) after presenting branch staff with the fake documents.

The bank compounded this security disaster by refusing to explain to her how such a fraud could have taken place. When she tried to open another account at the same bank, she then discovered that her rating had been "damaged" by the fraud, resulting in her request being refused.

When Techworld spoke to the company's Internet banking director Matthew Timms at the time of the BankSecure [3] authentication announcement, he admitted that Lloyds TSB had seen increasing levels of fraud in recent months. Maintaining customer confidence was essential, he said, and "layering" security was one way to achieve that objective.

Such a fraud demonstrates how despite these assurances the bank's security systems can still fail calamitously. Although the theft did not compromise the online banking security directly - of which the BankSecure authentication system announcement is an experimental part - that such a fraud can occur elsewhere in the bank's systems is bound to undermine [4] the effectiveness of such projects.

In another case reported to The Guardian at the same bank, a customer had £1,414 ($2,500) stolen from his current account via debit card fraud, despite the fact the theft occurred across 20 to 30 separate transactions. Again, although the BankSecure authentication was not involved in this fraud, it raises more questions about the security practices of Lloyds TSB. Banks are supposed to have fraud detection systems, whether software-based or using staff monitoring, to pick up unusual spending patterns. In this instance, they clearly didn't.

Lloyds TSB were asked for comment but had not done so at the time of going to press.
[1] http://www.techworld.com/security/news/index.cfm?NewsID=4583 [2] http://money.guardian.co.uk/weekly/story/0,16520,1597693,00.html [3] http://www.lloydstsb.com/security.asp [4] http://www.techworld.com/security/features/index.cfm?FeatureID=1878 From isn at c4i.org Wed Oct 26 02:23:54 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 26 02:28:03 2005 Subject: [ISN] Homeland Security IG raps Secret Service's network security Message-ID: http://www.gcn.com/vol1_no1/daily-updates/37409-1.html By Alice Lipowicz Contributing Staff Writer 10/25/05 The Secret Service is falling short in its efforts to protect sensitive online data about its operations and in securing its IT networks, according to two new reports from Homeland Security Department inspector general Richard L. Skinner. The IG's audit found inadequacies in the security controls for sensitive data about protective operations contained in the Secret Service Web System (SSWeb). A redacted copy [1] of the audit is available on the IG's Web site. Vulnerabilities were discovered in access controls, configuration management procedures and continuity-of-operations safeguards, the report said. In some cases, default passwords were not changed at the time new software was installed. "Due to these database security exposures, there is an increased risk that unauthorized individuals could gain access to critical Secret Service database resources and compromise the confidentiality, integrity and availability of sensitive SSWeb data," the report said. "Further[more], the Secret Service may not be able to recover SSWeb following a disaster". Skinner recommended that the Secret Service ensure adequate controls for user access, review systems to facilitate the detection of inappropriate access, complete a configuration management plan and develop an IT contingency plan. The Secret Service generally agreed with the findings. 
In a second report, the IG examined the Secret Service's security controls for selected wire-based, sensitive but unclassified networks and judged them to be ineffective. "The Secret Service has not developed adequate policies and procedures or fully implemented processes that address security testing, monitoring network activities with audit trails and configuration and patch management," according to this second report [2]. As a result, there is increased risk for unauthorized access to the service's sensitive resources and data, the IG wrote. In a third report [3] released today, the IG reviewed Customs and Border Protection agency policies and procedures to secure its networks and concluded that they were inadequate with respect to security testing, monitoring network activities with audit trails and patch management. In addition, controls are lacking "to ensure that data residing on and traveling through its network resources is properly protected," the report said. -=- Alice Lipowicz is a staff writer for Government Computer News. sister publication Washington Technology. [1] http://www.dhs.gov/interweb/assetlibrary/OIGr_05-37_Sep05.pdf [2] http://www.dhs.gov/interweb/assetlibrary/OIGr_05-38_Sep05.pdf [3] http://www.dhs.gov/interweb/assetlibrary/OIGr_05-37_Sep05.pdf From isn at c4i.org Wed Oct 26 02:24:06 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 26 02:29:22 2005 Subject: [ISN] Extortion virus makes rounds in Russia Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,105706,00.html By Jeremy Kirk OCTOBER 25, 2005 IDG NEWS SERVICE Two new versions of a virus first reported in May are staging renewed attacks against computers in Russia, encrypting files and then extorting money from victims to decode the files. After an infection, the Russian-language instructions let victims know how many of their files have been encrypted. 
Translated, the warning says, "If you want to get these damn files in the decrypted format" then write to the e-mail address given. The message goes on to say, "P.S. And be thankful that they were not completely erased!"

The viruses, called JuNy.A and JuNy.B, search for more than 100 file types by extension, according to a warning issued by Websense Inc. The renewed attack was first reported on a weblog published by Kaspersky Lab Ltd. So far, the viruses appear to be limited to Russia, and it's not known how many computers have been affected.

The viruses are similar to one that struck in May called "gpcode," said David Emm, senior technology consultant for Kaspersky in the U.K. The gpcode included an e-mail address where presumably a fee for the decoder would be negotiated, he said.

"As I understand, this thing was progressive, and it would gradually encrypt more and more stuff," Emm said. Left alone, the virus would encrypt everything but a text file, Emm said.

It's suspected that the virus enters a computer after a user visits a certain Web site and then exploits a vulnerability, Emm said. Another theory is the virus is activated after a user runs some type of executable code containing the virus, Emm said.

But it isn't easy tracing the origins of the viruses because "by the time you get to hear of these things it's kind of erasing information on the host machine," Emm said.

Virus writers who seek to extort money from victims are nothing new and have been around since at least 1989, Emm said. In the last couple of years, however, virus writers have moved away from writing malicious code simply to display their skills and are increasingly trying to make money, he said.
From isn at c4i.org Wed Oct 26 02:24:19 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 26 02:29:52 2005
Subject: [ISN] From Hacker to Protector
Message-ID:

http://www.businessweek.com/technology/content/oct2005/tc20051025_346219.htm

By Arik Hesseldahl
Young Entrepreneurs of Tech
OCTOBER 25, 2005

For many technically talented teens, computer hacking brings about a first brush with law enforcement. For Ejovi Nuwere, it was a ticket out of the poverty-ridden, sometimes violent streets of New York's Bedford-Stuyvesant neighborhood.

What started as a hobby at the age of 15 led in time to a computer security job with Lehman Brothers, and later with @Stake, the fabled security consulting firm that grew out of L0pht Heavy Industries, the Boston-based hackers' collective, now a unit of Symantec (SYMC).

BOOK DEAL. The story of how he got from the streets of Bed-Stuy to working the edge of the computer-security world formed the basis of an autobiography he published in 2001 entitled Hacker Cracker with HarperCollins. The book, like so many other things in his life, happened unexpectedly.

"I was working for a startup company, and they couldn't afford to pay me any cash," he says. "It was run by a husband and wife team, and one was a former book editor, and the other was a food writer, and so they had contacts in the publishing business. They made one phone call, and two weeks later I had a book deal."

Now the hacker who escaped from the streets has started his own outfit. As many companies ditch their old circuit-switched phone systems in favor of less expensive Internet-based telephony, Nuwere's SecurityLabs Technologies is dedicated to helping them make sure those calls are secure.

POORLY WRITTEN. Nuwere started the firm as a one-man shop with $10,000 in cash and took on some credit-card debt. First came consulting work, with five companies. "I spun the money from consulting into product development," he says.

Now the company has grown to three people, with three companies interested in its software.

The problems related to VoIP (voice over Internet protocol) aren't as simple as they at first appear, Nuwere says. Sure, there are concerns about spam and call interception, but the VoIP programs themselves can also be hacked. Those applications, he says, sometimes have the same holes that have plagued other programs in the past. In one case, he showed how poorly written software code in a VoIP application can allow a hacker to take over a desktop PC -- a bug previously found in programs like instant messaging.

MAD RUSH. "There are a lot of fundamental security flaws in the way many of these applications are written," he says. "There's a mad rush among companies to deploy VoIP and make it work, and I can't fault them for that. But no one is looking at the software for security. Well, hackers are. I think in the next six months to a year we'll see a lot more vulnerabilities being publicized."

Initially his product will be software installed on a network appliance that companies will install on their internal networks. But eventually, Nuwere plans to convert to an application service provider model -- in which customers rent software that runs on the vendor's servers -- somewhat like what Salesforce.com (CRM) does.

"We'll market it like an ASP, and that will eliminate the need for hiring additional personnel to monitor security of VoIP calls," he says. "We'll deliver updates for the latest security threats in real time and make the job of the chief security officer easy."

Spoken like a true entrepreneur.
From isn at c4i.org Wed Oct 26 02:24:34 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 26 02:30:29 2005
Subject: [ISN] ITL Bulletin for October 2005
Message-ID:

Forwarded from: Elizabeth Lennon

ITL BULLETIN, OCTOBER 2005

NATIONAL VULNERABILITY DATABASE: HELPING INFORMATION TECHNOLOGY SYSTEM USERS AND DEVELOPERS FIND CURRENT INFORMATION ABOUT CYBER SECURITY VULNERABILITIES

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

The National Vulnerability Database (NVD) is a comprehensive database of cyber security vulnerabilities in information technology (IT) products that was developed by the National Institute of Standards and Technology (NIST) with the support of the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security. Integrating all publicly available U.S. Government vulnerability resources and including references to industry resources, the NVD is updated hourly to provide the latest information about vulnerabilities in IT products. The NVD is based on and is synchronized with the Common Vulnerabilities and Exposures (CVE), a vulnerability naming standard that was jointly developed by government, industry and research organizations. NVD provides a fine-grained search engine and database for assisting those using the CVE standard.

Vulnerabilities are software or system implementation flaws that can cause serious weaknesses in the security of systems. These weaknesses help to make systems attractive targets for attacks that can seriously change or harm the confidentiality of data, the integrity of data and the availability of systems. The NVD provides valuable information to system managers, users, system administrators, and other security professionals to help them learn about vulnerabilities and take steps to correct them.

Features of the NVD

The National Vulnerability Database (NVD) is available on NIST's web site at http://nvd.nist.gov. In mid-October, the NVD contained information on more than 12,800 vulnerabilities. About ten new vulnerabilities are discovered every day. The NVD can be used to research the vulnerability history of a product and to view vulnerability statistics and trends.

The NVD complements the suite of vulnerability management services that the NCSD has made available by including all publicly known vulnerabilities. NCSD's other vulnerability management products focus only upon the most critical subset of vulnerabilities. For each vulnerability, NVD provides reference information and links to other government and industry resources. NVD also integrates all publicly available U.S. Government vulnerability resources and includes references to many industry resources as well.

The NVD provides direct access to United States Computer Emergency Readiness Team (US-CERT) vulnerability resources, including US-CERT Technical Alerts and Vulnerability Notes. It also provides a search engine for the Open Vulnerability and Assessment Language (OVAL).

The entire NVD database can be downloaded for public use as an XML feed from the NVD Download and Product Integration Page. This feature enables developers to easily include this information within their IT security products. NVD information, from the NIST site, is available with no licensing restrictions. However, NIST appreciates credit when appropriate within products, services, and reports that use the data, and NIST welcomes information about how users are employing the data.

Users can search the NVD by employing different vulnerability characteristics, including:

* vulnerability severity,
* software name and version number,
* vendor name,
* vulnerability type,
* vulnerability impact, and
* related exploit range.

In their searches, users may ask for those alerts that have been the subject of US-CERT Technical Alerts, US-CERT Vulnerability Notes, and OVAL queries.

Another useful feature of the NVD is support for generating statistics. The database can be used to graph and chart vulnerabilities discovered within a product or to graph and chart sets of vulnerabilities containing particular characteristics, such as remotely exploitable buffer overflows.

NIST contact information for the NVD is available at http://nvd.nist.gov/contact.cfm.

Vulnerabilities and the CVE

Vulnerabilities are flaws that can be exploited by a malicious entity to gain access or privileges that are greater than those that are authorized on an information system. Many organizations use commercial off-the-shelf security products and services to track, detect, or counter known vulnerabilities. If these products use different names for the same vulnerabilities, it is difficult to share information about vulnerabilities between the databases and tools of the different products and services. The CVE helps to overcome this problem by providing a standard name and standard description for each vulnerability or exposure.

Currently identified compatible products and services are listed on the Compatible Products pages on the CVE website: http://cve.mitre.org/compatible/

NIST recommends that CVE data be accessed from within NVD as more information is available about vulnerabilities from within NVD. CVE standards information is available at http://cve.mitre.org.

NIST Guidance on Use of CVE

NIST Special Publication 800-51, Use of the Common Vulnerability and Exposures (CVE) Vulnerability Naming Scheme, by Peter Mell and Tim Grance, September 2002, provides guidance on the use of the CVE within the federal government. This and other NIST publications are available at the NIST website: http://csrc.nist.gov/publications/nistpubs/index.html.
NIST SP 800-51 advises agencies to acquire and use security-related IT products that are compatible with the CVE vulnerability naming scheme. CVE-compatible products and services include vulnerability scanners, vulnerability databases, vulnerability advisory services, vulnerability patch services, most intrusion detection systems, and some firewalls. CVE compatibility is one important consideration among other requirements such as functionality, cost, performance, and architecture.

Secondly, agencies are also advised to periodically monitor their systems for applicable vulnerabilities listed in the CVE vulnerability naming scheme, using automated software tools. Since these tools may not detect all CVE vulnerabilities, system and security administrators now can use the NVD to check for new vulnerabilities.

Further, agencies are advised to use the CVE naming scheme in their descriptions and communications on vulnerabilities with agency staff, industry, and the public. Common names for vulnerabilities can help to reduce confusion and improve accuracy of communications.

Related Guidance

Additional supporting guidance on managing vulnerabilities is available in NIST Special Publication 800-40, version 2.0, Creating a Patch and Vulnerability Management Program.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

From isn at c4i.org Wed Oct 26 02:23:13 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 26 02:31:33 2005
Subject: [ISN] Scramble to fix Skype security bug
Message-ID:

http://www.theregister.co.uk/2005/10/25/skype_vuln/

By John Leyden
25th October 2005

Security researchers have identified two groups of potentially serious security vulnerabilities involving Skype, the popular VoIP client software. Both create a means for hackers to run hostile code on systems running vulnerable versions of Skype. Skype has issued patches for the "critical" security bugs.

In the first case, a security bug in Skype for Windows means the software can be crashed and forced to execute arbitrary code through a buffer overflow when presented with malformed URLs in the Skype-specific URI formats callto:// and skype://. Skype can also be made to execute arbitrary code via the importation of a maliciously formatted VCARD (an electronic business card format).

A second security vulnerability is not restricted to Windows PCs and hits Skype across all supported platforms. Here a heap-based buffer overflow vulnerability is the culprit, but the upshot is the same as the Windows-specific bug - hackers might be able to take over vulnerable systems, at least in theory.

At the time of writing, neither of the security bugs is subject to either publicly available exploits or malicious code. Nonetheless users are urged to upgrade to Skype for Windows release 1.4.*.84, Skype for Mac OS X 1.3.*.17 or Skype for Linux 1.2.*.18 or later to guard against attack. No patch for Skype for Pocket PC has been released.

The vulnerabilities were discovered by Pentest and EADS Corporate Research Center. A bulletin from Secunia [1] provides links to relevant advisories and patches.
Advisories from Skype can be found here [2] and here [3].

The scope - and cross-platform reach - of the vulnerabilities has security researchers worried.

"Skype's ubiquity and the closed nature of their protocol means that all clients are based on the same code. Windows, Linux, business and home users all share the same, equally vulnerable client, a fecund breeding ground for worms and other malicious code," said Tom Newton, product manager for firewall vendor SmoothWall. "Skype's ease of use is partially facilitated by the port-agile firewall-dodging protocol used; this poses further danger to unsuspecting administrators who may not realise the scope of VoIP activity on their network."

No-one from Skype was available for comment at the time of going to press.

[1] http://secunia.com/advisories/17305/
[2] http://www.skype.com/security/skype-sb-2005-02.html
[3] http://www.skype.com/security/skype-sb-2005-03.html

From isn at c4i.org Wed Oct 26 02:23:26 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 26 02:32:13 2005
Subject: [ISN] Airline hacker all too frequent
Message-ID:

http://www.smh.com.au/news/national/airline-hacker-all-too-frequent/2005/10/24/1130006061385.html

By Daniella Miletic
October 25, 2005

An airline employee who hacked into Qantas's mainframe computer was able to amass more than 17 million frequent flyer points without catching a plane, a court has heard.

Austin Perrott, who has more than 15 years' experience in the airline industry, yesterday admitted that he had created frequent flyer accounts under fictitious names after he discovered a loophole in the computer system. Perrott found he could add false names to passenger lists once planes had landed in Melbourne.

The County Court heard that Perrott, 45, was a customer services supervisor with Singapore Airlines when the scam was hatched in February 1996. It ended in 2002.

Prosecutor Chris Beale told the court that the points were worth almost $790,000, with more than $200,000 worth redeemed. Nine airlines were affected.

Mr Beale said Perrott used the points for accommodation on a trip to the US with his wife and children, as well as on domestic flights. Family and friends also paid him for air tickets.

Perrott's deceit was revealed when an Air New Zealand investigation discovered he was a Gold Elite member and that many points had been gained from planes landing in Melbourne.

Mr Beale said Perrott asked friends at Qantas for the password to the computer system, telling them it was so he could gain access to cheap or free seats for staff at other airlines. Once he had the password, he was able to access other airlines.

Yesterday Perrott, from the Melbourne suburb of Middle Park, pleaded guilty to nine counts of obtaining financial advantage by deception.

His lawyer, Greg Lyon, said that his client was desperately trying to maintain a lifestyle that he and his family had previously enjoyed. Mr Lyon said Perrott was remorseful and had stopped the scam of his own volition. His last offence was in October 2002, five months before he was interviewed by police.

The plea hearing, before Judge Roy Punshon, continues.

From isn at c4i.org Wed Oct 26 02:23:38 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 26 02:33:00 2005
Subject: [ISN] BBC suspends BlackBerry service
Message-ID:

http://media.guardian.co.uk/broadcast/story/0,7493,1600389,00.html

Jason Deans
October 25, 2005

The BBC has suspended the BlackBerry personal digital assistant service used by more than 300 senior executives, including director general Mark Thompson, after people started receiving emails not intended for them.

BBC executives are having to revert to phones and computers to run their fiefdoms, instead of the BlackBerry handheld devices, which provide a combined mobile phone, email, internet and personal organiser service.

The BBC BlackBerry service was suspended after some staff began receiving fragments of emails intended for other users.
"It was brought to our attention by a BlackBerry user that they were receiving portions of other people's emails in the body of other emails," a BBC spokesman said. "We immediately suspended the BlackBerry service and it remains suspended."

The service will continue to be suspended "until we can receive an absolute guarantee of security from our supplier," a senior BBC insider added.

BBC executives are said to be "alarmed" that private or commercially sensitive information could potentially be sent to the wrong people within the corporation.

BlackBerrys are used by more than 300 senior BBC staff, including Mr Thompson and his executive board, but also by programme-makers who need to stay in contact with the office while away filming on location.

BlackBerry users at the BBC are understood to have been without the service for at least a week, and Siemens, the corporation's IT contractor, sent round a message saying it would be down for at least another fortnight.

The BBC's service is supplied by Siemens, BlackBerry and mobile phone operator Vodafone. Siemens had not responded to MediaGuardian.co.uk when this article was published.

In the past couple of years the BlackBerry has established itself as a ubiquitous symbol of corporate status in the media and other sectors, with only senior echelons of management within each organisation being issued with the handheld mobile devices.

However, the BlackBerry has proved a double-edged sword, meaning that a manager can always be in phone and email contact with their staff, and vice versa.
From isn at c4i.org Thu Oct 27 03:09:55 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 27 03:16:40 2005
Subject: [ISN] Ex-employee of firm that opened shop on Rakuten Internet mall busted for leaking info
Message-ID:

http://mdn.mainichi-msn.co.jp/national/news/20051027p2a00m0na001000c.html

Mainichi
October 27, 2005

A former employee of an imported goods company that had an on-line shop on Rakuten's Internet mall has been arrested for leaking personal information on a large number of customers, Tokyo police said.

Yasuhiro Hashimoto, 33, is accused of violating the anti-hacking law. Metropolitan Police Department (MPD) investigators are grilling him, suspecting that he stole personal information on as many as 90,000 customers.

Between May and July this year, Hashimoto used personal computers to hack into the server computer managed by Rakuten on a number of occasions to steal personal information on customers of the company where he had previously worked, MPD investigators said. He is suspected of using the ID number and password that Rakuten had given to the imported goods company to make his hacking look as if it was legitimate access. He also is accused of downloading personal information on customers.

Hashimoto had resigned from the company in December last year.

It came to light in July that personal information on a large number of customers of the imported goods company's on-line shop, including their names, addresses, birth dates, phone numbers and 16-digit credit card numbers, had been leaked. The following month, Rakuten announced that 36,239 pieces of personal information, including more than 10,000 pieces of credit card information, had leaked to outsiders.

Police analysis of access records to the Rakuten server found that someone had hacked into it. After tracing the route of the illegal access, investigators tracked down the former employee.
Customers can buy goods and services at more than 10,000 on-line shops opened on the Rakuten Internet mall. Rakuten operates the mall by collecting fees from on-line shop operators.

From isn at c4i.org Thu Oct 27 03:10:13 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 27 03:17:11 2005
Subject: [ISN] Snort Bug Exploit Shows Up
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=172900617

By Gregg Keizer
TechWeb News
Oct. 26, 2005

A working exploit for last week's Snort vulnerability has been released, a security vendor said Wednesday, but any attack should be short-lived and probably feeble.

The vulnerability in Snort, an open-source intrusion detection system (IDS) used by more than 100,000 companies and government agencies to defend networks, was unveiled last Wednesday, and simultaneously patched. Because Snort is ubiquitous in enterprises -- and used in nearly four dozen commercial IDS products -- experts cautioned companies to patch as soon as possible, because an exploit might spread very quickly, and resemble some of the worst worms ever, including 2003's Slammer.

According to a bulletin issued by Symantec, an exploit targeting Snort running on Linux with the 2.6 kernel has been published by The Hacker's Choice (THC); Symantec's research team has also confirmed that the exploit works.

Not all is doom and gloom, however. "The return addresses used by the exploit will probably only bind the shell on a limited number of systems; causing a denial of service condition on others," read Symantec's warning. "It required system specific return addresses to be supplied to successfully exploit the vulnerability," Symantec said.

From isn at c4i.org Thu Oct 27 03:10:25 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 27 03:17:37 2005
Subject: [ISN] U.S. cybersecurity test shelved until 2006
Message-ID:

http://news.com.com/U.S.+cybersecurity+test+shelved+until+2006/2110-7348_3-5915943.html

By Anne Broache
Staff Writer, CNET News.com
October 26, 2005

A national exercise designed to test the government's readiness to handle cyberemergencies won't happen until February, a Department of Homeland Security spokesman confirmed Wednesday.

The department, which is headed toward a cybersecurity makeover of sorts, originally planned to run the mock attack-and-response game--known as Cyberstorm--in November.

"While this exercise will be an important test of our readiness to respond to and mitigate a significant cyberattack, our first priority as a department is responding to real world events," spokesman Kirk Whitworth said in an e-mail to CNET News.com. "As a result of Hurricanes Katrina and Rita, many of the department's resources, as well as those of the private sector which would have been involved in the Cyberstorm exercise, were reallocated to deal with the disasters in the Gulf."

From isn at c4i.org Thu Oct 27 03:10:41 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 27 03:18:03 2005
Subject: [ISN] FISMA guidance nearly complete
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37422-1.html

By William Jackson
GCN Staff
10/26/05

The National Institute of Standards and Technology is nearly finished developing guidance documents for compliance with the Federal Information Security Management Act.

"Special Publication 800-53A [1] is the last of the guidelines we will be providing," said Pat Toth of NIST's computer security division. Toth updated attendees on NIST's work at the Federal Information Assurance Conference at the University of Maryland today.

The publication, titled "Guide for Assessing Security Controls in Federal Information Systems," was released for comment in July. A second draft is expected to be released in March 2006.
NIST expects to complete its final FISMA standard, FIPS 200, which governs selection of security controls for information systems, in January or February 2006.

NIST was required to produce standards and implementation guidance for FISMA. The agency's next step will be to begin certification of agencies to perform security assessments for government IT systems.

NIST's work on FISMA guidance was divided into two areas: Federal Information Processing Standards and guidance published in the 800 series of Special Publications. Compliance with both guidelines and standards is mandatory. Technology-specific requirements are included in guidelines rather than standards because they can be more easily updated.

SP800-53A is intended to standardize security assessment practices across government, so they can produce consistent, comparable and repeatable results. This will enable trust relationships between organizations.

"Before you enter into any kind of relationship, it is critical to know where [organizations] stand in regard to security," Toth said.

The public comment period on SP800-53A ended Aug. 31. "We are going through the comments now," Toth said. "We may not have satisfied anyone, so we're probably on the right track."

Concerns expressed about the guidelines included that they are too high-level and are not specific enough for implementation, according to Toth.

One change that will definitely be made in the second draft of the publication will be its expanded scope. The first draft covered assessment of only five of the 12 security control areas identified in SP800-53.

"They were the five we felt we could adequately address within the time frame for getting it released," Toth said. "It was felt those areas would address the bulk of agencies' concerns. They were a good starting point."
[1] http://csrc.nist.gov/publications/drafts/sp800-53A-ipd.pdf

From isn at c4i.org Thu Oct 27 03:10:58 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 27 03:20:27 2005
Subject: [ISN] German security agency warns of VoIP security risks
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,105728,00.html

By John Blau
OCTOBER 26, 2005
IDG NEWS SERVICE

Germany's Federal Office for Security in Information Technology (BSI) is warning businesses of potential security risks with voice-over-IP (VoIP) technology, in a study presented at the Systems IT exhibition and conference in Munich.

The VoIPSec report, released Monday at the opening of Systems, appeared one day before Skype Technologies SA, one of the world's largest providers of VoIP service, acknowledged critical flaws in its software and urged users to upgrade to the latest version.

In its report, the BSI warned that although no spectacular attacks in the business world have been reported yet, it's only a matter of time before problems emerge.

The report lists 19 varieties of attacks on VoIP systems that can lead to a number of security threats, such as identity theft, data manipulation, transmission errors and incorrect billing. Also, VoIP opens the door to the various forms of malicious software that can spread wildly in data networks, such as viruses, worms and Trojan horses, according to the report.

Authors of the VoIPSec study are urging companies to analyze where they plan to implement VoIP, how crucial secure communication is to that particular business process and what level of security can be ensured. And although one of the biggest sales pitches of companies supplying VoIP systems is the convergence of voice and data networks, the authors are recommending a separation of IP voice and IP data networks.

The study is available online in German [1].
In a panel discussion at the Systems conference, Manfred Fink, president of Manfred Fink Security Consulting, urged businesses to be aware of the hype surrounding VoIP. "Manufacturers are telling businesses how they can save money by converging their voice and data networks," he said. "But IT managers should be aware that the money they may save in combining their IP voice and data networks could be offset by the money they will need to spend to make these networks secure."

Detlev Henze, a security expert in the IT security unit of the safety control agency TUV Rheinland Group, urged users to move "very carefully" in deploying VoIP technology, especially on a global basis. "It's best to start in small, closed user groups and to work closely with security experts who are aware of the many potential risks involved in VoIP," he said. "This is a moving target."

The Systems event runs through Friday.

[1] http://www.bsi.de/literat/studien/VoIP/index.htm

From isn at c4i.org Thu Oct 27 03:12:15 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 27 03:21:15 2005
Subject: [ISN] Security UPDATE -- Add VMware Player to Your Security Toolkit -- October 26, 2005
Message-ID:

====================

1. In Focus: Add VMware Player to Your Security Toolkit

2. Security News and Features
- Recent Security Vulnerabilities
- Exchange Server 2003 SP2 Improves Security
- Multiple Vulnerabilities in Oracle Products
- Buffer Overflow Vulnerability in Snort and Sourcefire
- Secure Your Wireless Network

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

4. New and Improved
- Secure IM for Mobile Users

====================

==== 1. In Focus: Add VMware Player to Your Security Toolkit
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

VMware is a tool that lets you run various OSs as virtual machines (VMs) on a single computer. The Windows IT Pro Web site has many articles about VMware, which you can find listed at
http://list.windowsitpro.com/t?ctl=1798C:4FB69

I've been testing VMware Workstation lately, and last week I woke up to a pleasant surprise. While doing a little early morning blog surfing, I came across a blog I hadn't read before called Wubble. As it turns out, the blog author, Philip Langdale, works at VMware. In a blog entry, "VMs for Everyone!" (at the first URL below), I learned that during the VMworld 2005 conference in Las Vegas (Oct. 18-20), VMware released a new standalone tool, VMware Player (at the second URL below).

If you've used VMware Workstation, the VMware servers, or VMware ACE (Assured Computing Environment), then you know how incredibly useful VMware is. The new Player (which will also ship with the upcoming VMware Workstation 5.5) is equally useful for two particular reasons. First, it lets you run existing VMs created by other VMware tools and supports VMs created with Microsoft Virtual Server as well as Symantec LiveState Recovery snapshots. Second, it's free.
http://list.windowsitpro.com/t?ctl=179A4:4FB69 http://list.windowsitpro.com/t?ctl=179A2:4FB69 As with many free tools, VMware Player has some limitations. For example, you can't create new VMs and you can't add new hardware to a VM. You can learn about other limitations in VMware's comparison chart. http://list.windowsitpro.com/t?ctl=17996:4FB69 Even with some limitations, VMware Player is a great offering. As you might suspect, you can use it to run Windows, Linux, Novell NetWare, Sun Microsystems Solaris, and FreeBSD as guest OSs. Another nice thing is that if you don't have a VM to run in VMware Player or don't want to create one, you can download one from VMware's Web site. Available are VMs for Novell Linux Desktop, Novell SUSE Linux Enterprise Server, and Red Hat Enterprise Linux, plus several other VMs provided by various application vendors. VMware also provides a VM based on Ubuntu Linux that's configured as a Browser Appliance and designed to let you surf the Internet while protecting your underlying OS from malware. http://list.windowsitpro.com/t?ctl=179A5:4FB69 If you've run a honeypot or a honeymonkey or had to test various software and tools, you probably know (or can imagine) how using a VM can be of great benefit. For example, you can build your honeypot on any supported OS and run it inside a VM. Then if the honeypot is compromised, it's not a problem--just shut down the VM and restart it again, and any changes made by an intruder are gone, provided the VM's virtual disks are configured as nonpersistent (or you restore the VM's files from a clean copy before restarting); with the default persistent disk mode, a plain shutdown and restart keeps whatever the intruder changed. The same goes for running a honeymonkey or testing spyware and other forms of malware. Plus, you can run Linux-based security tools on a Windows desktop by loading them into a Linux-based VM. With VMware Player, you can extend your use to other systems quickly and easily--and that's what makes VMware Player a great addition for your security toolkit. Check it out. ==================== ==== Sponsor: Bindview ==== Learn To Sort Through Sarbanes-Oxley, HIPAA And More Legislation Quicker And Easier! 
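The "restart and the intruder's changes are gone" property the column relies on comes from how the VM's disk is configured, not from shutting the VM down. The following is an added example, not text from the newsletter or from VMware's documentation: the disk-mode lines from a hypothetical honeypot VM's configuration file (honeypot.vmx); the disk file name, controller slot and the file name itself are assumptions. The default persistent mode writes the guest's changes into the .vmdk, so a backdoor planted by an intruder is still there at the next boot; independent-nonpersistent mode redirects all writes to a redo log that is thrown away when the VM is powered off, so every run starts from the pristine image.

```ini
# Added example: disk-mode settings from a hypothetical honeypot VM
# (honeypot.vmx). Disk file name and controller slot are assumptions.

# BEFORE (weak): VMware's default. Writes go straight into the .vmdk and
# survive a shutdown/restart, so the intruder's tools, accounts and
# backdoors are all still present the next time the honeypot boots.
# scsi0:0.present  = "TRUE"
# scsi0:0.fileName = "honeypot.vmdk"
# scsi0:0.mode     = "persistent"

# AFTER (hardened for a throwaway honeypot/malware box). "independent"
# keeps the disk out of any snapshot; "nonpersistent" sends every write
# to a redo log that VMware discards at power-off, so each power-on
# starts from the clean honeypot.vmdk exactly as you built it.
scsi0:0.present  = "TRUE"
scsi0:0.fileName = "honeypot.vmdk"
scsi0:0.mode     = "independent-nonpersistent"
```

Two caveats when using this: edit the .vmx only while the VM is powered off, and note that the redo log is discarded at VM power-off, not at a guest reboot, so an intruder who merely reboots the guest keeps their changes until you actually power the VM down. Keep a copy of the clean .vmdk somewhere the guest cannot reach so you can compare it against the redo log (or a copied-off disk) when you want to analyze what the intruder did before discarding it.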
In this free white paper, get the tips you've been looking for to save time and money in achieving IT security and regulatory compliance. Find out how you can simplify these manually intensive, compliance-related tasks that reduce IT efficiency. Turn these mandates into automated and cost effective solutions--Download your copy today! http://list.windowsitpro.com/t?ctl=17987:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=17991:4FB69 Exchange Server 2003 SP2 Improves Security Microsoft released Exchange Server 2003 Service Pack 2 (SP2), which includes a number of new features, including some security enhancements. Learn about the new features in a news story on our Web site (at the first URL below), in Paul Robichaux's article "Exchange Server 2003 SP2 Ships" (at the second URL below), and in Tony Redmond's article "Exploring Exchange 2003 Service Pack 2" (at the third URL below). http://list.windowsitpro.com/t?ctl=1799D:4FB69 http://list.windowsitpro.com/t?ctl=17999:4FB69 http://list.windowsitpro.com/t?ctl=1799C:4FB69 Multiple Vulnerabilities in Oracle Products Multiple high-risk vulnerabilities exist in Oracle9i Database Server, Oracle Database Server 10g, and many other Oracle products. They consist of one buffer overflow condition and numerous possible SQL injection attacks, many of which could be exploited by an intruder to gain complete control of the products. Oracle released a Critical Patch Update (at the URL below) to correct many (but not all) of the problems. 
http://list.windowsitpro.com/t?ctl=17990:4FB69 Buffer Overflow Vulnerability in Snort and Sourcefire Internet Security Systems (ISS) X-Force discovered a buffer overflow vulnerability in Snort, which according to ISS also affects Sourcefire--the commercial version of Snort. The vulnerability exists in the Back Orifice preprocessor, which is enabled in the default snort.conf. Because the preprocessor inspects traffic passing the sensor, the sensor itself is the target, and whether any host on your network actually runs Back Orifice is irrelevant; a sensor with the preprocessor disabled (comment out the preprocessor bo line in snort.conf) isn't affected. Snort 2.4.3 was released to correct the problem. For more details about the problem in Snort, read the announcement on the Snort.org Web site (first URL below) and ISS's advisory at the second URL below. At the time of this writing, no information was available about updates to Sourcefire. http://list.windowsitpro.com/t?ctl=1799F:4FB69 http://list.windowsitpro.com/t?ctl=179A1:4FB69 Secure Your Wireless Network Along with the benefits of wireless networks comes a need to keep them secure. John Howie gives you a look at some practical steps you can take to secure your wireless networks, methods to automate configuration-setting deployment, and tools you can use to probe for unsecured and unauthorized wireless networks. http://list.windowsitpro.com/t?ctl=1799A:4FB69 ==================== ==== Resources and Events ==== Get Ready for the SQL Server 2005 Roadshow in Europe--Get the facts about migrating to SQL Server 2005! SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a one-year membership to PASS and one-year subscription to SQL Server Magazine. Register now. http://list.windowsitpro.com/t?ctl=1798B:4FB69 Exploit the Opportunities of a Wireless Fleet With the endless array of mobile and wireless devices and applications, it's hard to decide what you can do with the devices beyond providing mobile email access. It's even tougher to know how to keep it all secure. 
Join industry guru Randy Franklin Smith in this free Web seminar and discover what you should do to leverage your mobile and wireless infrastructure, how to pick devices that are right for you, and more! http://list.windowsitpro.com/t?ctl=1798A:4FB69 Get the Most from Your Infrastructure by Consolidating Servers and Storage Improved utilization of existing networking resources and server hardware let you allocate money and time where they're needed most. In this free Web seminar, learn to optimize your existing infrastructure with the addition of server and storage consolidation software and techniques. You'll get the jumpstart you need to evaluate the suitability and potential of your computing environments for the added benefits that consolidation technology can provide. http://list.windowsitpro.com/t?ctl=17989:4FB69 Deploy VoIP and FoIP Technologies--Win a Starbucks Gift Card Voice over Internet Protocol (VoIP) is the future of telecommunications and many companies are already enjoying the benefits of using voice over IP networks to significantly reduce telephone and facsimile costs. Join industry expert David Chernicoff for this free Web seminar to learn the ins and outs of boardless fax in IP environments, tips for rolling out fax and integrating fax with telephony technologies, and more. Attend, and you could win a Starbucks gift card! http://list.windowsitpro.com/t?ctl=1798F:4FB69 What Does It Mean to Be Compliant? We've all heard about legal and regulatory requirements, but there are other types of compliance that might also affect you--specifically email compliance. In this free Web seminar, you'll get insights into compliance and policy issues that you need to know about, as well as suggestions on what to look for when implementing your compliance strategy and more! Register today! http://list.windowsitpro.com/t?ctl=1798E:4FB69 All High Availability Solutions Are Not Created Equal--How Does Yours Measure Up? 
In this free, on-demand Web seminar you'll get the tools you need to ensure your systems don't go down. You'll learn what solutions help you take preemptive, corrective action without resorting to a full system failover, that perform a nondisruptive, automatic switchover to a secondary server in extreme cases. http://list.windowsitpro.com/t?ctl=17988:4FB69 ==================== ==== Featured White Paper ==== Dashboard Development and Deployment--A Methodology for Success Business information carries little value unless it reaches the right person at the right time. This free white paper tells you what you need to know to remain competitive while improving the speed and quality of decision-making. Learn how a well-designed dashboard can provide critical information to decision makers, enable them to monitor the health of your organization and bring immediate ROI to your business. http://list.windowsitpro.com/t?ctl=1798D:4FB69 ==================== ==== Hot Release ==== Audit your Network for Security Weaknesses Are you confident your network is secure? Get a free network security check from Qualys and find out the necessary fixes to proactively guard your network. No software downloads required. Make sure your network is secure. Get a Free Trial today! http://list.windowsitpro.com/t?ctl=17997:4FB69 ==================== ==== 3. Security Toolkit ==== Security Matters Blog: New Linksys Wireless Adapter Puts a Wi-Fi Scanner in Your Pocket by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=179A0:4FB69 The new Linksys Wireless-G USB Network Adapter with Wi-Fi Finder is a really slick and innovative product. It has a built-in wireless scanner to detect available networks, and it works as a standalone unit so you can detect 802.11b/g networks before you power up your laptop. Having one of these is sort of like having NetStumbler in a device the size of a pack of gum! Check it out in this blog entry. 
http://list.windowsitpro.com/t?ctl=1799B:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=1799E:4FB69 Q: How can I redirect Microsoft Outlook profiles during cross- Administrator group mailbox migrations? Find the answer at http://list.windowsitpro.com/t?ctl=17998:4FB69 Security Forum Featured Thread: Automate Setting ACLs on Folders A forum participant wants to know how to configure a Linksys router, which is connected to a Zyxel DSL modem, so that it will work with a proxy server to filter unwanted sites. The writer has built a similar configuration before, but now an application keeps presenting a connection error. Join the discussion at: http://list.windowsitpro.com/t?ctl=17986:4FB69 ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Become a VIP Subscriber! Get inside access to ALL the articles, tools, and helpful resources published in Windows IT Pro, SQL Server Magazine, Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security-- that's more than 26,000 articles at your fingertips. Your VIP subscription also includes a valuable one-year print subscription to Windows IT Pro and two VIP CDs (includes the entire article database on CD). Sign up now: http://list.windowsitpro.com/t?ctl=17993:4FB69 The Windows IT Security Newsletter We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue features in- depth product coverage of the best security tools available, including expert advice on the best way to implement various security components. Plus, paid subscribers now get online access to our entire online security article database (more than 1900 articles). Order now: http://list.windowsitpro.com/t?ctl=17994:4FB69 ==================== ==== 4. 
New and Improved ==== by Renee Munshi, products@windowsitpro.com Secure IM for Mobile Users Akonix Systems announced L7 Remote User Agent, which provides IM security and logging capabilities for mobile employees. When deployed on a laptop, L7 Remote User Agent monitors IM use and ensures that all IM activity is secured and logged by Akonix L7 Enterprise, minimizing risks of attack or noncompliance through unsecured IM access. L7 Remote User Agent supports all public IMs--AOL's AIM, Yahoo! Messenger, MSN Messenger, ICQ, and Google Talk--and Windows Server 2003/XP/2000. For more information, go to http://list.windowsitpro.com/t?ctl=179A7:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. 
==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=179A3:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- salesopps@windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=17995:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. From isn at c4i.org Fri Oct 28 02:32:44 2005 From: isn at c4i.org (InfoSec News) Date: Fri Oct 28 02:51:02 2005 Subject: [ISN] Flaw hunters pick holes in Oracle patches Message-ID: http://www.zdnet.com.au/news/security/soa/Flaw_hunters_pick_holes_in_Oracle_patches/0,2000061744,39219523,00.htm By Joris Evers Special to ZDNet 28 October 2005 Oracle, the business software maker that has marketed its products as "unbreakable," faces mounting criticism over its security practices. A quarterly patch update sent out by the company last week contained fixes for a laundry list of flaws affecting much of its lineup. But it left out some vulnerabilities that prominent security researcher David Litchfield expected to be tackled -- leading him to call for a security overhaul at Oracle, including the resignation of its chief security officer. "That was the last straw," said Litchfield, a security researcher and co-founder of UK-based Next Generation Security Software. "I was extremely disgusted and upset, and I think their customers should take umbrage too. 
Oracle needs to re-address their security philosophies -- their understanding of what security is and what it means." Litchfield is not alone in his critique of the database giant. Other security researchers have joined him in accusing Oracle of plugging holes too late, of delivering low-quality patches that need their own updates, and of not actually fixing vulnerabilities but merely applying a Band-Aid to block the sample attack code provided by researchers. "Oracle is years behind Microsoft and other companies on security," said Cesar Cerrudo, CEO at information security services company Argeniss in Argentina. "I think Oracle is an amateur when it comes to security right now." Oracle chose not to comment for this story. With Microsoft, once the object of bug-related complaints, now earning kudos from researchers and analysts for its security efforts, the spotlight is turning elsewhere. Oracle is a likely target. The Redwood Shores, California, company's enterprise software portfolio has grown fast in recent years as it has picked up rivals in an acquisition spree. While Oracle has been moving away from using the term "unbreakable" in its marketing, the company still likes to boast about the security of its products. In a meeting with reporters at Oracle OpenWorld in San Francisco last month, CEO Larry Ellison boldly stated his software does not have flaws. He did acknowledge, however, that problems do arise -- but only when people customise the products, he said. Some professional flaw-finders are not convinced. As a case in point, Litchfield referred to Oracle's August 2004 security release, which included patches for issues he had reported to the company eight months earlier. The repairs didn't really work, he said. With a slight modification, the sample attack he had submitted worked again. "It looks like they attempted to stop the exploit as opposed to fixing the bug," he said. 
Litchfield, who has been scrutinising Oracle's security for some time, was hoping Oracle would finally put the issue right in its bulletin last week, but it did not. The bugs could be exploited by a user with low-level privileges to gain full access to an Oracle database, he said. What's unclear is whether the bugs have resulted in any data theft or corruption. Big companies -- the bulk of Oracle's customer base -- rarely discuss such issues in public. Timely response How much time there should be between the identification of a vulnerability and the availability of a patch has long been the subject of debate between researchers and software vendors. It depends on many variables, including whether details of the flaw are public and the quality and complexity of the code involved. In general, researchers who find software bugs report those to the vendor, following "responsible disclosure" guidelines favoured by the software industry. They then keep the vulnerability details private until a fix is provided and expect a credit in the vendor's security notice. Often researchers urge software makers to issue a fix soon, arguing that if they can find the bug, criminal hackers could too and start creating a worm or other threat. The ideal is not to have to deal with a time lag or even vulnerabilities at all, said Ed Amoroso, chief information security officer at AT&T. "Vendors should be selling software without bugs," he said. If there are flaws, they should be fixed right away, he added. Some researchers will put pressure on software makers by saying they will release details of a vulnerability within a certain number of days. eEye Digital Security, for example, regards a patch as "overdue" 60 days after it has reported a vulnerability, said Steve Manzuik, security product manager at the Aliso Viejo, California-based company. On its Web site, eEye lists flaws in Microsoft, RealNetworks and Macromedia products that it believes should have been put right by now. 
"But Oracle is definitely worse," Manzuik said. "They have taken over 600 days to release patches. The worst we have seen Microsoft do is in the 300-day range." Alexander Kornbrust, who specialises in Oracle security, said there are 20 bugs in Oracle products found by him that are still outstanding. By comparison, eEye lists seven unresolved Microsoft flaws. Kornbrust, who runs Germany's Red Database Security, said there are at least 30 Oracle issues found by other researchers that remain to be addressed. Quality control Beyond time to patch, Oracle is under fire for the quality of its software updates. Often users run into installation trouble, and the patches regularly need their own fixes, Kornbrust said. Those problems indicate that Oracle does not do enough testing, he said. In the entire process of putting out a patch, testing typically eats up the most time, experts said. The actual identification of the security issue and replication of it are usually done quickly. The fix then needs to be tested for compatibility, to ensure it doesn't break anything. Oracle's chief security officer, Mary Ann Davidson, said in July that the time needed to complete that testing was one of the reasons why it might take a software maker a while to deal with a security issue. She also pointed to the need to dovetail a range of fixes and the need to patch for multiple platforms as other drags on the process. "A two-line code change can take five minutes, but getting a fix into customers' hands in such a way that they will apply it takes way more than a few minutes," she said. Even so, the recent history of Oracle's security updates suggest that the company does not pay attention to security throughout its development process, said Michael Gavin, a senior analyst at Forrester Research. "Far too many software development companies give short shrift to the maintenance of existing products. 
The problems with Oracle patches this year indicate that Oracle is one such company," he said. If Oracle wants to be taken seriously when it comes to security, it needs rigorous security processes at every stage in software development, Gavin said. He pointed to Microsoft as an example of a manufacturer that has its security ducks in a row. "It seems that Microsoft has learned this lesson. Oracle has not," he said. "Oracle has talked the talk without walking the walk, while Microsoft has spent a fortune in time and money to improve the security of its software and has made incredible headway." Since launching its Trustworthy Computing Initiative three years ago, Microsoft has changed the way it develops software in order to make its technology more secure. It has a "security development lifecycle process" aimed at vetting code before pushing out products, for example. Customer discontent helped push Microsoft into cleaning up its act, but outside of some minor grumbling, a similar groundswell has yet to be seen with Oracle. One customer, Daniel Morgan, a member of the Puget Sound Oracle Users Group in Mercer Island, Washington, said he is happy with the company's security practices. "Of course we would like the patches faster," said Morgan, the education chair of the PSOUG and an Oracle instructor at the University of Washington. However, users understand that Oracle technology is mature and that patch testing takes time, he said. "We also know that our vulnerabilities are not like the vulnerabilities at the operating-system level. Our databases are almost universally behind firewalls, running on Unix-based servers and not really vulnerable to the horde of (hacking) teenagers," he added. Community chest In the past, Oracle has had a rocky relationship with the community of security researchers. In her perspective piece, Davidson described as a "problem" those who threaten vendors with disclosure of bugs. 
For their part, researchers said that unlike other major software houses, Oracle seems to view reports of vulnerabilities as unwanted criticism rather than useful feedback. "Oracle says that life would be much better without us. That is not true -- we are not the enemy," Kornbrust said. But Pete Lindstrom, a director at research firm Spire Security, believes flaw finders are at the root of the conflict, not Oracle. "I really question the motives of the security researchers," he said. "They are techno-elitists requiring ego-stroking, and the end-users are caught in that crossfire." Security researchers are purists who want every bug squashed, Lindstrom said. "Everyone else wants software that is secure enough -- simply, that you have no compromises against vulnerabilities in the software. It is not that you eliminate all vulnerabilities from all software everywhere," he said. Instead of helping make software more secure, the bug hunters are a burden, Lindstrom said. It is not true that criminal hackers are just behind them when it comes to uncovering bugs, he said. Instead, attacks always take advantage of bugs published by researchers, he said: "Maybe the good guys should stop finding bugs for the bad guys." From isn at c4i.org Fri Oct 28 02:33:01 2005 From: isn at c4i.org (InfoSec News) Date: Fri Oct 28 02:51:22 2005 Subject: [ISN] I CONNED YOU: GIVE ME A JOB Message-ID: http://www.dailyrecord.co.uk/news/tm_objectid=16303148&method=full&siteid=66633&headline=i-conned-you--give-me-a-job--name_page.html 28 October 2005 A TEENAGER locked up for conning £45,000 out of eBay shoppers wants a job with the auction site as a security expert. And eBay bosses say they are interested in hiring Phillip Shortman, 18, even though he is now awaiting sentence for a second online scam. Shortman got 12 months' detention in May for offering £45,000 of goods for sale on eBay, pocketing the cash and failing to supply the goods. 
Then, while out on licence, he was caught selling £8000 of bogus Welsh rugby tickets on the site. He is waiting to be sentenced for the tickets con. Despite his latest conviction, Shortman, of Pontypool, Gwent, told Tonight with Trevor McDonald: "I've turned over a new leaf." He insisted he would make a good security adviser, saying: "I can see a scam from miles away. Fingers crossed, maybe Microsoft or eBay or somebody big will get in touch." The head of security at eBay, Gareth Griffiths, told the programme he was keen to meet Shortman to discuss the idea of hiring him. He said: "I'd love to have a chat with Phillip Shortman. Let's talk about it, very happy to have a chat From isn at c4i.org Fri Oct 28 02:33:19 2005 From: isn at c4i.org (InfoSec News) Date: Fri Oct 28 02:51:47 2005 Subject: [ISN] UNL officials pondering computer security overhaul Message-ID: http://www.dailynebraskan.com/vnews/display.v/ART/2005/10/28/4361b2d9d7b13 JOHNNY PEREZ October 28, 2005 University of Nebraska-Lincoln officials are cautiously preparing to comply with a controversial federal law that may require colleges and universities to overhaul their computer networks to make it easier for law enforcement agencies to monitor electronic communications. The mandate is an expansion of the 11-year-old Communications Assistance for Law Enforcement Act (CALEA), which requires telephone service providers to fund updates of their systems in order to assist law enforcement with electronic surveillance. The FCC began implementing the act in 1997 but has since made several orders concerning CALEA's rules. The FCC's most recent changes, which will go into effect Nov. 14, included conclusions that expanded the original definition of a ``telecommunications carrier'' and suggested that facilities-based providers of broadband Internet access - including universities - were subject to CALEA's rules, a prospect that has many university officials worried. 
``The fear is that CALEA somehow is going to require colleges and universities to redesign their entire computer networks ... and telephone networks to accommodate law enforcement,'' said Michael Carr, information security officer for the University of Nebraska. The FCC has yet to announce specific changes that universities must make to their networks, although all changes must be implemented by June 2007. But these future changes could raise concerns among university officials about invasion of privacy. Colleges and universities already hand over information to law enforcement concerning network traffic - such as e-mails sent by faculty and students and Internet searches - to comply with court-ordered subpoenas or warrants. The FCC's changes will aim to speed up this process by providing easier access to the information. Because universities and colleges already partially comply with this regulation, Carr said some officials are questioning their inclusion in the new changes. But Carr said criminals are using Internet networks to communicate in new ways, increasing the need for government action. ``We have an obligation to make sure digital resources aren't being used for bad things,'' he said. ``You have to change the way you do business if you're an investigative agency.'' Many organizations representing universities are expressing concerns about the possibility that such updates could cost educational institutions billions of dollars. But Rick Haugerud, assistant director for Information Services at the University of Nebraska-Lincoln, said these potential costs could be inflated because the federal government has yet to specify what changes universities need to have in place by 2007. The changes came in response to a March 2004 petition by the Department of Justice, FBI and Drug Enforcement Administration to the FCC to include broadband Internet access services and voice-over-Internet providers, which allow phone calls to be made over the Internet. 
The American Council on Education, a coordinating body for educational institutions around the country, filed a lawsuit Monday challenging the new requirements. EDUCAUSE, a nonprofit educational information technology organization, also has filed comments with the FCC requesting that the proposed changes be modified. ``Our posture has been to kind of sit back and communicate with our user groups,'' Haugerud said. ``They're putting up the money to fight this thing, and we'll see where it goes.'' With current discussion generated by the issue, Haugerud said UNL is looking into ways they could comply with new mandates. ``We don't want to do anything that would inhibit our ability to do this down the road,'' he said. ``We're looking at if this were to happen, what would we do. ... We're not making fixed decisions, we're just having conversations.'' As educational institutions wait on detailed instructions from the federal government, Carr said it is still early to become too worried since the FCC has only said something needs to be done - not what must be done. ``But it's not bad to think about it,'' he said. 
From isn at c4i.org Fri Oct 28 02:34:04 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 28 02:52:13 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-43
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-10-20 - 2005-10-27

This week : 47 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Some vulnerabilities have been reported in Skype, which can be exploited by malicious people to cause a DoS or to compromise a user's system.

All users of Skype are advised to update to the latest version.

Reference:
http://secunia.com/SA17305

--

A security issue has been reported in Symantec Discovery, which potentially can be exploited by malicious people to gain access to, or to manipulate certain information.

The vendor has released updated versions. Please see the referenced Secunia advisory for additional details.

Reference:
http://secunia.com/SA17302

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA17305] Skype Multiple Buffer Overflow Vulnerabilities
2.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
3.  [SA17250] Oracle Products 85 Unspecified Vulnerabilities
4.  [SA17220] Snort Back Orifice Pre-Processor Buffer Overflow Vulnerability
5.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
6.  [SA16560] Windows Registry Editor Utility String Concealment Weakness
7.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
8.  [SA17281] RSA Authentication Agent for Web "Redirect" Buffer Overflow
9.  [SA17284] Debian update for mozilla-thunderbird
10. [SA17254] Ethereal Multiple Protocol Dissector and PCRE Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA17301] eBASEweb Unspecified SQL Injection Vulnerability

UNIX/Linux:
[SA17284] Debian update for mozilla-thunderbird
[SA17335] SGI Advanced Linux Environment Multiple Updates
[SA17332] Debian update for koffice
[SA17327] Red Hat update for ethereal
[SA17305] Skype Multiple Buffer Overflow Vulnerabilities
[SA17288] Trustix update for multiple packages
[SA17286] Fedora update for ethereal
[SA17339] Debian update for libgda2
[SA17325] CHM Lib Buffer Overflow Vulnerability
[SA17323] GNOME-DB libgda Logging Functions Format String Vulnerabilities
[SA17320] SUSE update for curl/wget
[SA17317] F.E.A.R. Lithtech Engine UDP Datagram Denial of Service
[SA17313] HP Oracle for Openview Multiple Vulnerabilities
[SA17309] Gentoo update for zope
[SA17298] Gentoo update for phpmyadmin
[SA17297] Gentoo update for curl
[SA17285] Mandriva update for ruby
[SA17321] Network Appliance Data ONTAP iSCSI Authentication Bypass
[SA17331] RSA ACE/Agent for Web "image" Cross-Site Scripting Vulnerability
[SA17314] Basic Analysis and Security Engine SQL Injection Vulnerability
[SA17287] Fedora update for squid
[SA17322] Debian update for sudo
[SA17318] Sudo Environment Cleaning Privilege Escalation Vulnerability
[SA17299] mgdiff Patch Viewer Insecure Temporary File Creation
[SA17293] Fetchmail "fetchmailconf" Password Disclosure Vulnerability
[SA17290] SUSE update for permissions

Other:

Cross Platform:
[SA17328] PHP iCalendar "phpicalendar" File Inclusion Vulnerability
[SA17330] Snoopy "_httpsrequest()" Shell Command Injection Vulnerability
[SA17324] TClanPortal "id" SQL Injection Vulnerability
[SA17315] PHP-Nuke SQL Injection Vulnerabilities
[SA17312] PHP-Fusion "news_body" Script Insertion Vulnerability
[SA17310] archilles Newsworld "data" Exposure of Sensitive Information
[SA17308] SaphpLesson "forumid" SQL Injection Vulnerability
[SA17307] ar-blog Script Insertion and Authentication Bypass Vulnerabilities
[SA17306] Zomplog Cross-Site Scripting and SQL Injection Vulnerabilities
[SA17304] Nuked-Klan Script Insertion and SQL Injection Vulnerabilities
[SA17303] MWChat "Username" SQL Injection Vulnerability
[SA17300] Xoops Multiple Script Insertion Vulnerabilities
[SA17292] AL-Caricatier "cookie_username" Authentication Bypass Vulnerability
[SA17291] FlatNuke Cross-Site Scripting and Disclosure of Sensitive Information
[SA17289] phpMyAdmin Local File Inclusion and Cross-Site Scripting
[SA17302] Symantec Discovery Database Accounts Null Password
[SA17319] IBM HTTP Server HTTP Request Smuggling Vulnerability
[SA17316] Flyspray Cross-Site Scripting Vulnerabilities
[SA17295] phpBB Avatar Script Insertion Vulnerability
[SA17283] Chipmunk Directory "entryID" Cross-Site Scripting Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA17301] eBASEweb Unspecified SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-10-24

A vulnerability has been reported in eBASEweb, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17301/

UNIX/Linux:
--

[SA17284] Debian update for mozilla-thunderbird

Critical:    Extremely critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-10-21

Debian has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17284/

--

[SA17335] SGI Advanced Linux Environment Multiple Updates

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, Privilege escalation, System access
Released:    2005-10-26

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to gain knowledge of sensitive information, bypass certain security restrictions and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17335/

--

[SA17332] Debian update for koffice

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-10-26

Debian has issued an update for koffice. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17332/

--

[SA17327] Red Hat update for ethereal

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-10-26

Red Hat has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17327/

--

[SA17305] Skype Multiple Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-10-25

Some vulnerabilities have been reported in Skype, which can be exploited by malicious people to cause a DoS or to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17305/

--

[SA17288] Trustix update for multiple packages

Critical:    Highly critical
Where:       From remote
Impact:      Unknown, Security Bypass, Cross Site Scripting, Manipulation of data, Privilege escalation, DoS, System access
Released:    2005-10-24

Trustix has issued updates for multiple packages. These fix some vulnerabilities, where the most critical ones can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17288/

--

[SA17286] Fedora update for ethereal

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-10-21

Fedora has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17286/

--

[SA17339] Debian update for libgda2

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-26

Debian has issued an update for libgda2. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17339/

--

[SA17325] CHM Lib Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-26

Sven Tantau has reported a vulnerability in CHM Lib (chmlib), which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17325/

--

[SA17323] GNOME-DB libgda Logging Functions Format String Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-26

Steve Kemp has reported two vulnerabilities in GNOME-DB libgda, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17323/

--

[SA17320] SUSE update for curl/wget

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-25

SUSE has issued updates for curl and wget. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17320/

--

[SA17317] F.E.A.R. Lithtech Engine UDP Datagram Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-10-24

Luigi Auriemma has reported a vulnerability in F.E.A.R. (First Encounter Assault and Recon), which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17317/

--

[SA17313] HP Oracle for Openview Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Cross Site Scripting, Manipulation of data, System access
Released:    2005-10-25

HP has acknowledged some vulnerabilities in HP OfO (Oracle for Openview), which can be exploited with unknown impact, to conduct PL/SQL injection attacks, cross-site scripting attacks, or potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17313/

--

[SA17309] Gentoo update for zope

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2005-10-25

Gentoo has issued an update for zope. This fixes a vulnerability with an unknown impact.

Full Advisory:
http://secunia.com/advisories/17309/

--

[SA17298] Gentoo update for phpmyadmin

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2005-10-25

Gentoo has issued an update for phpmyadmin. This fixes two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/17298/

--

[SA17297] Gentoo update for curl

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-24

Gentoo has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17297/

--

[SA17285] Mandriva update for ruby

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-10-21

Mandriva has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17285/

--

[SA17321] Network Appliance Data ONTAP iSCSI Authentication Bypass

Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass
Released:    2005-10-25

Thomas H. Ptacek has reported a vulnerability in Network Appliance Data ONTAP, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17321/

--

[SA17331] RSA ACE/Agent for Web "image" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-10-26

SEC Consult has reported a vulnerability in RSA ACE/Agent for Web, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17331/

--

[SA17314] Basic Analysis and Security Engine SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-10-25

Remco Verhoef has discovered a vulnerability in Basic Analysis and Security Engine (BASE), which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17314/

--

[SA17287] Fedora update for squid

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-10-21

Fedora has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17287/

--

[SA17322] Debian update for sudo

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-26

Debian has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17322/

--

[SA17318] Sudo Environment Cleaning Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-25

Tavis Ormandy has reported a vulnerability in Sudo, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/17318/

--

[SA17299] mgdiff Patch Viewer Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-24

Javier Fernandez-Sanguino Pena has reported a vulnerability in mgdiff Patch Viewer, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17299/

--

[SA17293] Fetchmail "fetchmailconf" Password Disclosure Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-10-24

A vulnerability has been reported in Fetchmail, which can be exploited by malicious, local users to gain knowledge of certain sensitive information.

Full Advisory:
http://secunia.com/advisories/17293/

--

[SA17290] SUSE update for permissions

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-10-24

SUSE has issued an update for permissions. This fixes a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17290/

Other:

Cross Platform:
--

[SA17328] PHP iCalendar "phpicalendar" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-10-26

Francesco "aScii" Ongaro has discovered a vulnerability in PHP iCalendar, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17328/

--

[SA17330] Snoopy "_httpsrequest()" Shell Command Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-26

Daniel Fabian has discovered a vulnerability in Snoopy, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17330/

--

[SA17324] TClanPortal "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-10-25

Abducter has discovered a vulnerability in TClanPortal, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17324/

--

[SA17315] PHP-Nuke SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-10-25

rgod has discovered some vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17315/

--

[SA17312] PHP-Fusion "news_body" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-10-25

peanut has discovered a vulnerability in PHP-Fusion, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17312/

--

[SA17310] archilles Newsworld "data" Exposure of Sensitive Information

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information
Released:    2005-10-25

Christoph "Chb" Burchert has discovered a security issue in archilles Newsworld, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/17310/

--

[SA17308] SaphpLesson "forumid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-10-25

aLMaSTeR has reported a vulnerability in SaphpLesson, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/17308/

--

[SA17307] ar-blog Script Insertion and Authentication Bypass Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2005-10-25

_MoHaJaLi_ has reported two vulnerabilities in ar-blog, which can be exploited by malicious people to conduct script insertion attacks and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17307/

--

[SA17306] Zomplog Cross-Site Scripting and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-10-24

BiPi_HaCk has discovered some vulnerabilities in Zomplog, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17306/

--

[SA17304] Nuked-Klan Script Insertion and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-10-25

papipsycho has reported some vulnerabilities in Nuked-Klan, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17304/

--

[SA17303] MWChat "Username" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-10-24

rgod has reported a vulnerability in MWChat, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17303/

--

[SA17300] Xoops Multiple Script Insertion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-10-25

Keigo Yamazaki has reported some vulnerabilities in Xoops, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17300/

--

[SA17292] AL-Caricatier "cookie_username" Authentication Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-10-24

God Of Death has discovered a vulnerability in AL-Caricatier, which can be exploited by malicious people to bypass certain security protections.

Full Advisory:
http://secunia.com/advisories/17292/

--

[SA17291] FlatNuke Cross-Site Scripting and Disclosure of Sensitive Information

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2005-10-24

Abducter has discovered some vulnerabilities in FlatNuke, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/17291/

--

[SA17289] phpMyAdmin Local File Inclusion and Cross-Site Scripting

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2005-10-24

Two vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/17289/

--

[SA17302] Symantec Discovery Database Accounts Null Password

Critical:    Moderately critical
Where:       From local network
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2005-10-25

A security issue has been reported in Symantec Discovery, which potentially can be exploited by malicious people to gain access to, or to manipulate certain information.
Full Advisory:
http://secunia.com/advisories/17302/

--

[SA17319] IBM HTTP Server HTTP Request Smuggling Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2005-10-25

IBM has acknowledged a vulnerability in IBM HTTP server, which can be exploited by malicious people to conduct HTTP request smuggling attacks.

Full Advisory:
http://secunia.com/advisories/17319/

--

[SA17316] Flyspray Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-10-26

Lostmon has reported some vulnerabilities in Flyspray, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17316/

--

[SA17295] phpBB Avatar Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-10-24

K-Gen has discovered a vulnerability in phpBB, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17295/

--

[SA17283] Chipmunk Directory "entryID" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-10-21

trueend5 has discovered a vulnerability in Chipmunk Directory, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17283/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web     : http://secunia.com/
E-mail  : support@secunia.com
Tel     : +45 70 20 51 44
Fax     : +45 70 20 51 45

From isn at c4i.org Mon Oct 31 07:24:39 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 31 07:33:29 2005
Subject: [ISN] Origins of spy-mail easy to trace
Message-ID:

http://www.thestar.co.za/index.php?fSectionId=225&fArticleId=2973225

By Jacques Wessels
October 30, 2005

Can the government IT systems be hacked, broken into and information stolen or planted? The answer is yes. It is a fact of life in the IT industry that there is no such thing as a secure network. IT systems and networks can have a high or low level of security, but the perfect impenetrable network does not exist.

Is it a trivial matter to break into government systems? This is a question that needs deeper understanding. The government's information security policies are modelled around the BS7799 standard, which is an internationally recognised benchmark for information security around the world. But the problem comes with implementing those policies.

On October 10, it was reported that government websites were repeatedly hacked into by a group calling themselves the "Beyond Crew". Technical personnel fixed their web servers only to have them hacked into again by another group known as "BHS-Team". These systems were built on platforms generally regarded as very secure.

A hacker is a person with very good technical computer skills who uses those skills to gain access to computer systems. As is the case with web servers, the reason is often a form of prestige within the hacker community on being able to gain access.

How does all this tie into the current saga between Minister Kasrils and the NIA on claims of stolen e-mails? The NIA claims an "agent" either intercepted the e-mails or fabricated them. For a more objective opinion, it would be useful to bring certain events into focus.
Deputy president Phumzile Mlambo-Ngcuka's laptop was recently stolen. It is alleged that presidential legal advisor Mojanko Gumbi's laptop was also stolen. Government websites have very recently been hacked and defaced, and now there are supposed e-mails of a sensitive nature doing the rounds.

If indeed the laptops had been acquired by someone with the correct level of technical skills, it would be a fairly routine exercise to find and interpret sensitive information. The e-mails may well have been obtained from the laptops themselves.

If the laptops are not to blame, that leaves the possibility of an agent breaking into the government network. This may sound easy, but a high level of technical expertise is required for this.

Government networks use devices called firewalls to enforce computer security policies. A firewall is a device that makes decisions on which users from the Internet may access a protected network. A hacker would therefore have to compromise the firewall security to gain access to the internal government network. This is a very complex task since firewalls are explicitly designed to stop this from happening. It is however not impossible, and there are many companies that get hacked despite their state-of-the-art firewalls. The question is whether your security policy is smarter than the hacker you are trying to keep out.

Government has a fairly smart policy and, if it is implemented properly, there is a far more likely scenario. According to research on security in the computer world, the weakest link is the human one. Couple this with the fact that more than 70% of information security breaches occur from within the organisation, and the most likely scenario is that someone already inside the government computer network gained illegal access to information.

Once a hacker has physical access to a network, the picture changes dramatically. The exercise of stealing data and breaking into computer systems becomes a trivial exercise.
Computer networks and computer systems can be compared to a noisy bar and its patrons respectively. It is easy to "tune" into a single conversation at a time (a conversation meant for your ears), but it is also possible to eavesdrop on other conversations. Eavesdropping on network traffic such as e-mails and chat room conversations is called "sniffing" in hacker terms.

Some forms of sniffing attacks allow a hacker access to data even on switched networks by inserting the hacker's computer between two communicating computers. These attack methods are known as "man-in-the-middle". They can also allow a form of digital impersonation called "spoofing" where the hacker can send e-mails that look like they came from another person.

One important point remains. Even though it is entirely possible to obtain information such as e-mails, the hacker will always leave some kind of trail. Every web page, phone call, e-mail message or even chat room conversation can be traced, intercepted or monitored. Without exception. This is also true of government systems and will prove to be critical in finding the truth.

If the e-mails did originate within government then log files will exist, and if proper forensic investigation is conducted, then it should be possible to trace their origin.

-=-

Jacques Wessels is a computer science lecturer in the Engineering faculty at the Nelson Mandela Metropolitan University

From isn at c4i.org Mon Oct 31 07:25:03 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 31 07:34:03 2005
Subject: [ISN] Linux Advisory Watch - October 28th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter        |
|  October 28th, 2005                         Volume 6, Number 44a     |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                    Benjamin D. Thomas
                dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for mozilla, module-assistant, eric, sudo, libgda2, imlib, koffice, net-snmp, lynx, RTF, Netpbm, cURL, Zope, phpMyAdmin, ethereal, pam, and fetchmail. The distributors include Debian, Gentoo, and Red Hat.

----

Security Compromise Underway?
By: Dave Wreski

Spotting a security compromise under way can be a tense undertaking. How you react can have large consequences.

If the compromise you are seeing is a physical one, odds are you have spotted someone who has broken into your home, office or lab. You should notify your local authorities. In a lab, you might have spotted someone trying to open a case or reboot a machine. Depending on your authority and procedures, you might ask them to stop, or contact your local security people.

If you have detected a local user trying to compromise your security, the first thing to do is confirm they are in fact who you think they are. Check the site they are logging in from. Is it the site they normally log in from? No? Then use a non-electronic means of getting in touch. For instance, call them on the phone or walk over to their office/house and talk to them.

If they agree that they are on, you can ask them to explain what they were doing or tell them to cease doing it. If they are not on, and have no idea what you are talking about, odds are this incident requires further investigation. Look into such incidents, and have lots of information before making any accusations.

If you have detected a network compromise, the first thing to do (if you are able) is to disconnect your network. If they are connected via modem, unplug the modem cable; if they are connected via Ethernet, unplug the Ethernet cable.
This will prevent them from doing any further damage, and they will probably see it as a network problem rather than detection.

If you are unable to disconnect the network (if you have a busy site, or you do not have physical control of your machines), the next best step is to use something like tcp_wrappers or ipfwadm to deny access from the intruder's site.

If you can't deny all people from the same site as the intruder, locking the user's account will have to do. Note that locking an account is not an easy thing. You have to keep in mind .rhosts files, FTP access, and a host of possible backdoors.

After you have done one of the above (disconnected the network, denied access from their site, and/or disabled their account), you need to kill all their user processes and log them off.

You should monitor your site well for the next few minutes, as the attacker will try to get back in. Perhaps using a different account, and/or from a different network address.

Read more from the Linux Security Howto:
http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
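The containment steps from the "Security Compromise Underway?" essay above (deny the intruder's site with tcp_wrappers, close the FTP and .rhosts re-entry paths, lock the account and kill its processes, then watch for a return) as an added shell example; this is not code from the Security HOWTO or from the newsletter. File paths are parameters so the functions can be tried on scratch copies, the user name and addresses in the comments are constructed, and lock_and_logoff assumes Linux shadow-utils (passwd -l) and procps (pkill).

```shell
#!/bin/sh
# Added example (not from the Security HOWTO or this newsletter): helpers for
# the containment steps in the essay. Paths are parameters so each function
# can be exercised against scratch copies before it is run as root against
# /etc/hosts.deny, /etc/ftpusers and the real home directory.

# Step 1: deny the intruder's site to every tcp_wrappers-protected service.
# hosts.deny lines are "daemon_list : client_list"; "ALL: 192.0.2.10" blocks
# one host and "ALL: 192.0.2." a whole class C (addresses are constructed).
# Idempotent: an identical rule is never appended twice.
deny_site() {
    hosts_deny=$1   # normally /etc/hosts.deny
    site=$2         # host or network prefix
    if ! grep -qxF "ALL: $site" "$hosts_deny" 2>/dev/null; then
        printf 'ALL: %s\n' "$site" >> "$hosts_deny"
    fi
}

# Step 2a: FTP access. Classic FTP daemons refuse logins for accounts listed
# in ftpusers, so list the user there as part of locking the account.
deny_ftp() {
    ftpusers=$1     # normally /etc/ftpusers
    user=$2
    if ! grep -qxF "$user" "$ftpusers" 2>/dev/null; then
        printf '%s\n' "$user" >> "$ftpusers"
    fi
}

# Step 2b: a .rhosts file lets the account back in over rlogin/rsh without a
# password, the re-entry path the essay warns about. Keep a timestamped copy
# for the investigation, then empty the file. Returns 0 if a .rhosts was
# found and neutralised, 1 if the account had none.
neutralise_rhosts() {
    home=$1
    rhosts="$home/.rhosts"
    [ -f "$rhosts" ] || return 1
    cp -p "$rhosts" "$rhosts.incident-$(date +%Y%m%d%H%M%S)"
    : > "$rhosts"
    return 0
}

# Step 3: lock the account and throw the intruder off. Needs root. passwd -l
# disables the password (shadow-utils); pkill -KILL -u ends every process
# owned by the user (procps). Not exercised by the self-test because it
# touches real accounts.
lock_and_logoff() {
    user=$1
    passwd -l "$user" >/dev/null
    pkill -KILL -u "$user" || true    # no processes left is not an error
}

# Step 4: watch for the attacker coming back under a different account or
# from a different address. Pipe `who` output through login_pairs before and
# after containment, then new_logins lists pairs that were not there before.
login_pairs() {        # stdin: who(1) output; stdout: sorted "user host" lines
    awk '{ host = ($NF ~ /^\(.*\)$/) ? substr($NF, 2, length($NF) - 2) : "local"; print $1, host }' \
        | sort -u
}
new_logins() {         # $1: baseline pairs file, $2: current pairs file
    grep -vxF -f "$1" "$2" || true   # lines present in $2 but not in $1
}
```

Run `who | login_pairs > /tmp/before` when the intrusion is spotted and, after containment, `who | login_pairs | new_logins /tmp/before -` every minute or so: any line it prints is a login that did not exist before the intruder was cut off.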
http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New Mozilla packages fix several vulnerabilities
  20th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120623

* Debian: New module-assistant package fixes insecure temporary file
  20th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120624

* Debian: New Mozilla Thunderbird packages fix several vulnerabilities
  20th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120630

* Debian: New eric packages fix arbitrary code execution
  21st, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120638

* Debian: New sudo packages fix arbitrary command execution
  25th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120648

* Debian: New libgda2 packages fix arbitrary code execution
  25th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120655

* Debian: New libgda2 packages fix arbitrary code execution
  25th, October, 2005
  Updated package.
http://www.linuxsecurity.com/content/view/120659

* Debian: New imlib packages fix arbitrary code execution
  26th, October, 2005

Upgrade package.

http://www.linuxsecurity.com/content/view/120660

* Debian: New koffice packages fix arbitrary code execution
  26th, October, 2005

Upgraded package.

http://www.linuxsecurity.com/content/view/120661

* Debian: New net-snmp packages fix denial of service
  26th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120668

* Debian: New lynx packages fix arbitrary code execution
  27th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120671

* Debian: New OpenSSL packages fix cryptographic weakness
  27th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120672

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: AbiWord New RTF import buffer overflows
  20th, October, 2005

AbiWord is vulnerable to an additional set of buffer overflows during RTF import, making it vulnerable to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120625

* Gentoo: Netpbm Buffer overflow in pnmtopng
  20th, October, 2005

The pnmtopng utility, part of the Netpbm tools, contains a vulnerability which can potentially result in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120626

* Gentoo: cURL NTLM username stack overflow
  22nd, October, 2005

cURL is vulnerable to a buffer overflow which could lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120640

* Gentoo: Zope File inclusion through RestructuredText
  25th, October, 2005

Zope is vulnerable to a file inclusion vulnerability when exposing RestructuredText functionalities to untrusted users.

http://www.linuxsecurity.com/content/view/120652

* Gentoo: phpMyAdmin Local file inclusion and XSS vulnerabilities
  25th, October, 2005

phpMyAdmin contains a local file inclusion vulnerability that may lead to the execution of arbitrary code, along with several cross-site scripting issues.

http://www.linuxsecurity.com/content/view/120653

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: ethereal security update
  25th, October, 2005

Updated Ethereal packages that fix various security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120658

* RedHat: Low: pam security update
  26th, October, 2005

An updated pam package that fixes a security weakness is now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120666

* RedHat: Low: fetchmail security update
  26th, October, 2005

Updated fetchmail packages that fix insecure configuration file creation are now available. This update has been rated as having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120667

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Oct 31 07:25:20 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 31 07:34:41 2005
Subject: [ISN] AIM worm plays nasty new trick
Message-ID:

http://news.com.com/AIM+worm+plays+nasty+new+trick/2100-7349_3-5920403.html

By Joris Evers
Staff Writer, CNET News.com
October 28, 2005

A worm found spreading via America Online's Instant Messenger is carrying a nastier punch than usual, a security company has warned.

The unnamed worm delivers a cocktail of unwanted software, including a so-called rootkit, security experts at FaceTime Communications said Friday. A rootkit is a tool designed to go undetected by the security software used to lock down control of a computer after an initial hack.

"A very nasty bundle is downloaded to your machine" when you click on the worm link, said Tyler Wells, senior director of engineering at FaceTime. "This is the first time that we have seen a rootkit as part of the bundle of applications that is sent to your machine. It is a disturbing trend."

IM worm and malicious code attacks are happening more than ever before. The number of threats detected for instant-messaging and peer-to-peer networks rose 3,295 percent in the third quarter of 2005, compared with last year, according to a recent report from security provider IMlogic.

In addition to the "lockx.exe" rootkit file, the new worm delivers a version of the Sdbot Trojan horse, said FaceTime, which sells products to protect instant-messaging traffic. Sdbot opens a backdoor on the infected PC.

The worm also places several spyware and adware applications, including 180Solutions, Zango, the Freepod Toolbar, MaxSearch, Media Gateway and SearchMiracle, the company added. All that unwanted software can eat up system resources, slowing down the PC, Wells said.
Also, the malicious applications will attempt to disable security programs and change the search page on the user's Web browser, FaceTime said.

The worm was spotted in an AOL IM chatroom and infected one of the PCs that FaceTime uses for worm bait. The company said it also has seen the pest hit other computers.

"It is still out there, and it is definitely something the user should be leery of," Wells said. "The rootkit is designed to not be detected, and that is the scary part."

Worms on IM networks can spread rapidly. They appear as a message from a buddy with a link that looks innocent, but in fact points to malicious code somewhere on the Internet. Once the user clicks on the link, malicious code is installed and runs on the computer. The worm then spreads itself by sending messages to all names on the victim's contact list.

The advice to users is to be careful when clicking on links in IM messages--even when they seem to come from friends--and to use up-to-date antivirus software. When receiving a link in an instant message, the best practice is to verify with the sender if the link was sent intentionally or not.

From isn at c4i.org Mon Oct 31 07:25:39 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 31 07:36:06 2005
Subject: [ISN] Web Banking Undergoing Security Upgrade
Message-ID:

http://www.lasvegassun.com/sunbin/stories/business/2005/oct/30/103005691.html

By BRIAN BERGSTEIN
ASSOCIATED PRESS
October 30, 2005

BOSTON (AP) - If you do banking over the Internet, generally the drill is pretty simple: You enter your user name and password, and away you go.

But behind the scenes, the bank can do a lot to check you out: Are you at your home computer, or at one with an Internet address that, strangely, is registered overseas? Are you logging on at an unusual time of day, or from a super-fast connection when normally you have dial-up?
This kind of analysis is one example of the layers that bank Web sites will be adding by the end of 2006 to meet new demands from federal regulators for "two-factor" authentication. That essentially means checking something more than just user name and password to verify a customer's identity.

"Phishers" and other Internet fraud artists have become adept at stealing passwords, mainly through "social engineering." Preying on people's propensity to believe something seemingly authoritative, criminals send authentic-looking e-mails that send unsuspecting people to an authentic-looking Web site where they give away their data.

Many banks overseas, where data-privacy laws are stronger, already have deployed a second level of authentication. They give customers specialized hardware, such as a "smart card" or an electronic token that displays a changing series of passcodes.

Cost-conscious U.S. banks are unlikely to go as far. Instead, they'll probably perform tweaks inside their own Web servers that most of us will barely notice.

"We're trying to come up with something here that's very user-friendly," said Jim Maloney, chief security executive of Corillian Corp., a Web-banking services company that offers login-analysis software.

If the software raises red flags about a user's profile - because, say, he one day logs in from Denmark instead of Denver - the bank can confirm his identity by asking a series of questions that only he is likely to know, such as the amount of his last mortgage payment, or the street he grew up on.

That kind of fraud detection has long existed on credit cards, and the fact that Web banking has yet to widely deploy it says a lot about the state of the industry.

Although identity theft and other financial fraud have garnered a lot of attention and are believed to be getting more sophisticated, banks have been reluctant to do anything to increase the cost and complexity of their Web sites.
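The login analysis the article sketches (is the address registered overseas, is the hour unusual, is the connection type different from the customer's normal one, and if so ask questions only the customer can answer) is easy to make concrete. The following is an added example, not Corillian's or any bank's software: each customer has a baseline of usual country, login-hour window and connection type, and a login that strays far enough from it is routed to a step-up challenge instead of being allowed on the password alone. The field layout, the weights, the threshold and all sample data are constructed for the example.

```shell
#!/bin/sh
# Added example, not Corillian's or any bank's software: a minimal risk-based login
# analyzer of the kind the article describes. Field layout, weights, threshold and
# all sample data are constructed for the example.

# Constructed baselines: user  country  earliest_hour  latest_hour  connection
PROFILES='alice US 06 22 broadband
bob   US 08 18 dialup'

# Constructed login attempts: user  country  hour  connection
LOGINS='alice US 09 broadband
alice DK 03 broadband
bob   US 12 dialup
bob   US 23 broadband
carol US 10 broadband'

# Reads login lines on stdin, prints "user score decision reasons" per login.
# Weights: a foreign address alone (40) reaches the threshold on its own; an odd
# hour or a changed connection type (20 each) only tip the balance together.
# An account with no baseline is denied outright rather than scored.
score_logins() {
    awk -v profiles="$1" -v threshold=40 '
    BEGIN {
        n = split(profiles, line, "\n")
        for (i = 1; i <= n; i++) {
            split(line[i], f, " ")
            country[f[1]] = f[2]; hfrom[f[1]] = f[3] + 0
            hto[f[1]] = f[4] + 0; conn[f[1]] = f[5]
        }
    }
    {
        u = $1
        if (!(u in country)) { print u, "-", "deny", "unknown-user"; next }
        score = 0; why = ""
        if ($2 != country[u])                     { score += 40; why = why "country," }
        if ($3 + 0 < hfrom[u] || $3 + 0 > hto[u]) { score += 20; why = why "hour," }
        if ($4 != conn[u])                        { score += 20; why = why "connection," }
        sub(/,$/, "", why)
        print u, score, (score >= threshold ? "step-up" : "allow"), (why == "" ? "-" : why)
    }'
}

# Verdict only, for one login line: "allow", "step-up" or "deny".
decide() {
    printf '%s\n' "$1" | score_logins "$PROFILES" | awk '{ print $3 }'
}

printf '%s\n' "$LOGINS" | score_logins "$PROFILES"
```

The reasons column is what makes this usable by a fraud desk: "step-up" for Denmark-instead-of-Denver is expected, but "step-up" for a mere change from dial-up to broadband at a normal hour would be a false positive, which is why the two weaker signals are weighted below the threshold individually. The article's point that a step-up challenge is only as good as the secrecy of the answers still applies; this script decides when to ask, not what.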
After all, the Internet is supposed to be banks' low-cost platform, cheaper than having customers deal with tellers or ring up the help desk. The efficiencies of self-service Web banking likely have outweighed the costs of fraud, which some estimates have placed as low as $137 million worldwide in 2004.

"Right now banks don't have that much security around checking accounts," said Avivah Litan, an analyst with the Gartner research firm. "Generally speaking, their losses are pretty tolerable."

However, on Oct. 12, the Federal Financial Institutions Examination Council, an umbrella group of U.S. regulators including the Federal Reserve and the Federal Deposit Insurance Corp., told banks to strengthen their online authentication by the end of 2006. Auditors will examine those efforts in regular inspections.

The policy was widely interpreted as a boost for security providers, who are tired of seeing banks kick the tires of two-factor authentication services but generally not buy.

According to a June report from the FDIC, a handful of U.S. banks had given customers tokens with passcodes that change every minute. The codes are generated by an algorithm programmed into the token and confirmed on a central authenticating server, making the password impossible to guess.

But tokens create their own headaches. They're relatively costly to deploy and can prompt lots of calls to customer service if they're lost or temporarily out of reach. Banks also fear a "necklace" scenario in which customers end up collecting an annoying strand of tokens from all the companies they do business with online.

Even one token might be seen as a hassle. After ETrade Financial Corp. began offering tokens from RSA Security Inc. to its 2.8 million U.S. customers, only 20,000 signed up. Almost all those people could get the gadgets for free because they were frequent traders or had more than $50,000 in their accounts; everyone else had to pay $25.
One-time passwords can be given out in less expensive ways. They can be beamed to a cell phone or handheld computer, or mailed to customers on scratch-off cards.

But security experts warn that one-time passwords can be stolen in a "man-in-the-middle" attack, in which a con artist harvests a victim's code on a phony Web site and instantly relays it to the real bank, then conducts transactions in her name. Such frauds are rare - if they happen at all - but that's partly because there are so many easier targets, for now.

Token vendors point out that their devices can be set to foil men in the middle by generating additional codes for each individual transaction.

Still, there are enough knocks against hardware-based solutions that most banks will take softer steps to meet the regulators' demands.

In one approach, encrypted electronic "certificates" could be issued that users would store in a small file on their computers. These certificates would confirm to the bank that the user is bona fide. In turn, a properly encrypted certificate would not respond to a Web site other than the one that issued it - protecting the user as well as the bank.

Banks also might ask customers to enter passwords on drop-down menus or "scrambled PIN pads," in which an on-screen display indicates letters that correspond to the numbers in the PIN. That code changes every time. Those techniques are designed to throw off Trojan horses and keystroke-logging programs that aim to steal passwords by registering everything a victim types. Web bank ING Direct, part of Holland's ING Groep NV, recently added a scrambled PIN pad to its site.

Another software-based approach is Bank of America's SiteKey service. The bank's Web page shows each user a personally chosen picture and caption at the beginning of each banking session, and asks randomly chosen "secret questions" that users have set up in advance.
However, even this kind of approach could be flawed unless many users are better educated about the constant arms race between Web sites and criminals. Social engineering, not technology, often is the real problem.

Richard M. Smith, an Internet security consultant behind ComputerBytesMan.com, says he expects phishers will send legitimate-seeming messages to dupe people into believing, for example, that their SiteKey picture had to be changed.

"I think people would still fall for this kind of trick," he said. "The key thing to remember is that phishers are very adaptable, and they will make changes to their operation when security technology is upgraded and becomes popular."

-=-

On the Net:

FDIC report on bank security: http://www.fdic.gov/consumers/consumer/idtheftstudysupp/index.html

From isn at c4i.org Mon Oct 31 07:25:54 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 31 07:36:37 2005
Subject: [ISN] Ex-employee alleged to have deleted township files
Message-ID:

http://www.starbeacon.com/?MC=NEWS&NID=1&AID=9477

By MARGIE TRAX PAGE
Staff Writer
mtrax @ starbeacon.com
10/30/2005

MADISON TOWNSHIP - The Madison Township Zoning Office is reeling after what Madison Township Police Chief Jerry Jenkins called "a malicious act by a township employee."

Trustees confirmed a former assistant in the clerk-treasurer's office was the employee who allegedly entered Madison Township zoning inspector Valerie Leitch's office in July and purposely deleted programs and files from a township computer.

Now considered an uncharged suspect in the case, the employee has resigned the position in the township office, without a reprimand.

"This is not an employee of the trustees; this was an employee of the clerk-treasurer. And it would have been up to (Linda Blankenship) to reprimand her or fire (the employee)," Trustee Paul Brunner said.

In her written statement given to the police July 21, the employee wrote: "I am so sorry for what I did. I have had so many issues going on in my life that I am so stressed out - not to mention the egos and the tension that exists on the administrative side of Madison Township."

The employee went on to say she erased five years of zoning files because Leitch "has never taken care of her computer system. She has had numerous virus(es). No matter what, apparently, she doesn't feel the need to update and back up her system."

As a way to punish Leitch, the employee decided to delete the files herself, police reports show.

Leitch said she was backing up her computer files as she was shown by the computer technician, but the system was not maintaining the files for an unknown reason.

Though five years' worth of files were lost, four years were recovered, and the fifth year was backed up with paper files and will need only to be re-entered into the computer database, Jenkins said.

Advey, Leitch, Brunner and Jenkins all said they are not sure whether an audit of the employee's files will be ordered, as that would be the decision of the clerk-treasurer.

The employee's duties included the management of payroll accounts, including her own payroll, and accounts payable, according to her job description.

From isn at c4i.org Mon Oct 31 07:26:08 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 31 07:37:10 2005
Subject: [ISN] Maui man admits to selling classified military secrets
Message-ID:

http://khon.com/khon/display.cfm?storyID=8430&sid=1152

Tina Shelton
October 27, 2005

The FBI says a Maui resident has admitted to selling classified military secrets to at least eight foreign countries. The case against the longtime stealth bomber engineer is expected to grow.

It's an investigation that's in its very early stages. They're not even saying which countries -- enemy or ally -- are involved.

He marketed himself as the father of the B-2's unique infrared suppressing propulsion system. That's what makes the stealth bomber able to hide from heat seeking missiles.
Sixty-one-year-old Noshir Gowadia, born in India, was a naturalized U.S. citizen who worked nearly 20 years at New Mexico's Los Alamos National Laboratory and for defense contractor Northrop Corporation. He retired to Maui having set up a consultant business, and began selling his expertise.

"The investigation has revealed that Gowadia over the last several years has marketed himself to foreign military entities and other foreign persons, and disclosed United States military technology secrets," says Charles Goodwin, FBI special agent in charge.

Gowadia's charged with faxing a document with details for developing infrared technology to a foreign official in an undisclosed country.

"The investigation has also revealed that he's been rewarded monetarily for his efforts," says Goodwin.

Agents say Gowadia confessed during questioning, saying "I disclosed classified information with the knowledge that information was classified...I knew it was wrong and I did it for the money."

The evidence against Gowadia was in his laptop and materials seized from him on Maui, and on court authorized wiretaps.

We reported last week that the FBI has dramatically cut drug cases in Hawaii, while increasing counter intelligence and counter terrorism efforts. That post 9/11 focus is obvious by this criminal complaint.

Gowadia's due in court on Friday, where a federal magistrate will decide whether he gets bail.

From isn at c4i.org Mon Oct 31 07:27:20 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 31 07:37:38 2005
Subject: [ISN] REVIEW: "Corporate Computer and Network Security", Raymond R. Panko
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKCPCNSC.RVW   20050614

"Corporate Computer and Network Security", Raymond R. Panko, 2004, 0-13-038471-2
%A   Raymond R. Panko pankosecurity.com
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2004
%G   0-13-038471-2
%I   Prentice Hall
%O   800-576-3800 +1-201-236-7139 fax: +1-201-236-7131
%O   http://www.amazon.com/exec/obidos/ASIN/0130384712/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0130384712/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0130384712/robsladesin03-20
%O   Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   522 p.
%T   "Corporate Computer and Network Security"

In the preface (for teachers), Panko states that this is a text for a security course. The book is said to be based on the CISSP (Certified Information Systems Security Professional) "exam," although there is a definite lack of material dealing with architecture, physical security, and security management.

Chapter one is a list of possible attacks and security problems. There are "Test Your Understanding" questions sprinkled throughout, but they are mostly on the level of fact-based reading checks. (One of the later examples asks "What is shoulder surfing?" immediately under a paragraph on shoulder surfing.) There is also a chapter "1a" with a collection of very terse "case studies" (one is only a sentence in length). Access control and a tiny mention of physical security is in chapter two. (As well as a very strange mention of wireless LANs: the author considers WLAN access to be a factor of site security.) There are odd and sometimes careless mistakes: "rters" is said to be four characters. The emphasis seems to be on minutiae rather than concepts. A lot of material is repeated: two separate paragraphs deal with piggybacking, only five paragraphs apart. The facts are generally correct, but the discussions are often misleading if not wrong: a confusing deliberation of what is probably false acceptance incorrectly refers to the situation as false rejection. Chapter three reviews the TCP/IP protocol suite.
(Again, the conceptual material is weak: Panko asserts that the real world uses an amalgam of the OSI [Open Systems Interconnection] and TCP/IP models, whereas the TCP/IP protocol suite is generally described with reference to the OSI model. Anyone who has actually used the OSI protocols knows why the rest of the world uses TCP/IP.) Network attacks are discussed in chapter four. (Oddly, in the midst of a list of net probing activities comes a mention of looking up corporate information on the Securities and Exchange Commission's EDGAR database.) There is also a rather limited section on malware. Chapter five looks at firewalls. Some generic advice on hardening hosts or desktop computers is given in chapter six. Chapters seven and eight contain miscellaneous references to cryptographic ideas or practices. Most of the discussion of application security, in chapter nine, is limited to Web and e-commerce problems. Chapter ten is a rather mixed bag of incident response, automated intrusion detection, and business continuity planning. Security should be managed, says chapter eleven, but it doesn't give an awful lot of help on how it can be done. Most of chapter twelve looks at computer related laws.

The book seems to be a very loosely structured compilation of points related to security. The lack of overall organization means that material is often disjointed and repetitive. As with anything, in the hands of a good teacher this could be used for a computer security course text. In the hands of one who followed the text closely, the course would be a bit ragged.

copyright Robert M. Slade, 2005   BKCPCNSC.RVW   20050614

======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@sun.soci.niu.edu
There's nothing so useless as doing efficiently that which should not be done at all.      - Peter F. Drucker
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade