From isn at c4i.org Mon Apr 3 04:24:26 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 3 Apr 2006 03:24:26 -0500 (CDT)
Subject: [ISN] Linux Advisory Watch - March 31st 2006

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  March 31st, 2006                             Volume 7, Number 14n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com  |
|                   Benjamin D. Thomas      ben at linuxsecurity.com   |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week advisories were released for firebird2, sendmail, evolution,
kpdf, flex, netpbm-free, file, man, db4, gok, gedit, epiphany,
gnome-power-manager, pyorbit, totem, libglade, gnome-icon-theme,
shared-mime-info, libxklavier, gstreamer, cpio, squirrelmail, glibc, mtr,
tix, xterm, perl, rpm, scim, mrtg, wpa, samba, bsd-games, mailman, and
freeradius. The distributors include Debian, Fedora, Gentoo, Mandriva,
Red Hat, and SuSE.

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward
providing an open source platform that is highly secure by default as
well as easy to administer. EnGarde Secure Linux includes a select group
of open source packages configured to provide maximum security for tasks
such as serving dynamic websites, high availability mail transport,
network intrusion detection, and more. The Community edition of EnGarde
Secure Linux is completely free and open source, and online security and
application updates are also freely available with GDSN registration.
http://www.engardelinux.org/modules/index/register.cgi

---

Linux Command Reference Manual: Linux File Formats
By: Suhas Desai

Linux File Formats

/etc/crontab
  The syntax of each line in this file is:
  minute, hour, day of month, month, day of week, (user name), command

/etc/fstab
  Columns are: device file to mount, directory to mount on, filesystem
  type, options, backup frequency, and fsck pass number (to specify the
  order in which filesystems should be checked on boot; 0 means no
  check). The noauto option stops this mount from being done
  automatically on boot.

/etc/hosts
  Sets up host address information for local use. The format is:
  IPaddress name1 name2.

/etc/inittab
  Sets the init configuration. An entry in the inittab file has the
  following format:
  id:runlevels:action:process

/etc/passwd
  The file has one line per username, and is divided into seven
  colon-delimited fields:
  1. Username.
  2. Password, in an encrypted form.
  3. Numeric user id.
  4. Numeric group id.
  5. Full name or other description of account. This is called gecos.
  6. The user's home directory.
  7. The user's login shell (program to run at login).

/usr/X11R6/lib/X11/XF86Config
  The main XFree86 configuration file.

Read Full Paper
http://www.linuxsecurity.com/images/stories/commandref.pdf

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.4 (Version 3.0, Release 4). This release includes several
bug fixes and feature enhancements to the Guardian Digital WebTool and
the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access beyond
that which is needed for proper system operations.
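The /etc/passwd layout described in the file formats reference above is easy to check mechanically. The Python script below is an added example (it is not from the newsletter or from the referenced reference manual): it parses passwd-format text into the seven colon-delimited fields and reports entries an administrator would want to review. The sample file is constructed, and treating "x", "*" and "!" in the password field as "shadowed or locked" is an assumption beyond the page's own description of that field.

```python
"""Audit a passwd-format file against the seven-field layout."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the /etc/passwd layout described above:
# name:password:uid:gid:gecos:home:shell. Not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
backup::1001:1001:Backup job:/var/backups:/bin/sh
toor:x:0:0:second superuser:/root:/bin/bash
legacy:$1$constructed$notarealhash0000000000:1002:1002:Legacy:/home/legacy:/bin/sh
broken:x:1003:Broken:/home/broken:/bin/sh
"""

# Assumption: these values mean "no usable password stored in this file"
# (the hash lives in the shadow file, or the account is locked).
SHADOWED_OR_LOCKED = ("x", "*", "!", "!!")


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> Tuple[List[PasswdEntry], List[str]]:
    """Split each line into the seven colon-delimited fields.

    Returns the parsed entries plus a list of format problems for lines
    that do not fit the layout (wrong field count, non-numeric ids).
    """
    entries: List[PasswdEntry] = []
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            problems.append(f"line {lineno}: uid/gid must be numeric")
            continue
        entries.append(PasswdEntry(fields[0], fields[1], uid, gid,
                                   fields[4], fields[5], fields[6]))
    return entries, problems


def audit_entries(entries: List[PasswdEntry]) -> List[Tuple[str, str]]:
    """Return (username, issue) pairs for entries worth reviewing.

    Checks: an empty password field (login without a password), a hash
    kept in the world-readable passwd file instead of the shadow file,
    and any uid 0 account other than root (a second superuser).
    """
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.passwd == "":
            findings.append((e.name, "empty-password"))
        elif e.passwd not in SHADOWED_OR_LOCKED and not e.passwd.startswith(("!", "*")):
            findings.append((e.name, "hash-in-passwd"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "extra-uid-0"))
    return findings


def audit_text(text: str) -> Dict[str, list]:
    """Parse and audit passwd-format text in one call."""
    entries, problems = parse_passwd(text)
    return {"problems": problems, "findings": audit_entries(entries)}


if __name__ == "__main__":
    report = audit_text(SAMPLE_PASSWD)
    for problem in report["problems"]:
        print("FORMAT ", problem)
    for name, issue in report["findings"]:
        print("FINDING", name, issue)
```

Run it against a real file with `audit_text(open("/etc/passwd").read())`; on a correctly shadowed system the findings list should be empty.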
A full explanation of unix file permissions is beyond the scope of this
article, so I'll assume you are familiar with the usage of such tools as
chmod, chown, and chgrp. If you'd like a refresher, one is available
right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more
data in a temporary data storage area than it was intended to hold.
Since buffers are created to contain a finite amount of data, the extra
information can overflow into adjacent buffers, corrupting or
overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New firebird2 packages fix denial of service
  23rd, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122058

* Debian: New sendmail packages fix arbitrary code execution
  23rd, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122059

* Debian: New evolution packages fix arbitrary code execution
  23rd, March, 2006

Ulf Härnhammar discovered several format string vulnerabilities in
Evolution, a free groupware suite, that could lead to crashes of the
application or the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/122065

* Debian: New Linux kernel 2.6.8 packages fix several vulnerabilities
  23rd, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122073

* Debian: New kpdf packages fix several vulnerabilities
  24th, March, 2006

Derek Noonburg has fixed several potential vulnerabilities in xpdf, the
Portable Document Format (PDF) suite, which is also present in koffice,
the KDE Office Suite.
http://www.linuxsecurity.com/content/view/122078

* Debian: New Linux kernel 2.4.27 packages fix several vulnerabilities
  24th, March, 2006

Several local and remote vulnerabilities have been discovered in the
Linux kernel that may lead to a denial of service or the execution of
arbitrary code.

http://www.linuxsecurity.com/content/view/122079

* Debian: New flex packages fix insecure code generation
  27th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122126

* Debian: New netpbm-free packages fix arbitrary command execution
  28th, March, 2006

Max Vozeler from the Debian Audit Project discovered that pstopnm, a
converter from Postscript to the PBM, PGM and PNM formats, launches
Ghostscript in an insecure manner, which might lead to the execution of
arbitrary shell commands when converting specially crafted Postscript
files.

http://www.linuxsecurity.com/content/view/122131

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 5 Update: file-4.17-2.fc5
  23rd, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122071

* Fedora Core 5 Update: man-1.6c-2.fc5
  24th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122089

* Fedora Core 5 Update: db4-4.3.29-3.fc5
  24th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122090

* Fedora Core 5 Update: gok-1.0.7-1
  24th, March, 2006

A new gok package has been built that fixes several bugs, and adds
support for the zh_HK language.

http://www.linuxsecurity.com/content/view/122091

* Fedora Core 5 Update: gedit-2.14.1-1
  24th, March, 2006

A new version of the gedit package has been built that fixes a problem
with tab drag-and-drop when multiple gedit windows are open.
http://www.linuxsecurity.com/content/view/122092

* Fedora Core 5 Update: epiphany-2.14.0-1
  24th, March, 2006

A new epiphany package has been built that brings the epiphany version
in Fedora Core 5 in sync with the version that's shipped with Gnome 2.14.

http://www.linuxsecurity.com/content/view/122093

* Fedora Core 5 Update: evolution-connector-2.6.0-1
  24th, March, 2006

A new evolution-connector package has been built that brings the version
in Fedora Core 5 in sync with the version that's shipped with Gnome 2.14.

http://www.linuxsecurity.com/content/view/122094

* Fedora Core 5 Update: evolution-data-server-1.6.0-1
  24th, March, 2006

A new evolution-data-server package has been built that brings the
version in Fedora Core 5 in sync with the version that's shipped with
Gnome 2.14.

http://www.linuxsecurity.com/content/view/122095

* Fedora Core 5 Update: gnome-power-manager-2.14.0-1
  24th, March, 2006

A new gnome-power-manager package has been built that brings the version
in Fedora Core 5 in sync with the version that was released for Gnome
2.14.

http://www.linuxsecurity.com/content/view/122096

* Fedora Core 5 Update: pyorbit-2.14.0-1
  24th, March, 2006

A new pyorbit package has been built that brings the version in Fedora
Core 5 in sync with the version that's shipped with Gnome 2.14.

http://www.linuxsecurity.com/content/view/122097

* Fedora Core 5 Update: totem-1.4.0-2
  24th, March, 2006

A new totem package has been built that brings the version in Fedora
Core 5 in sync with the version that's shipped with Gnome 2.14.

http://www.linuxsecurity.com/content/view/122098

* Fedora Core 5 Update: libglade2-2.5.1-4.fc5.1
  24th, March, 2006

A new libglade package has been released that fixes a problem when
setting the "invisible" character (in password entries) to a non-ASCII
character.
http://www.linuxsecurity.com/content/view/122099

* Fedora Core 5 Update: gnome-icon-theme-2.14.2-1.fc5.1
  24th, March, 2006

An updated gnome-icon-theme package fixes a problem where files with
mimetype application/xml would not get the right icon.

http://www.linuxsecurity.com/content/view/122100

* Fedora Core 5 Update: shared-mime-info-0.17-1.fc5.1
  24th, March, 2006

A new version of the shared-mime-info package has been released that
fixes several bugs.

http://www.linuxsecurity.com/content/view/122101

* Fedora Core 5 Update: libxklavier-2.2-1
  24th, March, 2006

A new libxklavier package has been built that brings the version in
Fedora Core 5 in sync with the version that shipped with Gnome 2.14.

http://www.linuxsecurity.com/content/view/122102

* Fedora Core 5 Update: gnome-vfs2-2.14.0-2
  24th, March, 2006

A new version of the gnome-vfs2 package fixes a packaging error.

http://www.linuxsecurity.com/content/view/122103

* Fedora Core 5 Update: gstreamer-plugins-base-0.10.5-1
  24th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122104

* Fedora Core 5 Update: gstreamer-0.10.4-1
  24th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122105

* Fedora Core 5 Update: cpio-2.6-15.FC5
  27th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122113

* Fedora Core 4 Update: squirrelmail-1.4.6-4.fc4
  27th, March, 2006

This update fixes Bug #185767 where we broke Japanese mail sending in
our previous update. (I would really appreciate it if Chinese and Korean
users would test this and report if it works properly for incoming and
outgoing mail.)

http://www.linuxsecurity.com/content/view/122114

* Fedora Core 5 Update: squirrelmail-1.4.6-4.fc5
  27th, March, 2006

This update fixes Bug #185767 where we broke Japanese mail sending in
our previous update. (I would really appreciate it if Chinese and Korean
users would test this and report if it works properly for incoming and
outgoing mail.)
http://www.linuxsecurity.com/content/view/122115

* Fedora Core 4 Update: glibc-2.3.6-3
  27th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122116

* Fedora Core 5 Update: mtr-0.71-0.FC5.1
  27th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122117

* Fedora Core 4 Update: mtr-0.71-0.FC4.1
  27th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122118

* Fedora Core 5 Update: tix-8.4.0-4
  27th, March, 2006

The tix-8.4.0-3.1 package that shipped with Fedora Core 5 had
libTix8.4.so in the wrong directory. The tix-8.4.0-4 package corrects
this problem. The 'package require Tix' command now works as it should.

http://www.linuxsecurity.com/content/view/122119

* Fedora Core 5 Update: xterm-211-1.FC5
  27th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122121

* Fedora Core 4 Update: perl-5.8.6-24
  27th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122122

* Fedora Core 4 Update: kernel-2.6.16-1.2069_FC4
  30th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122170

* Fedora Core 4 Update: rpm-4.4.1-23
  30th, March, 2006

This update fixes an issue with a double free experienced in
verification with matchpathcon.

http://www.linuxsecurity.com/content/view/122171

* Fedora Core 5 Update: scim-hangul-0.2.2-1.fc5
  30th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122172

* Fedora Core 5 Update: scim-anthy-1.0.0-1.fc5
  30th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122173

* Fedora Core 5 Update: mrtg-2.13.2-0.fc5.1
  30th, March, 2006

Fixes the RouterUptime option.

http://www.linuxsecurity.com/content/view/122174

* Fedora Core 5 Update: wpa_supplicant-0.4.8-6.fc5
  30th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122175

* Fedora Core 5 Update: samba-3.0.22-1.fc5
  30th, March, 2006

Updated package.
http://www.linuxsecurity.com/content/view/122176

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: NetHack, Slash'EM, Falcon's Eye Local privilege escalation
  23rd, March, 2006

NetHack, Slash'EM and Falcon's Eye are vulnerable to local privilege
escalation vulnerabilities that could potentially allow the execution of
arbitrary code as other users.

http://www.linuxsecurity.com/content/view/122072

* Gentoo: RealPlayer Buffer overflow vulnerability
  26th, March, 2006

RealPlayer is vulnerable to a buffer overflow that could lead to remote
execution of arbitrary code.

http://www.linuxsecurity.com/content/view/122106

* Gentoo: OpenOffice.org Heap overflow in included libcurl
  27th, March, 2006

OpenOffice.org contains a vulnerable version of libcurl that may cause a
heap overflow when parsing URLs.

http://www.linuxsecurity.com/content/view/122124

* Gentoo: bsd-games Local privilege escalation in tetris-bsd
  29th, March, 2006

tetris-bsd is prone to local privilege escalation vulnerabilities.

http://www.linuxsecurity.com/content/view/122159

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated FreeRADIUS packages fix EAP-MSCHAPv2 module
  vulnerability
  24th, March, 2006

An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows
remote attackers to bypass authentication or cause a denial of service
(server crash) via "Insufficient input validation" in the EAP-MSCHAPv2
state machine module. Updated packages have been patched to correct this
issue.

http://www.linuxsecurity.com/content/view/122077

* Mandriva: Updated mailman packages fix DoS from badly formed mime
  multipart messages.
  29th, March, 2006

Scrubber.py, in Mailman 2.1.5 and earlier, when using email 2.5 (part of
Python), is susceptible to a DoS (mailman service stops delivering for
the list in question) if it encounters a badly formed mime multipart
message with only one part and that part has two blank lines between the
first boundary and the end boundary.

http://www.linuxsecurity.com/content/view/122161

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Critical: RealPlayer security update
  23rd, March, 2006

An updated RealPlayer package that fixes a buffer overflow bug is now
available for Red Hat Enterprise Linux Extras 3 and 4. This update has
been rated as having critical security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/122057

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: RealPlayer security problems
  23rd, March, 2006

This update fixes the following security problems in Realplayer:
CVE-2006-0323, CVE-2005-2922.

http://www.linuxsecurity.com/content/view/122060

* SuSE: freeradius authentication bypass
  28th, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122127

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

    To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Apr 3 04:24:48 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 3 Apr 2006 03:24:48 -0500 (CDT)
Subject: [ISN] Daughter: DIA security roughed-up mom, 83

http://www.rockymountainnews.com/drmn/local/article/0,1299,DRMN_15_4585114,00.html

By Chris Barge
Rocky Mountain News
March 31, 2006

Sally Moon had to cool off for the better part of this week before she
could see straight enough to write a complaint about a security agent's
treatment of her elderly mother at Denver International Airport.

At first, she couldn't settle on the right words to use. "Horrific,"
"mind-boggling" and "outrageous" were a few that came to mind.

Anyone could see that Bernice "Bea" Bogart, 83, was a fragile woman,
Moon said. Bogart had breast cancer surgery in 1997, a total hip
replacement after a fall in 1999, a major stroke in 2004 that caused
dementia, and is hard of hearing.

So when Bogart, who was in a wheelchair, was required by airport
security on Saturday to stand against doctor's orders and undergo a
rigorous screening by a testy female screener, Moon got furious.

"I don't know if she thought my mom had a bomb in her Depends or what,"
Moon said.

A Transportation Security Administration spokeswoman said Thursday that
a high level of professionalism and courtesy is expected from its
screeners and Moon's complaint is being looked into.

But Moon doubts anyone will be held accountable.

This week, she sat at her computer in Colorado Springs and e-mailed the
TSA's Office of Civil Rights.

"Although I imagine this complaint will go straight to the trash and the
agent responsible will face no consequences and receive no reprimand, I
could not sleep until I at least voiced my outrage," she began.

Moon said that at about 6 p.m.
Saturday, she and her sister were walking alongside their mother, who
was in a wheelchair being pushed by a Frontier Airlines employee to a
special screening area at the head of DIA's Concourse A.

Just before reaching security, Moon's sister, who did not have gate
clearance, was asked to sit in a chair away from the screening area
while Moon and their mother proceeded.

Bogart was holding an orthopedic card saying that she had a metal plate
in her hip. Having been assured that Frontier and the TSA staff would
not require Bogart to leave her wheelchair, Moon turned her back to put
her mother's bags through the X-ray screener.

Moon said she was horrified when she turned around moments later to
discover that her mother had been selected for additional screening and
was out of her wheelchair and hobbling through a large glass-walled
corridor.

"There were no grab bars," Moon said. "What I could see really was her
fingers trying to hang onto a little ledge."

Fearing another hip-shattering fall, Moon instinctively reached out for
her mother.

"Don't touch her!" Moon says the screener barked.

As the elderly woman shuffled along, Moon said she continued to tell the
screener that her mother was not to stand without her four-wheeled
walker.

"You'd better change your attitude," Moon recalls the screener saying.
"Or do you want me to make it so you don't fly today?"

The screener allowed Bogart to sit down for a moment and then instructed
her to stand up and lift her arms, Moon said. Bogart could barely raise
her arms due to the breast cancer surgery and so the screener lifted
them higher herself, Moon said.

Infuriated, Moon protested and said she was told to sit across the room
"or else."

"I know she prolonged her search because she was mad at me," Moon said.

Bogart had been nervous about flying alone for the first time since her
husband's death last year. She sat back down in the wheelchair after the
screening in shocked silence, her daughter said.
Two hours later, Bogart was in the air, en route to Nashville, Tenn., to
visit her youngest daughter for a month.

Moon marched back to security to give management a piece of her mind.
She demanded the name of the young screener in her mid-to-late 20s with
darkish hair pulled back in a bun.

A TSA manager refused to give her the screener's name, Moon said, and
suggested she file a general complaint.

Several days later, Moon did just that.

"If you've read this far, I'm surprised," she wrote in closing. "But if
you have, you can now toss this letter, send me one of those form
letters indicating you take these kinds of complaints 'very seriously'
and are going to investigate the matter, blah blah blah, and get back to
more important activities."

Moon can expect a response from the TSA's Office of Civil Rights, Denver
TSA spokeswoman Carrie Harmon said.

"When we receive complaints, we take them very seriously, we investigate
them and we address any personnel issues as appropriate," Harmon said.

Reached at her youngest daughter's home in Nashville on Thursday, Bogart
said she didn't want to get anyone in trouble and emphasized "they were
all kind except for that one girl. I thought she was a little harsh."

"I thought it was a little much," she added. "She wouldn't let my
daughter help me. And I have a hard time standing very long at a time at
all."

DIA spokesman Chuck Cannon expressed surprise at Bogart's tale, but said
ultimately the airport has no authority to regulate the TSA, which is a
federal agency.

"I honestly don't know why they would have made a woman in that
condition get up and walk through secondary screening," he said. "I'm
sure it's all a misunderstanding, but we hate for those things to happen
and we wish they wouldn't happen."
From isn at c4i.org Mon Apr 3 04:25:04 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 3 Apr 2006 03:25:04 -0500 (CDT)
Subject: [ISN] New generation of IE malware now circulating

http://www.networkworld.com/news/2006/033106-ie-malware.html

By Robert McMillan
IDG News Service
03/31/06

Hackers have posted a new version of malicious software that will make
it easier for them to exploit an unpatched vulnerability in Microsoft's
Internet Explorer (IE) browser.

Based on a critical bug disclosed on March 22, the software was posted
by hackers Friday to the Milw0rm.com Web site. The code exploits a flaw
in the way IE processes Web pages using the createTextRange() method.

Hackers have been using malware that takes advantage of this
vulnerability to install unauthorized software on victims' computers
over the past week, but this new generation is considered to be more
dangerous, according to security researchers.

Older versions of the malware could freeze victims' browsers for more
than a minute, giving them an opportunity to shut down their computers
or stop the malicious software before it could complete its work. But
the new software works more quickly, meaning it will be particularly
effective on older machines with limited memory and processing
capabilities, said Craig Schmugar, researcher with McAfee Avert Labs.

Though hackers had not widely adopted the new software as of Friday
morning, Schmugar said he expected that to change. "It's still pretty
early," he said. "I think it's reasonable to expect that people will
shift."

The software also uses new techniques to avoid certain types of
signatures used by anti-virus vendors, said Aviv Raff, a security
researcher based in Israel. "It's much more effective," he said. "I
think people should know and understand that ... now they are more
vulnerable."
The fact that the code was released just before the weekend is also
worrisome, because it means that "administrators have to wait for Monday
to apply their protections and to give warning to users," said
Juha-Matti Laurio, a security researcher in Helsinki.

With a fix for the problem expected as late as April 11, the date of
Microsoft's next scheduled security update, security companies Determina
and eEye Digital Security issued unsupported patches for the problem.
According to eEye, there have been more than 70,000 downloads of its
software since its Monday release.

Microsoft does not recommend that users install these patches. Instead,
it recommends that users disable IE's Active Scripting feature as a
work-around.

Despite the severity of the TextRange() bug, McAfee says that the
malware that takes advantage of it is not particularly widespread. This
software at present ranks No. 13 in McAfee's list of the top 20 pieces
of malware being reported, Schmugar said.

From isn at c4i.org Mon Apr 3 04:25:29 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 3 Apr 2006 03:25:29 -0500 (CDT)
Subject: [ISN] Call For Papers - The 6th Annual Digital Forensic Research Workshop

Forwarded from: dfrws2006 (at) dfrws (dot) org

Call for Papers

The 6th Annual Digital Forensic Research Workshop (DFRWS 2006)
August 14-16, 2006
Purdue University
Lafayette, Indiana, USA

www.dfrws.org
dfrws2006 (at) dfrws (dot) org

The purpose of this workshop is to bring together researchers,
practitioners, and educators interested in digital forensics. We
welcome the participation of people in industry, government, law
enforcement, and academia who are interested in advancing the state of
the art in digital forensics by sharing their results, knowledge, and
experiences. The accepted papers will be published in printed
proceedings.

Topics of Interest

We are looking for research papers, demo proposals, and panel
proposals.
Major areas of interest include, but are not limited to, the following
topics:

- Incident response and live analysis
- OS and application analysis
- Multimedia analysis
- File system analysis
- Memory analysis
- Network analysis
- Data hiding and recovery
- Event reconstruction
- Large-scale investigations
- Data mining techniques
- Automated searching
- Tool testing and development
- Digital evidence storage formats
- Digital evidence and the law
- Traceback and attribution
- Physical media analysis
- Case studies and trend reports
- Non-traditional approaches to forensic analysis

Important Dates

Papers, demo, and panels submission deadline: April 21, 2006
Author notification: May 21, 2006
Camera-ready copies due: June 21, 2006
Workshop dates: August 14-16, 2006

Submission

Papers must be written in English and should not be longer than 10
single spaced, double column pages. All papers should illustrate the
applicability of their work to practical issues. Papers must not
significantly duplicate work that has been presented or published
elsewhere. The papers will be published in printed proceedings.

The DFRWS 2006 review process will be "double-blind" (the reviewers will
not know who the authors are and the authors will not know who the
reviewers are). Therefore, the version submitted for review should not
contain the names or affiliations of the authors. When referring to
one's previous work, the writing should be in the third person instead
of the first person (i.e. "Smith and Jones [2] previously determined..."
instead of "We [2] previously determined..."). Accepted papers will
obviously contain the names and affiliations of authors.

Panel proposals should be one to three pages and clearly describe the
topic, its relevance and a list of potential panelists and their
biographies.

Proposals for demonstrations of proof of concept and research-based
tools are welcome.
Proposals should describe the tool, its relevance to one of the topics
listed above, and space/equipment needs (e.g., power, networking, etc.)

Paper submissions must be in PDF format. Panel and demo proposals can be
in either plain text or PDF.

Documents can be submitted via the EDAS system at:

http://edas.info/index.php

Once you are logged in, select the DFRWS 2006 conference to submit your
paper. If you do not already have an account with EDAS you can register
at:

http://www.edas.info/Conferences.cgi

A direct link to the EDAS submission website for DFRWS 2006 is here:

http://www.edas.info/home.cgi?c=4771

Organizing Committee

Frank Adelstein (ATC-NY)
David Baker (MITRE)
Brian Carrier (Basis Technology)
Eoghan Casey (Stroz Friedberg)
Dan Kalil (Air Force Research Lab, Assured Information Security)
Chet Maciag (Air Force Research Lab)
Daryl Pfeif (Digital Forensics Solutions)
Golden G. Richard, III (University of New Orleans)
Marcus Rogers (Purdue University)
Vassil Roussev (University of New Orleans)
Todd Shipley (SEARCH)
Wietse Venema (IBM)

Program Committee

Cory Altheide (Google)
Tom Bacon (Southern Oregon University)
Nicole Beebe (University of Texas at San Antonio)
Florian Buchholz (James Madison University)
R. Chandramouli (Stevens Institute of Technology)
Olivier De Vel (Australian Department of Defence)
Tom Daniels (Iowa State University)
Dave Dittrich (University of Washington)
Derick Donnelly (Black Bag Technologies)
Heather Dussault (State University of New York Institute of Technology)
Knut Eckstein (NATO)
Dario Forte (DFLabs Italy)
Yun Gao (University of New Orleans)
Simson Garfinkel (Harvard University)
Yong Guan (Iowa State University)
Warren Harrison (Portland State University)
Chet Hosmer (WetStone Technologies)
Erin Kenneally (San Diego Supercomputer Center)
Jesse Kornblum (ManTech CFIA)
Michael Losavio (University of Louisville)
James Lyle (NIST)
Nasir Memon (Polytechnic University)
Srinivas Mukkamala (New Mexico Tech)
Judie Mulholland (Florida State University)
Gilbert Peterson (Air Force Institute of Technology)
Steve Romig (Ohio State University)
Kulesh Shanmugasundaram (Polytechnic University)
K.P. Subbalakshmi (Stevens Institute of Technology)
Duminda Wijesekera (George Mason University)

From isn at c4i.org Tue Apr 4 03:02:20 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:02:20 -0500 (CDT)
Subject: [ISN] Payment processor fears credit card crooks

http://news.com.com/Payment+processor+fears+credit+card+crooks/2100-7349_3-6057305.html

By Joris Evers
Staff Writer, CNET News.com
April 3, 2006

A major online payment provider said Monday that its processing service
had been used in an attempt to charge money to stolen credit and debit
cards.

Several Web hosting companies that use the Authorize.Net service to
accept credit cards online saw a sudden spike in transactions over the
weekend. The transactions, most for $500 and $700, were billed to Visa,
MasterCard and American Express cards that belong to people across the
U.S., representatives for three Web hosts told CNET News.com.
"These hackers got their hands on high quality data, and they used
merchants of ours to run that data through the merchant's Web site,
which goes through our platform," said David Schwartz, a spokesman for
Authorize.Net in American Fork, Utah. The company says more than 130,000
merchants use its online payment service.

The Web hosting companies discovered the unusual charges through e-mail
alerts that Authorize.Net sends after each transaction. Close to 3,000
suspicious transactions were pushed through the merchant accounts of
three companies with which CNET News.com spoke, and more likely happened
at other Web hosts, these three companies said.

Unclear, however, is where the weakness in the transaction chain is,
whether it was at the level of the payment processor or the Web hosts.
Also unclear is where the culprits obtained the card information they
used in the transaction attempts.

On Sunday morning, in about an hour-and-a-half time period, fraudsters
ran close to 1,500 transactions through the Authorize.Net account of
Defender Technologies Group, a Web host in Ashburn, Va., said Tom
Kiblin, the company's CEO. "It was just under $1 million that got put
through on our account," he said. Kiblin says he has reported the matter
to the U.S. Secret Service.

Lance Conway, president of Viper Logic in Palm Springs, Calif., and Lisa
Willman, billing manager at Vortech in Orlando, Fla., have similar
stories. Viper's account was used on Friday to charge $700 to almost 800
cards, Conway said. At Vortech, that same amount was billed on Friday to
about 400 cards, Willman said.

In all cases, the information that was put through the system included a
card number, expiration date, name and address, representatives for the
Web hosts said.

The episode is another example of credit card and debit card insecurity.
Recently, a crime spree forced banks across the nation to replace
hundreds of thousands of debit cards.
Last year a cyber break-in at a payment processor exposed names, account numbers and verification codes for 40 million credit cards. The three Web hosting companies have all voided the fraudulent transactions, which took up significant time, the company representatives said. Nevertheless, some consumers noticed that their banks had put holds on their credit cards or even charged their debit cards, and they called the Web hosting companies for clarification. "We try to explain to them: 'No we're not thieves, we're not stealing your money, your credit card information was stolen,'" said Kiblin. His company, Defender Technologies, has fielded calls from about 100 cardholders, he added. Conway at Viper Logic received about 30 calls over the weekend, and his phone was ringing often on Monday as well, he said. "What a nightmare. We're just a small company; there are only eight of us here." Though the attackers already had control over a database of credit card numbers, Authorize.Net and the Web hosting companies are pointing fingers as to who is to blame for allowing the mass charges to the accounts. The Web hosts say there are no traces of transactions on their servers, so fraudsters must have accessed Authorize.Net directly. But Authorize.Net denies any blame. "Authorize.Net did not suffer from any sort of security breach whatsoever," Schwartz said. "If someone commits fraud in a physical store using a stolen credit card, the merchant would never hold the manufacturer of the card-swipe terminal accountable for that fraud. In the e-commerce world, a payment gateway is the equivalent." The Web hosting companies may have left open a door to the payment processing service, possibly through their online shopping carts, Schwartz speculated. Opinions also differ on why someone would want to send large amounts of money into the accounts of the Web hosts. "It looks like somebody was fishing with a credit card list, trying to validate credit cards," said Kiblin. 
"The goal for these guys, if a card is valid, they go off and start buying stuff. All these guys that got hit are going to see other charges."

But for that to be true, the transaction amounts are too high, Schwartz said. "Usually, when hackers try to validate whether a card is good or not, they will do an authorization attempt for a dime. If it goes through, they know they have got a good card number, and when it is rejected it is going to reject whether it is a dime or $700," he said.

Avivah Litan, an analyst with Gartner, agreed. She suspects the culprits had figured out the Authorize.Net system and intended for the money to go into the merchant account only to siphon it out later. But they were tripped up by the e-mail notifications Authorize.Net sends to its users.

"It was on a weekend; they always do this stuff on weekends, when no one is around watching these systems. If there were no e-mail alerts, the money would have gone into the merchant account and they would have redirected it into their account and no one would have known," Litan said. "They got caught with their pants down."

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Tue Apr 4 03:02:32 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:02:32 -0500 (CDT)
Subject: [ISN] Policeman Charged With Cyberstalking
Message-ID:

http://www.wral.com/apstrangenews/8449104/detail.html

April 3, 2006

HAUPPAUGE, N.Y. -- A police officer named Valentine has been charged with hacking into the e-mail account of a woman he met through an online dating service and posing as her in messages sent to himself and to other men. Officer Michael Valentine, 28, met the woman on Match.com last November and dated her for about six weeks before she broke up with him, Suffolk County District Attorney Thomas Spota said in a news release. Valentine is accused of reading her e-mail, changing her Match.com profile and sending e-mails using her name.
He went into her account and, posing as her, sent himself an e-mail threatening that her friends would "come out of the bushes with a baseball bat and beat your brains in," prosecutors said. He also sent Match.com messages to 70 men on the dating service to falsely indicate she was romantically interested in them, Spota said. At least twice men showed up at the woman's house to take her out on a date because they were under the mistaken impression she wanted to go out with them, Spota said. Valentine pleaded not guilty. His lawyer, Paul Gianelli, said he planned to "vigorously defend" his client. "It certainly comes as a shock to my client to be charged with a crime," Gianelli said. Spota said computer crimes detectives determined that Valentine used a number of computers, including one that belonged to the Suffolk County Police Department. Valentine, who joined the police force in 2002, was arraigned Monday on a 197-count indictment that included charges of stalking, computer trespassing, official misconduct and tampering with evidence. He was released on his own recognizance and was scheduled to return to court on April 20. He has been suspended from his job without pay. Copyright 2005 by The Associated Press. From isn at c4i.org Tue Apr 4 03:01:51 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 4 Apr 2006 02:01:51 -0500 (CDT) Subject: [ISN] Yahoo: We need effective cybercrime laws Message-ID: http://news.zdnet.com/2100-1009_22-6056523.html By Tom Espiner ZDNet (UK) ZDNet News March 31, 2006 Yahoo has called for "effective" legislation, combined with industry self-regulation, to deal with online fraud, child abuse and other cybercrime. The Internet services giant appealed on Thursday for policymakers to concentrate on defining illegal use of technology, rather than focus on how an action breaks the law. "Effective policy defines what is legal and what is illegal. 
If legislation is concerned with how an action is illegal, it creates rigidity, and means the legislation won't keep up with the technology," Robin Pembrooke, the director of product operations for Yahoo Europe, told ZDNet UK.

The lack of global legislation adds to the complexity of the situation, Pembrooke added. "It's not realistic to have global legislation, but we do need international consistency," he said. "One example is 'child abuse' content, which has a different definition in the U.S. than in the U.K."

Pembrooke advocated a combination of legislation and self-regulation of Internet businesses in order to combat cybercrime. "There are some really good examples of where the industry has come together. The Internet Watch Foundation is funded by industry, and without legislation, this approach has achieved fantastic things in the last five years," Pembrooke said.

Worldwide cooperation

An Interpol officer agreed with Pembrooke's remarks, and called for a global legislative structure to make international evidence transfer easier, and international response times quicker. "(Pembrooke) is completely right, we shouldn't overlegislate," said Bernhard Otupal, a crime intelligence officer at the Financial and High Tech Crime Sub-Directorate of Interpol. "In the EU, there are so many different regulations covering different technologies. What we need is real international legislation and a global legislative framework."

"There must be a self-regulatory process for the big players, with internal rules, as that is efficient. However, self-regulation is not enough--you need both legislation and self regulation," Otupal said.

Yahoo said that over-legislation is incompatible with the needs of its customers, which needed to be balanced with the needs of governments. "We find users want freedom of expression, privacy and ease of use. We have to balance that with the needs of governments looking for increasing access to data," Pembrooke said.
Last year, Yahoo was accused of passing data to the Chinese government that led to the arrest and imprisonment of two Chinese Internet users, including a journalist who was sentenced to 10 years in prison. Saying Yahoo felt "horrible" about the political arrests of Internet users in China, Pembrooke underlined that the Web company believes it's better to be there and cooperate with the authorities than not be there. "By cooperating with the authorities, we can improve people's lives. By giving them access to the Internet, this raises awareness in differences in government approaches, and increase forces for change," he said. "Our challenge is we have to work inside the laws of the countries we operate in," Pembrooke said.

Tom Espiner of ZDNet UK reported from London.

From isn at c4i.org Tue Apr 4 03:02:03 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:02:03 -0500 (CDT)
Subject: [ISN] Nuke plant gets new locks after keys lost
Message-ID:

http://news.scotsman.com/latest.cfm?id=513752006

Reuters
3 Apr 2006

BERLIN (Reuters) - German authorities are changing 150 locks at a nuclear power plant after its owner said they had lost keys to a security area, a ministry spokesman in the south western state of Baden-Wuerttemberg said on Monday. Plant operator EnBW said that in spite of intensive searches and questioning it had not been able to recover 12 keys for its Philippsburg plant after discovering they were lost in March. The environment ministry said EnBW informed it the keys were missing and the operator had put extra safety measures in place to control access to the secure area. "This has never happened anywhere in Germany before," the ministry spokesman said. "The keys have simply disappeared." Prosecutors have launched an investigation for theft.
From isn at c4i.org Tue Apr 4 03:02:46 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 4 Apr 2006 02:02:46 -0500 (CDT) Subject: [ISN] A Pretty Good Way to Foil the NSA Message-ID: http://www.wired.com/news/technology/0,70524-0.html By Ryan Singel Apr, 03, 2006 How easy is it for the average internet user to make a phone call secure enough to frustrate the NSA's extrajudicial surveillance program? Wired News took Phil Zimmermann's newest encryption software, Zfone, for a test drive and found it's actually quite easy, even if the program is still in beta. Zimmermann, the man who released the PGP e-mail encryption program to the world in 1991 -- only to face an abortive criminal prosecution from the government -- has been trying for 10 years to give the world easy-to-use software to cloak internet phone calls. On March 14, Zimmermann released a beta version of the widely anticipated Zfone. The software is currently available only for OS X (Tiger) and Linux, though a Windows version is due in April. The open-source software manages cryptographic handshakes invisibly, and encrypts and decrypts voice calls as the traffic leaves and enters the computer. Operation is simple, and users don't have to agree in advance on an encryption key or type out long passcodes to make it work. Would-be beta testers must provide Zimmermann with an e-mail address. That seems an odd requirement for a privacy product, but the process itself was painless, and an e-mail with a download code arrived immediately. In our test, Zfone installed easily and quickly on OS X, though there were some mild hitches in actually getting it to work. Zfone is designed to work with VoIP clients that use the industry standard SIP protocol, and has been tested with clients such as X-lite, Free World Dialup and Gizmo Project. Following Zfone's instructions, Wired News was able to fairly quickly configure Gizmo Project to work with the software. But initial efforts to make phone calls with the system failed. 
Eventually, a little trial and error revealed that Zfone needed to be started before Gizmo Project, and that to see if a secure connection has been created, both Gizmo and Zfone's interface needed to be visible on the desktop. Once that happens, and the caller on the other end also has Zfone installed, the interface cleanly indicates that the call is secure.

It also displays two different three-character codes. One party reads his code, e.g. "CF8," while the other says hers, "TKP." This bit of cloak-and-dagger isn't just fun, it helps prevent what is known as a man-in-the-middle attack, in which an eavesdropper sits between two callers, intercepting their cryptographic keys and then relaying the communications between them. If someone tries that with Zfone, the spoken codes won't match what the callers see on their screens.

Using Zfone didn't add any noticeable latency or distortion to calls made with Gizmo Project. Once it's up and running, you're simply talking on the phone. But make no mistake: to eavesdroppers, Zfone is anything but routine.

The protocol is based on SRTP, a system that uses the 256-bit AES cipher and adds to that a 3,000-bit key exchange that produces the codes callers can read off to one another. It has been submitted to IETF for approval as an internet standard, and by most accounts is strong enough to defy even the most sophisticated code-breaking technologies, from a hacker's packet sniffer to the acres of computers beneath Ft. Meade. That makes Zfone the "most secure telephone system anyone has ever used," according to PGP Corporation's CTO Jon Callas, who worked with Zimmermann on the protocol.

Of course, security is nice, but the value of an end-to-end crypto system is partially a function of its popularity. If you're the only one using the system, there's nobody to talk to. The Gizmo Project ostensibly uses its own encryption for Gizmo-to-Gizmo calls, though the company won't reveal what algorithms they use.
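The spoken-code check the article describes above, worked through as an added example. This is illustration code written for this digest, not Zfone's or ZRTP's own implementation: it assumes a constructed toy Diffie-Hellman group (a 127-bit Mersenne prime with base 5, far smaller than the 3,000-bit exchange the article mentions), assumes the code is derived by hashing both public values together with the shared secret, and assumes a standard base32 alphabet for the three spoken symbols. The names `direct_call` and `intercepted_call` are hypothetical. The point it demonstrates is why the codes stop matching: an interceptor who substitutes its own public value ends up with one key shared with each caller, and each caller's screen then shows a code derived from a different exchange.

```python
"""Short-authentication-string (SAS) check against a man-in-the-middle.

Added illustration of the mechanism the Zfone article describes; this is
not Zfone or ZRTP code. All parameters below are constructed toy values.
"""
import hashlib
import string

# Constructed toy Diffie-Hellman group: a Mersenne prime and a small base.
# A real deployment uses a standardised group of a few thousand bits.
P = 2 ** 127 - 1
G = 5

# 32-symbol alphabet for the spoken code (assumption: standard base32 symbols).
SAS_ALPHABET = string.ascii_uppercase + "234567"


def public_key(priv: int) -> int:
    """Diffie-Hellman public value g^priv mod p."""
    return pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> int:
    """Diffie-Hellman shared secret peer_pub^priv mod p."""
    return pow(peer_pub, priv, P)


def sas(initiator_pub: int, responder_pub: int, secret: int) -> str:
    """Three spoken symbols derived from the exchange as this side saw it.

    The hash covers both public values this side observed plus the secret it
    derived, so an interceptor who substituted its own public value changes
    the input on at least one side. 15 bits of the digest give 3 symbols.
    """
    material = b"%d|%d|%d" % (initiator_pub, responder_pub, secret)
    digest = hashlib.sha256(material).digest()
    bits = int.from_bytes(digest[:2], "big") >> 1          # keep 15 bits
    return "".join(SAS_ALPHABET[(bits >> shift) & 31] for shift in (10, 5, 0))


def sas_matches(spoken_by_caller: str, shown_to_callee: str) -> bool:
    """The callee compares what the caller reads aloud with its own screen."""
    return spoken_by_caller == shown_to_callee


def direct_call(a_priv: int, b_priv: int) -> tuple:
    """A talks to B with nobody in between: both sides derive the same SAS."""
    a_pub, b_pub = public_key(a_priv), public_key(b_priv)
    a_sas = sas(a_pub, b_pub, shared_secret(a_priv, b_pub))
    b_sas = sas(a_pub, b_pub, shared_secret(b_priv, a_pub))
    return a_sas, b_sas


def intercepted_call(a_priv: int, b_priv: int, m_priv: int) -> tuple:
    """An interceptor M relays the exchange, substituting its own public value.

    A shares a key with M and B shares a different key with M. M can decrypt
    and re-encrypt the audio, but it cannot make the two SAS values agree, so
    the code read aloud will not match what the other caller's screen shows.
    """
    a_pub, b_pub, m_pub = public_key(a_priv), public_key(b_priv), public_key(m_priv)
    # A believes the responder's public value is m_pub.
    a_sas = sas(a_pub, m_pub, shared_secret(a_priv, m_pub))
    # B believes the initiator's public value is m_pub.
    b_sas = sas(m_pub, b_pub, shared_secret(b_priv, m_pub))
    return a_sas, b_sas


if __name__ == "__main__":
    # Constructed private exponents; real code draws them with secrets.randbelow.
    print("direct     :", direct_call(123456789, 987654321))
    print("intercepted:", intercepted_call(123456789, 987654321, 555555555))
```

With three symbols from a 32-character alphabet the codes carry 15 bits, so an interceptor has roughly one chance in 32,768 of the two sides' codes agreeing by luck; the comparison only defeats the attack because the codes are spoken over the already-established call, which the interceptor would have to alter in the callers' own voices in real time.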
But primarily, Zfone is competing with the built-in crypto that comes with Skype, which is closed-source, uses its own proprietary protocols, and employs its own encryption scheme -- which, significantly, is not available for inspection and peer-review (though some have evaluated it and others purportedly cracked it anyway). Those are all troubling signs for a security system. But as a standard element in Skype's popular VoIP software, this unproven crypto has already achieved a market penetration that will likely elude Zimmermann's system.

So as nice as it is, unless Zfone is adopted by mainstream VoIP providers, it will probably occupy the same limited market niche as the hyper-secure PGP program that ruffled so many government feathers over a decade ago. PGP didn't become standard e-mail fare outside of the community of geeks, cypherpunks and those with special privacy needs, like human rights workers and people living in countries where the government routinely spies on its citizens without oversight.

Fortunately for Zimmermann, there are a lot more of us these days.

From isn at c4i.org Tue Apr 4 03:02:58 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:02:58 -0500 (CDT)
Subject: [ISN] Microsoft's Canberra security deal
Message-ID:

http://australianit.news.com.au/articles/0,7204,18699718%5E15306%5E%5Enbv%5E,00.html

Simon Hayes and James Riley
The Australian
APRIL 04, 2006

MICROSOFT has promised to help Australia tackle threats to "national security, economic strength and public safety" under a deal to allow its engineers to examine attempts to hack into federal government computer networks. Microsoft managing director Steve Vamos and Attorney-General's Department secretary Robert Cornall will sign the Microsoft Security Co-operation Agreement tomorrow in a ceremony to be chaired by Attorney-General Philip Ruddock at federal Parliament House.
The deal is to share data on security incidents and information on critical events and security emergencies. Australia follows the US, Canada, Chile and Norway in signing the agreement, aimed at improving the flow of computer security information. The deal builds on Microsoft's 2003 agreement to allow the government to examine source code for Windows and Office. That agreement followed an increase in the popularity of open source software. Microsoft opened its code to select governments to prove its technology was as safe as any other, but not all governments were happy with the access restrictions imposed by Microsoft. China, Russia, Britain and NATO signatory countries are among other nations to have signed that agreement. The new agreement is expected to include access to information on planned software patches, and data about vulnerabilities that Microsoft is investigating, allowing the government to plan ahead for security threats. Also likely is an agreement for Microsoft to provide resources for a joint response to emergencies, and to provide assistance with consumer education campaigns on computer security. A Microsoft Australia spokesman declined to comment on the program. Chairman Bill Gates told a conference in February last year that Microsoft would give governments better access to security information, and would help protect critical infrastructure. "We have 24-hour-a-day surveillance working with other companies, so we see things and we can work with governments around the clock when there is a challenge," he said. "Having these channels of communication open, knowing exactly who to work with, what the messaging should be, that's something we're putting in place." Microsoft public sector corporate vice-president Gerri Elliott last year said the program would make it easier to track and combat security threats to government agencies and critical infrastructure. 
"The digital age creates some unique challenges for governments to help secure their computing environments," he said. "By taking a collaborative approach with global governments, we can bring to bear the combined expertise from public and private sectors and enable governments to better prepare, manage and mitigate the impact of security incidents."

From isn at c4i.org Tue Apr 4 03:03:24 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:03:24 -0500 (CDT)
Subject: [ISN] REVIEW: "Snort Cookbook", Angela Orebaugh/Simon Biles/Jacob Babbin
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKSNRTCB.RVW 20051208

"Snort Cookbook", Angela Orebaugh/Simon Biles/Jacob Babbin, 2005, 0-596-00791-4, U$39.95/C$55.95
%A Angela Orebaugh
%A Simon Biles
%A Jacob Babbin
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 2005
%G 0-596-00791-4
%I O'Reilly & Associates, Inc.
%O U$39.95/C$55.95 800-998-9938 fax: 707-829-0104 nuts at ora.com
%O http://www.amazon.com/exec/obidos/ASIN/0596007914/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0596007914/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0596007914/robsladesin03-20
%O Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 270 p.
%T "Snort Cookbook: Solutions and Examples for Snort Administrators"

Chapter one covers the installation of Snort on various systems, and even includes a wiring diagram for a passive tap, if you need that sort of application. (The "cookbook" format, with its "Problem/Solution" structure, seems a bit odd, in this case.) An assortment of issues in logging are dealt with in chapter two. The creation and maintenance of rules, in chapter three, is discussed in a very useful fashion. Chapter four is about preprocessing, and is somewhat more demanding of the reader.
Administrative tools, for managing Snort sensors, rulesets, and data, are described in chapter five, while utilities for analysis and display of collected information are presented in six. A variety of additional uses for Snort are mentioned in chapter seven. This book outlines the basic use and operation of Snort in a convenient and easy-to-use manner. Aside from the first chapter, the cookbook format is used effectively, and thus the work becomes a handy, quick reference for those interested in using and exploring Snort. copyright Robert M. Slade, 2005 BKSNRTCB.RVW 20051208 ====================== (quote inserted randomly by Pegasus Mailer) rslade at vcn.bc.ca slade at victoria.tc.ca rslade at sun.soci.niu.edu What you see and hear depends a good deal on where you are standing; it also depends on what sort of person you are. - Clive Staples Lewis http://victoria.tc.ca/techrev/rms.htm From isn at c4i.org Tue Apr 4 03:03:59 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 4 Apr 2006 02:03:59 -0500 (CDT) Subject: [ISN] Linux Security Week - April 4th 2006 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | April 4th, 2006 Volume 7, Number 14n | | | | Editorial Team: Dave Wreski dave at linuxsecurity.com | | Benjamin D. Thomas ben at linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Steganography FAQ," "IPCop-OpenVPN HOWTO," "International Body Adopts Network Security Standard," and "The Top 10 Information Security Myths." --- EnGarde Secure Linux: Why not give it a try? 
EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Community 3.0.5 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121879/65/

---

pgp Key Signing Observations: Overlooked Social and Technical Considerations
By: Atom Smasher

While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.
http://www.linuxsecurity.com/content/view/121645/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* (IN)SECURE Issue 6 has been released
30th, March, 2006

The latest edition of this free PDF digital security magazine is packed with content that caters to all levels of knowledge. Get your copy today!

http://www.linuxsecurity.com/content/view/122162

* Steganography FAQ
29th, March, 2006

Steganography is a subject which is rarely touched upon by most IT Security Enthusiasts. Most people don't see Steganography as a potential threat, some people don't even know what Steganography is. With this FAQ I hope to answer any questions anyone may want to ask about Steganography, and to educate people so they can understand what exactly Steganography is. Is Steganography a potential threat? Well, you're about to find out.

http://www.linuxsecurity.com/content/view/122140

* IPCop-OpenVPN HOWTO
30th, March, 2006

I'm a huge fan of IPCop. It's a great firewall distro that makes administration a snap using a slick web interface. My goal was to use IPCop and an easy-to-use VPN client to allow access to my LAN while away from home. I ended up going with the ZERINA OpenVPN addon for IPCop and the OpenVPN GUI for Windows. If you've ever wanted full, secure, encrypted access to your LAN from any remote location, here is your guide.

http://www.linuxsecurity.com/content/view/122168

* Defeating the Hacker
31st, March, 2006

Way back in the early 1980s, Robert Schifreen shot to notoriety as one of the hackers who broke into Prince Philip's mailbox on the Prestel service. It was this case that, after the Law Lords ruled that the forgery laws did not cover typing a user name and password into a computer screen, instigated the drafting and passage of the Computer Misuse Act in 1984.
Schifreen has spent the intervening years being a respectable computer journalist, and his specialty -- as you might expect -- is security. Defeating the Hacker: A Non-Technical Guide to IT Security is the result of years of writing, research and speaking at conferences on security topics.

http://www.linuxsecurity.com/content/view/122178

* International Body Adopts Network Security Standard
25th, March, 2006

The International Organization for Standardization (ISO) approved last month a comprehensive model that identifies critical requirements to ensure end-to-end network security. Specifically, the global standards group formally adopted ISO/IEC 18028-2, which defines a standard security architecture and provides a systematic approach to support the planning, design and implementation of information technology networks.

http://www.linuxsecurity.com/content/view/122087

* Look Toward The Future
27th, March, 2006

Just like their larger brethren, small to medium-sized enterprises that wish to garner a competitive advantage must develop an effective IT plan. Increasingly, IT departments are becoming the hub of the company, and more and more companies expect their IT managers to accomplish a variety of tasks with limited resources. In fact, having an established plan goes far to empower smaller firms so they'll be able to play with the "big boys" in their industry arenas.

http://www.linuxsecurity.com/content/view/122123

* Learning An Advanced Skillset
28th, March, 2006

It was almost two years ago now that I wrote the SecurityFocus article on TCP/IP skills required for security analysts. That article offered advice on how one can seek employment in the security field through education, training, and a strong focus on TCP/IP. The idea came about from all of the questions this author has been asked on the subject. There is often a lot of uncertainty as to what one should study to further one's career in the network security world.
Much as I mentioned previously, it can be a daunting task. What was laid out as core skills required for a fully competent security analyst are in reality, but a baseline. From that foundation of skills learnt, and honed over time can you begin to think about acquiring more advanced skills. http://www.linuxsecurity.com/content/view/122133 * Visualization in the Security and New Media World 31st, March, 2006 Information visualization seems to be a growing trend in today's knowledge driven, and information-overloaded society. The following represents a URL tree graph of the Security Mind Streams blog -- looks resourceful! Want to freely graph your site/blog? Take advantage of Texone's tree, just make sure you don't forget to press the ESC key at a certain point. http://www.linuxsecurity.com/content/view/122180 * Are Cyber Criminals Or Bureaucrats The Industry's Top Performer? 28th, March, 2006 Last week, I came across a great article at Forbes.com, "Fighting Hackers, Viruses, Bureaucracy", an excerpt: "Cyber security largely ends up in the backseat," says Kurtz, who prior to lobbying did stints in the State Department, the National Security Council and as an adviser to President George W. Bush on matters relating to computer security. "Our job is to shine a bright light on it, to help people understand it." http://www.linuxsecurity.com/content/view/122136 * Open Source Security Testing Methodology 30th, March, 2006 Truth is made of numbers. Following this golden rule, Federico Biancuzzi interviewed Pete Herzog, founder of ISECOM and creator of the OSSTMM, to talk about the upcoming revision 3.0 of the Open Source Security Testing Methodology Manual. He discusses why we need a testing methodology, why use open source, the value of certifications, and plans for a new vulnerability scanner developed with a different approach than Nessus. 
http://www.linuxsecurity.com/content/view/122165

* Lundquist's Guide To Not Getting Fired for Losing Your Laptop
2nd, April, 2006

How often do we have to read about someone losing a laptop with a bunch of client data? I've included some links to recent stories: Stolen Fidelity Laptop Exposes HP Workers and Lost Fidelity Laptop Stirs Fear of ID Theft. Stop and think for a second. You are a high-powered road warrior jetting around the world making lots of complex but incredibly lucrative financial deals. You lose your laptop with all that important information. You have to call your boss back at the home office. Your next job involves asking customers if they want the large or the super-jumbo Slurpee.

http://www.linuxsecurity.com/content/view/122184

* Roll Your Own Firewall
27th, March, 2006

Over the years I have learned how to roll my own firewall script and call it from the /etc directory. Of course, my firewall is only INPUT based, instead of INPUT and OUTPUT based, but I find that building an INPUT/OUTPUT based firewall is tremendously difficult and not really all that necessary if you use good download practices on your Linux server or PC and/or if you're already behind a NAT router (such as a home-based DSL or cable router or wireless router) or other firewall.

http://www.linuxsecurity.com/content/view/122120

* Domain Registrar Joker Hit by DDoS
27th, March, 2006

Domain registrar Joker.com says its nameservers are under attack, causing outages for customers. More than 550,000 domains are registered with Joker, which is based in Germany. Any of those domains that use Joker's DNS servers are likely to be affected. "Joker.com currently experiences massive distributed denial of service attacks against nameservers," the registrar says in an advisory on its home page. "This affects DNS resolution of Joker.com itself, and also domains which make use of Joker.com nameservers. We are very sorry for this issue, but we are working hard for a permanent solution."
http://www.linuxsecurity.com/content/view/122108

* Detecting Botnets Using a Low Interaction Honeypot
26th, March, 2006

This paper describes a simple honeypot using PHP and emulating several vulnerabilities in Mambo and Awstats. We show the mechanism used to 'compromise' the server and to download further malware. This honeypot is 'fail-safe' in that when left unattended, the default action is to do nothing -- though if the operator is present, exploitation attempts can be investigated. IP addresses and other details have been obfuscated in this version.

http://www.linuxsecurity.com/content/view/122088

* The e-Crime Congress 2006. March 30 & 31 2006
27th, March, 2006

The e-Crime Congress 2006 will seek to challenge conventional attitudes on e-Crime and examine how business, government and law enforcement can continue to work together in order to tackle a threat that undermines public confidence in the Internet as a viable and secure commercial medium for the future.

http://www.linuxsecurity.com/content/view/122112

* The Pathogenesis of Dark Traffic Attacks
29th, March, 2006

As well as straightforward spam, dark traffic comprises directory harvest attacks, email Denial of Service attacks, malformed SMTP packets, invalid recipient addresses, and other requests and communications unrelated to the delivery of valid email messages.

http://www.linuxsecurity.com/content/view/122139

* Amanda 2.5 - A major new release of the Open Source Backup Software
27th, March, 2006

Amanda is the world's most popular open source backup and recovery software. Amanda allows system administrators to set up a single server to back up multiple hosts to a tape- or disk-based storage system over the network. It uses native dump and/or GNU tar facilities and can back up a large number of workstations or servers running various versions of Linux, Unix, Mac OS-X or Microsoft Windows operating systems. On March 23rd, 2006, the Amanda team released a major version (2.5) of the software.
Overall the focus of the release is on security of the backup process & backed up data, scalability of the backup process and ease of installation & configuration of Amanda. http://www.linuxsecurity.com/content/view/122111 * Users of SELinux Now Have A Choice On Security 27th, March, 2006 The release of a new open-source security package has sparked debate over how many Mandatory Access Control applications Linux really needs, and if more than one would just dilute volunteer efforts. Novell Inc. of Provo, Utah, recently released the source code for its recently acquired Linux security application, AppArmor. It also set up a project site in hopes of attracting outside developers to further refine the program. http://www.linuxsecurity.com/content/view/122125 * Linux Supporters Fiddle While OpenSSH Burns 30th, March, 2006 Once again, the OpenBSD project is asking for donations to keep its operations in motion. It doesn't ask for much -- U.S. $100,000 (small potatoes in the operating system development industry) -- yet it provides so much to the software world. Even if you don't use OpenBSD, you're likely to be benefiting from it unknowingly. If you're using Solaris, SCO UnixWare, OS X, SUSE Linux, or Red Hat Enterprise Linux, chances are you're using the OpenBSD-developed OpenSSH for secure shell access to remote machines. If so many are using this software, why are so few paying for it? Official responses (and non-responses) from Sun Microsystems, IBM, Novell, and Red Hat are below, but if you're one of the freeloaders who hasn't contributed to OpenBSD or OpenSSH, what's your excuse? http://www.linuxsecurity.com/content/view/122166 * Computer Forensics Tool Testing (CFTT) Project 27th, March, 2006 There is a critical need in the law enforcement community to ensure the reliability of computer forensic tools. A capability is required to ensure that forensic software tools consistently produce accurate and objective test results. 
The goal of the Computer Forensic Tool Testing (CFTT) project at the National Institute of Standards and Technology (NIST) is to establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware. http://www.linuxsecurity.com/content/view/122109 * Version 0.7 of the OSSEC HIDS is now available 29th, March, 2006 OSSEC HIDS is an open source host-based intrusion detection system. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. This is one of the most improved versions so far. It now includes support for squid, pure-ftpd, postfix and AIX ipsec logs (in addition to a lot of improvements to the previous rules). http://www.linuxsecurity.com/content/view/122138 * Secure Coding 27th, March, 2006 The primary cause of commonly exploited software vulnerabilities is software defects that could have been avoided. Through our analysis of thousands of vulnerability reports, the CERT/CC has observed that most of them stemmed from a relatively small number of root causes. If we can identify the root causes of vulnerabilities and develop secure coding practices for illustration, software producers may be able to take practical steps to prevent introduction of vulnerabilities into deployed software systems. http://www.linuxsecurity.com/content/view/122110 * Exegesis of Virtual Hosts Hacking 28th, March, 2006 There is a lot that we can say about finding virtual hosts from a given IP address. Sometimes this task is straightforward, other times a bit of thinking is required. However, in general it is not a mission impossible. During the last few years, domain name databases have emerged like mushrooms after a rainy day. This has certainly increased the awareness among security professionals about the possibility of using virtual hosts as backdoors when testing the security of a given organization. 
In reality, a good attacker will try to break into your organization by knocking on the not-so-obvious doors. http://www.linuxsecurity.com/content/view/122128 * Ensure data doesn't leave with your staff 28th, March, 2006 With average employee turnover in the UK stable at about 15%, the security implications of staff departures should not be overlooked. While most departing employees are honourable, there is, unfortunately, a sizeable minority who will copy databases, customer requirements, tender documents or, in some cases, copy and remove proprietary code. http://www.linuxsecurity.com/content/view/122130 * Secure Your Applications From The Start 28th, March, 2006 Information security in financial services is one of the highest priorities for C-level executives. CEOs don't want the bad press and liabilities associated with a security breach, and CIOs know that their phones will be the first to ring if data is compromised. Adding to the urgency of the issue, the number of reported security vulnerabilities and the cost per incident continue to rise, according to the 2005 Computer Security Institute/FBI Computer Crime and Security Survey. But most IT shops don't properly test applications for security flaws during the development life cycle, resulting in apps riddled with vulnerabilities. Too often, security and application development are viewed as separate disciplines. Part of the problem is that security teams often are called in to add security to software post-development, rather than working alongside developers during the development process. http://www.linuxsecurity.com/content/view/122135 * Knoppix Hacks: Scanning For Viruses 28th, March, 2006 Ridding a network of Windows computers of a virus or worm can seem impossible. Viruses may cause computers to reboot and infect new machines while you are in the process of removing them. Through the use of the live-software installer, Knoppix provides a solution to this catch-22. 
http://www.linuxsecurity.com/content/view/122137 * Looking For Love In All The Wrong Places 29th, March, 2006 Despite all the dire warnings about legal liabilities and security risks, a new study indicates one in five workers uses his or her company's Web access for personal use. Among the industries reporting the highest abuse is the male-dominated manufacturing field, where nearly 13% of users try accessing forbidden pornography, dating and gambling sites. Its workforce also tended to chat longest with friends while at work. http://www.linuxsecurity.com/content/view/122160 * Security isn't always perfect, but it doesn't necessarily have to be 30th, March, 2006 A big part of being a security professional, or for that matter an informed citizen, is examining a proposed security control and identifying weaknesses or ways it could potentially bypassed. But there's a logic error frequently committed here, and that's assuming that because a control has some weakness, that it's useless. This is due to a poor understanding of what the goal of the exercise is and a poor understanding of what security is really about. http://www.linuxsecurity.com/content/view/122163 * The Top 10 Information Security Myths 30th, March, 2006 When it comes to information security, there's a lot of popular wisdom available, but much of it is unfounded and won't necessarily improve your organization's security. Only by cutting through the hype to separate reality from myth can IT professionals help take their enterprises to the next level. Here are 10 network security myths that bear further examination. http://www.linuxsecurity.com/content/view/122164 * E-mail Security: Detecting Spam (II) 30th, March, 2006 As spam filters get more advanced, less spam is allowed to enter into user=E2..s inbox so the business model of spammers gets hurt. 
Instead of thinking that people don=E2..t really like to receive spam and they would prefer less intrusive ways to get publicity, they try to workaround these filters in, sometimes, really clever ways. So, spam filters have to be continually modified and adapted to not fall into these new tricks. http://www.linuxsecurity.com/content/view/122167 * Why Phishing Attacks Work 30th, March, 2006 When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension." http://www.linuxsecurity.com/content/view/122169 * RSA Looks To Drown Phishers In Data Flood 1st, April, 2006 A novel tactic to defeat phishers is being employed by Cyota staff: flooding phishing sites with fake bank details to make the real information harder to find. RSA's Cyota division is helping fight phishing attacks by giving the online fraudsters what they want =E2.. lots of user names, passwords, online banking credentials and credit card numbers. http://www.linuxsecurity.com/content/view/122183 * CYBEREYE: Security: Lots Of Lessons, Nothing Learned 28th, March, 2006 The issues of personal data security and identity theft broke into the national consciousness a year ago, when Choice-Point reported that thieves had established accounts with the data broker to obtain sensitive information on 145,000 people. Outrage was immediate, but the problem has persisted. 
Despite congressional hearings, a plethora of federal bills and the passage of laws in at least 22 states, data on more than 53 million people was stolen, lost or exposed in 121 more incidents over the next year, according to the Privacy Rights Clearinghouse. By far the largest exposure was at payment processor CardSystems Solutions Inc., which effectively was put out of business after data on 40 million people was hacked. http://www.linuxsecurity.com/content/view/122134 * GAO: Security Accreditation Program a Tough Sell 31st, March, 2006 The federal government's program for testing and accrediting the security of commercial technology has not been proven a success, according to a report by the Government Accountability Office.=09The National Information Assurance Partnership (NIAP), which is sponsored by the National Security Agency and the National Institute of Standards and Technology, was created to make it easier for agencies to find products that meet basic industry standards for security. http://www.linuxsecurity.com/content/view/122181 * Consumer Data Security Bill Passes Out of House Committee 31st, March, 2006 A House committee this week unanimously approved a data security law that would establish federal standards for protecting personal information and would supersede state laws. The Data Accountability and Trust Act, (HR 4127), is one of a spate of bills introduced last year in the wake of publicity about the theft or loss of data that could lead to identity theft. The incidents came to light as a result of state laws requiring consumer notification of security breaches and spurred a consumer demand for tighter regulation. http://www.linuxsecurity.com/content/view/122182 * Industrial espionage worm authors jailed 28th, March, 2006 A married couple accused of using computer worms to conduct industrial espionage has received jail terms of four and two years after pleading guilty in an Israeli court. 
http://www.linuxsecurity.com/content/view/122129 * Registrar Joker.com Suffers Attack 28th, March, 2006 Domain-name registrar Joker.com acknowledged this weekend that distributed denial-of-service attacks had caused numerous problems for customers that use its domain-name service (DNS) servers to advertise the Internet addresses of their domains. http://www.linuxsecurity.com/content/view/122132 * Two DNS Servers Hit By denial-of-service Attacks 29th, March, 2006 In the second attack of its kind in the past few days, Domain Name System (DNS) servers at Network Solutions Inc. were hit by a denial-of-service attack this afternoon, resulting in a brief performance degradation for customers, according to the company. The attacks, which started at around 2:20 p.m. EST, were targeted at the company's WorldNIC name servers and resulted in a service degradation for about 25 minutes before the server was restored to normal, a spokeswoman for the company said. http://www.linuxsecurity.com/content/view/122142 * Hackers Serve Rootkits with Bagles 31st, March, 2006 Malicious hackers have fitted rootkit features into the newest mutants of the Bagle worm, adding a stealthy new danger to an already virulent threat. According to virus hunters at F-Secure, of Helsinki, Finland, the latest Bagle.GE variant loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners. http://www.linuxsecurity.com/content/view/122179 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message. 
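The OSSEC item above lists log analysis and time-based alerting as core HIDS functions. The Python below is an added example of that idea (it is not OSSEC's code and not from the newsletter): per-line pattern rules classify sshd messages, a sliding time window per source address turns repeated failures into one alert, and a correlation rule raises a second, higher-severity alert when a login later succeeds from a source already flagged. The rule names, thresholds, the assumed year and the sample log lines are all constructed for illustration.

```python
"""Minimal OSSEC-style log analysis (added example, not OSSEC code).

Per-line pattern rules classify sshd messages; a sliding time window per
source address implements time-based alerting (N failures within T seconds);
a correlation rule raises a higher-severity alert when a login succeeds
from a source that was already flagged. Log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in syslog format (no year); not real data.
SAMPLE_LOG = """\
Mar 29 10:00:01 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 29 10:00:03 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 29 10:00:04 web1 sshd[2013]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 29 10:00:06 web1 sshd[2015]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 29 10:00:09 web1 sshd[2017]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Mar 29 10:05:00 web1 sshd[2099]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 29 10:40:00 web1 sshd[2101]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Mar 29 10:41:00 web1 sshd[2102]: Accepted publickey for alice from 198.51.100.4 port 40003 ssh2
Mar 29 10:42:00 web1 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")

ASSUMED_YEAR = 2006  # syslog timestamps carry no year; assumption for the sample


def parse(line):
    """Split one syslog line into timestamp, host, program and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def analyze(lines, threshold=4, window=60):
    """Return alerts as (timestamp, rule, source, detail) tuples.

    ssh_bruteforce: at least `threshold` failed logins from one source within
    `window` seconds (sliding window, one alert per source).
    login_after_bruteforce: a successful login from a source already flagged.
    """
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources that already raised ssh_bruteforce
    for line in lines:
        ev = parse(line)
        if ev is None or ev["prog"] != "sshd":
            continue                # unparseable or not sshd: no rule applies
        m = FAILED_RE.match(ev["msg"])
        if m:
            src, q = m["src"], failures[m["src"]]
            q.append(ev["ts"])
            # drop failures older than the window (lines arrive in time order)
            while (ev["ts"] - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((ev["ts"], "ssh_bruteforce", src, len(q)))
            continue
        m = ACCEPTED_RE.match(ev["msg"])
        if m and m["src"] in flagged:
            alerts.append((ev["ts"], "login_after_bruteforce", m["src"], m["user"]))
    return alerts


if __name__ == "__main__":
    for ts, rule, src, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ts:%b %d %H:%M:%S} {rule:<24} src={src} detail={detail}")
```

Run directly it prints two alerts: the brute force from 203.0.113.7 at the fourth failure, then the root login from the same address three seconds later. Two caveats a real HIDS handles and this toy does not: the `flagged` set never expires, so a source stays suspect for the life of the process, and lines are assumed to arrive in time order, which is not guaranteed when several hosts forward logs to one collector.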
------------------------------------------------------------------------ From isn at c4i.org Wed Apr 5 05:25:29 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 5 Apr 2006 04:25:29 -0500 (CDT) Subject: [ISN] DHS Spokesman Is Accused of Soliciting Teen Online Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2006/04/04/AR2006040401973.html By Spencer S. Hsu Washington Post Staff Writer April 5, 2006 The deputy press secretary for the Department of Homeland Security was arrested last night on charges that he used the Internet to seduce an undercover Florida sheriff's detective who he thought was a 14-year-old girl, the Polk County Sheriff's Office said. Brian J. Doyle, 55, was arrested at his Silver Spring home at 7:45 p.m. and charged with seven counts of using a computer to seduce a child and 16 counts of transmitting harmful materials to a minor, according to a sheriff's office statement. Agents with the department's Inspector General's Office, the U.S. Secret Service, the Montgomery County police and the Polk County Sheriff's Office served a search warrant and seized his home computer and other materials, the statement said. Doyle was online at the time awaiting what he thought was a nude image of a girl who had lymphoma, Polk County Sheriff Grady Judd said in an interview with Fox News' "On the Record With Greta Van Susteren." "We wanted to make sure he was using that computer and talking to detectives at the time of the arrest," Judd said. In his initial communication last month, Doyle told an undercover computer-crimes detective who he was and that he worked for the Department of Homeland Security, later disclosing numbers for his office phone and government-issued cellphone and using those lines, the sheriff's office said. "If he would provide that kind of information to include a photograph of himself with his identification tags, who else may he be talking to around the world who he thinks to be a 14-year-old girl?" 
Judd said on CNN's "Anderson Cooper 360." Attempts to reach Doyle, who was booked into the Montgomery County jail on the Polk County charges, on his office and cellphone numbers and by his official e-mail were unsuccessful. He was a TSA spokesman before becoming deputy press secretary last year to Homeland Security Secretary Michael Chertoff. Chertoff press secretary Russ Knocke declined to comment on the case beyond releasing a written statement, saying, "We take these allegations very seriously and we will cooperate fully with this ongoing investigation." Judd said Doyle confessed and waived extradition to Polk County. According to the sheriff's office, Doyle initiated a sexually explicit conversation with the detective on March 12 in response to an Internet profile of a 14-year-old girl. Doyle allegedly sent pornographic movie clips, non-pornographic photos of himself and instant messages from his AOL account, the police statement said. The sheriff's office alleged that Doyle "on many occasions" instructed the undercover detective to perform a sexual act while thinking of him and described explicit acts he wished to perform. Another Homeland Security official -- Frank Figueroa, special agent in charge of U.S. Immigration and Customs Enforcement in Tampa -- faces trial this week on charges of exposing himself to a teenage girl last year at a mall. Figueroa, who has been suspended, pleaded not guilty. From isn at c4i.org Wed Apr 5 05:26:26 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 5 Apr 2006 04:26:26 -0500 (CDT) Subject: [ISN] Air Force to use Symantec product suite and consulting services Message-ID: http://www.fcw.com/article92832-04-04-06-Web [I wonder if the USAF will be stuck activating and reactivating their security software over and over again [1], and often at the most inopportune times... - WK] By Michael Hardy Apr. 
4, 2006 The Air Force has selected Symantec's LiveState Client Management Suite and the company's professional services consulting to support its Air Force Standard Desktop Configuration. The Air Force's effort is a global client device and software management program. Through the five-year contract with Symantec, the service is working to create, deploy and manage applications and settings centrally for hundreds of thousands of users worldwide. "The military's demand for secure and survivable [information technology] assets compliant with policies requires a continuous and integrated approach to asset management spanning security, compliance, administration, and recovery," said David Saunders, vice president of Symantec's public-sector business, in a statement. LiveState provides life cycle management of devices from the time they are acquired until they are discarded. The Air Force agreement came through the Defense Department's Enterprise Software Initiative. [1] http://www.gripe2ed.com/scoop/story/2006/1/6/0331/89933 From isn at c4i.org Wed Apr 5 05:25:10 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 5 Apr 2006 04:25:10 -0500 (CDT) Subject: [ISN] After attack, Network Solutions knocked down again Message-ID: http://www.computerworld.com/developmenttopics/websitemgmt/story/0,10801,110193,00.html by Robert McMillan APRIL 04, 2006 IDG NEWS SERVICE For the second time in a week, domain-name registrar Network Solutions Inc. has experienced a disruption of service. The company's Web site was inaccessible for more than two hours earlier today because of an outage at the company's Internet service provider, Savvis Inc. "Our collocation provider experienced a global outage, so people could not access their products and services from about 7:56 a.m. to about 10:02 a.m. this morning, Eastern time," said Susan Wade, a Network Solutions spokeswoman. The provider in question was Savvis, she said. 
The Network Solutions Web site is now operating normally, she said this afternoon. Network Solutions was the first company authorized to register the Internet's domain names, and its Web site is still widely used to register and manage information about domain names. This outage comes a week after the Herndon, Va.-based company's WorldNIC Domain Name System (DNS) servers were hit by a denial-of-service attack, which temporarily disrupted the servers (see "Update: Two DNS servers hit by denial-of-service attacks" [1]). The WorldNIC servers are used to translate domain names such as IDG.com into the numerical Internet Protocol addresses used by computers on the Internet. Savvis officials could not be reached for comment, but discussion early today on a list [2] used by network operators indicated that the company may have had a problem at its data center in Weehawken, N.J.
[1] http://www.computerworld.com/networkingtopics/networking/story/0,10801,109972,00.html
[2] http://www.merit.edu/mail.archives/nanog/msg16832.html
From isn at c4i.org Wed Apr 5 05:28:17 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 5 Apr 2006 04:28:17 -0500 (CDT) Subject: [ISN] NHTCU disappears into new crime agency Message-ID: http://www.techworld.com/security/news/index.cfm?NewsID=5713 By Matthew Broersma Techworld 04 April 2006 When you're hit by a virus, will SOCA want to know? Home Secretary Charles Clarke has formally launched the Serious Organised Crime Agency (SOCA), which will handle high-tech crime along with drugs trafficking, immigration crime, money laundering and identity fraud. IT industry observers, meanwhile, said criticisms of the previous anti-cybercrime approach had not yet been addressed. SOCA folds in the National High-Tech Crime Unit (NHTCU), formerly the main national UK force tackling cybercrime, along with the National Crime Squad, the National Criminal Intelligence Service and specialists from HM Revenue and Customs and the UK Immigration Service.
There is a worry that high-tech crime may be lost at SOCA amid a predominant focus on drugs trafficking and immigration crime, according to industry observers. The new body plans to spend 40 percent of its resources on stopping drug trafficking, 25 percent on immigration, 10 percent on individual and private sector fraud and 15 percent on other types of crime, with another 10 percent spent on assisting other law-enforcement agencies. But anti-cybercrime efforts may also benefit from being included alongside other types of crime. "In some ways it makes sense, since it isn't really distinct from other types of crime," said Graham Cluley, senior technology consultant with Sophos. The main problem under the NHTCU was the lack of a clear structure for the reporting of cybercrime, which means there are no reliable cybercrime statistics for the UK. "A clear structure for how to report computer crimes has been missing all along. If you're hit by a virus, no one in authority wants to know," Cluley said. "They actually say, 'don't tell us, tell the antivirus companies'. With this reshuffling, there is a danger that companies may not be clear whom to report to." Clarke said the new agency will be better able to tackle sophisticated From isn at c4i.org Wed Apr 5 05:28:27 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 5 Apr 2006 04:28:27 -0500 (CDT) Subject: [ISN] Citigroup employee accused of hacking Message-ID: http://www.whas11.com/news/local/stories/WHAS11_local_Citigroupcreditfraud.30ec202.html April 4, 2006 A Citigroup employee is accused of hacking into the accounts of almost a half-dozen customers. Tremice Ralston is charged with misuse of computer information. Police say Ralston illegally obtained access to the credit card accounts of five customers. They say she would then raise the credit limit on the customers' cards, order a new one and then have them sent to relatives. 
This is the second time in just one week that a Louisville bank employee has been charged with stealing money from customers. Last week, Patricia Jordan pleaded not guilty to embezzling more than $210,000 from customers of National City Bank on Breckenridge Lane.
From isn at c4i.org Thu Apr 6 04:28:18 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 6 Apr 2006 03:28:18 -0500 (CDT) Subject: [ISN] Microsoft Says Recovery from Malware Becoming Impossible Message-ID: http://www.eweek.com/article2/0,1895,1945808,00.asp By Ryan Naraine April 4, 2006 LAKE BUENA VISTA, Fla. - In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation. "When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here. Offensive rootkits, which are used to hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed. He cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. "In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast," Danseglio added.
Danseglio, who delivered two separate presentations at the conference - one on threats and countermeasures to defend against malware infestations in Windows, and the other on the frightening world of Windows rootkits - said anti-virus software is getting better at detecting and removing the latest threats, but for some sophisticated forms of malware, he conceded that the cleanup process is "just way too hard." "We've seen the self-healing malware that actually detects that you're trying to get rid of it. You remove it, and the next time you look in that directory, it's sitting there. It can simply reinstall itself," he said. "Detection is difficult, and remediation is often impossible," Danseglio declared. "If it doesn't crash your system or cause your system to freeze, how do you know it's there? The answer is you just don't know. Lots of times, you never see the infection occur in real time, and you don't see the malware lingering or running in the background." He recommended using PepiMK Software's SpyBot Search & Destroy, Mark Russinovich's RootkitRevealer and Microsoft's own Windows Defender, all free utilities that help with malware detection and cleanup, and urged CIOs to take a defense-in-depth approach to preventing infestations. Danseglio said malicious hackers are conducting targeted attacks that are "stealthy and effective" and warned that the for-profit motive is much more serious than even the destructive network worms of the past. "In 2006, the attackers want to pay the rent. They don't want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money. "At Microsoft, we are fielding 2,000 attacks per hour. We are a constant target, and you have to assume your Internet-facing service is also a big target," Danseglio said. Danseglio said the success of social engineering attacks is a sign that the weakest link in malware defense is "human stupidity."
"Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity," he said. The most recent statistics from Microsoft's anti-malware engineering team confirm Danseglio's contention. In February alone, the company's free Malicious Software Removal Tool detected a social engineering worm called Win32/Alcan on more than 250,000 unique machines. According to Danseglio, user education goes a long way to mitigating the threat from social engineering, but in companies where staff turnover is high, he said a company may never recoup that investment. "The easy way to deal with this is to think about prevention. Preventing an infection is far easier than cleaning up," he said, urging enterprise administrators to block known bad content using firewalls and proxy filtering and to ensure security software regularly scans for infections. From isn at c4i.org Thu Apr 6 04:27:23 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 6 Apr 2006 03:27:23 -0500 (CDT) Subject: [ISN] GAO: SEC's info security not up to snuff Message-ID: http://www.fcw.com/article92839-04-05-06-Web By Dibya Sarkar Apr. 5, 2006 Congressional investigators said the Securities and Exchange Commission is not doing a good job of strengthening the security of its information systems, leaving them vulnerable to illegal access or disruption. In a new report released last week, Government Accountability Office investigators said SEC officials have addressed only eight of 51 weaknesses detailed in an earlier GAO report. Among the improvements, SEC officials replaced a publicly accessible workstation and changed control procedures for a major application. "However, SEC did not effectively control remote access to its servers, establish controls over password composition and storage, or manage access to its systems and data," the report states. 
"Further, the commission did not securely configure all its network devices and servers, nor did it implement auditing and monitoring mechanisms to detect and track security-relevant incidents." The problem is that SEC officials have not yet fully developed, documented and implemented a comprehensive information security program, the report states. The commission still needs to develop or document policies and procedures that assess risks, test and evaluate effectiveness of controls, monitor and report corrective action, and analyze security incidents, according to the report. The commission also needs to ensure that employees have the proper training, the report states. GAO also found 15 security weaknesses in addition to the 43 that still need to be corrected. SEC officials have not implemented consistent and effective access controls over user accounts and passwords, among other problems, according to the report. The commission also needs to do a better job of addressing physical security challenges, software patch management processes, segregation of computer functions and application change controls, which ensure only authorized programs and modifications are implemented, the report states. "These weaknesses increase the risk that financial and sensitive information will be inadequately protected against disclosure, modification, or loss, possibly without detection, and place SEC operations at risk of disruption," the report states. That's not to say the SEC hasn't made some improvements. It has increased the number of security employees, certified and accredited several major applications and established a backup data center, according to the report. According to the GAO report, Christopher Cox, the SEC's chairman, agreed with the findings and said the commission is taking steps to improve the security program. 
In a March 24 letter to GAO, Cox wrote, for example, that 16 major applications have been certified and accredited, and the remaining four will be accredited during the spring. The commission is maintaining and tracking its "plans of action and milestones" through a new automated system, he added. Cox wrote that GAO's recommendations are appropriate and actionable and that the SEC will implement them before October, the end of fiscal 2006. Those actions include fixing specific weaknesses and implementing an agencywide information security program.
From isn at c4i.org Thu Apr 6 04:27:56 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 6 Apr 2006 03:27:56 -0500 (CDT) Subject: [ISN] IE Exploit; Firewall Tests Message-ID:

====================
This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Thawte
http://list.windowsitpro.com/t?ctl=2605B:4FB69

8e6 Technologies
http://list.windowsitpro.com/t?ctl=26069:4FB69
====================

1. In Focus: IE Exploit; Firewall Tests
2. Security News and Features
   - Recent Security Vulnerabilities
   - CipherTrust Launches PhishRegistry.org
   - Black-market Sale on Spyware
   - Beef Up Security for Your Mobile-Device Fleet
3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Share Your Security Tips
4. New and Improved
   - Password-Protect Your Web Site Logon Information
====================

==== Sponsor: Thawte ====
Discover how to ensure efficient ongoing management of your digital certificates, how your business will benefit by addressing unique online security issues and more!
http://list.windowsitpro.com/t?ctl=2605B:4FB69
====================

==== 1. In Focus: IE Exploit; Firewall Tests ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

As you probably know, really dangerous JavaScript-based exploits of Microsoft Internet Explorer (IE) are on the loose. The exploits take advantage of problems in JavaScript processing that allow injection of arbitrary code. Microsoft is working on a patch for the problems that's currently scheduled for release April 11--the company's scheduled monthly patch release date.

Several attacks that use the exploits are under way. For example, one attack comes disguised as a BBC News story snippet. When a person clicks the link to read the rest of the story, the exploit is triggered.

Ken Pfeil sent me a link to another site hosting an exploit. The exploit includes some shell code, but I didn't completely reverse-engineer the exploit, so I'm not entirely sure what all it does. If you want to take a look, visit 207.5.68.153 on port 80 with a telnet client and enter the command "GET /" to dump out the exploit code.

Ken also pointed out that some software, such as Microsoft SharePoint Server, can be configured to load files based on content instead of file extension. This means that an exploit can be packaged inside something as seemingly harmless as a .txt file to get past your defenses and will then be run by the software. This software capability undoubtedly adds to the danger level of the new exploits and other exploits.

While you're waiting for Microsoft's patch, you might consider using a third-party patch from Determina or eEye Digital Security. I haven't tested either of these patches so I can't vouch for them, but both companies are reputable. Alternatively, you can disable Active Scripting in IE to stop the execution of JavaScript.

I tested one of the JavaScript-based exploits with Mozilla Firefox and found that it caused the system's disk subsystem to go into overdrive.
There was so much disk activity that it took me more than 5 minutes to get Task Manager to open so that I could terminate the Firefox process, which stabilized the system.

I recently came across an interesting set of desktop firewall test results--at the Firewall Leak Tester Web site. The 2006 results show which desktop firewalls perform best in terms of outbound application filtering and the prevention of information leakage. Coming in dead last out of 16 desktop firewalls is Windows Firewall, which ships as part of Windows XP Service Pack 2 (SP2). This isn't too surprising given that Windows Firewall doesn't do outbound blocking.

So which firewalls are the best? When it comes to outbound application filtering, no other firewall beats Jetico Personal Firewall. Kaspersky Lab's firewall is the strongest in terms of preventing information leakage, with Jetico coming in a close second place. Overall, Jetico appears to make the strongest desktop firewall available, beating out other well-known firewalls such as those from Sunbelt Software (Kerio), ZoneLabs (ZoneAlarm Pro and ZoneAlarm Free), and Symantec (Norton). As a bonus, Jetico Personal Firewall is free. Check out the results at the URL below.
http://list.windowsitpro.com/t?ctl=2606C:4FB69

Editor's note: Meet Your Favorite IT Experts at Connections Europe in Nice, France, April 24-27

Did you know your favorite Connections conference is coming to Europe in April? Learn from your favorite authors live and in person, and hear directly from Microsoft experts about the next generation of Microsoft technologies. This is an action-packed event with four conferences located together for one rate: ASP.NET, Visual Studio, SQL Server, and Exchange, plus bonus sessions on SharePoint and Windows! I'm going to let you know about a special rate: When you buy your first conference registration at 1,100 euros, you can get additional passes at half off--so partner up with your friends and take advantage of this great rate.
The regular price is 1,450 euros, so this is a big bargain, especially when you check out the line-up of speakers! To get this special rate, go to http://list.windowsitpro.com/t?ctl=2606A:4FB69 to register today and enter promocode: SECENL.

====================

==== Sponsor: 8e6 Technologies ====

Stop Spyware Now - Free White Paper!
Spyware remains a problem for most companies, disrupting productivity, wasting time and money. Now 8e6 Technologies' free White Paper proposes breakthrough solutions to counteract the Spyware problem: recognize potential infections, stop unauthorized programs at the source. Get the Free White Paper:
http://list.windowsitpro.com/t?ctl=26069:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=2605C:4FB69

CipherTrust Launches PhishRegistry.org
CipherTrust launched a new free service, PhishRegistry.org, that aims to alert companies when their Web sites are mimicked for fraudulent purposes.
http://list.windowsitpro.com/t?ctl=26064:4FB69

Black-market Sale on Spyware
You might think that buying exploit code to create spyware would be expensive. But it's not. Security software maker Sophos reported that it found a site selling a spyware kit, WebAttacker, for $15. Learn more about it in this news article.
http://list.windowsitpro.com/t?ctl=26065:4FB69

Beef Up Security for Your Mobile-Device Fleet
When a mobile device falls into the wrong hands, so can a lot of corporate information--even the device owner's domain credentials, since most users choose to have the Microsoft ActiveSync client remember their username and password.
But help is available in the form of Exchange Server 2003 Service Pack 2 (SP2) and the Messaging and Security Feature Pack (MSFP) for Windows Mobile 5.0. An article by Randy Franklin Smith shows you how to configure this protection.
http://list.windowsitpro.com/t?ctl=26062:4FB69

====================

==== Resources and Events ====

Learn to secure your IM traffic--don't let your critical business information be intercepted!
http://list.windowsitpro.com/t?ctl=2605A:4FB69

Special Offer Ends Soon! Register now for DevConnections Europe, 24-27 April in Nice, France, and get a second registration for half price.
http://list.windowsitpro.com/t?ctl=26061:4FB69

Learn the best ways to manage your email security (and fight spam) using a variety of solutions and tips.
http://list.windowsitpro.com/t?ctl=26056:4FB69

Expert Ben Smith describes the benefits of using server virtualization to make computers more efficient.
http://list.windowsitpro.com/t?ctl=26058:4FB69

Learn the advantages of each alternative to traditional file servers and tape storage solutions, and make the best choice for your enterprise needs. Live event: Thursday, April 13
http://list.windowsitpro.com/t?ctl=26055:4FB69

====================

==== Featured White Paper ====

Protect mission-critical business information stored on your high-availability Exchange systems when you implement backup and restore strategies. You'll also learn about key configuration and deployment considerations.
http://list.windowsitpro.com/t?ctl=26059:4FB69

====================

==== Hot Spot ====

Learn to identify the top 5 IM security risks, and protect your networks and users.
http://list.windowsitpro.com/t?ctl=26057:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Microsoft Takes a Page from Open Source Playbooks
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=26068:4FB69

Bugzilla is a great resource for both developers and users of Mozilla products.
It lets people submit and track bug reports. Microsoft just launched something similar for Internet Explorer (IE) 7.0. Learn about it in this blog article.
http://list.windowsitpro.com/t?ctl=26063:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=26067:4FB69

Q: What is the User Profile Hive Cleanup (UPH Clean) service?

Find the answer at
http://list.windowsitpro.com/t?ctl=26066:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Exclusive Spring Savings
Subscribe to Windows IT Pro and SAVE 58% off! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful articles. This is a limited-time offer, so order now:
http://list.windowsitpro.com/t?ctl=2605F:4FB69

Save 44% off the Windows Scripting Solutions newsletter
For a limited time, order the Windows Scripting Solutions newsletter and SAVE up to $80. You'll get 12 helpful issues loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. You'll also get FREE, unlimited access to the full online scripting article library (more than 500 articles). Subscribe now:
http://list.windowsitpro.com/t?ctl=2605E:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Password-Protect Your Web Site Logon Information
Siber Systems announced the release of RoboForm 6.6, which automatically fills out online forms for users.
New in RoboForm 6.6 is the ability to isolate and protect personal IDs and passwords currently left exposed in Microsoft Internet Explorer's (IE's) AutoComplete directory. Users can convert logon information stored in AutoComplete to RoboForm Passcards that are encrypted with a Master Password. RoboForm 6.6's other new features include support for several new encryption algorithms (AES, Blowfish, and RC6) and the ability to be loaded onto USB drives (from SanDisk, Kingston Technologies, and others) so that users can carry their RoboForm-stored information with them. RoboForm 6.6 is now available for a 30-day trial; personal users with 10 or fewer logons can use RoboForm for free even after the trial. Volume discounts are available. For more information, go to
http://list.windowsitpro.com/t?ctl=2606D:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com.

====================

==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2606B:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=26060:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Apr 6 04:28:34 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Apr 2006 03:28:34 -0500 (CDT)
Subject: [ISN] The NSA's ultra-secure Linux technology evolves for the enterprise
Message-ID:

http://www.networkworld.com/news/2006/040506-selinux.html

By Phil Hochmuth
NetworkWorld.com
04/05/06

Boston - Linux and open-source developers are working to make Linux security tools developed by the National Security Agency more accessible and usable by regular system administrators and application developers.

Software developers and users discussed how Security Enhanced Linux (SE Linux) is evolving, and the benefits - and potential pitfalls - it could introduce when deployed in an enterprise data center. This discussion took place in a panel on SE Linux at the LinuxWorld Expo this week.

SE Linux is not a Linux distribution, such as SuSE or Red Hat, but is instead a set of modifications to the Linux kernel that limit the access that applications have to memory, processors, operating system configuration files and other critical components of a server or PC operating system. SE Linux uses mandatory access controls to limit applications' access only to the minimal amount of resources they need to run. The idea is to prevent hackers from taking over or breaking into a server by exploiting openings in poorly designed code, or by squeezing through small holes in well-designed software.

Introduced in 2000 by the NSA, SE Linux "only covered a small subset of the overall [Linux] system," said Stephen Smalley, a research scientist for the NSA. "SE Linux policy has since been expanded to cover more of the system.
A year ago we had fairly immature support and a monolithic policy. Today we have support for modular policy, enabling third-party application developers to create policies [for SE Linux] and package them with their applications."

A major step in making SE Linux easier to use has been the development of the SE Linux Reference Policy, an open-source project for creating tools that make it easier to create and apply SE Linux policies to software.

Smalley says other developments the NSA is working on for SE Linux are ways to apply the technology to desktop Linux systems, as well as to multiple virtualized Linux systems running on top of a single hardware platform.

The U.K. Central Government is testing SE Linux with its infrastructure of Linux and IBM WebSphere servers. The goal is to secure the Web services architecture for its municipal-service Web sites and public-facing applications.

"We wanted to enforce policies which say that application servers can only talk to the end points that they're authorized to talk to," said Mark Hocking, technical architect for the U.K. Cabinet Office's e-Government Unit. Such mandatory access controls have been used for a long time in government operating systems and highly customized systems, he said.

The U.K.'s e-Government Unit wanted to apply SE Linux protection to a range of Java 2 Enterprise Edition (J2EE) applications it uses with minimal changes to the WebSphere servers it has up and running. So far, the group's beta tests have been successful, Hocking says.

"We're not saying it will have 100% [security] assurance, but it seems to be working quite well. We believe we can apply SE Linux to commercial off-the-shelf products to give us a higher level of assurance than what we would have had without it."

SE Linux has been included in Red Hat Enterprise Linux 4, as well as Red Hat's Fedora Core version 4 and the recently released version 5.
However, it has been turned off by default, since the policies can disrupt some commonly used system processes and applications, according to Red Hat developers. And turning on SE Linux can frustrate administrators because the severe limitations to resources it puts on applications can cause applications to fail or act erratically.

"SE Linux breaks everything," or so goes the perception of SE Linux, said Daniel Walsh, principal software engineer at Red Hat. "So what we have to figure out is, if SE Linux causes a problem, what are the actions an administrator can take to fix it. Right now an admin has the ability to turn SE Linux on and off; maybe there's another solution."

Walsh says Red Hat is working on tools that will allow for modular implementations of SE Linux, and that can give administrators easier feedback on how SE Linux policies are affecting a server. These tools will be included in the upcoming Red Hat Enterprise Linux version 5, which is expected to be released at the end of this year, Walsh said.

"The problem with [turning on SE Linux] is that all of the sudden, access that was there before isn't there, and [a system administrator] might not know how to fix it," Walsh said. "Or worse, they may make a change or take an action in order to just get the system up and running that may make security worse on the system overall."

In spite of the difficulties that the NSA, Red Hat and other open source developers are working to overcome with SE Linux, the technology itself can be a powerful tool for securing an infrastructure based on open-source software - code which is sometimes, and sometimes not, written with security in mind.

"The problem is there's so much [sloppy] code out there," Walsh said. "Allowing this crappy code to be out there is a major security problem. What we want to do is lock the memory to make sure that someone does not get into memory to run random code."

All contents copyright 1995-2005 Network World, Inc.
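The feedback tooling Walsh describes, together with his caveat that a hasty fix can leave the system less secure, as an added example (this is not code from the article, the NSA or Red Hat): a short Python script that aggregates AVC denial records from the kernel audit log, drafts the allow rule each denial would need in the same policy-language syntax that audit2allow emits, and sets aside any denial that touches a sensitive object type for human review instead of turning it into policy. The audit lines and the SENSITIVE_TYPES list are constructed for this example.

```python
"""
Summarise SELinux AVC denials and draft the minimal rule each would need,
flagging denials against sensitive object types so an admin reviews them
rather than "fixing" them with a blanket allow.

Added example, not the article's, the NSA's or Red Hat's code.
"""
import re
from collections import defaultdict

# Constructed sample audit.log records in the kernel's AVC format
# (not captured from any real system). The SYSCALL record shows that
# non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1144300800.101:201): avc:  denied  { read } for  pid=2231 comm="httpd" name="index.html" dev=sda1 ino=40321 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1144300800.102:202): avc:  denied  { getattr } for  pid=2231 comm="httpd" name="index.html" dev=sda1 ino=40321 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1144300801.500:203): avc:  denied  { name_connect } for  pid=2231 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1144300802.010:204): avc:  denied  { read } for  pid=2231 comm="httpd" name="shadow" dev=sda1 ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1144300802.010:204): arch=40000003 syscall=5 success=no exit=-13
"""

# Object types an admin should never unlock with an allow rule.
# Hypothetical list for this example; tune it to your own policy.
SENSITIVE_TYPES = {"shadow_t", "etc_t", "security_t"}

# A security context is user:role:type[:level]; the rule needs the type.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+)\S*\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_denials(log_text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        key = (m["stype"], m["ttype"], m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def draft_rules(denials, sensitive=SENSITIVE_TYPES):
    """Turn aggregated denials into candidate allow rules.

    Returns (allow, review): rules that are candidates for a local policy
    module, and rules whose target type is sensitive and therefore point
    at a mislabelled file or a misbehaving application, not at a policy gap.
    """
    allow, review = [], []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        (review if ttype in sensitive else allow).append(rule)
    return allow, review


if __name__ == "__main__":
    allow, review = draft_rules(parse_denials(SAMPLE_AUDIT_LOG))
    print("# candidate rules (inspect before loading as a policy module):")
    print("\n".join(allow))
    print("# denials against sensitive types; fix labels or the app, do not allow:")
    print("\n".join(review))
```

On a real host the input would be /var/log/audit/audit.log or the output of ausearch -m avc. The split into two lists is the point: a denied read of a user's home page or a connect to the database port is the kind of gap a packaged, modular policy can legitimately fill, while a denied read of shadow_t should be answered by relabelling or by fixing the application, never by the one-line rule that would make the denial go away.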
From isn at c4i.org Thu Apr 6 04:29:06 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Apr 2006 03:29:06 -0500 (CDT)
Subject: [ISN] Anybody remember floppy disks?
Message-ID:

http://seattlepi.nwsource.com/virgin/265346_virgin04.html

By BILL VIRGIN
P-I COLUMNIST
April 4, 2006

You see them sometimes at garage sales or thrift stores, lying forlornly in a cardboard box, the music of some pop-music star of the early 1970s locked within their plastic cases, never to be heard -- unless someone can track down an eight-track-tape machine.

Perhaps that same scene will be played out 35 years from now with boxes of digital cameras going begging because no one has a way of unlocking the photos embedded on compact flash cards or memory sticks or whatever the obsolete media storage technology of the era turns out to be.

That the tunes of Three Dog Night or fuzzy photos of a 5-year-old's birthday party are rendered inaccessible by the march of technology represents no great societal tragedy or loss to posterity. But what if the information was something more significant -- such as government or corporate records, personal financial or health data, documents of historic significance?

Paper-based records we can preserve and read even if they're centuries old. Presuming that we handle them carefully and still know how to read, we'll be able to read them hundreds of years from now. Jerry Handfield, the state's archivist, recently returned from a trip to Argentina where he viewed paper records dating from 1500.

What about records that depend on a specific device or piece of hardware to read them?

"The digital information we create is in danger of disappearing on a major scale," says a release from the Digital Futures Alliance, a consortium established last year by University of Washington Libraries.

"We think about that a lot," says Feliks Banel, deputy director of Seattle's Museum of History and Industry.
Institutions such as MOHAI not only have to sort and store vast amounts of archival material, they have to think about how to access the information, even when the specific technology is no longer in wide use.

"We're getting video formats donated to us that we have to go to a studio to get transferred," says Banel, who has hunted down such devices as an eight-track player (located at Goodwill) and a player for 16-inch transcription discs of recordings of 1940s radio broadcasts.

In some fields of interest, enthusiasts are doing the job of advancing the material to whatever is the current format. Banel notes that many "Golden Age" radio shows, having been available on records and then cassette tapes, are now available in the MP3 format.

But with so much material on formats that have a much shorter lifespan, there's a danger that material may be lost. Says Banel, "I don't know anyone who could play floppy disks."

Actually, there is someone who could. The state archivist's office has been compiling, at its facility in Cheney, a library of hardware, software and manuals. Handfield says the collection includes such early-PC-era relics as Commodore 64s, Kaypros and Apple Lisas, all kept in anticipation of the day, he says, when someone finds an 8-inch floppy disk (yes, there were such things) "and says, 'What's this?' "

The library also makes sense because Washington has several thousand governmental units and, as Handfield notes, "There's no mandate they use the same equipment."

Accessibility is not the only issue with new, old and soon-to-be-obsolete information-storage formats. There's also an issue of whether, even if you have the equipment to read it, anything useful will be left on what you're trying to read. Paper can decay, photographs fade; digital media can be even less permanent. (CDs, for example, are considered unstable. "We don't keep CDs as archival media," Handfield says.)
If the issue isn't yet a big concern for many individuals or businesses, at least some people are thinking about the problem. The Digital Futures Alliance includes as charter partners such heavyweights as Microsoft, Amgen and RealNetworks and has set up working groups to tackle specific issues including what to keep and how.

Whatever answers the alliance and others come up with, sooner would be preferable. If new formats appear as rapidly as they have been, and obsolete formats prove to be as unstable as forecast, and the flood of data stored digitally continues unabated -- and all of those are quite likely -- a lot of people are going to be discovering very soon they have a problem they didn't expect to have.

And when they make that discovery, they'd probably like some better method for data retrieval than holding an eight-track tape up to the ear in hopes of hearing something, or holding a computer floppy up to a bright light in hopes of reading something on it.

From isn at c4i.org Thu Apr 6 04:29:20 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Apr 2006 03:29:20 -0500 (CDT)
Subject: [ISN] Cybercrooks ramp up against antivirus firms -- and each other
Message-ID:

http://news.zdnet.com/2100-1009_22-6057654.html

By Tom Espiner
ZDNet (UK)
April 4, 2006

Cybercriminals are increasingly fighting each other, as well as antivirus vendors, in pursuit of illegal gain, Kaspersky Lab has warned.

The antivirus provider said Tuesday that as profits from cybercrime grew in 2005, criminals increasingly tried to prevent antivirus providers from developing protection against the latest threats.

"Honeypots," or lightly protected systems set up to collect samples of malicious software for antivirus companies, were a prime target, Kaspersky said. Criminals can use legions of compromised "zombie" computers, called "botnets," to bombard honeypot networks with data to hinder or stop them working, according to Kaspersky's "Malware Evolution: 2005, Part 2" report, published Monday.

"If the bad guys are aware of a network that looks suspicious because it's too unprotected--to lure bad code--they can take steps like launching (distributed denial-of-service) attacks against that honeypot network. They can then launch other attacks simultaneously (against other targets)," said David Emm, senior technology consultant for Kaspersky.

Worms can also be programmed to avoid domains known to be monitored by antivirus companies. "Criminals will employ whatever evasive techniques they can," Emm said.

In 2005, cybercriminals increasingly used techniques such as creating their own packing mechanisms to compress malicious code, so that they could try to avoid detection by antivirus software. Creators of malicious software also now routinely include code that will try to either disable antivirus updating mechanisms on infected machines or remove antivirus software completely, Emm said.

Cybercriminals are also increasingly targeting one another to maximize financial gain, according to Kaspersky's research. "It's like any kind of economic venture. Those that get smarter survive. Organized criminal structures are run as businesses, and they take over smaller guys," Emm said.

Kaspersky also said that cybercriminals often launch distributed denial-of-service attacks against rivals to stop them from operating, and they attempt to hijack each other's botnets. They also program their software to attempt to disable any other malicious software that has already been installed on an infected PC.

"Criminals have realized that it is much simpler to obtain already infected resources than to maintain their own botnets or to spend money on buying parts of botnets which are already in use," Yury Mashevsky, a virus analyst at Kaspersky, said in the report.

Kaspersky also reported that it had detected a five-fold increase over 2005 in the amount of malicious software designed to steal financial information.

Tom Espiner of ZDNet UK reported from London.
From isn at c4i.org Thu Apr 6 04:29:37 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Apr 2006 03:29:37 -0500 (CDT)
Subject: [ISN] VSC narrows down personal data exposed by laptop theft
Message-ID:

http://www.rutlandherald.com/apps/pbcs.dll/article?AID=/20060406/NEWS/604060353/1004/EDUCATION05

By Darren M. Allen
Vermont Press Bureau
April 6, 2006

MONTPELIER - A month after the theft of a laptop computer containing personal information of thousands of students and employees of the Vermont State Colleges system, officials are narrowing down the types of private information that were exposed.

In a system-wide e-mail sent Monday to students, faculty, staff and alumni of the five state colleges, VSC Chancellor Robert Clarke emphasized the colleges' assertion that no personal information has been accessed or compromised from the laptop, which has not been recovered.

"We have no evidence to date that personal data were actually retrieved or misused," Clarke said. "The laptop has not been recovered by law enforcement, so our ongoing information requires working with staff who may have exchanged e-mails and attachments with teams including the owner of the stolen laptop."

The concealed laptop was stolen Feb. 28 from the chief information officer's car while it was parked on the streets of Montreal. The car, according to Karrin Wilks, the colleges' vice president for academic and strategic planning, was broken into by someone who also stole a pair of skis and other visible valuables.

The colleges have been under fire recently because they did not notify the nearly 20,000 people whose personal financial information was potentially available on the laptop until three weeks after the theft occurred. The faculty union has asked its attorney to look into why it took so long to notify its members of the potential information breach, and the state employees union has registered its displeasure as well.
In his memo this week, Clarke said the colleges notified all banks in Vermont, New Hampshire and New York on March 27 of the theft and potential release of financial information.

The memo did specify the types of information that were potentially on the laptop. College administrators said access to the system's computer networks from the stolen laptop was immediately blocked as soon as they were notified of the theft.

Employee information from June 2002 to November 2005 may have been archived on the laptop. The data, which includes names, addresses, Social Security numbers, salary, taxes, withholding and wage garnishment information, as well as bank account numbers for people with direct-deposit accounts, were not encrypted, the memo said.

Admissions information for all students from June 2002 to December 2004 could have been on the computer. That data includes names, addresses, birth dates, Social Security numbers and academic records such as college placement exams.

Clarke said that information on parents, spouses and dependents was not on the laptop.

Wilks, in a brief interview Wednesday, said the VSC system is in the midst of developing policies for future breaches of information. She said VSC over the weekend also mailed detailed information about the theft to 50,000 students, former students, faculty, staff and former employees.

The laptop theft was followed by an incident late last month in which someone hacked into the Lyndon State College e-mail system. Someone pretended to be the school's computer administrator, sending out a mass e-mail in his name and warning about identity theft. The hacker has not been identified, and a Lyndon spokesman on Wednesday said the investigation was continuing.

Last fall, the colleges also had a computer security breach in which the Social Security numbers of Vermont Technical College students were posted on a school Web site.
Sensitivity to the disclosure of personal financial information is increasing nationwide because of fears of identity theft. Armed with such information, thieves can pretend to be other people and establish credit in their names, drain their bank accounts and make charges to their credit cards.

Sen. Patrick Leahy, D-Vt., has sponsored a measure in Congress that would make it easier for consumers to protect their own information. This would include a provision forcing companies or entities who lose information to inform their customers of the potential threat.

© 2006 Rutland Herald

From isn at c4i.org Fri Apr 7 01:32:39 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Apr 2006 00:32:39 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-14
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2006-03-30 - 2006-04-06

                        This week : 65 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.
As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Hai Nam Luke has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.

The vulnerability can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/?s

Reference:
http://secunia.com/SA19521

--

A vulnerability has been reported in McAfee WebShield SMTP, which can be exploited by malicious people to compromise a vulnerable system.

Additional information is available in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA19491

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
2. [SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
3. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
4. [SA19491] McAfee WebShield SMTP Format String Vulnerability
5. [SA19451] McAfee VirusScan DUNZIP32.dll Buffer Overflow Vulnerability
6. [SA19461] Claroline Multiple Vulnerabilities
7. [SA19455] Samba Exposure of Machine Account Credentials
8. [SA19469] Dia XFig Import Plugin Buffer Overflow Vulnerabilities
9. [SA18963] Mac OS X File Association Meta Data Shell Script Execution
10. [SA19218] Flash Player Unspecified Code Execution Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA19491] McAfee WebShield SMTP Format String Vulnerability
[SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
[SA19513] Ultr@VNC Buffer Overflow Vulnerabilities
[SA19500] SiteMan "txtpassword" SQL Injection Vulnerability
[SA19535] SynchronEyes Denial of Service Vulnerabilities
[SA19529] HP Color LaserJet 2500/4600 Toolbox Disclosure of Sensitive Information

UNIX/Linux:
[SA19540] Debian update for kaffeine
[SA19533] SGI IRIX update for sendmail
[SA19532] SGI Advanced Linux Environment Multiple Updates
[SA19528] Gentoo update for horde
[SA19525] Kaffeine Player "http_peek()" Function Buffer Overflow
[SA19509] X-Doom Denial of Service and Buffer Overflow Vulnerabilities
[SA19504] SUSE Updates for Multiple Packages
[SA19485] Horde Help Viewer Unspecified Code Execution Vulnerability
[SA19478] Crafty Syntax Image Gallery Multiple Vulnerabilities
[SA19522] Ubuntu update for mailman
[SA19517] Gentoo update for mediawiki
[SA19507] Ubuntu update for dia
[SA19505] Mandriva update for dia
[SA19472] XFIT/S File Transfer Denial of Service Vulnerability
[SA19469] Dia XFig Import Plugin Buffer Overflow Vulnerabilities
[SA19499] Mandriva update for php
[SA19527] Gentoo update for freeradius
[SA19518] Red Hat update for freeradius
[SA19497] Mandriva update for freeradius
[SA19539] Trustix update for samba
[SA19502] Mandriva update for MySQL
[SA19489] Debian update for storebackup
[SA19468] Fedora update for samba
[SA19490] HP-UX passwd Unspecified Denial of Service Vulnerability
[SA19477] BusyBox MD5 Password Hash Generation Weakness

Other:

Cross Platform:
[SA19524] Virtual War "vwar_root" File Inclusion Vulnerabilities
[SA19515] Doomsday Format String Vulnerabilities
[SA19514] Barracuda Spam Firewall Archives Buffer Overflow Vulnerabilities
[SA19501] PHPNuke-Clan "vwar_root" File Inclusion Vulnerability
[SA19498] Exponent CMS Unspecified PHP Code Injection Vulnerabilities
[SA19496] Zdaemon Denial of Service and Buffer Overflow Vulnerabilities
[SA19482] SQuery "libpath" Multiple File Inclusion Vulnerabilities
[SA19541] CzarNews Script Insertion and SQL Injection Vulnerabilities
[SA19538] wpBlog "postid" SQL Injection Vulnerability
[SA19530] MD News "id" SQL Injection Vulnerability
[SA19526] N.T. Multiple Vulnerabilities
[SA19523] Softbiz Image Gallery Script Multiple Vulnerabilities
[SA19516] MyBB "email" BBcode Script Insertion Vulnerability
[SA19512] gtd-php Cross-Site Scripting and Script Insertion Vulnerabilities
[SA19510] Basic Analysis and Security Engine Authentication Bypass
[SA19508] MediaWiki Encoded Links Script Insertion Vulnerability
[SA19503] MonAlbum Multiple SQL Injection Vulnerabilities
[SA19493] Struts Multiple Vulnerabilities
[SA19488] Interact Multiple Vulnerabilities and Weakness
[SA19487] aWebNews Multiple Vulnerabilities
[SA19486] aWebBB Multiple Vulnerabilities
[SA19481] Oxygen "fid" SQL Injection Vulnerability
[SA19479] QLnews Multiple Vulnerabilities
[SA19476] qliteNews "loginprocess.php" SQL Injection Vulnerability
[SA19475] RedCMS SQL Injection and Script Insertion Vulnerabilities
[SA19470] ReloadCMS Statistics Script Insertion Vulnerability
[SA19520] Blank'N'Berg Directory Traversal and Cross-Site Scripting
[SA19511] KGB Archiver Directory Traversal Vulnerability
[SA19506] WebAPP Cross-Site Scripting Vulnerabilities
[SA19494] phpBB "cur_password" Cross-Site Scripting Vulnerability
[SA19492] Bugzero Cross-Site Scripting Vulnerabilities
[SA19483] Groupmax World Wide Web Cross-Site Scripting Vulnerability
[SA19474] Esqlanelapse Unspecified Cross-Site Scripting Vulnerability
[SA19471] Mantis Cross-Site Scripting Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:

--
[SA19491] McAfee WebShield SMTP Format String Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-04-04

Ollie Whitehouse has reported a vulnerability in McAfee WebShield SMTP, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19491/

--
[SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2006-04-04

Hai Nam Luke has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.

Full Advisory:
http://secunia.com/advisories/19521/

--
[SA19513] Ultr@VNC Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-04-05

Luigi Auriemma has reported two vulnerabilities in Ultr@VNC, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19513/

--
[SA19500] SiteMan "txtpassword" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-04-03

S3rv3r_hack3r has reported a vulnerability in SiteMan, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19500/

--
[SA19535] SynchronEyes Denial of Service Vulnerabilities
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-04-05

Dennis Elser has reported two vulnerabilities in SynchronEyes, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/19535/

--
[SA19529] HP Color LaserJet 2500/4600 Toolbox Disclosure of Sensitive Information
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-04-05

Richard Horsman has reported a vulnerability in the HP Color LaserJet 2500 Toolbox and HP Color LaserJet 4600 Toolbox software, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/19529/

UNIX/Linux:

--
[SA19540] Debian update for kaffeine
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-04-05

Debian has issued an update for kaffeine. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19540/

--
[SA19533] SGI IRIX update for sendmail
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-04-05

SGI has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19533/

--
[SA19532] SGI Advanced Linux Environment Multiple Updates
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Exposure of system information, Privilege escalation, DoS, System access
Released: 2006-04-05

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities and a security issue, which can be exploited by malicious, local users to gain escalated privileges and read arbitrary cron files, and by malicious people to bypass certain security restrictions, potentially cause a DoS (Denial of Service), and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19532/

--
[SA19528] Gentoo update for horde
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2006-04-05

Gentoo has issued an update for horde. This fixes some vulnerabilities, which can be exploited by malicious people to disclose sensitive information or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19528/

--
[SA19525] Kaffeine Player "http_peek()" Function Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-04-04

A vulnerability has been reported in Kaffeine Player, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19525/

--
[SA19509] X-Doom Denial of Service and Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-04-03

Luigi Auriemma has reported two vulnerabilities in X-Doom, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19509/

--
[SA19504] SUSE Updates for Multiple Packages
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-04-03

SUSE has issued updates for multiple packages. These fix some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19504/

--
[SA19485] Horde Help Viewer Unspecified Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-04-03

A vulnerability has been reported in Horde, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19485/

--
[SA19478] Crafty Syntax Image Gallery Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2006-04-05

r0t has discovered some vulnerabilities in Crafty Syntax Image Gallery, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19478/

--
[SA19522] Ubuntu update for mailman
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, DoS
Released: 2006-04-04

Ubuntu has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19522/

--
[SA19517] Gentoo update for mediawiki
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-04

Gentoo has issued an update for mediawiki. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19517/

--
[SA19507] Ubuntu update for dia
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-04-03

Ubuntu has issued an update for dia. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19507/

--
[SA19505] Mandriva update for dia
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-04-04

Mandriva has issued an update for dia. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19505/

--
[SA19472] XFIT/S File Transfer Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-31

A vulnerability has been reported in XFIT/S, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19472/

--
[SA19469] Dia XFig Import Plugin Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-03-31

Some vulnerabilities have been reported in Dia, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19469/

--
[SA19499] Mandriva update for php
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-04-04

Mandriva has issued an update for php. This fixes a vulnerability, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19499/

--
[SA19527] Gentoo update for freeradius
Critical: Less critical
Where: From local network
Impact: Security Bypass, DoS
Released: 2006-04-05

Gentoo has issued an update for freeradius. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19527/

--
[SA19518] Red Hat update for freeradius
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information, DoS
Released: 2006-04-04

Red Hat has issued an update for freeradius. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), to bypass certain security restrictions, and potentially to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/19518/

--
[SA19497] Mandriva update for freeradius
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-04-06

Mandriva has issued an update for freeradius. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19497/

--
[SA19539] Trustix update for samba
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-04-05

Trustix has issued an update for samba. This fixes a security issue, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/19539/

--
[SA19502] Mandriva update for MySQL
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-04-04

Mandriva has issued an update for MySQL. This fixes a security issue, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19502/

--
[SA19489] Debian update for storebackup
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, Privilege escalation
Released: 2006-04-04

Debian has issued an update for storebackup. This fixes a vulnerability and a security issue, which potentially can be exploited by malicious, local users to gain access to sensitive information or perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/19489/

--
[SA19468] Fedora update for samba
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-03-31

Fedora has issued an update for samba. This fixes a security issue, which can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/19468/

--
[SA19490] HP-UX passwd Unspecified Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-04-03

A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19490/

--
[SA19477] BusyBox MD5 Password Hash Generation Weakness
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2006-03-31

taviso has reported a weakness in Busybox, which potentially can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19477/

Other:

Cross Platform:

--
[SA19524] Virtual War "vwar_root" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-04-04

Some vulnerabilities have been discovered in Virtual War, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19524/

--
[SA19515] Doomsday Format String Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-04-04

Luigi Auriemma has reported two vulnerabilities in Doomsday, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19515/

--
[SA19514] Barracuda Spam Firewall Archives Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-04-04

Jean-Sébastien Guay-Leroux has reported two vulnerabilities in Barracuda Spam Firewall, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19514/

--
[SA19501] PHPNuke-Clan "vwar_root" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-04-03

uid0 has discovered a vulnerability in PHPNuke-Clan, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19501/

--
[SA19498] Exponent CMS Unspecified PHP Code Injection Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Unknown, System access
Released: 2006-04-03

Two vulnerabilities have been reported in Exponent CMS, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19498/

--
[SA19496] Zdaemon Denial of Service and Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-04-03

Luigi Auriemma has reported two vulnerabilities in Zdaemon, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19496/

--
[SA19482] SQuery "libpath" Multiple File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-04-03

uid0 has discovered some vulnerabilities in SQuery, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19482/

--
[SA19541] CzarNews Script Insertion and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2006-04-05

Aliaksandr Hartsuyeu has reported some vulnerabilities in CzarNews, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19541/

--
[SA19538] wpBlog "postid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-04-05

Aliaksandr Hartsuyeu has reported a vulnerability in wpBlog, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19538/

--
[SA19530] MD News "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-04-06

Aliaksandr Hartsuyeu has discovered a vulnerability in MD News, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19530/

--
[SA19526] N.T. Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-04-05

Aliaksandr Hartsuyeu has discovered some vulnerabilities in N.T., which can be exploited by malicious people to conduct script insertion attacks and by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19526/

--
[SA19523] Softbiz Image Gallery Script Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-04-04

Some vulnerabilities have been reported in Softbiz Image Gallery Script, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19523/

--
[SA19516] MyBB "email" BBcode Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-04

Devil-00 has discovered a vulnerability in MyBB, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19516/

--
[SA19512] gtd-php Cross-Site Scripting and Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-03

Jericho has discovered some vulnerabilities in gtd-php, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19512/

--
[SA19510] Basic Analysis and Security Engine Authentication Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-04-03

A vulnerability has been reported in Basic Analysis and Security Engine, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19510/

--
[SA19508] MediaWiki Encoded Links Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-03

A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19508/

--
[SA19503] MonAlbum Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-04-03

undefined1 has discovered some vulnerabilities in MonAlbum, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19503/

--
[SA19493] Struts Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, DoS
Released: 2006-04-03

Some vulnerabilities have been reported in Struts, which can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19493/

--
[SA19488] Interact Multiple Vulnerabilities and Weakness
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information
Released: 2006-04-05

Pratiksha Doshi has discovered some vulnerabilities and a weakness in Interact, which can be exploited by malicious people to gain knowledge of certain information, and conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19488/

--
[SA19487] aWebNews Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-04-03

Aliaksandr Hartsuyeu has discovered some vulnerabilities in aWebNews, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19487/

--
[SA19486] aWebBB Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-04-03

Aliaksandr Hartsuyeu has discovered some vulnerabilities in aWebBB, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19486/

--
[SA19481] Oxygen "fid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-31

DaBDouB-MoSiKaR has discovered a vulnerability in Oxygen, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19481/

--
[SA19479] QLnews Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-03-31

Aliaksandr Hartsuyeu has discovered multiple vulnerabilities in QLnews, which can be exploited by malicious users to compromise a vulnerable system or by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19479/

--
[SA19476] qliteNews "loginprocess.php" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-31

Aliaksandr Hartsuyeu has discovered a vulnerability in qliteNews, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19476/

--
[SA19475] RedCMS SQL Injection and Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-31

Aliaksandr Hartsuyeu has discovered some vulnerabilities in RedCMS, which can be exploited by malicious people to conduct SQL injection and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19475/

--
[SA19470] ReloadCMS Statistics Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-03

rgod has discovered a vulnerability in ReloadCMS, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19470/

--
[SA19520] Blank'N'Berg Directory Traversal and Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2006-04-04

Amine ABOUD has discovered a vulnerability and a weakness in Blank'N'Berg, which can be exploited by malicious people to disclose system information and conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19520/

--
[SA19511] KGB Archiver Directory Traversal Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-04-03

A vulnerability has been reported in KGB Archiver, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19511/

--
[SA19506] WebAPP Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-03

r0t has discovered some vulnerabilities in WebAPP, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19506/

--
[SA19494] phpBB "cur_password" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-03

Preddy has discovered a vulnerability in phpBB, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19494/

--
[SA19492] Bugzero Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-03

Some vulnerabilities have been discovered in Bugzero, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19492/

--
[SA19483] Groupmax World Wide Web Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-31

A vulnerability has been reported in Groupmax World Wide Web, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19483/

--
[SA19474] Esqlanelapse Unspecified Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-31

A vulnerability has been reported in Esqlanelapse, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19474/

--
[SA19471] Mantis Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-31

r0t has discovered some vulnerabilities in Mantis, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19471/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Apr 7 01:33:15 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Apr 2006 00:33:15 -0500 (CDT)
Subject: [ISN] LayerOne 2006 - Finalized Speaker Line-Up Announced
Message-ID:

Forwarded from: Layer One

With less than two weeks to go LayerOne would like to announce that this year's Call For Papers is now closed. We would like to thank everyone that submitted a paper. The response we received was so overwhelming that we will be making changes to the show for next year to accommodate more speakers (i.e. adding a day, multiple tracks, etc.).

We have made our selections and the final speaker line-up and schedule can be viewed on our website.

Pre-registration is still open, but will be closing at midnight on April the 8th. Tickets will be available at the door, but the cost will be 80 dollars.

Once again, we would like to thank everyone in the community who has supported us and we look forward to seeing you on the 15th.

Event details are as follows:

LayerOne 2006
April 15-16, 2006
Pasadena Hilton, Pasadena, CA
http://layerone.info

-The LayerOne Staff

From isn at c4i.org Fri Apr 7 01:33:26 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Apr 2006 00:33:26 -0500 (CDT)
Subject: [ISN] DOD IPv6 director arrested for possession of child porn
Message-ID:

http://www.gcn.com/online/vol1_no1/40341-1.html

By Patience Wait
GCN Staff
04/06/06

A high-ranking Defense Department IT official has been arrested and indicted on child pornography charges.

Charles Lynch, director of the Defense Information Systems Agency's Internet Protocol version 6 transition program, was arrested March 8 and indicted in the U.S. District Court for the Eastern District of Virginia the next day on one count of possessing child pornography.
According to a statement by the DOD Inspector General's Office, court documents allege that Lynch had been operating a peer-to-peer file-sharing program on a computer in his office at DISA. Agents confiscated several computers and more than 1,000 CDs from Lynch's office. Agents found child pornography in computer file folders, the IG's statement said. Lynch, 44, is on leave without pay from DISA. If convicted, he faces up to 10 years in prison. The investigation is being conducted by the Defense Criminal Investigative Service, the Federal Bureau of Investigation and the DISA OIG. Officials with those agencies, as well as the U.S. Attorney's Office, declined to comment on the ongoing investigation. In apparently unrelated cases, a Homeland Security Department official was arrested earlier this week for soliciting sex over the Internet with a minor. And last week, federal agents seized computer equipment from the desk of a NASA official March 29, based on information developed during a U.S. Postal Inspection Service undercover investigation of Internet trafficking in child pornography. From isn at c4i.org Fri Apr 7 01:33:42 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 7 Apr 2006 00:33:42 -0500 (CDT) Subject: [ISN] Why VOIP Needs Crypto Message-ID: http://www.wired.com/news/columns/0,70591-0.html By Bruce Schneier Apr, 06, 2006 There are basically four ways to eavesdrop on a telephone call. One, you can listen in on another phone extension. This is the method preferred by siblings everywhere. If you have the right access, it's the easiest. While it doesn't work for cell phones, cordless phones are vulnerable to a variant of this attack: A radio receiver set to the right frequency can act as another extension. Two, you can attach some eavesdropping equipment to the wire with a pair of alligator clips. It takes some expertise, but you can do it anywhere along the phone line's path -- even outside the home. 
This used to be the way the police eavesdropped on your phone line. These days it's probably most often used by criminals. This method doesn't work for cell phones, either.

Three, you can eavesdrop at the telephone switch. Modern phone equipment includes the ability for someone to listen in this way. Currently, this is the preferred police method. It works for both land lines and cell phones. You need the right access, but if you can get it, this is probably the most comfortable way to eavesdrop on a particular person.

Four, you can tap the main trunk lines, eavesdrop on the microwave or satellite phone links, etc. It's hard to eavesdrop on one particular person this way, but it's easy to listen in on a large chunk of telephone calls. This is the sort of big-budget surveillance that organizations like the National Security Agency do best. They've even been known to use submarines to tap undersea phone cables.

That's basically the entire threat model for traditional phone calls. And when most people think about IP telephony -- voice over internet protocol, or VOIP -- that's the threat model they probably have in their heads.

Unfortunately, phone calls from your computer are fundamentally different from phone calls from your telephone. Internet telephony's threat model is much closer to the threat model for IP-networked computers than the threat model for telephony.

And we already know the threat model for IP. Data packets can be eavesdropped on anywhere along the transmission path. Data packets can be intercepted in the corporate network, by the internet service provider and along the backbone. They can be eavesdropped on by the people or organizations that own those computers, and they can be eavesdropped on by anyone who has successfully hacked into those computers. They can be vacuumed up by nosy hackers, criminals, competitors and governments.

It's comparable to threat No. 3 above, but with the scope vastly expanded.

My greatest worry is the criminal attacks.
We already have seen how clever criminals have become over the past several years at stealing account information and personal data. I can imagine them eavesdropping on attorneys, looking for information with which to blackmail people. I can imagine them eavesdropping on bankers, looking for inside information with which to make stock purchases. I can imagine them stealing account information, hijacking telephone calls, committing identity theft. On the business side, I can see them engaging in industrial espionage and stealing trade secrets. In short, I can imagine them doing all the things they could never have done with the traditional telephone network.

This is why encryption for VOIP is so important. VOIP calls are vulnerable to a variety of threats that traditional telephone calls are not. Encryption is one of the essential security technologies for computer data, and it will go a long way toward securing VOIP.

The last time this sort of thing came up, the U.S. government tried to sell us something called "key escrow." Basically, the government likes the idea of everyone using encryption, as long as it has a copy of the key. This is an amazingly insecure idea for a number of reasons, mostly boiling down to the fact that when you provide a means of access into a security system, you greatly weaken its security.

A recent case in Greece demonstrated that perfectly: Criminals used a cell-phone eavesdropping mechanism already in place, designed for the police to listen in on phone calls. Had the call system been designed to be secure in the first place, there never would have been a backdoor for the criminals to exploit.

Fortunately, there are many VOIP-encryption products available. Skype has built-in encryption. Phil Zimmermann is releasing Zfone, an easy-to-use open-source product. There's even a VOIP Security Alliance.

Encryption for IP telephony is important, but it's not a panacea. Basically, it takes care of threats No. 2 through No. 4, but not threat No. 1. Unfortunately, that's the biggest threat: eavesdropping at the end points. No amount of IP telephony encryption can prevent a Trojan or worm on your computer -- or just a hacker who managed to get access to your machine -- from eavesdropping on your phone calls, just as no amount of SSL or e-mail encryption can prevent a Trojan on your computer from eavesdropping -- or even modifying -- your data.

So, as always, it boils down to this: We need secure computers and secure operating systems even more than we need secure transmission.

-=-

Bruce Schneier is the CTO of Counterpane Internet Security and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can contact him through his website.

From isn at c4i.org Fri Apr 7 01:33:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Apr 2006 00:33:56 -0500 (CDT)
Subject: [ISN] Data breach at Progressive highlights insider threat

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,110303,00.html

By Jaikumar Vijayan
APRIL 06, 2006
COMPUTERWORLD

A recent case in which an employee at Progressive Casualty Insurance Co. wrongfully accessed information on foreclosure properties she was interested in buying highlights again the dangers posed to corporate security by insiders.

Progressive officials today confirmed that the company sent out letters in January to 13 people informing them that confidential information, including names, Social Security numbers, birth dates and property addresses had been wrongfully accessed by an employee who has since been fired.

Michael O'Connor, a spokesman for the Mayfield Village, Ohio-based company, said officials were alerted to the situation when a local woman complained about receiving calls from a Progressive agent inquiring about her house being under foreclosure.

"What happened was that the former employee, who purchased foreclosure property, wrongly used the information in a real estate database," O'Connor said.
Though there was no actual hacking involved to get at the data, her actions constituted a violation of Progressive's code of ethics, O'Connor said. "We investigated the situation, the employee was terminated, and we alerted the people whose data was accessed," he said, adding that the matter was resolved in January.

Such incidents underscore the threat posed to corporate data by malicious insiders and by workers who accidentally leak sensitive information, said Phil Neray, a vice president at Guardium Inc., a Waltham, Mass.-based vendor of database security products.

"Most companies have done a good job with perimeter security" and are now finding out they need similar controls internally, Neray said. The trend is behind a growing need for tools that help companies monitor, detect and audit all activity going on inside networks, databases and applications, he said.

One such tool from Reconnex Corp. has been helping Sirva Inc., a Westmont, Ill.-based provider of relocation services with more than 7,000 employees worldwide, keep tabs on its intellectual property and other sensitive data while the company goes through a series of divestitures.

"One of the things that happens after a divestiture is that people take the stuff they are working on to their new companies," and Sirva needed a way to prevent that, said Chuck Shmayel, vice president of infrastructure and security at the company.

Reconnex's appliance sits at Sirva's network-egress points in each of its four data centers and monitors traffic to ensure that confidential information doesn't exit its networks, either by accident or design. "As a relocation service, we handle a lot of confidential information on behalf of our customers, and we want to make sure it's protected," he said.
Implementing specific controls for monitoring what's flowing out of enterprise networks can go a long way towards mitigating accidental and deliberate data leaks, said Mark Moroses, senior director of technical services at Maimonides Medical Center in Brooklyn, N.Y.

As an entity covered by the Health Insurance Portability and Accountability Act, Maimonides is required by law to have controls for securing protected health information (PHI). The hospital is using Reconnex's appliance to detect PHI leaving its networks in an unauthorized fashion, Moroses said.

"From our point of view, the insider threat comes from people either knowingly or unknowingly damaging our reputation" by leaking sensitive information, Moroses said. "Patients come here for AIDS tests and for pregnancy tests that they don't want to share" with other people, he said. "A patient is not going to come to our hospital if they think we are not doing everything to protect their information. So our reputation is paramount because it affects our bottom-line business."

From isn at c4i.org Fri Apr 7 01:34:08 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Apr 2006 00:34:08 -0500 (CDT)
Subject: [ISN] Another security hole found in IE

http://news.com.com/Another+security+hole+found+in+IE/2100-1002_3-6058557.html

By Joris Evers
Staff Writer, CNET News.com
April 6, 2006

An unpatched vulnerability in Internet Explorer could aid fraudsters in pulling off phishing scams, experts have warned.

The error could be exploited to fake the address bar in a browser window, security monitoring company Secunia said in an advisory published on Tuesday. This tactic could be used in phishing scams that attempt to trick people into believing they are on a legitimate site, when in fact they are viewing a fraudulent Web page.

Phishing is a prevalent type of online scam that seeks to pilfer personal information from unsuspecting Internet users.
The scams typically combine spam e-mail with fraudulent Web sites that appear to come from a trusted source, such as a credit card company or a bank.

The flaw exists because of an error in the way the Microsoft Web browser loads Web pages and Macromedia Flash animations, according to Secunia. The company rates the issue "moderately critical" and has created a special Web page where users can test their Web browser to see if they are affected.

Secunia has confirmed that the vulnerability affects IE 6.0 on Windows XP with all current security patches. It also affects the latest IE 7 Beta release, Secunia said. Other versions may also be affected, it said.

Microsoft is investigating the newly reported flaw, a representative said in an e-mailed statement late Wednesday. "Our initial investigation has revealed that customers who have set their Internet security settings to high, or who have disabled active scripting, are at reduced risk from attack as the attack vector requires scripting," the representative said.

From isn at c4i.org Fri Apr 7 01:34:45 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Apr 2006 00:34:45 -0500 (CDT)
Subject: [ISN] Linux Advisory Watch - April 7th 2006

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  April 7th, 2006                              Volume 7, Number 15n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas       ben at linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
This week advisories were released for apache, storebackup, kaffeine, clamav, dia, sash, mailman, rpm, scim-hangul, scim, mrtg, wpa_supplicant, samba, policycoreutils, selinux-policy, mc, k3b, open office, pcmciautils, gnome-applets, binutils, sendmail, newt, dovecot, dia, sane-backends, iptraf, tix, xscreensaver, liboil, alsa-utils, system-config-printer, horde, freeradius, mysql, and openmotif. The distributors include Debian, Fedora, Gentoo, Mandriva, and Red Hat.

---

Review: The TCP/IP Guide
By: Eric Lubow

To be a comprehensive source of information is something that any and every author attempts to be in their works. While writing The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference, Charles Kozierok was nothing short of comprehensive. In this 1616 page, 88 chapter reference of the TCP/IP protocol set, all the important topics are covered.

Normally, when I review books, I give a little bit of information on each chapter. In this case, that would be a little drastic and cause an extremely long review. Whatever little I write as a summary here just will not do this guide the justice it deserves for the effort of the author. Although the book covers such a wide variety of topics, each one is covered very thoroughly.
Beginning with basic networking concepts and moving into the OSI (Open Systems Interconnection) model, the bases are fully covered. He even goes so far in depth as to discuss the standards organizations that contribute to, support, and govern networking and the Internet. Once the OSI model is covered, he goes on to talk about how TCP, UDP, and IP protocols integrate themselves into the OSI model.

The first topic that is covered within the TCP/IP protocol suite is the interface protocols: SLIP and PPP. Every major PPP and SLIP sub item is covered within the chapters. These include: LCP, PAP, CHAP, ECP, PPP MP, just to name a few. The next set of chapters covers ARP, RARP, IPv4, IPv6, IP NAT and IP Sec. This basically covers how to move from level 2 to level 3 in the OSI model. Following the OSI model up, he then covers ICMPv4 and ICMPv6 prior to proceeding into routing. The routing protocols covered are: RIP, RIP-2, RIPng, OSPF, BGP3, BGP4, GGP, EGP, EGRP, EIGRP, and HELLO.

After thoroughly covering how data moves from place to place on the lower levels of the OSI model, he begins by covering TCP and UDP by session establishment and handshaking. Since the book is about TCP protocols, there is a lot of discussion and diagrams of message headers and the theory behind TCP and UDP being designed the way they are.

Since all these protocols are merely transport mechanisms for higher level applications, a great deal of time in this book is dedicated to how those higher level applications function. Some of these applications and systems are: DNS, NFS, BOOTP, DHCP, SNMP, RMON, URI and URL structure, FTP, TFP, Email systems including SMTP and MIME structures, HTTP (transfers, encoding, messages, entities, etc), NNTP, and Gopher (again to name just a few). All of these applications that now have counterparts that support IPv6 are also examined and broken down.
Each one of the topics listed above has associated diagrams and message layouts to allow as deep a comprehension as is desired by the reader.

He finishes up the book talking about remote application protocols and troubleshooting tools. This is especially handy information to have at your fingertips if you are constantly troubleshooting network or application level issues. He even goes so far as to break down common UNIX and Windows commands into their command lines and what the output is actually saying about the state of the packet, interface, application, or network.

Read More:
http://www.linuxsecurity.com/content/view/122263/49/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
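The "adjacent buffer" effect described above, as an added example that is not part of the newsletter or the linked article: a constructed 12-byte layout holds an 8-byte name field followed by a 4-byte flag, and a copy that trusts the input length is shown beside one that checks the destination's capacity first. The layout, field names and sample input are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed layout for the demonstration: an 8-byte name buffer immediately
 * followed by a 4-byte "record valid" flag, the way two neighbouring fields sit
 * in a struct or on the stack. Both live inside one array, so the spill is
 * modelled inside that array and the program itself stays well-defined. */
#define NAME_LEN 8
#define FLAG_LEN 4
#define REGION_LEN (NAME_LEN + FLAG_LEN)

struct region {
    unsigned char mem[REGION_LEN];
};

/* Zero the name and set the flag to 1 (stored least-significant byte first). */
static void region_init(struct region *r)
{
    memset(r->mem, 0, sizeof r->mem);
    r->mem[NAME_LEN] = 0x01;
}

/* Read the flag back from the four bytes that follow the name buffer. */
static uint32_t region_flag(const struct region *r)
{
    const unsigned char *f = r->mem + NAME_LEN;
    return (uint32_t)f[0] | (uint32_t)f[1] << 8 |
           (uint32_t)f[2] << 16 | (uint32_t)f[3] << 24;
}

/* Vulnerable pattern: the number of bytes written is taken from the input,
 * not from the size of the destination. The cap at REGION_LEN only keeps the
 * demo inside its own array; a real strcpy() has no cap at all. */
static void copy_name_unchecked(struct region *r, const char *src)
{
    size_t n = strlen(src) + 1;             /* bytes the input "asks" to write */
    if (n > REGION_LEN)
        n = REGION_LEN;
    memcpy(r->mem, src, n);
}

/* Hardened pattern: compare the input against the destination's capacity and
 * refuse anything that would not fit together with its terminator. */
static int copy_name_checked(struct region *r, const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN)
        return -1;                          /* rejected: would overflow */
    memcpy(r->mem, src, n + 1);
    return 0;
}

/* Flag value after an unchecked copy of `name`. For a 12-character name the
 * four surplus bytes land on the flag, so it no longer reads 1. */
uint32_t flag_after_unchecked_copy(const char *name)
{
    struct region r;
    region_init(&r);
    copy_name_unchecked(&r, name);
    return region_flag(&r);
}

/* Return code of the checked copy of `name`; *flag receives the flag value
 * afterwards, which stays 1 whether the copy was accepted or rejected. */
int checked_copy_result(const char *name, uint32_t *flag)
{
    struct region r;
    region_init(&r);
    int rc = copy_name_checked(&r, name);
    *flag = region_flag(&r);
    return rc;
}

int main(void)
{
    /* Constructed over-long input: 12 'A's (0x41) where 7 plus a terminator fit. */
    const char *overlong = "AAAAAAAAAAAA";
    uint32_t flag;

    printf("unchecked copy: flag = 0x%08lx\n",
           (unsigned long)flag_after_unchecked_copy(overlong));
    int rc = checked_copy_result(overlong, &flag);
    printf("checked copy:   rc = %d, flag = 0x%08lx\n", rc, (unsigned long)flag);
    return 0;
}
```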
http://www.linuxsecurity.com/content/view/119087/49/

--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New Apache2::Request packages fix denial of service
  3rd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122186

* Debian: New storebackup packages fix several vulnerabilities
  3rd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122206

* Debian: New Linux kernel 2.4.27 packages fix several vulnerabilities
  5th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122222

* Debian: New kaffeine packages fix arbitrary code execution
  5th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122223

* Debian: New clamav packages fix several vulnerabilities
  5th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122237

* Debian: New dia packages fix arbitrary code execution
  6th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122244

* Debian: New sash packages fix potential arbitrary code execution
  6th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122245

* Debian: New mailman packages fix denial of service
  6th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122246

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: kernel-2.6.16-1.2069_FC4
  30th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122170

* Fedora Core 4 Update: rpm-4.4.1-23
  30th, March, 2006
  This update fixes an issue with a double free experienced in verification with matchpathcon.
  http://www.linuxsecurity.com/content/view/122171

* Fedora Core 5 Update: scim-hangul-0.2.2-1.fc5
  30th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122172

* Fedora Core 5 Update: scim-anthy-1.0.0-1.fc5
  30th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122173

* Fedora Core 5 Update: mrtg-2.13.2-0.fc5.1
  30th, March, 2006
  Fixes the RouterUptime option.
  http://www.linuxsecurity.com/content/view/122174

* Fedora Core 5 Update: wpa_supplicant-0.4.8-6.fc5
  30th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122175

* Fedora Core 5 Update: samba-3.0.22-1.fc5
  30th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122176

* Fedora Core 5 Update: policycoreutils-1.30.1-3.fc5
  3rd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122189

* Fedora Core 5 Update: selinux-policy-2.2.25-3.fc5
  3rd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122190

* Fedora Core 5 Update: mc-4.6.1a-12.FC5
  3rd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122191

* Fedora Core 5 Update: k3b-0.12.14-0.FC5.2
  3rd, April, 2006
  Update to version 0.12.14.
  http://www.linuxsecurity.com/content/view/122192

* Fedora Core 4 Update: k3b-0.12.14-0.FC4.1
  3rd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122193

* Fedora Core 5 Update: openoffice.org-2.0.2-5.7.2
  3rd, April, 2006
  Fixes for a11y and font handling.
  http://www.linuxsecurity.com/content/view/122194

* Fedora Core 5 Update: pcmciautils-012-0.FC5.2
  3rd, April, 2006
  Users with pcmcia, namely laptop users, who experience a hangup at "Starting udev" should update to this package.
  http://www.linuxsecurity.com/content/view/122195

* Fedora Core 5 Update: gnome-applets-2.14.0-1.fc5
  3rd, April, 2006
  This update allows the gswitchit applet's plugins to work.
  http://www.linuxsecurity.com/content/view/122196

* Fedora Core 5 Update: perl-HTML-Parser-3.51-1.FC5
  3rd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122197

* Fedora Core 5 Update: perl-DBD-Pg-1.47-0.1.FC5
  3rd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122198

* Fedora Core 5 Update: perl-Net-DNS-0.57-1
  3rd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122199

* Fedora Core 5 Update: binutils-2.16.91.0.6-5
  3rd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122200

* Fedora Core 5 Update: wpa_supplicant-0.4.8-7.fc5
  3rd, April, 2006
  This update works around older and 3rd-party drivers that report wireless network names incorrectly, causing wpa_supplicant to prematurely terminate a wireless connection.
  http://www.linuxsecurity.com/content/view/122201

* Fedora Core 5 Update: gthumb-2.7.5.1-1.fc5.1
  4th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122221

* Fedora Core 4 Update: sendmail-8.13.6-0.FC4.1
  5th, April, 2006
  A flaw in the handling of asynchronous signals. A remote attacker may be able to exploit a race condition to execute arbitrary code as root.
  http://www.linuxsecurity.com/content/view/122232

* Fedora Core 5 Update: sendmail-8.13.6-0.FC5.1
  5th, April, 2006
  A flaw in the handling of asynchronous signals. A remote attacker may be able to exploit a race condition to execute arbitrary code as root.
  http://www.linuxsecurity.com/content/view/122233

* Fedora Core 5 Update: newt-0.52.2-6
  5th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122234

* Fedora Core 4 Update: dovecot-0.99.14-8.fc4
  5th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122235

* Fedora Core 4 Update: dia-0.94-13.fc4
  5th, April, 2006
  Fixes CVE-2006-1550 Dia multiple buffer overflows.
  http://www.linuxsecurity.com/content/view/122236

* Fedora Core 5 Update: sane-backends-1.0.17-5.fc5.8
  5th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122238

* Fedora Core 5 Update: iptraf-3.0.0-1.3.FC5
  5th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122239

* Fedora Core 5 Update: tix-8.4.0-6
  5th, April, 2006
  The tix package was assembled incorrectly which ended up breaking wish and tkinter/ipython. The libraries are now in the right place.
  http://www.linuxsecurity.com/content/view/122240

* Fedora Core 5 Update: xscreensaver-4.24-2
  6th, April, 2006
  Don't leak zombie processes with the GL SlideShow ScreenSaver.
  http://www.linuxsecurity.com/content/view/122254

* Fedora Core 5 Update: GConf2-2.14.0-1
  6th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122255

* Fedora Core 5 Update: liboil-0.3.8-1.fc5
  6th, April, 2006
  This update rebases liboil to 0.3.8 to help resolve issues required by packages in Fedora Extras.
  http://www.linuxsecurity.com/content/view/122256

* Fedora Core 5 Update: gnome-screensaver-2.14.0-1.fc5
  6th, April, 2006
  This update corrects a problem where kerberos credentials weren't being properly refreshed when a user successfully authenticates in the unlock dialog.
  http://www.linuxsecurity.com/content/view/122257

* Fedora Core 5 Update: alsa-utils-1.0.11-4.rc2
  6th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122258

* Fedora Core 5 Update: system-config-printer-0.6.151.2-1
  6th, April, 2006
  With no configured printers, it was not possible to disable automatic browsing for shared printers.
  http://www.linuxsecurity.com/content/view/122259

* Fedora Core 5 Update: gnome-screensaver-2.14.0-1.fc5.1
  6th, April, 2006
  This update fixes problems detecting idle activity.
  http://www.linuxsecurity.com/content/view/122260

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: MediaWiki Cross-site scripting vulnerability
  4th, April, 2006
  MediaWiki is vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.
  http://www.linuxsecurity.com/content/view/122217

* Gentoo: Horde Application Framework Remote code execution
  4th, April, 2006
  The help viewer of the Horde Framework allows attackers to execute arbitrary remote code.
  http://www.linuxsecurity.com/content/view/122219

* Gentoo: FreeRADIUS Authentication bypass in EAP-MSCHAPv2
  4th, April, 2006
  The EAP-MSCHAPv2 module of FreeRADIUS is affected by a validation issue which causes some authentication checks to be bypassed.
  http://www.linuxsecurity.com/content/view/122220

* Gentoo: Kaffeine Buffer overflow
  5th, April, 2006
  Kaffeine is vulnerable to a buffer overflow that could lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122241

* Gentoo: Doomsday Format string vulnerability
  5th, April, 2006
  Format string vulnerabilities in Doomsday may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122243

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated dia packages fix buffer overflow vulnerabilities
  3rd, April, 2006
  Three buffer overflows were discovered by infamous41md in dia's xfig import code. This could allow for user-complicit attackers to have an unknown impact via a crafted xfig file, possibly involving an invalid color index, number of points, or depth. Updated packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/122207

* Mandriva: Updated php packages fix information disclosure vulnerability
  3rd, April, 2006
  A vulnerability was discovered where the html_entity_decode() function would return a chunk of memory with length equal to the string supplied, which could include php code, php ini data, other user data, etc. Note that by default, Corporate 3.0 and Mandriva Linux LE2005 ship with magic_quotes_gpc on, which seems to protect against this vulnerability "out of the box", but users are encouraged to upgrade regardless.
  http://www.linuxsecurity.com/content/view/122208

* Mandriva: Updated MySQL packages fix logging bypass vulnerability
  3rd, April, 2006
  MySQL allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. Updated packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/122209

* Mandriva: Updated kaffeine packages fix remote buffer overflow vulnerability
  5th, April, 2006
  Marcus Meissner discovered Kaffeine contains an unchecked buffer while creating HTTP request headers for fetching remote RAM playlists, which allows overflowing a heap allocated buffer. As a result, remotely supplied RAM playlists can be used to execute arbitrary code on the client machine.
  http://www.linuxsecurity.com/content/view/122231

* Mandriva: Updated FreeRADIUS packages fix off-by-one overflow vulnerability
  5th, April, 2006
  Off-by-one error in the sql_error function in sql_unixodbc.c in FreeRADIUS might allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the external database query to fail. Updated packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/122242

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: freeradius security update
  4th, April, 2006
  Updated freeradius packages that fix an authentication weakness are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122210

* RedHat: Moderate: openmotif security update
  4th, April, 2006
  Updated openmotif packages that fix a security issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122211

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------

From isn at c4i.org Fri Apr 7 01:34:59 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Apr 2006 00:34:59 -0500 (CDT)
Subject: [ISN] Chertoff Doubts DHS Official Hurt Security

http://www.washingtonpost.com/wp-dyn/content/article/2006/04/06/AR2006040600293.html

The Associated Press
April 6, 2006

WASHINGTON -- Homeland Security Secretary Michael Chertoff said Thursday he did not believe a department official's alleged sexual misconduct resulted in a breach of national security, calling the case an individual's "misstep."

"From time to time, there will be instances when misconduct occurs," Chertoff said, referring to the arrest Tuesday of Brian J. Doyle, the department's fourth-ranking spokesman, on charges of sexually preying on a detective posing as a 14-year-old girl.
Doyle, 55, allegedly provided the pseudo-victim with his government-issued office phone and cell phone numbers, showed off his department ID and may have used his official computer in chatting her up.

House Homeland Security Committee Chairman Peter King, R-N.Y., has vowed to investigate the department's hiring procedures, saying Doyle may have provided "potentially sensitive information over the Internet to a complete stranger."

But Chertoff, noting that "individuals will misstep," said he doubted the offense created a risk to national security based on the allegations.

"We try to weed out those who pose a security risk," Chertoff said in a briefing with reporters. "I don't know ... that background checks with people hired will predict future behavior."

But he added: "We are always focused on tightening our security. We will certainly cooperate with Congress."

Doyle, who lives in suburban Silver Spring, Md., has been suspended from his job without pay and was being held without bail at a nearby detention center as Florida seeks to extradite him.

From isn at c4i.org Fri Apr 7 01:35:14 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Apr 2006 00:35:14 -0500 (CDT)
Subject: [ISN] See you all at Notacon 3 this weekend!

http://www.coolcleveland.com/index.php?n=Main.CoolClevelandPreviewNotacon3

[I'm headed out to Cleveland for Notacon 3 this weekend, and I'm hoping to see some InfoSec News subscribers in attendance! - WK]

Cool Cleveland Preview - Notacon 3
Lee Batdorff
4.05-4.12.06

While Cleveland's business community struggles to find ways to attract technically advanced young people, for the third spring in a row a motley gang of hundreds of computer hackers are coming to Cleveland to attend Notacon. This is Cleveland's own computer hackers' conference and one of only a handful of hackers' conferences (cons) nationwide.
Notacon 3, to be held this April 7 through 9 at the Lakeside Holiday Inn in downtown, is directed by Jodie and Paul Schneider, the mom-and-pop proprietors of FTS Conventures, conference organizers operating from their Lakewood home.

Attending Notacon is to gain snatches of graduate-level education on the cheap between snatches of laughter. The audience challenges some ideas in a humorous free-for-all that seems light years from grad school. At Notacon "class clowns" openly question some presenters and sometimes the presenters get the last laugh on the clowns. Tickets at the door are $100 for the Friday afternoon through Sunday afternoon event.

Last year at Notacon 2 Paul Schneider told the Saturday afternoon crowd of mostly men in their 20s and 30s, "This is about bringing a world of people together to help each of us have a chance to be the center of attention."

Richard Forno of Washington D.C. is the keynote speaker on Saturday and he has been the sole keynote speaker in three years of Notacon. He is an information assurance specialist who served as chief information security officer for Network Solutions and InterNIC, two entities that have been central to the operation of the Internet. Now a consultant to research organizations, he is author of the 2003 book "Weapons of Mass Delusion: America's Real National Emergency," among other more technical titles.

In 2004 at Notacon 1 Forno described corporate digital security as "theaters of illusion." "The self-serving (security and anti-virus) industries are telling us what's best for our society, and us," he said. "It is not in a major software vendor's economic interest to improve systems."

Forno is not the only industry-and-government-indicting presenter or attendee at Notacon. Even so the broad base of topics covered at Notacon provides little political dogma.
Forum topics include art and music with presenters Laurence Gartel (aka the "father" of digital art) of Boca Raton Fla., and prominent digital musician Joe Canto (aka "Computo") of Los Angeles, plus Cleveland's Cascading Style Sheet guru Eric Meyer. A sample of forum titles: Ethics of the hacker; Brain-computer interfaces; Practical web based multimedia content management systems; How Microsoft is going to die; Building communities in self destructive environments; Computers without hardware, programming without coding; Patch management in a Windows environment; Why your computer guy sucks; Photography, a short skewed history; and presentations on various technical and political aspects of open source code, Linux, computer security and digital privacy. Attendees last year seemed to think that Notacon 2 provided useful connections. "I'm here to find talent," said Paul Bragiel, a video game developer from Chicago Ill. "We have small meetings of hackers with only 20 people in Chicago. There is no convention of hackers near this scale in Chicago." "Notacon has a good 'signal-to-noise' ratio," said Irish Masms, an information manager for a defense contractor near Las Vegas. "Bigger conferences are so well known that many people go to be hip and they don't know what's going on. Most people here know something." "I'm too old and stupid to know when to quit," said 70-year-old Richard Baum, a retired biomedical engineer from Parma and likely the oldest person at Notacon. "I don't like hanging out at a retirement home listening to people complain about their aches and pains." Mr. Schneider said a total of $10,000 was invested to kick-start Notacon three years ago. The show is produced with the help of 17 volunteers. Ms.
Schneider said "when we founded the business we decided we wanted to call this new project 'NotACon' because we wanted to pull away from the technical focus of the standard 'Hacker Con' and instead showcase the social aspects of human networking and the artistic uses of computers." To the Notacon staff and many attendees the Schneiders are known by their online "handles": "Froggy" (Paul), and "Tyger" (Jodie). Both graduated from Case Western Reserve University where they now work. "Froggy" grew up "all over Greater Cleveland" and graduated from North Royalton High School. "Froggy" attracted "Tyger" to Cleveland. While a high school student in Traverse City Mich. Jodie joined the Traverse City FreeNet. This linked with Cleveland FreeNet (the granddaddy of all FreeNets, a prominent precursor to the direct Internet access we have now). In Internet Relay Chat in 1995 she met Paul. They maintained a long-distance relationship through the Internet and telephone calls until 1999 when, partly to find better employment and broaden her education options, she moved to Cleveland. Continuously throughout the conference the Notacon "midway" room features wall-sized video "shoot 'em up" interactive games while lines of hackers at tables ply laptop computers. A favorite Notacon attire is the "con" T-shirt. Saturday night loosens up with a variety of entertainment including a techno audio and light show led by a crew of DJs and musicians from around the East and Midwest. Last year this drew an evening crowd of stylishly dressed Clevelanders attired in something other than T-shirts. Sponsors include Internet services firm N2Net of downtown Cleveland, Rentech Solutions of Cleveland, Sybex technical publishers, recently acquired by John Wiley & Sons Publishers of Hoboken N.J., the Hacker Foundation of Stanford Calif. and Bawls Guarana caffeine drink made by Hobarama Corp. of Miami Fla.
After launching a mom and pop hackers' conference and staging a small number of other tech-intense events, the Schneiders are charged up to make more high tech connections happen. For more see http://www.notacon.org

From isn at c4i.org Mon Apr 10 05:26:20 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 10 Apr 2006 04:26:20 -0500 (CDT)
Subject: [ISN] To packed crowd, speaker discusses cyber security crisis
Message-ID:

http://spectrum.buffalo.edu/article.php?id=26984

TOM HALLECK
Staff Writer
APRIL 7th, 2006

America has long been in the age of the computer, and with companies' increased reliance on computers and the Internet comes an alarming increase in the rate of crimes perpetrated via the Internet. Professor Eugene H. Spafford, Ph.D., a renowned speaker and leader in the field of computing security, cyber crime and policy, spoke yesterday on the escalating computer security crisis, as a part of the Department of Computer Science and Engineering's Distinguished Speakers Series. Spafford spoke to a packed room in 330 Student Union, discussing the most important issues in cyber security, focusing on the lack of attention paid to security by both the government as well as the private sector. He often used humor to show how unreasonable the situation is regarding computer security, like in the lack of law enforcement. "We have people committing (cyber crime) offenses again and again, but it's been calculated as less than five percent of these crimes are prosecuted," Spafford said. "Please do not take that as career advice." Victims of these crimes are often large companies who are not willing to admit that their security has been breached, Spafford said. Also, prosecution is rare because law enforcement and security in the field of computing and technology is vastly underdeveloped. "Law enforcement has limited personnel and limited resources in these fields," he said. For example, one of the U.S.
Army's major command centers decided to throw out all of their computers, according to Spafford, because they were so infiltrated with security breaches that they couldn't be fixed. "They spent thirty million tax dollars to get new computers," Spafford said. "It allegedly took three weeks until they were all compromised again." Spafford said while serving on the President's Information Technology Advisory Committee (PITAC) from 2003 to 2005, as well as advising over a dozen other Federal agencies and major corporations, it became obvious that no one was doing enough to combat cyber crime. "More money is spent keeping people from bringing nail clippers on planes than is spent on cyber security," Spafford said. "This is something I'm pretty sure of." He said that although some of the financial data regarding airline security was unavailable, he has filed a request for the data under the Freedom of Information Act. Research and development in computer security, something Spafford has worked on for decades, is one of the most important issues in national computer security, he said, and yet it's also one of the most under-funded and overlooked. "What is Congress doing? They're stopping research and development spending. The amount the PITAC asked for was an estimated $100 million a year. The U.S. spends that much in three days in military operations in Iraq," he said. According to Spafford, the situation is dire "but not really hopeless." Ten years ago, there were about 10 academic researchers focused on the field of cyber security. Now, there are over 300. "(Federal agencies) are protecting the property rights of Sony and Disney rather than the cyber security of the entire country," Spafford said. Most importantly, he said, public awareness of cyber crime and its severity is something that is generally overlooked but is becoming an increasing part of the public eye. "We're developing a greater public awareness of seen problems," Spafford said. 
"If you get an e-mail saying 'Your account has been frozen, please give me all of your personal information,' then I'd think you wouldn't give that away, but a lot of people are actually doing it." Age and perspective often will allow someone to realize how dangerous life can be. "I'm not saying this as some old fart, telling you young people to 'straighten up,' " Spafford said. The information that many college-age people give out online is also very risky. He said that the information placed on the social networking site Facebook can be used for blackmail, stalking, and can even damage employment opportunities. "Your Facebook is potentially viewable by two billion people," Spafford said. Bharat Jayaraman, chair of the computer science and engineering department, said Spafford's lecture was one of the best in the series. "He's probably the best speaker I've heard in a while," Jayaraman said. "It wasn't technology talk, but I think he laid out the issues very well." Rich Giomundo, a second year computer science graduate student, said that most importantly, people must become aware of the situation. "Most people don't realize what is going on," Giomundo said. "It's more in the general community, but even people in computer science overlook what he's talking about." Giomundo also said that the No. 1 problem in software engineering today was that deadlines are looked at as more important than security. "People think that it needs to get done, and if it works, they don't care if it's being done the right way and the secure way," he said. "(Software) needs to be written properly, then the deadline should follow." Spafford co-wrote the first English-language technical book on computer viruses and malware in 1989, according to his Web site, and has been an advisor on cyber security to the Federal Bureau of Investigation, the Microsoft Corporation and two U.S. Presidents.
The next lecture in the Computer Science and Engineering Department's Distinguished Speakers Series will feature John McCarthy from Stanford University, who will discuss "The Philosophy of AI and the AI of Philosophy," on April 21 at 2 p.m. in 330 Student Union.

Content © 2006 - The Spectrum Student Periodical, Inc. All Rights Reserved.

From isn at c4i.org Mon Apr 10 05:26:33 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 10 Apr 2006 04:26:33 -0500 (CDT)
Subject: [ISN] Child porn charge against DOD IPv6 director dropped
Message-ID:

http://www.gcn.com/online/vol1_no1/40341-1.html

By Patience Wait
GCN Staff
04/06/06

(Updated) - Two weeks after a Defense Information Systems Agency official was arrested on a charge of child pornography, the U.S. Attorney's office handling the case dropped the charge. But a spokeswoman in the U.S. Attorney's Office said the investigation is continuing. "This is an ongoing investigation, so we don't have any comments," the spokeswoman said. Charles Lynch, director of DISA's IP version 6 transition program, was arrested March 8 and indicted in the U.S. District Court for the Eastern District of Virginia the next day on one count of possessing child pornography. According to a statement by the DOD Inspector General's Office, court documents alleged that Lynch had been operating a peer-to-peer file-sharing program on a computer in his office at DISA. Agents confiscated several computers and more than 1,000 CDs from Lynch's office. Lynch, 44, is on leave without pay from DISA. The investigation is being conducted by the Defense Criminal Investigative Service, the FBI and the DISA OIG. Joseph McMillan, special agent in charge of the DCIS Mid-Atlantic Field Office, would not elaborate on why the charge was dismissed. "It's our policy neither to deny nor confirm the existence of an ongoing criminal investigation," McMillan said.
In apparently unrelated cases, a Homeland Security Department official was arrested earlier this week for soliciting sex with a minor. And last week, federal agents seized computer equipment from the desk of a NASA official, based on information developed during a U.S. Postal Inspection Service undercover investigation of Internet trafficking in child pornography.

-=-

EDITOR'S NOTE: The original version of this story, posted April 6, reported Lynch's arrest and indictment, but did not report that the charge had been dismissed. The U.S. Attorney's Office, when contacted April 6 about the arrest, said only that the investigation is continuing, but not that the charge had been dismissed.

From isn at c4i.org Mon Apr 10 05:26:58 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 10 Apr 2006 04:26:58 -0500 (CDT)
Subject: [ISN] CBI raids premises of Naval chief's kin
Message-ID:

Forwarded from: William Knowles

http://economictimes.indiatimes.com/articleshow/1480861.cms

TIMES NEWS NETWORK
APRIL 07, 2006

NEW DELHI: A month after the defence ministry handed over the Navy war room leak case, the Central Bureau of Investigation on Thursday arrested three former naval officers and conducted raids at 17 places, including the premises of Ravi Shankaran, kin of Navy chief Admiral Arun Prakash, in connection with the case. The arrested included one woman, who was used as a honey trap, for criminal conspiracy. The CBI, which has registered an FIR against nine people, arrested Lt Commander (Retd) Kulbhushan Parashar, who has been reportedly identified as the end user of the classified documents, at Indira Gandhi International Airport as he returned from London by an Air India flight on Wednesday night. Sources said that the CBI had filed the FIR over 15 days ago but had been waiting for Parashar to return before starting arrests and conducting raids. Raids were conducted in 17 locations in New Delhi, Mumbai, Pune, Muzzafarpur, Chandigarh and Goa.
Another key accused in the case, Lt Commander (Retd) Ravishankaran, the nephew of Navy chief Admiral Arun Prakash, is still in London and the CBI is waiting for his return from London before proceeding against him. He is also named in the CBI FIR. The factory premises of Shanks Oceaneering belonging to Ravishankaran in Mumbai and Goa were also raided. The CBI also raided the house of Manish Vohra, the chartered accountant for Parashar and Ravi Shankaran. The others who were arrested on Wednesday include two ex-commanders of the Indian Navy, Virender Rana, who was arrested from Dwarka in Delhi, and Kashyap Kumar, who was arrested from Muzaffarpur. The CBI also arrested Rajrani Jaiswal and Mukesh Bajaj from Pune on Thursday afternoon. The other four named in the FIR apart from Ravishankaran are ex-captain of the Indian Navy Kashyap Kumar, wing commander (Retd) S K Kohli and ex-wing commander of Indian Air Force Sambhajee L Surve, from whom classified naval information was found and the whole case unravelled. The CBI is investigating the role of Rajrani Jaiswal and till now has concluded that she was used as a honey trap to entice naval officers like air force officer Wing Commander S L Surve, and passed information on to Parashar. She has also been charged under 120B (criminal conspiracy) of the Indian Penal Code. The FIR has been registered on the basis of information received from the ministry of defence that three officers of the Indian Navy and one officer of the Indian Air Force in collusion with private persons and retired officers and others conspired to unauthorisedly trade off classified documents and information relating to the defence ministry. The entire leak was discovered due to an illicit relationship between Jaiswal and Indian Air Force ex-wing commander Sambhajee L Surve, who is also named in the FIR. Surve's wife had complained to the Air Force.
During that investigation, the Air Force counter surveillance team stumbled on to a pen drive in Surve's possession that led them to the entire war room deal. The Navy and the Air Force both conducted inquiries and three naval officers were thrown out of the Navy. The CBI was given the findings of both the inquiries. The CBI has now asked the other four to join the investigation. Surve has been in touch with the CBI but sources said that his whereabouts are unknown. The war room leak case has led to speculation that the Scorpene deal is also linked somehow to the case. CBI spokesperson Mohanty said that all aspects of the case are being investigated. Parashar and Rana were produced before Chief Metropolitan Magistrate Seema Maini at her residence, who remanded them to 14 days of CBI custody. Jha was being brought here after his transit remand was taken from Muzzafarpur.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Apr 10 05:27:12 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 10 Apr 2006 04:27:12 -0500 (CDT)
Subject: [ISN] Critical IE fix due Tuesday
Message-ID:

http://www.theregister.co.uk/2006/04/07/ie_patch_scheduled/

By John Leyden
7th April 2006

Microsoft has confirmed it plans to release a fix for a serious security bug in Internet Explorer next Tuesday (11 April). The fix for the "CreateTextRange" vulnerability - which has become the subject of hacker exploits over recent days - will be released as a cumulative update to Internet Explorer along with four other security bulletins (details here [1]).
Late last month, numerous maliciously constructed websites began attempting to exploit the "CreateTextRange" vulnerability to install Trojans, botnet clients and other forms of malware on victim PCs. This malicious activity, together with the lack of an immediate fix from Microsoft, prompted two security firms (Determina and eEye Digital Security) to each issue standalone patches to mitigate the risk of attack. Microsoft advised organisations to disable Active Scripting as a workaround. Internet Explorer has become the subject of a number of unpatched vulnerabilities over recent weeks. In the latest such incident, security notification firm Secunia warned [2] this week of an unpatched flaw in IE that might be used to spoof the address bar in a browser. Because of this behaviour, the bug might be used to make phishing attacks more convincing.

[1] http://www.microsoft.com/technet/security/bulletin/advance.mspx
[2] http://secunia.com/advisories/19521/

From isn at c4i.org Mon Apr 10 05:27:29 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 10 Apr 2006 04:27:29 -0500 (CDT)
Subject: [ISN] Laptop thieves descend upon wireless cafes
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/04/08/MNGE9I686K1.DTL

Jaxon Van Derbeken
Chronicle Staff Writer
April 8, 2006

A San Francisco finance manager stopped in at a Mission District cafe and was tapping on his laptop as he enjoyed his coffee just before noon on a Thursday. Suddenly, he was under siege. "I looked up, and I saw this guy leaning into me as if he was asking a question,'' he said. "I leaned forward, and out of the corner of my eye, I saw someone fiddling with the computer cord. I tried to stand up, and as I stepped back, he stabbed me in the chest.'' The attack marked a violent turn in a wave of crime that has hit the city -- the "hot spots" frequented by wireless laptop users are becoming hot spots for laptop robberies.
The 40-year-old San Francisco victim of the March 16 attack suffered a partially collapsed lung and was hospitalized for six days. The two suspects fled with his Apple PowerBook, worth $2,500. "This poor guy, who got stabbed, all he did was kind of stand up ... and almost instantaneously the guy stabbed him,'' said Inspector Robert Lynch of the San Francisco police robbery detail. "The whole thing was over in 15 seconds.'' Police say normally quiet cafes are becoming hunting grounds for laptop bandits. "Now that we have these hot zones, people are bringing laptops out in the street, using them in public cafes,'' said police Lt. John Loftus of the robbery detail. San Francisco police statistics show a disturbing trend. Just 18 laptop computer robberies were logged in 2004, but the figure jumped to 48 last year. There were 18 as of the end of March, a pace that could surpass 70 crimes this year. "It's a changing culture, and crime is following it,'' Loftus said. "To the criminal element, this is a valuable piece of equipment that they can quite easily cash in on -- even otherwise law-abiding people are tempted to buy $3,000 laptops for $200 to $300 on the street.'' "Where else do you have a thousand-dollar item sitting on a table in a coffee shop?'' So far, San Francisco appears to be the only major Bay Area city to be hit by the problem. San Jose has been hit by laptop thefts, but it has yet to experience many of the robberies. "We haven't seen it yet,'' said Sgt. Nick Muyo of the San Jose police. Palo Alto hasn't had any, and Berkeley, another hot area for Internet cafes, had only one such crime about a year ago, investigators said. Oakland police investigators had not heard of any such crimes, either. San Francisco's Western Addition area has been hard hit this year, with 11 robberies so far. Park Station Capt.
John Ehrlich, who oversees the area, said he has met with the community, giving the message that people need to fasten down their computers and back up their data. The victim in San Francisco's Mission Creek Cafe stabbing, who requested that his name not be used, said since he was attacked, his friends from New York have urged him to go back there. It's safer, they say. "I was lucky. It was the only place he could have stabbed me where it didn't hit a heart or other organ,'' he said. Still, he said, his chest cavity filled with blood. As for the information on his laptop, he wisely had backed it up on a disk after he heard a friend had lost data. Lynch said a videotape at the cafe was not much use in the investigation, and police have little to go on. "One (suspect) was roughly 15, one was roughly 20, that was it -- it's really frustrating,'' Lynch said. Lynch said stolen computers are sold on the street and even over the Internet. "They go to U.N. Plaza, where it's like a stolen-goods bazaar. All you have to do is drive by, you see them out there.'' Lynch said people working on the high-priced computers are easy targets. "You walk by any Starbucks and you see people with a laptop, it's so tempting for the crooks. They walk in, right on top of the person, and the person has all their attention on the laptop. They snatch it right out from underneath their fingertips. "The word is out with crooks in general,'' Lynch said. Some cafes have taken precautions, installing security leashes for laptops and even posting employees to act as observers at doors. Lynch said a leash would prevent some thefts. But posting someone at the door could be risky. Lynch said that in Europe, video monitors are posted and signs warn patrons that they are being watched. Lynch said resisting can be risky. "It's a tough call -- I would fight to maintain my laptop, but you run the risk of ending up like this guy, getting stabbed.'' "We don't need to scare people,'' Loftus emphasized. 
"People just need to be careful with their laptops.'' Police are considering using police decoys in hard-hit areas. "It's hard to do a stakeout,'' Capt. Ehrlich said, "because it's not happening with any regularity in time or place.'' Besides, such operations are costly in resources, he said. "It's a lot of lattes.''

From isn at c4i.org Mon Apr 10 05:27:48 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 10 Apr 2006 04:27:48 -0500 (CDT)
Subject: [ISN] Looking at the Free Market, and Seeing Red
Message-ID:

http://www.nytimes.com/2006/04/09/business/yourmoney/09digi.html

By RANDALL STROSS
April 9, 2006

LOU DOBBS is a master of the sinister tease. Last month, he was in top form. Previewing a story, he told viewers of his nightly CNN newscast that when the State Department seeks secure network communications, it "turns to Communist China," and thus renders the United States "perhaps more vulnerable than ever." The story turned out to be another Lou Dobbs exercise in bashing immigrants, or, more precisely, bashing a single immigrant: Lenovo, the PC maker originally based in China that last year acquired I.B.M.'s PC division and is now based in Raleigh, N.C. Lenovo recently won a competitive bid to sell the State Department $13 million worth of personal computers. Mr. Dobbs, like some politicians on Capitol Hill, suggests that those PC's could provide shadowy spooks in the Chinese government with an ideal means of conducting espionage. Merely hinting at such a possibility is enough to hurt Lenovo's reputation. This is a potentially serious impairment in the highly competitive, commoditized PC business. What is happening to Lenovo, the most internationalized company in the industry, is a drive-by smearing. Mr. Dobbs is not the only practitioner of the hit-and-run attack. In his segment about Lenovo he called upon Michael R. Wessel, a member of the U.S.-China Economic and Security Review Commission, an advisory body to Congress. Mr.
Wessel said that the State Department would use the Lenovo computers in offices around the world, potentially providing China access to "some of our deepest secrets," a "treasure trove of information they could use against us." Mr. Wessel's segment was too brief to explain how China's agents would be able to grab hold of the machines to install the software for clandestine data transmission back to the party's Central Committee. The Lenovo desktops headed for the State Department will be assembled in facilities in North Carolina, not a People's Liberation Army compound in China. Also unexplained was how infected machines would meet General Services Administration security standards and get past the State Department's two computer security groups, which oversee the administration of their own test suites and install firewalls and other security software. Last week, I spoke with Mr. Wessel to learn more about the basis for his alarm. It turned out that he was not able to describe how Chinese agents could gain access to the Lenovo machines, undetected, while they were being assembled. When I asked why he thought the State Department's security procedures were inadequate, he suggested that he could not say because the State Department had been less than forthcoming with him. "We don't fully know" what the procedures are, he said. But when I asked him if he had requested information from the department about its protocols before he publicly voiced his concerns about the Lenovo deal, he said he had not. Larry M. Wortzel, the chairman of the security review commission on which Mr. Wessel serves, was even more animated in asserting that there were security risks in the Lenovo sale to the State Department. When I spoke with him, he professed to be mystified as to "why the State Department would take the risk." What had the State Department told him about its security procedures? 
He, too, had yet to speak with anyone there; the commission's request for a briefing had been drafted but not yet sent. Both commissioners assume that Lenovo is managed by puppets whose strings are pulled in Beijing. Mr. Wessel said he was certain that "a major portion" of Lenovo was "controlled by the Chinese government." State enterprises are placed in the hands of "princelings," who are the children of government leaders, he began to explain before I interrupted. Princelings installed at the meritocratic Lenovo? When I asked Mr. Wessel to identify a Lenovo princeling, he said, "I haven't done a research of Lenovo." He said he had merely "raised questions" and had "never purported to have answers." This was similar to the reply from Mr. Wortzel when he was asked to substantiate his allegations with details. The fact is that Lenovo is a living repudiation of the system that these critics assume it represents. It was born in 1984 from un-Communist entrepreneurial impulses among a group of Chinese computer scientists who wanted to start their own company. Their employer, the Chinese Academy of Sciences, gave them $25,000 in venture capital, and off they went. It was among the first Chinese companies to issue employee stock options. The Academy of Sciences retains a minority ownership position, but so do I.B.M. and three American private-equity firms. The largest block of shares is owned by public shareholders. (Its shares are traded on the Hong Kong exchange.) Lenovo is headed not by a princeling but by an American, William J. Amelio - a former senior vice president for Dell, as it happens. Perhaps the security concerns could be validated by an authority on China's military. I spoke with James C. Mulvenon, deputy director of the Center for Intelligence Research and Analysis, which is based in Washington and run by Defense Group Inc. Dr. Mulvenon said he had many concerns about China's state-sponsored espionage activities, but Lenovo was not on his list. 
He described the controversy about Lenovo as "xenophobia and anti-China fervor dressed up as a technology concern." Rob Enderle of the Enderle Group, a technology consulting firm in San Jose, Calif., said he also saw the criticism of Lenovo as lacking in substance. With an executive staff split between Chinese and Americans, Lenovo is the most global company in the PC industry, he said. The real story, he said, was that these critics were "really torqued that China is out-executing the U.S." Lenovo is an inviting magnet for all sorts of free-floating American anxieties about global competition. The visceral nature of these concerns can be seen in other remarks by Mr. Wortzel of the U.S.-China Economic and Security Review Commission. He said, "As a taxpayer, I have a serious concern about why my tax money is spent on a computer made by a company owned by the government of the People's Republic of China." Why, he asked, couldn't the State Department place its order with a "100 percent American-owned company"? The cold-war template of us versus them, capitalist versus Communist, does not fit the geography of the globalized supply chain that underpins the computer industry. All players, even the "100 percent American-owned" vendors, have a major presence in China. Roger L. Kay, the president of Endpoint Technologies Associates, a consulting firm in Natick, Mass., said China had attracted so many companies based in the United States that the PC ecosystem there had reached a critical mass. Low-cost production is not the draw. "Now the reason you want to be in China," he said, "is because that's where everyone else is." Wishing wistfully for a return to the past - in which I.B.M. was still in the PC business - is not likely to improve American competitiveness here and now. Mr. Enderle said that ignoring the discomfiting fact that technology companies based in the United States are losing leadership positions to their counterparts in east Asia -
not just China, but also Taiwan and South Korea - does not make the problem go away. "It's still going to hit us," he said. NEVERTHELESS, Mr. Dobbs and members of the U.S.-China Economic and Security Review Commission have tarred Lenovo with suspicion of espionage - and the State Department with being their willing dupe. Mr. Kay says the damage to Lenovo has been done, even if the State Department purchase proceeds. "The next time," Mr. Kay predicted, "the government bureaucrat will say: 'Do I want to go through this? No, I'll go with the company that is perceived as American.' " The smears will linger, he fears. "Facts don't matter," he said. "Perception matters."

-=-

Randall Stross is a historian and author based in Silicon Valley. E-mail:ddomain @ nytimes.com

From isn at c4i.org Tue Apr 11 01:18:44 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 11 Apr 2006 00:18:44 -0500 (CDT)
Subject: [ISN] Fear sells. Read the report
Message-ID:

http://www.theregister.co.uk/2006/04/10/infosec_fear_sells/

By John Leyden
10th April 2006

Infosec blog The Infosecurity Europe show is almost upon us again. I've personally attended the show every year since 1997, man and boy, making this year's event my tenth attendance. Over the years the dress code has changed from jeans and t-shirt to business suits and the agenda has shifted towards the business impact of information security breaches (e.g. keynotes this year such as Security Compliance from Conglomerate to SME). New concerns - such as the security impact of VoIP technology - are emerging but hardy perennials, such as the cost of computer virus infection, remain consistent themes.

Surveys keep raining on our heads

Every two years the show serves as a forum for the announcement of the DTI's Information Security Breaches Survey, touted as the UK's most authoritative look at security breaches.
Latterly the lead up to the report has been accompanied by a string of press releases, sponsored by security vendors, highlighting a particular facet of security that (no surprise here) helps to illustrate the importance of the particular firm's technology. So far this year we've had releases stating "virus infection remains biggest single cause of security incidents", that companies are not doing enough to reduce identity theft, and on staff misuse of the internet. In the two weeks before the show at least three more releases can be expected, if what happened in 2004 is anything to go by, leaving the press corps with little enthusiasm for writing about the main launch. It's the information technology equivalent of releasing six different trailers to promote a movie. Please, someone, make it stop! Not wishing to pre-empt the survey myself I'll make a small bet that it will conclude that hackers are costing UK business millions and that security incidents are on the rise. This is probably a fair reflection on the situation on the ground but just once I'd like to see a survey that said some aspect of security incidents had dropped in recent times. After all, hard working sys admins need some encouragement every now and again that their labours are not in vain. Bog blog It would be remiss of us not to mention public transportation or toilets in this pre-show blog [report - Ed]. London's Olympia is a tricky place to get to outside of rush hours, when a handy shuttle service runs from Earl's Court. Outside of these times London transport advises passage via Hammersmith or West Kensington. Typically people coming in from central London have to change three times and hop on at least one bus. Of course for the real security freak the very idea of using an Oyster card is anathema. They'll cycle to Olympia or, better still, take a ride in the trunk of an unmarked car. And when they're there they'll doubtless want to use the conveniences.
Olympia boasts at least three toilets on its ground floor. Unfortunately they're not particularly well marked and all located on the ground floor, a tedious slog away from most of the opportunities for free booze, which tend to happen on Olympia's first floor. The toilets, once you find them, are well above the standard you'd likely find at most Championship grounds but all in all it's not a satisfactory arrangement. Diagonal Security's usual plan - camp out in a nearby pub and have the world come to you, rather than braving Olympia itself - has much to commend it. Whatever happened to the likely lads All this might make you think I'm not looking forward to Infosec. Nothing could be further from the truth. Since moving over to Spain in January the show will be my first opportunity to meet up with key contacts and share a beer. There'll be plenty of talk about defending systems beyond the perimeter, the ethics of security disclosure and malware evolution, no doubt. But what I'm really looking forward to is the opportunity to spend time in an environment where law enforcement officials and hackers rub shoulders. Perhaps it's too much to expect an incident like the arrest of infamous hacker Fluffi Bunny at Infosec three years ago but let's hope for an interesting show nonetheless. From isn at c4i.org Tue Apr 11 01:18:59 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 11 Apr 2006 00:18:59 -0500 (CDT) Subject: [ISN] Lawmaker may revisit computer security law Message-ID: http://www.govexec.com/story_page.cfm?articleid=33811 By Daniel Pulliam dpulliam @ govexec.com April 10, 2006 Recent criticism of the federal law governing agencies' policies on information technology security has attracted the attention of a key legislator.
Tom Davis, R-Va., chairman of the House Government Reform Committee, said in April 3 letters to two vocal critics of the 2002 Federal Information Security Management Act that he is "not so naïve or stubborn as to think FISMA is a panacea or that important improvements could not be made." The letters were in response to comments in a March 15 Government Executive article [1] where several observers expressed concern that government computer systems remain insecure despite the millions of dollars agencies spend complying with the cybersecurity law. Davis said in the letters that he is interested in discussing the concerns about FISMA, and ideas for strengthening the law. Alan Paller, research director of the nonprofit cybersecurity research group SANS Institute and one of the recipients [2] of the letters, said he is impressed with Davis' openness to new ideas. He said he responded with a three-page letter outlining his concerns. Under FISMA, agencies are required to produce reports detailing risks posed by IT systems' vulnerabilities and authorizing the systems' continued use, a process known as certification and accreditation. But this process fails to test a system's true security and is 10 times as expensive as it needs to be, Paller said. "Because you're writing a report about security instead of testing security, you don't find out what the actual vulnerabilities were," Paller said. Former Energy Department chief information security officer Bruce Brody, the other recipient of an almost identical letter [3] from Davis, said he is looking forward to working with the congressman on improving FISMA. Brody is vice president for information security at the Reston, Va.-based government market analysis firm INPUT. "[FISMA] is a real paper drill that means nothing when it comes to information security," Brody said. "How do we get to the next stage of FISMA -- to get from the paper-based processes ... to the more technical processes?"
Federal agencies are failing to perform a five-step litmus test that would measure their IT security better than the current requirements, Brody said. That test would involve determining the boundaries of networks, their configuration, the devices connected to them, the users of the devices and what the users are doing with the devices. "If I just knew those five things, I'd be better off than I am today," Brody said. "Paper-based processes don't get you to those five things." While Paller and Brody are two of the most vocal opponents of the FISMA reporting process, they are not alone in calling for reform of the law. Former Air Force Chief Information Officer John Gilligan, now vice president and deputy director of the defense sector for the Fairfax, Va., IT firm SRA, said while there are positive aspects to the law, he would like to see the process revised. FISMA fails to measure the entire scope of an agency's systems; rather, it focuses on specific parts of the systems, Gilligan said. "The initial intent [of FISMA] was good," he said. "The danger is that, just because you did well on FISMA, you think you're highly secure. It may be, but it may not be." Nevertheless, an inability to "do the paperwork" is probably a good indicator that an agency's systems are not secure, Gilligan said. Bob Dix, executive vice president for public affairs and corporate development at Citadel Security Software, a Dallas-based IT security firm, and former staff director of the House Government Reform Committee's technology subcommittee, characterized the criticism [4] of FISMA as "much ado about nothing," but said he is pleased that Davis is seeking input from those who believe the law needs updating. "I would be the first guy to say that after five years of the law being in place, it should be amended to reflect the experience we've had," Dix said. "But to suggest that it hasn't contributed to security is just a mischaracterization."
The Office of Management and Budget, asked to comment on the issue of revising FISMA, referred to an April 2005 statement from Karen Evans, OMB administrator for e-government and IT. She argued that FISMA is working and said "substantial revision could delay additional progress." [1] http://www.govexec.com/features/0306-15/0306-15admt.htm [2] http://www.govexec.com/pdfs/PALLER.pdf [3] http://www.govexec.com/pdfs/BRODY.pdf [4] http://www.govexec.com/dailyfed/0306/031606p1.htm ©2006 by National Journal Group Inc. All rights reserved. From isn at c4i.org Tue Apr 11 01:19:35 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 11 Apr 2006 00:19:35 -0500 (CDT) Subject: [ISN] Return of the Web Mob Message-ID: http://www.eweek.com/article2/0,1895,1947561,00.asp By Ryan Naraine April 10, 2006 Ken Dunham, you could say, spends his life peeking at the bowels of the Internet. As director of the Rapid Response Team at VeriSign-owned iDefense, of Dulles, Va., Dunham and his team of malware hunters infiltrate black hat hacker forums, chat rooms and newsgroups, posing as online criminals to gather intelligence on the dramatic rise in rootkits, Trojans and botnets. Based on all the evidence gathered over the last two years, Dunham is convinced that groups of well-organized mobsters have taken control of a global billion-dollar crime network powered by skillful hackers and money mules targeting known software security weaknesses. "There's a well-developed criminal underground market that's connected to the mafia in Russia and Web gangs and loosely affiliated mob groups around the world. They're all involved in this explosion of phishing and online crime activity," Dunham said in an interview with eWEEK.
Just two years after the Secret Service claimed a major success with "Operation Firewall," an undercover investigation that led to the arrest of 28 suspects accused of identity theft, computer fraud, credit card fraud and money laundering, security researchers say the mobsters are back, with a level of sophistication and brazenness that is "frightening and surreal." "They never really went away," Dunham said. "They scurried away for a few months and tightened their security controls. It became harder to get on their lists and into their chat rooms." Not these days. A law enforcement official familiar with several ongoing investigations showed eWEEK screenshots of active Web sites hawking credit card numbers, Social Security numbers, PayPal and eBay credentials, and bank login data in bulk. "They're very public about all this, especially on the Russian sites. It's almost comical how open and barefaced they are," said the official, who requested anonymity because of the sensitive nature of the ongoing probe. Black hat hackers have set up e-commerce sites offering private exploits capable of evading anti-virus scanners. An e-mail advertisement intercepted by researchers contained an offer to infect computers for use in botnets at $25 per 10,000 hijacked PCs. Skilled hackers in Eastern Europe, Asia and Latin America are selling zero-day exploits on Internet forums where moderators even test the validity of the code against anti-virus software. "I saw one case where an undetectable Trojan was offered for sale and the buyers were debating whether it was worth the price. They were doing competitive testing to ensure it actually worked as advertised," said Jim Melnick, a member of Dunham's team. "We even have proof of actual job listings on Russian-language sites offering lucrative pay for coders who can create exploits and launch denial-of-service attacks. We've seen evidence of skilled hackers stealing corporate data on behalf of competitors.
This isn't just about credit card and bank information. It has all the elements of traditional mafia-type crime," Melnick said. Roger Thompson, a computer security pioneer who created the first Australian anti-virus company in the late 1980s, is convinced the secretive Russian mafia is masterminding the use of sophisticated rootkits in botnet-seeding Trojans. "They are paying to recruit bright young hackers and using teenage kids around the world to move money around. They're into everything: spyware installations, denial-of-service shakedowns, you name it. It's the traditional mafia finding it easy to make money on the Internet," said Thompson, who now runs Exploit Prevention Labs, in Atlanta. Yury Mashevsky, a virus analyst at Kaspersky Lab, said there is even evidence of turf wars in the criminal underworld. "They use malicious programs that destroy the software developed by rival groups and include threats directed at each other, anti-virus vendors, police and law enforcement agencies in their creations," Mashevsky said, in Woburn, Mass. He has also seen fierce online confrontation in the battle to control the resources of infected computers. In November 2005, Mashevsky discovered an attempt to hijack a botnet. "[The] network of infected computers changed hands three times in one day. Criminals have realized that it is much simpler to obtain already-infected resources than to maintain their own botnets, or to spend money on buying parts of botnets which are already in use," he said. On message boards and newsgroups where malicious code is put up for sale, Mashevsky said flame wars and attacks against each other to steal virtual property amount to normal everyday activity. Dunham, who frequently briefs upper levels of federal cyber-security authorities on emerging threats, said there have been cases in Russia where mafia-style physical torture has been used to recruit hackers.
"If you become a known hacker and you start to cut into their profits, they'll come to your house, take you away and beat you to a pulp until you back off or join them. There have been documented cases of this," Dunham said. One key aspect of Web mob activity that flies under the radar is use of "money mules," or individuals who help to launder and transfer money from hijacked online bank accounts. On career Web sites such as Monster.com, a job listing for a "private financial receiver," "shipping manager," or "country representative" invariably is an active attempt to recruit people around the world to withdraw funds and deliver them to crime bosses, according to a detailed research report by iDefense on the so-called money mules. Money is transferred into the mule's account, withdrawn as cash and then wired to an offshore account. "We've only scratched the surface of what's going on in the underworld. It's like the iceberg that took down the Titanic. No one knew how big and dangerous it was," Dunham said. He cited the recent discovery of MetaFisher, also known as SpyAgent, a Trojan connected to a Web-based command and control interface that highlighted just how advanced the attackers have become. "In just a few weeks, MetaFisher spread to thousands of computers. We found conclusively that these attacks were going on undetected for more than a year. Can you imagine the amount of data that has already been stolen? It's unimaginable," Dunham said. Eric Sites, vice president of R&D at Sunbelt Software, in Clearwater, Fla., showed eWEEK screenshots of the Web interface that showed specific targeted phishing attacks against European banks and keeps detailed statistics on actual bot infections around the world. The interface also can be used to add exploits, keep track of anti-virus signature definitions and keep track of callback from injected machines. "This isn't the work of the guy in the basement.
This is organized and simplified to make it super easy to control all those bot drones," Sites said. From isn at c4i.org Tue Apr 11 01:18:32 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 11 Apr 2006 00:18:32 -0500 (CDT) Subject: [ISN] Microsoft exec warns of rootkits Message-ID: http://www.networkworld.com/news/2006/041006-infosec.html By Ellen Messmer Network World 04/10/06 ORLANDO - If your system gets infiltrated by a rootkit, you might as well just "waste the system entirely," a Microsoft official told fellow security professionals last week at the annual InfoSec Conference here. Microsoft's Mike Danseglio, program manager in the company's security solutions group, was among a host of security experts from big-name companies who swapped advice about protecting networks with 1,700 showgoers. According to Danseglio, the hacker rootkit is "probably the nastiest piece of malware you'll get," because it is designed to hide unwanted files - or any sign a computer has been compromised - stealthily. Microsoft dedicates four staffers to analyze rootkit samples found in customer computers or on the Internet. In his presentation, Danseglio offered a list of the most-wanted rootkits (see graphic), adding that 90% of what Microsoft finds relates to Hacker Defender, a rootkit from the Czech Republic-based programmer who calls himself Holy Father. The programmer charges several hundred dollars to make Gold versions of his basic rootkit. Writing rootkits isn't a crime, but using them to hide code in a computer that's been hacked by other means is, Danseglio said. Holy Father last month indicated he's retiring from his Web site business, leading some to speculate that he's been hired for some purpose somewhere. According to Danseglio, rootkits have been embedded in many networks, with college campuses especially hard-hit. The University of Washington has become notorious for its students using rootkits to hide pornography and music on the university's servers, he said. 
Danseglio offered a list of tools, including a few from Microsoft, that can detect rootkits. But he said there are no simple ways to address the menace. "There are no rootkit-resistant operating systems," Danseglio said. Lessons shared Kerry Anderson, a Fidelity Investment Brokerage vice president in the information security group, spoke on the topic of setting up a computer forensics program to tackle crime, including child pornography, terrorism and financial fraud. A company's first priority should be establishing a policy and internal training for auditing and investigating suspected computer crime, coordinating among the legal, human resources and IT departments, she said. She advised extending that policy to include working with outsourcing providers, vendors and business partners to ascertain their computer-investigation procedures and get the right to audit and monitor their computers if necessary. "Our contracts today are requiring the right to do risk assessment and visitation audits," she pointed out. The insider threat is a top concern at State Street, which manages more than $10 trillion in assets. State Street Senior Technology Officer Doug Sweetman said securities laws require the firm to conduct background checks on employees and prospective employees. But these days, that might go beyond a criminal-history check and include scouring the Web to find blogs an applicant has written or evidence of a gambling habit or visiting hacker sites - all of which might raise a red flag. "I don't feel any restrictions going after your blog or pulling all these data together," he said. One headache at State Street is the freeware that employees download and the company wants to remove as a potential security risk. Google Desktop 3.0 search software is among the programs State Street watches out for: "It allows for file-sharing and takes the file up to the Google complex," Sweetman said. 
"You've got to think about where that file is when Google indexes content," he said. -=- Sidebar Microsoft's most-wanted list Rootkits that hide in Windows: * Hacker Defender * FU * HE4Hook * Vanquish * AFX * NT Rootkit Tools that can detect rootkits: * PatchFinder2 and Klister/Flister, proof-of-concept tools from Polish researcher Joanna Rutkowska * RootkitRevealer from Sysinternals * Blacklight from F-Secure * Microsoft File Checksum Integrity Environment * Bootable Antivirus & Recovery Tools from Alwil Software * Knoppix Security Tools Distribution (open source) From isn at c4i.org Tue Apr 11 01:19:56 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 11 Apr 2006 00:19:56 -0500 (CDT) Subject: [ISN] U.S. Military Secrets for Sale at Afghan Bazaar Message-ID: Forwarded from: William Knowles http://www.latimes.com/news/nationworld/world/la-fg-disks10apr10,0,7789909.story?coll=la-home-headlines By Paul Watson Times Staff Writer April 10, 2006 BAGRAM, Afghanistan - No more than 200 yards from the main gate of the sprawling U.S. base here, stolen computer drives containing classified military assessments of enemy targets, names of corrupt Afghan officials and descriptions of American defenses are on sale in the local bazaar. Shop owners at the bazaar say Afghan cleaners, garbage collectors and other workers from the base arrive each day offering purloined goods, including knives, watches, refrigerators, packets of Viagra and flash memory drives taken from military laptops. The drives, smaller than a pack of chewing gum, are sold as used equipment. The thefts of computer drives have the potential to expose military secrets as well as Social Security numbers and other identifying information of military personnel. A reporter recently obtained several drives at the bazaar that contained documents marked "Secret." The contents included documents that were potentially embarrassing to Pakistan, a U.S.
ally, presentations that named suspected militants targeted for "kill or capture" and discussions of U.S. efforts to "remove" or "marginalize" Afghan government officials whom the military considered "problem makers." The drives also included deployment rosters and other documents that identified nearly 700 U.S. service members and their Social Security numbers, information that identity thieves could use to open credit card accounts in soldiers' names. After choosing the name of an army captain at random, a reporter using the Internet was able to obtain detailed information on the woman, including her home address in Maryland and the license plate numbers of her 2003 Jeep Liberty sport utility vehicle and 1998 Harley Davidson XL883 Hugger motorcycle. Troops serving overseas would be particularly vulnerable to attempts at identity theft because keeping track of their bank and credit records is difficult, said Jay Foley, co-executive director of the Identity Theft Resource Center in San Diego. "It's absolutely absurd that this is happening in any way, shape or form," Foley said. "There's absolutely no reason for anyone in the military to have that kind of information on a flash drive and then have it out of their possession." A flash drive also contained a classified briefing about the capabilities and limitations of a "man portable counter-mortar radar" used to find the source of guerrilla mortar rounds. A map pinpoints the U.S. camps and bases in Iraq where the sophisticated radar was deployed in March 2004. Lt. Mike Cody, a spokesman for the U.S. forces here, declined to comment on the computer drives or their content. "We do not discuss issues that involve or could affect operational security," he said. Workers are supposed to be frisked as they leave the base, but they have various ways of deceiving guards, such as hiding computer drives behind photo IDs that they wear in holders around their necks, shop owners said. Others claim that U.S. 
soldiers illegally sell military property and help move it off the base, saying they need the money to pay bills back home. Bagram base, the U.S. military's largest in Afghanistan and a hub for classified military activity, has suffered security lapses before, including an escape from a detention center where hundreds of Al Qaeda and Taliban suspects have been held and interrogated. Last July, four Al Qaeda members, including the group's commander in Southeast Asia, Omar Faruq, escaped from Bagram by picking the lock on their cell. They then walked off the base, ditched their prison uniforms and fled through a muddy vineyard. The men later boasted of their escape on a video and have not been captured. The military said it had tightened security at Bagram after the breakout. One of the computer drives stolen from Bagram contained a series of slides prepared for a January 2005 briefing of American military officials that identified several Afghan governors and police chiefs as "problem makers" involved in kidnappings, the opium trade and attacks on allied troops with improvised bombs. The chart showed the U.S. military's preferred methods of dealing with the men: "remove from office; if unable marginalize." A chart dated Jan. 2, 2005, listed five Afghans as "Tier One Warlords." It identified Afghanistan's former defense minister Mohammed Qassim Fahim, current military chief of staff Abdul Rashid Dostum and counter-narcotics chief Gen. Mohammed Daoud as being involved in the narcotics trade. All three have denied committing crimes. Another slide presentation identified 12 governors, police chiefs and lower-ranking officials that the U.S. military wanted removed from office. The men were involved in activities including drug trafficking, recruiting of Taliban fighters and active support for Taliban commanders, according to the presentation, which also named the military's preferred replacements. 
The briefing said that efforts against Afghan officials were coordinated with U.S. special operations teams and must be approved by top commanders as well as military lawyers who apply unspecified criteria set by Defense Secretary Donald H. Rumsfeld. The military also weighs any ties that any official has to President Hamid Karzai and members of his Cabinet or warlords, as well as the risk of destabilization when deciding which officials should be removed, the presentation said. One of the men on the military's removal list, Sher Mohammed Akhundzada, was replaced in December as governor of Helmand province in southern Afghanistan. After removing him from the governor's office, Karzai appointed Akhundzada to Afghanistan's Senate. The U.S. military believed the governor, who was caught with almost 20,000 pounds of opium in his office last summer, to be a heroin trafficker. The provincial police chief in Helmand, Abdul Rahman Jan, whom U.S. forces suspect of providing security for narcotics shipments, kept his job. Though U.S. officials continue to praise Pakistan as a loyal ally in the war on terrorism, several documents on the flash drives show the military has struggled to break militant command and supply lines traced to Pakistan. Some of the documents also accused Pakistan's security forces of helping militants launch cross-border attacks on U.S. and allied forces. Militant attacks on U.S. and allied forces have escalated sharply over the last half year, and once-rare suicide bombings are now frequent, especially in southern Afghan provinces close to infiltration routes from Pakistan. A document dated Oct. 11, 2004, said at least two of the Taliban's top five leaders were believed to be in Pakistan. That country's government and military repeatedly have denied that leaders of militants fighting U.S.-led forces in Afghanistan operate from bases in Pakistan. 
The Taliban leaders in Pakistan were identified as Mullah Akhtar Osmani, described as a "major Taliban facilitator for southern Afghanistan" and a "rear commander from Quetta" in southwest Pakistan, and Mullah Obaidullah, said to be "responsible for planning operations in Kandahar." At the time, fugitive Taliban leader Mullah Mohammed Omar, his second-in-command Mullah Berader, and three other top Taliban commanders were all suspected of being in southern or central Afghanistan, according to the military briefing. Another document said the Taliban and an allied militant group were working with Arab Al Qaeda members in Pakistan to plan and launch attacks in Afghanistan. A map presented at a "targeting meeting" for U.S. military commanders here on Jan. 27, 2005, identified the Pakistani cities of Peshawar and Quetta as planning and staging areas for terrorists heading to Afghanistan. One of the terrorism groups is identified by the single name "Zawahiri," apparently a reference to Ayman Zawahiri, Osama bin Laden's deputy and chief strategist in Al Qaeda. The document said his attacks had been launched from a region south of Miram Shah, administrative capital of Pakistan's unruly North Waziristan tribal region. In January, a CIA missile strike targeted Zawahiri in a village more than 100 miles to the northeast, but he was not among the 18 killed, who included women and children. Other documents on the computer drives listed senior Taliban commanders and "facilitators" living in Pakistan. The Pakistani government strenuously denies allegations by the Afghan government that it is harboring Taliban and other guerrilla fighters. An August 2004 computer slide presentation marked "Secret" outlined "obstacles to success" along the border and accused Pakistan of making "false and inaccurate reports of border incidents." It also complained of political and military inertia in Pakistan. Half a year later, other documents indicated that little progress had been made. 
A classified document from early 2005 listing "Target Objectives" said U.S. forces must "interdict the supply of IEDs (improvised explosive devices) from Pakistan" and "interdict infiltration routes from Pakistan." A special operations task force map highlighting militants' infiltration routes from Pakistan in early 2005 included this comment from a U.S. military commander: "Pakistani border forces [should] cease assisting cross border insurgent activities." Special correspondent Wesal Zaman in Kabul contributed to this report. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Tue Apr 11 01:20:08 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 11 Apr 2006 00:20:08 -0500 (CDT) Subject: [ISN] Florida county posts residents' sensitive data on public Web site Message-ID: http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,110389,00.html By Jaikumar Vijayan APRIL 10, 2006 COMPUTERWORLD The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents in Florida's Broward County are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on the county's Web site. A county official said the information available on the Web is in full compliance with state statutes that require counties to post public documents on the Internet.
The information has been available on the Internet for several years and poses a serious risk of identity theft and fraud, said Bruce Hogman, a county resident who informed the Broward County Records Division of the problem about two weeks ago. The breach stems from the county's failure to redact, or remove, sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents that are publicly available are dates of birth and Social Security numbers of minors, images of signatures, passport numbers, green card details and bank account information. "Here is the latest treasure trove available to identity thieves, and it is free to the public, courtesy of the Florida state legislature in its great Internet savvy," Hogman said. The easy availability of such sensitive data also poses a security threat at a time of heightened terrorist concerns, he said. Sue Baldwin, director of the Broward County Records Division, said the county is aware of Hogman's concerns but said that her office is in compliance with state laws requiring all state recorders to maintain a Web site for official records. As part of its statutory requirements, the public records search section of www.broward.org contains images of public records dating back to 1978, many of which are likely to contain sensitive information such as Social Security numbers, she said. According to Baldwin, certain documents recorded after June 5, 2002, such as military discharges, family court records, juvenile court records, probate law documents and death certificates are automatically blocked from the public record under current Florida law. But the same information recorded prior to the June 2002 cutoff has been posted on the county site, she said. Up to now "recorders have no statutory authority to automatically remove Social Security, bank account and driver's license numbers," from public records, she said. A new statute set to take effect Jan.
1, 2007, will require county recorders to remove Social Security numbers, bank account numbers and credit card and debit card numbers from public documents before posting documents online, she said.

To ensure compliance with the requirement, Broward County issued a Request for Letters of Interest from vendors of redaction software in February 2005 and has already selected Aptitude Solutions Inc. for the work, Baldwin said. "The software will be used to redact information from all images displayed on the county records Web site," including those already posted, Baldwin said. "I do not know how long the actual process will take, but we intend to comply with the statutory requirements, including deadline."

Until that time, individuals who want sensitive information removed from an image or a copy of a public record can individually request that in writing, she said. Such a request must specify the identification page number that contains the Social Security number or other sensitive information, she said. "We have provided information pertaining to requesting redaction of protected information on our Web site at www.broward.org/records, since 2002," Baldwin said.

Since Hogman expressed his concerns, the county has made the redaction request information more prominent on its Web site and is also working on creating a special e-mail box for handling redaction requests. "Aside from making the redaction request process as user-friendly and speedy as possible, I do not have the independent authority to take any additional action regarding removing material from the public records," she said.

Baldwin added that the information available on the Web is also freely available for public purchase and inspection at the county offices. "Professional list-making companies have always purchased copies of records and data from recorders to use in the creation of specialized marketing lists, which they sell," she said.
So too have title insurance underwriters and credit reporting agencies.

Hogman, who wants the records taken down until a solution is found, said he has contacted several people -- including state legislators, both of the state's U.S. senators, the FBI and the U.S. Federal Trade Commission. So far, he has not heard back from anyone except Baldwin. "In my estimation, 'do nothing' is not a good solution because it leaves the information out there for public viewing," he said.

From isn at c4i.org Tue Apr 11 01:20:25 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 11 Apr 2006 00:20:25 -0500 (CDT)
Subject: [ISN] Embedded Experts: Fix Code Bugs Or Cost Lives
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=185300011

By Rick Merritt
EE Times
April 10, 2006

San Jose, Calif. - The Therac 25 was supposed to save lives by zapping tumors with targeted blasts of radiation. Instead, the device delivered massive overdoses that killed three patients and injured several others because of software glitches by a lone programmer whose code was never properly inspected and tested.

The Therac 25 was just one of dozens of examples cited by speakers at last week's Embedded Systems Conference here to drive home a point: People's lives as well as millions of dollars in investments often depend on software engineering, but too many projects fail for lack of good programming discipline and management support. And the problems may get worse as programmers face the additional challenges of handling multicore devices.

Indeed, an annual survey of several thousand embedded engineers polled recently by EE Times and Embedded Systems Design magazine showed that the need for better software debug tools is a major concern, with test and debug taking up more time than any step in a project development.

"This is the only industry left where we can ship products with known defects and not get sued. How long do you think that will last?"
asked Jack Ganssle, a consultant and author who presented a class on lessons learned from embedded-software disasters. "We aren't afraid of software, but we need to be, because one wrong bit out of 100 million can cause people to die," said Ganssle, who said he has worked on more than 100 embedded projects, including the White House security system.

"As embedded systems grow in complexity, the software becomes an ever more important piece. Right now, 50 percent of our DSP spending is on the software side," said Gerald McGuire, general manager of the DSP group at Analog Devices Inc. (Norwood, Mass.), which employs more than 200 software engineers.

As software grows in importance, it is not necessarily becoming more reliable. According to one report, 80 percent of software projects fail because they are over budget, late, missing key features or a combination of factors. Another report suggests that large software systems of more than a million lines of code may have as many as 20,000 errors, 1,800 of them still unresolved after a year.

"We can't get rid of faults," said Lorenzo Fasanelli, a senior embedded-software specialist for Ericsson Labs in Italy. But engineers can speak up about faults, learn from them and rewrite code to proactively find and minimize them, he added. "We cannot advance the state of the art without studying failure," said Kim Fowler, an author and systems architect who delivered an ESC talk called "Fantastic Failures."

War stories

There are plenty of failures from which to learn. Ganssle cited another radiation system that killed 28 people in a series of tests in Panama in May 2001 before the U.S. Food and Drug Administration shut down the company that made it. Inspections of software after the crash of a U.S. Army Chinook helicopter revealed 500 errors, including 50 critical ones, in just the first 17 percent of code tested. "Why did they inspect software only after people died?"
asked Ganssle, who said a court case on the crash is still in litigation.

Some pacemakers have stimulated hearts to beat at rates of 190 beats a minute, prompting companies to provide software updates delivered to the implanted devices using capacitive coupling. Unfortunately, other pacemaker patients have had their devices inadvertently reprogrammed when walking through metal detectors. In 2003, the pacemaker of a woman in Japan was accidentally reprogrammed by her rice cooker.

A Thai politician had to have police bust the windows on his BMW 745i after a software glitch caused the electric doors and windows to freeze in a locked state, trapping him inside. Ford recalled some models of its 2000 Explorer because lights and wipers would not work in some circumstances. And the 2004 Pontiac Grand Prix faced a software recall for a leap-year fault.

Part of the problem lies in poor engineering discipline, such as a lack of adequate testing, improper error handling and inherently sloppy languages. Management issues, including a demand for ever more features in compressed schedules, and tight budgets are also to blame.

"We need to test everything up front and integrate testing into the design process. Then we need to believe the data we get when we do test," said Ganssle. When engineers make a change because of a failed test, they often neglect to go back to the beginning of the test suite to make sure the changes haven't introduced new errors, said Dave Stewart, chief technology officer of Embedded Research Solutions Inc. (Annapolis, Md.) in an ESC session on the top problems in real-time software design.

Engineers need to create error-handling modes in their programs, and the modes must exist as just another state for their systems and treat errors as one of many possible inputs, Stewart added. Fasanelli of Ericsson gave a detailed prescription for how to find, report and minimize faults in embedded software.
Programmers must make it a standard practice to classify all inputs and states of a system and note any illegal inputs or edge states, whether or not they affect a program's ability to run, he said. In addition, programs should routinely track and report their own performance, idle times and memory integrity. Creating such debug features may affect a system's cost, but that will be offset by reduced maintenance, Fasanelli said.

"Exception handling is particularly hard to test because it's hard to generate the exceptions. These tend to be the most poorly tested parts of code," said Ganssle.

Riding a rough C

Ironically, today's most popular programming languages, C and C++, are among the most error prone. That's because C compilers have plenty of latitude to compile and link - without providing any diagnostics - code that can produce serious run-time errors, especially when ported to a new processor.

"There are a lot of little goodies in C that programmers are not fully aware of," said Dan Saks, an author who has documented nearly 40 "gotchas" he presented in a session at ESC. "The lesson is to understand what you can assume and what you can't." For instance, C doesn't define the number of bits in a byte, though header files can query a processor and adjust the program if the CPU does not support the usual 8-bit byte. Likewise, the common practice of subtracting pointers can result in creating a character of an undefined type, said Saks, president of consulting firm Saks & Associates (Springfield, Ohio).

"The use of C is really criminal," said Ganssle. "C will compile a telephone directory, practically. I guess we use C because we think debugging is fun." For every 1,000 lines of code, C can generate 500 errors in a worst case, 167 errors on average or 12.5 mistakes for automatically generated code, said Ganssle. That compares with 50 errors worst case, 25 average and 4.8 for auto-generated code using the Ada language, he said.
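The design rule Stewart and Fasanelli describe above (error handling as an explicit state, every input classified, illegal inputs recorded rather than dropped, and the program reporting its own counters and memory integrity) is easier to see in code than in prose. The following controller is an added illustration written for this digest; it is not code from the ESC speakers or from any product they mention. The state names, the legal input bytes 'S', 'X' and 'T', the canary value and the sample input stream are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed state machine: the fault mode is a first-class state,
 * and an illegal input is a first-class event, never silently ignored. */
typedef enum { ST_IDLE = 0, ST_RUNNING = 1, ST_FAULT = 2 } state_t;
typedef enum { EV_START, EV_STOP, EV_TICK, EV_ILLEGAL } event_t;

typedef struct {
    state_t  state;
    uint32_t ticks;           /* self-reported performance counter */
    uint32_t illegal_inputs;  /* self-reported count of rejected inputs */
    uint8_t  canary[4];       /* constructed memory-integrity marker */
} ctrl_t;

static const uint8_t CANARY[4] = {0xDE, 0xAD, 0xBE, 0xEF};

void ctrl_init(ctrl_t *c) {
    memset(c, 0, sizeof *c);
    c->state = ST_IDLE;
    memcpy(c->canary, CANARY, sizeof CANARY);
}

/* Classify every raw byte: only 'S', 'X' and 'T' are legal in this toy protocol. */
event_t classify(uint8_t raw) {
    switch (raw) {
    case 'S': return EV_START;
    case 'X': return EV_STOP;
    case 'T': return EV_TICK;
    default:  return EV_ILLEGAL;
    }
}

/* Memory-integrity self-check: 1 if the canary is intact, 0 if corrupted. */
int ctrl_memory_ok(const ctrl_t *c) {
    return memcmp(c->canary, CANARY, sizeof CANARY) == 0;
}

/* Every (state, event) pair is handled. Corruption or an illegal input
 * moves to ST_FAULT from any state; only an explicit stop re-arms it. */
state_t ctrl_step(ctrl_t *c, uint8_t raw) {
    event_t ev = classify(raw);
    if (!ctrl_memory_ok(c)) { c->state = ST_FAULT; return c->state; }
    if (ev == EV_ILLEGAL) { c->illegal_inputs++; c->state = ST_FAULT; return c->state; }
    switch (c->state) {
    case ST_IDLE:    if (ev == EV_START) c->state = ST_RUNNING; break;
    case ST_RUNNING: if (ev == EV_STOP) c->state = ST_IDLE;
                     else if (ev == EV_TICK) c->ticks++;
                     break;
    case ST_FAULT:   if (ev == EV_STOP) c->state = ST_IDLE; break;
    }
    return c->state;
}

state_t run_stream(ctrl_t *c, const uint8_t *in, size_t n) {
    for (size_t i = 0; i < n; i++) ctrl_step(c, in[i]);
    return c->state;
}

/* Constructed stream: start, three ticks, an illegal '?', a tick while
 * faulted (ignored), then a stop that returns the system to idle. */
ctrl_t demo_run(void) {
    ctrl_t c;
    ctrl_init(&c);
    run_stream(&c, (const uint8_t *)"STTT?TX", 7);
    return c;
}

/* Corrupt the canary and confirm the next step lands in ST_FAULT. */
int demo_corruption_detected(void) {
    ctrl_t c;
    ctrl_init(&c);
    c.canary[0] ^= 0xFF;
    return ctrl_step(&c, 'S') == ST_FAULT;
}

int main(void) {
    ctrl_t c = demo_run();
    printf("state=%d ticks=%u illegal=%u mem_ok=%d corruption_detected=%d\n",
           c.state, c.ticks, c.illegal_inputs, ctrl_memory_ok(&c),
           demo_corruption_detected());
    return 0;
}
```

The point of the transition function is that there is no input the system cannot classify and no state in which an input is undefined: the "error mode" is just one more row of the table, and the counters the struct carries are what Fasanelli's prescription asks the program to report about itself.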
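Saks' advice to "understand what you can assume and what you can't" translates into checks that fail at build time on a target that breaks an assumption. The snippet below is an added example, not from Saks' session or from the article; it uses only the standard headers `<limits.h>` (for `CHAR_BIT`), `<stddef.h>` (for `ptrdiff_t`) and `<stdint.h>`. The buffer sizes and the shift amounts are constructed for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Build-time guards: on a target with non-8-bit bytes or an unexpected
 * integer width the program refuses to compile instead of misbehaving. */
_Static_assert(CHAR_BIT == 8, "this code assumes 8-bit bytes");
_Static_assert(sizeof(uint32_t) == 4, "uint32_t must be exactly 4 bytes");
_Static_assert(sizeof(void *) >= sizeof(uint32_t), "pointer narrower than 32 bits");

/* Runtime report of the byte width, as <limits.h> describes it. */
int bits_per_byte(void) { return CHAR_BIT; }

/* Pointer subtraction yields ptrdiff_t measured in elements, not bytes... */
ptrdiff_t element_distance(const uint32_t *a, const uint32_t *b) { return b - a; }

/* ...so a byte distance must be computed through unsigned char pointers. */
ptrdiff_t byte_distance(const void *a, const void *b) {
    return (const unsigned char *)b - (const unsigned char *)a;
}

/* Right-shifting a negative signed value is implementation-defined;
 * converting to unsigned first makes the result well defined. */
uint32_t logical_shift_right(int32_t v, unsigned n) { return (uint32_t)v >> n; }

/* Whether plain char is signed is implementation-defined; report it rather
 * than assume it (true on some compilers, false on others). */
int char_is_signed(void) { return (char)-1 < 0; }

/* Constructed sample: distance between elements 1 and 5 of a 16-element buffer. */
ptrdiff_t sample_element_distance(void) {
    static uint32_t buf[16];
    return element_distance(&buf[1], &buf[5]);
}

ptrdiff_t sample_byte_distance(void) {
    static uint32_t buf[16];
    return byte_distance(&buf[1], &buf[5]);
}

int main(void) {
    printf("bits/byte=%d elems=%td bytes=%td shr=%u char_signed=%d\n",
           bits_per_byte(), sample_element_distance(), sample_byte_distance(),
           logical_shift_right(-1, 28), char_is_signed());
    return 0;
}
```

The two distance functions are the practical face of the pointer-subtraction gotcha in the article: the same two addresses give 4 through `uint32_t *` and 16 through `unsigned char *`, and code that forgets which it is computing breaks the moment it is ported to a type of a different size.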
The Spark language emerging from Europe is even better, generating just four errors on average per 1,000 lines of code, he claimed.

C is used in half the development projects done today, according to the results from the 2006 Embedded Market Survey, the 14th such annual poll of engineers working on embedded-design projects. The survey showed that the C++ programming language is gaining in acceptance, however.

ESD editor-in-chief Jim Turley, who presented the annual embedded-market survey results last week, said fully half of the respondents cited C as their primary programming language. Nonetheless, support for C was down from the 2005 survey, albeit only by 3 percent. By contrast, the C++ language gained this year, coming in at 28 percent, and respondents predicted a 4 percent increase in C++ adoption next year.

The survey showed that relatively few engineers - just a few percent - use Java. Matlab, LabView and UML are used about as frequently for embedded projects, although Java garners more attention because of its use in the graphical user interface portion of many systems. "Almost every language is losing ground to C++," said Turley, who suggested that many design teams have evaluated Java but found it lacking in performance and development tools.

Asked about tool selection, 53 percent of embedded engineers said the quality of the debugger was their most important criterion in choosing a development suite. Only about 13 percent said open-source content is an important selection criterion.

When it comes to operating systems, however, open-source OSes such as Linux are gaining significant support. Fully 20 percent of respondents said they use an open-source OS, with many design teams relying on a commercially distributed form of Linux. Turley said that one reading of the operating system responses would suggest Linux is gaining support quickly, since "just five years ago the very term 'open source' didn't mean anything."
However, other survey questions showed that a declining number of respondents, compared with the 2005 survey, are considering Linux, prompting Turley to conclude that "the charm of Linux has cooled."

Management must take its share of the blame for the software situation. "Often we are in an overconstrained situation. We have too many features to deliver in too short a time frame," said Fowler at his "Fantastic Failures" session. "The problem is, adding features requires lots of regression testing. The thing to do is ask whether the feature can be saved for the next upgrade - [otherwise] you are just setting yourself up for failure.

"We as engineers need to come up with persuasive ways to warn management" by relating stories of past failures or the implications of long feature lists and tight budgets and schedules, he added.

Tired engineers were a factor in several aerospace disasters in which programmers worked 60- to 80-hour weeks in the months before a launch, Ganssle said.

Skimpy budgeting is another factor in failures, as seen most clearly in civil-engineering disasters. In 1940, officials found a way to build the Tacoma Narrows Bridge for half an initial estimate and did so, but the bridge famously collapsed in high winds after just four months in service. Likewise, the MGM Grand Hotel in Las Vegas saved $200,000 by not using sprinklers but paid out more than $200 million in court and rebuilding costs after a disastrous fire, Ganssle said.

In the confines of a software project, "spending $2,000 on tools might save you $100,000 in programming effort," said Stewart of Embedded Research Solutions.

[...]

- Additional reporting by Richard Goering and David Lammers

Copyright ©
2005 CMP Media LLC

From isn at c4i.org Wed Apr 12 01:51:02 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 12 Apr 2006 00:51:02 -0500 (CDT)
Subject: [ISN] Gifted student nailed for instigating virile computer virus
Message-ID:

http://www.thanhniennews.com/education/?catid=4&newsid=14398

April 12, 2006

The author of the Pretty Girl computer virus, a former gifted student from Tran Phu School in Hai Phong was traced down on Tuesday, after setting loose the destructive virus for two full days.

B.H.N., 21, now studying at a non-IT university in Ha Noi, phoned in a confession Tuesday morning and sent letters to newspapers and news sites explaining his role in crafting the bug after Nguyen Tu Quang, director of a leading Vietnamese anti-virus software provider BKIS, traced the source of the worm.

The former gifted student shut down his domain which acted as the nest for the destructive Xrobots worm, aka "Gai Xinh" (Pretty girl) in other websites. The sophisticated worm, evolving to its 2nd version within the first day, managed to storm some 20,000 computers in Vietnam in two days with arousing invitations like "Gai Xinh" (Pretty Girl), "phim hay" (great movie).

In his letter, the student passed off the stunt as "a study and research exercise trial." The worm author admitted trialing "Pretty Girl" through botnet - computer jargon for a collection of software robots, or bots that run autonomously while learning counter denial-of-service attacks or DoS. A DoS is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity by consuming the victim's network bandwidth, or overloading the computer. The young programmer admitted the stunt "got out of hand."

Two disruptive days

The xRobots worm, which first appeared at noon on Monday, uses Yahoo Messenger to infect computers when users click on an instant-messenger contact link.
Clicking on the link sends an instant message with the same link to all Yahoo contacts, which helped the virus infect 2,400 computers per hour, said Quang. Besides, xRobots also disables Windows computer registries, said experts in informatics.

Quang said the sophistication of the virus was impressive, reflecting the growing skill of Vietnamese programmers and hackers even as the country races to train information-technology professionals. 'This is the dark side of IT development,' Quang said, adding, 'He must be a good programmer to be able to write such a quickly destructive virus.'

The virus poses little further threat worldwide, however, because its messages inviting users to view photos of beautiful women are only written in Vietnamese. By Tuesday, BKIS had developed a cleaning system on its website for infected computers.

Since 1993, about 30 computer viruses have originated in Vietnam, but Pretty Girl is the first to use instant messaging, Quang said. The incident also showed the naiveté of Vietnamese Internet users in face of threats from hackers and other kinds of cyber crimes, he added.

Source: VnExpress, Vietnamnet - Compiled by Thanh Tuan

From isn at c4i.org Wed Apr 12 01:51:16 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 12 Apr 2006 00:51:16 -0500 (CDT)
Subject: [ISN] Cyberattackers can exploit Pentium self-defense
Message-ID:

http://www.fcw.com/article94004-04-07-06-Web

By Michael Arnone
Apr. 7, 2006

VANCOUVER, British Columbia - Your computer could hand itself over to cyberattackers when it's trying to cool off. That warning galvanized the information technology security experts gathered this week at the CanSecWest/core06 conference here.

Computers with Intel Pentium processors can be hijacked through a built-in mode designed to protect the processor's motherboard, said Loïc Duflot, a security engineer and researcher for the scientific division of France's Central Directorate for Information Systems Security.
"Unused, legacy or routinely used functionalities can be used to circumvent operating system security functions," Duflot said.

The vulnerability affects every computer that runs on x86 architecture, including the millions that the U.S. government and industry use, said Dragos Ruiu, the conference's organizer. He is a Canadian computer security consultant for businesses, governments and the U.S. military.

Pentium computers usually run in Protected Mode, the 32-bit environment where the operating system and applications reside, Duflot said. But when conditions that could threaten the motherboard occur, such as the processor getting too hot, the computer interrupts Protected Mode and freezes and stores its activity. The computer then switches to System Management Mode, a 16-bit environment that loads code stored in System Management RAM (SMRAM) to handle the particular emergency, Duflot said. Once the code runs, the System Management Mode then tells the computer to return to Protected Mode and normal operations.

Cyberattackers can take over a computer by causing it to interrupt operations and enter System Management Mode, Duflot said. They can enter the SMRAM and replace the default software with custom software that gives them full administrative privileges, he said. To gain access, all they have to do is close the SMRAM and trigger the new software, Duflot said.

Such attacks are insidious because they happen out of sight of security measures at the operating system or application level, Duflot said. The computer has no way of interrupting the System Management Mode code and is defenseless against whatever the assailant wants to do, including keeping the operating system frozen and inaccessible.

Some chipsets map the SMRAM in the same location as video RAM, making it vulnerable to exploits used on video RAM, Duflot said. Those same chipsets allow access to SMRAM in Protected Mode if attackers have the right code to modify the computer's settings, he said.
For the past seven years, CanSecWest has been a conference of, by and for hard-core code gurus who create the software that businesses and governments use. More than 300 cybersecurity experts and computer hackers from 40 countries gathered to swap cutting-edge information, tips and tricks.

CanSecWest attracts managers of technical groups within companies and government agencies, Ruiu said. It also attracts hackers who come to learn new techniques to exploit computer networks.

The conference presents the latest in what helpful and malicious hackers are doing, said Eric Byres, a member of the research faculty at the British Columbia Institute of Technology. "What's shown here will be on the Web next year and script kiddie material in three," Byres said.

From isn at c4i.org Wed Apr 12 01:51:31 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 12 Apr 2006 00:51:31 -0500 (CDT)
Subject: [ISN] NSA concerned over computer phone service
Message-ID:

http://www.upi.com/SecurityTerrorism/view.php?StoryID=20060411-013136-5394r

4/11/2006

WASHINGTON, April 11 (UPI) -- U.S. National Security Agency officials are concerned about a computer phone call service owned by eBay.

EBay, the online auction house, last year purchased Skype, an online service that lets people converse through their computers. Its 75 million users place voice calls over the Internet. The calls sound clear. They are free, because phone carriers aren't used. And because of the Internet's diffused architecture and its facility for privacy, Skypesters' identities, their locations, and the substance of their conversations can be undetectable.

Skype and other widely used Internet communications devices, including e-mail, threaten the NSA's ability to gather intelligence and to do so legally, National Journal reported Monday.

For more than four years, without warrants and by order of President George W.
Bush, the NSA has hunted for terrorists by intercepting communications between people in the United States and people abroad suspected of links to terrorism. The legality of that order is being hotly debated in Congress.

Bush says that the 27-year-old Foreign Intelligence Surveillance Act, which governs domestic eavesdropping for intelligence purposes, doesn't adequately address Internet-based communications. However, in the opinion of some legal scholars and intelligence practitioners, lawmakers haven't faced this fact. Until they do, the NSA remains on shaky legal ground and at a strategic disadvantage against terrorists, who may rely on the Internet above all other tools for plotting their attacks, National Journal said.

When FISA became law in 1978, even rudimentary e-mail was years away from use. The law "did not anticipate the development of global communications networks," Kim Taipale, a technology law scholar and a member of the Task Force on National Security in the Information Age, a nonpartisan panel supported by the Markle Foundation that has produced assessments of technology's role in counter-terrorism, told National Journal.

© Copyright 2006 United Press International, Inc. All Rights Reserved

From isn at c4i.org Wed Apr 12 01:51:45 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 12 Apr 2006 00:51:45 -0500 (CDT)
Subject: [ISN] Oracle's oops on security flaw
Message-ID:

http://news.com.com/Oracles+oops+on+security+flaw/2100-1002_3-6060128.html

By Joris Evers
Staff Writer, CNET News.com
April 11, 2006

Oracle accidentally let slip details last week on a security flaw it has yet to patch.

The business software giant is usually secretive about security and critical of researchers who publicly discuss flaws in Oracle products. But on April 6, it itself published a note on its MetaLink customer Web site with details about an unfixed flaw, Alexander Kornbrust, an independent researcher who specializes in Oracle security, said on his Web site on Monday.
Oracle confirmed the accidental posting. "Information regarding a security vulnerability was inadvertently posted to MetaLink," a representative for the company said Tuesday. "We are currently investigating events that led to the posting."

The flaw in question affects versions 9.1.0.0 through 10.2.0.3 of Oracle's database software running on any operating system. Not only did the posting reveal details of the vulnerability, it also included computer code to test it, said Kornbrust, who runs Germany's Red Database Security and often hunts for bugs in Oracle products.

The MetaLink posting was taken down. Yet, because of the posting, Kornbrust believes the issue is now public knowledge and the bug information should be shared publicly. "Database administrators and developers who missed the note on MetaLink should know of this vulnerability, in order to avoid or mitigate the risk, if possible, while waiting for a patch from Oracle," Kornbrust said.

The flaw opens the door to privilege escalation, meaning that database users with limited privileges could take advantage of it to gain more rights. "Depending on the architecture of the application, it is possible to modify data, escalate privileges--for example, change database passwords," Kornbrust wrote.

The vulnerability arises from an error in handling certain "views" created by unprivileged users, according to security analysts at the French Security Incident Response Team. The FrSIRT deems the issue of "moderate risk."

Oracle has no fix publicly available, but the next edition in its regular Critical Patch Update is scheduled for release on Tuesday. "We plan to provide our customers a patch that addresses this vulnerability in a future quarterly Critical Patch Update," the Oracle representative said, but could not say if it would arrive next week.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
From isn at c4i.org Wed Apr 12 01:52:06 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 12 Apr 2006 00:52:06 -0500 (CDT)
Subject: [ISN] Argentina extradites Spanish hacker
Message-ID:

http://www.theregister.co.uk/2006/04/11/argentina_extradites_spanish_hacker/

By John Leyden
11th April 2006

A hacker who's suspected of stealing hundreds of thousands of euros from online bank accounts has been extradited from Argentina to Spain.

José Manuel García Rodríguez, 24, dubbed (rather uncharitably) by the Argentinians as "the fat Spaniard", faces up to 40 years imprisonment if convicted of various cybercrime offences.

García Rodríguez (whose online handle is Tasmania) fled his native Spain two years ago. Nine international arrest warrants were issued against him before he was eventually tracked down and arrested in Carcarañá, Argentina in July 2005. ®

From isn at c4i.org Wed Apr 12 01:52:27 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 12 Apr 2006 00:52:27 -0500 (CDT)
Subject: [ISN] Hackers Access Financial Data At UMDNJ
Message-ID:

http://wcbstv.com/topstories/local_story_099123340.html

Apr 9, 2006

(AP) NEWARK Computer hackers were able to gain access to the Social Security numbers and other confidential financial information of almost 2,000 University of Medicine and Dentistry of New Jersey students and alumni, university officials said.

UMDNJ kept the electronic break-in quiet while it investigated if the information -- including the tuition aid and loan information of about 700 students and 1,150 alumni -- could be used by the hackers. So far, officials believe the information was accessed, but initial reports suggest that no information was taken. However, computer experts are still investigating the incident.

"We know it was hacked into because there were some things on it that did not belong -- pranks and games," UMDNJ interim President Bruce C. Vladeck told The Sunday Star-Ledger.

The breach was discovered Feb.
24 by UMDNJ's office of Business Conduct, although officials did not disclose when the incident itself occurred. Robert Johnson, interim dean of UMDNJ's New Jersey Medical School, sent letters to students on Friday notifying them they had been "exposed to an increased risk of identity theft."

This hacking incident came on the heels of another incident in February, in which hackers tried to get into the university's networks. However, officials said that attempt was unsuccessful because the payroll computer the hackers were trying to break into contained only test data and not actual payroll information.

© 2006 CBS Broadcasting Inc. All Rights Reserved.

From isn at c4i.org Wed Apr 12 01:52:46 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 12 Apr 2006 00:52:46 -0500 (CDT)
Subject: [ISN] Scot accused of hacking US defence systems faces extradition
Message-ID:

http://www.theherald.co.uk/news/59898.html

BILLY BRIGGS
April 12 2006

A man born in Glasgow and accused of hacking into the most sophisticated IT systems on the planet and paralysing a US naval base soon after the September 11 attacks could face extradition and 60 years in prison if a court decision goes against him today.

Gary McKinnon, 40, is accused of breaking into American defence computers but is contesting an attempt to extradite him, fearing he could be branded a terrorist and face indefinite incarceration.

The US government claims he accessed 97 government computers over a one-year period, causing £370,000-worth of damage. One allegation relates to Mr McKinnon deleting operating system files and logs from computers at US Naval Weapons Station Earle after the September 11 attacks, rendering the base's entire network of more than 300 computers inoperable.

Mr McKinnon, who admits to unauthorised access using his home computer and Microsoft Windows at his London home, is fighting extradition, arguing he could face up to 60 years in prison or incarceration in Guantanamo Bay.
In an interview with Channel Four, Mr McKinnon said if he was tried in the US it would be by military commission and, if so, there was no appeal allowed because President Bush himself reserved the exclusive right of review. He is fearful he could be taken beyond the reach of the US judicial system and sent to Guantanamo Bay, where he would have no access to courts.

Unemployed Mr McKinnon, of Wood Green, north London, said: "It (the damages claim) is completely false. An extradition offence must be worth one year in prison. "One IT offence worth a year in prison must be $5000 of damage. So amazingly every machine I was on I am accused of causing $5000 of damage."

Mr McKinnon, who claims he was only trying to obtain information about UFOs, said the accusation that he single-handedly brought down a whole system was "scary stuff" and he was sure this was "not possible".

But counsel for the US government claimed Mr McKinnon left a note on an army computer saying US foreign policy was akin to government-sponsored terrorism. The note said: "It was not a mistake that there was a huge security stand down on September 11th last year... I am SOLO. I will continue to disrupt at the highest levels."

The hearing at Bow Street Magistrates' Court in London is due to finish today.

From isn at c4i.org Thu Apr 13 04:02:47 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 13 Apr 2006 03:02:47 -0500 (CDT)
Subject: [ISN] Midshipmen compete in NSA security drill
Message-ID:

http://www.boston.com/news/local/connecticut/articles/2006/04/12/midshipmen_compete_in_nsa_security_drill/

April 12, 2006

ANNAPOLIS, Md. -- Midshipmen at the Naval Academy took part in a simulated battle Tuesday, defending their computer systems against an attack by hackers from the National Security Agency in Fort Meade.
The Mids were guarding their network against intrusions by NSA experts, who were sniffing around on servers, sneaking into systems and adding fake users, complete with passwords, that could allow unauthorized access. The intruders even induced the dreaded blue screen of death on a Navy machine.

This combat was part of the sixth annual Cyber Defense Exercise, in which all the nation's service academies compete to see who can best defend an information network from the NSA team. Navy won last year's event.

This year's competitors, besides Navy, are the U.S. Military Academy in West Point, N.Y., the U.S. Air Force Academy in Colorado Springs, Colo., the U.S. Merchant Marine Academy in Kings Point, N.Y., the U.S. Coast Guard Academy in New London, Conn., and the U.S. Air Force Institute of Technology in Ohio.

"It's a really practical application of what we learn in class," said Alison Teoh, 20, a junior and computer science major who is running the administrative side of the competition for Navy. "It's definitely dramatic as well, staying up four days straight and being slammed with attacks all the time by NSA."

About a dozen Mids worked in a room with more than 20 computers Tuesday, and some said they planned to work through the night during the competition, sleeping only four or five hours a day during the four-day event, The (Baltimore) Sun reported.

The Midshipmen were optimistic about the competition, pointing out that the servers of other military academies had been disabled longer than theirs. Participants will be graded on how they respond to the events, how effectively they defend and recover from the NSA hackers' efforts to disable their systems.

Jonathan Kindel, 22, a senior majoring in information technology and national security affairs, said his major combined technical study with the increasing importance of defense systems. "I know enough now to manage skills as a program manager, but there's also a political science twist to all of it," he said.
"You get to learn the impact of this stuff on an international playground."

From isn at c4i.org Thu Apr 13 04:03:00 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 13 Apr 2006 03:03:00 -0500 (CDT)
Subject: [ISN] Breach Exposes Ross-Simons Credit Card Information
Message-ID:

http://www.turnto10.com/consumerunit/8649210/detail.html

April 12, 2006

Rhode Island retailer Ross-Simons said the personal information of thousands of credit card applicants may have been compromised. NBC 10 Consumer Reporter Audrey Laganas reported that about 32,000 accounts were potentially at risk. All of the accounts belong to customers who applied for a Ross-Simons credit card between October 2004 and April 4 of this year.

Ross-Simons said a data breach resulted in the unauthorized access of credit card application data, including Social Security numbers, credit card numbers, expiration dates and other personal information. Ross-Simons said it is notifying all affected customers and will help them minimize any risk created by the breach. The company is offering 12 months of free credit bureau monitoring for affected customers, NBC 10 reported.

The retailer said it verified the breach on April 4 and reported it to the FBI. "The cause of the external system breach has been identified and corrected. Private label customer application information is no longer being stored by Ross-Simons," a news release said.

Ross-Simons did not disclose specifics of how the breach happened or how it was discovered. The company said it has hired an independent third party to conduct an immediate external audit of its security procedures.

Ross-Simons customers can call (888) 838-0815 for additional information. A list of frequently asked questions is posted on the Ross-Simons Web site.

Copyright 2006 by turnto10.com. All rights reserved.
From isn at c4i.org Thu Apr 13 04:03:20 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 13 Apr 2006 03:03:20 -0500 (CDT)
Subject: [ISN] Border Security System Left Open
Message-ID:

http://www.wired.com/news/technology/0,70642-0.html

By Kevin Poulsen
Apr, 12, 2006

A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News.

The documents raise new questions about the $400 million US-VISIT program, a 2-year-old system aimed at securing the border from terrorists by gathering biometric information from visiting foreign nationals and comparing it against government watch lists.

The Aug. 18 computer failure led to long lines at international airports in Los Angeles, San Francisco, Miami and elsewhere, while U.S. Customs and Border Protection, or CBP, officials processed foreign visitors by hand, or in some cases used backup computers, according to contemporaneous press reports. Publicly, officials initially attributed the failure to a virus, but later reversed themselves and claimed the incident was a routine system failure.

But two CBP reports obtained under the Freedom of Information Act show that the virulent Zotob internet worm infiltrated agency computers the day of the outage, prompting a hurried effort to patch hundreds of Windows-based US-VISIT workstations installed at nearly 300 airports, seaports and land border crossings around the country.

"When the virus problems appeared on (CBP) workstations Thursday evening, the decision was made to push the patch, immediately, to the ... US-VISIT workstations. Most workstations had received the patch by midnight and US-VISIT was back in operation at all locations," reads a CBP summary of the incident.
The Department of Homeland Security's US-VISIT program office declined to comment on the documents. Former White House cybersecurity adviser Howard Schmidt says the incident is typical of a large agency struggling with complex networks and evolving threats. "We've got catching-up to do in all areas, particularly areas having to do with national security and public safety," says Schmidt. "I hope you and I, 10 years from now, look back and say, 'Wow, I'm glad we survived that.'" Launched in January 2004, and expanded since then, US-VISIT is a hodgepodge of older databases maintained by various government agencies, tied to a national CBP-run network of Windows 2000 Professional workstations installed at U.S. points of entry. The system has processed more than 52 million visitors, and allowed border officials to intercept more than 1,000 wanted criminals and immigration violators, according to DHS. Some US-VISIT locations are now testing gear to read new RFID-equipped passports. While the idea of US-VISIT is universally lauded within government, the program's implementation has faced a steady barrage of criticism from congressional auditors concerned over management issues and cybersecurity problems. Last December, the DHS inspector general reported that the program might be vulnerable to hackers. The nearly 6-year-old Windows 2000 operating system was a particularly burdensome choice on Aug. 9, when Microsoft announced a vulnerability in the software's plug-and-play feature that allowed attackers to take complete control of a computer over a network. In an unusually quick mating of vulnerability with attack, it took only four days for a virus writer to launch an internet worm, called Zotob, that spread through the security hole. Operating somewhat more slowly, it took CBP officials until Aug. 16 -- a full week after Microsoft released a patch for the hole -- to start pushing the fix to CBP's Windows 2000 computers. 
But because of the array of peripherals hanging off of the US-VISIT workstations -- fingerprint readers, digital cameras and passport scanners -- they held off longer on fixing those machines, for fear that the patch itself might cause a disruption. "The push was not made to the US-VISIT workstations during the initial install due to concerns with the possible impact of the patch on the unique workstation configurations," reads one of the CBP reports. Officials -- not unreasonably, say security experts -- wanted to test the patch before installing it. But as a consequence, hundreds of computers networked to sensitive law enforcement and intelligence databases were left with a known vulnerability -- a security hole rated "critical" by Microsoft because it allows attackers to take control of a machine remotely. It wasn't until Zotob made itself at home on the CBP network Aug. 18 that the agency launched a fevered effort to secure the US-VISIT terminals, which sit on local area networks that are in turn connected to CBP's wide area network. Even as officials raced to install the patches, the US-VISIT computers were failing at major U.S. entry points around the country, including airports in Dallas, Houston, Los Angeles, Miami, New York, San Francisco and Laredo, Texas, according to press reports at the time. A DHS spokesman told the Associated Press the next day that a virus caused the outages. But in December, a different DHS spokesman told CNET News.com that there was no evidence that a virus was responsible, and that it was merely one of the routine "computer glitches" one expects in any complex system. The newly released documents call that claim into question. The government did not part with the pages lightly. After an initial FOIA request was rebuffed, Wired News filed a federal lawsuit, represented by Megan Adams, a law student at the Stanford Law School Cyberlaw Clinic. 
Only then did CBP release six pages of heavily redacted documents, including one page that is completely blacked out. (The lawsuit is ongoing.) The redactions leave it unclear whether the virus itself shuttered the system, or whether the patch, or the process of installing it, contributed to the outage. For example, one sentence reads, "Initial reports confirmed that the US-VISIT workstations were (redacted) impacted" by the virus. The blacked-out portion might as easily read "severely" as "not." Other redactions appear less tactical: A public Microsoft security bulletin is included, but with the bulletin number (MS05-039) blacked out. Perhaps most significantly, the pages do not reveal how the Zotob virus made its way onto the private CBP network -- an ominous migration that demonstrates that computers used in protecting U.S. borders are accessible, via some path, from the public internet, and could be subject to tampering. "That machine was reachable from some network, that was connected to some other network, that was connected to the internet," says Tim Mullen, a Windows security expert and CIO of security firm AnchorIS. "There was some series of connections that manifested itself in those machines getting compromised." A September report by the DHS inspector general found computer security at CBP wanting. In a scan of 368 devices on CBP networks, investigators identified 906 security vulnerabilities rated as medium or high risk. They criticized CBP for failing to implement a comprehensive security testing program, among other issues. "Our vulnerability assessments identified security concerns resulting from inadequate password controls, missing critical patches, vulnerable network devices and weaknesses in configuration management," the report concludes. "These security concerns provide increased potential for unauthorized access to CBP resources and data." 
In a second report in December focused on US-VISIT, the inspector general concluded that the mainframe databases at the backend of the system were generally secure. But investigators found vulnerabilities elsewhere in the system's architecture that "could compromise the confidentiality, integrity and availability of sensitive US-VISIT data." In particular, the report found system vulnerabilities at the U.S. points of entry where the US-VISIT workstations are operating. It blames the weaknesses on poor communications between administrators in the field and those at US-VISIT's Virginia data center.

In February, the Government Accountability Office -- Congress' investigative arm -- followed up with its own investigation of the program, faulting US-VISIT for not having an overall security plan.

Besides management issues, the system has been criticized as a slapdash effort at stringing older technology together into a modern security screening system. "Biometrics have been introduced into an antiquated computer environment," the 9/11 Commission noted of the program. "Replacement of these systems and improved biometric systems will be required."

Schmidt agrees, though he says the problem is hardly limited to US-VISIT. "We have to start moving at industry speed, not government speed, when it comes to the deployment of new technologies," says Schmidt. Instead of running Windows 2000, "I'd be racing to run the beta of the next generation of operating system ... and not worry about legacy stuff that we know isn't going to be supported too much longer and has had issues."

Prior to infecting CBP, the Zotob virus reportedly caused disruptions at The New York Times, ABC and CNN's headquarters in Atlanta, as well as some offices on Capitol Hill. In late August, the FBI announced the arrest of two men in connection with the worm: 18-year-old Farid "Diabl0" Essebar in Morocco, and a 21-year-old Turkish man named Atilla Ekici, known online as "Coder."
From isn at c4i.org Thu Apr 13 04:04:21 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 13 Apr 2006 03:04:21 -0500 (CDT)
Subject: [ISN] Recon 2006: speaker lineup announcement
Message-ID:

Forwarded from: Recon

RECON 2006 - http://recon.cx
Montreal, Quebec, Canada
16 - 18 June 2006

We are pleased to announce the final speaker lineup selection for the RECON conference. RECON is a computer security conference being held in Montreal. The conference offers a single track of presentations over the span of three days.

----------------------------------------

* Guest speakers:

Anthony de Almeida Lopes: Multi-cavity NOP-infection Operating System-Independent x86 Virus
Bunnie: to be announced
David Hulton: Breaking Wi-Fi... Faster!
Joe Stewart: OllyBone - Semi-Automatic Unpacking on IA-32
Spoonm: IDARub

* Speakers:

Christopher Abad - Advancements in Anonymous eAnnoyance
Pedram Amini - PaiMei and the Five Finger Exploding Palm RE Techniques
Sharon Conheady - Social Engineering for Penetration Testers
Dennis Cox - Network Devices an Insiders View
Fabrice Desclaux and Kostya Kortchinsky - Vanilla Skype
Mathieu Desnoyers - Tracing for Hardware, Driver and Binary Reverse Engineering in Linux
Fravia - Reversing our searching habits "Power searching without Google"
Alex Ionescu - Subverting Windows 2003 SP1 Kernel Integrity Protection
Luis Miras - Fix Bugs in Binaries
Alexander Sotirov - Reverse Engineering Microsoft Binaries
Michael Sutton - Fuzzing - Brute Force Vulnerability Discovery
Ted Unangst - Secure Development with Static Analysis
Woodmann - The legality of RCE

...more to come

----------------------------------------

Recon is also offering three training courses this year.

* Packet Mastering the Monkey Way
Learn how to write scanners, sniffers and packet flooders using libpcap, libdnet, and libevent.
Instructor: Jose Nazario and Marius Eriksen
Dates: 14-15 June 2006

* Advanced Reverse Engineering
Learn how to unpack Packers and Protectors, and how to analyse Polymorphic viruses
Instructor: Nicolas Brulez
Dates: 13-15 June 2006

* Introduction to Reverse Engineering
Learn how you can reverse engineer programs to understand their inner workings
Instructor: Nicolas Brulez
Dates: 19-21 June 2006

For more details on the trainings go to http://recon.cx/en/training.html

----------------------------------------

Recon 2005 papers and videos : http://2005.recon.cx/recon2005/papers/

From isn at c4i.org Thu Apr 13 04:04:40 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 13 Apr 2006 03:04:40 -0500 (CDT)
Subject: [ISN] Network security firm explores IPO
Message-ID:

http://www.baltimoresun.com/business/bal-bz.sourcefire13apr13,0,7066560.story?coll=bal-business-headlines

By Stacey Hirsh
Sun reporter
April 13, 2006

Martin Roesch's technology company was started in 2001 the same way many others begin - from his living room. During its first year, Roesch's network security firm Sourcefire Inc. was running shipping and receiving from the foyer and conducting data operations from what is now the in-law suite at his Eldersburg home.

"It was definitely a startup," recalled Roesch, 36, who is now the company's chief technology officer.

Five years later, Sourcefire has grown to 150 employees with offices around the world, including two at its Columbia headquarters. The network security software Roesch developed is an industry leader. And despite last month's high-profile disappointment when the government blocked the $225 million sale of Sourcefire to Israeli-based Check Point Software Technologies Ltd. because of security concerns, executives say the company is poised to move forward.

Sourcefire is considering an initial public offering, executives said.
And with the Check Point deal off, executives said the company's main focus is growing the business, gaining market share and improving profits. Michele Perry, Sourcefire's chief marketing officer, said the company is "gunning for a fourth-quarter IPO." "Last year, that was one of the options we had on the table that we were moving toward, and Check Point came out of the woodwork and tried to acquire us," Perry said. "So we're just back on our plan." Wayne Jackson, Sourcefire's chief executive officer, was more measured in his remarks. "We want to be in a position to be a public company in that time frame," Jackson said in an interview at his office this week. Jackson, 44, said that Sourcefire's focus is to aggressively grow its business, so that the decision of when - or whether - to take the company public is within their control. Sourcefire announced in October that it would be acquired by Check Point. But the acquisition raised national security issues and was under investigation by the Committee on Foreign Investment in the United States, the same agency that investigated Dubai Ports World's bid to run some operations at six U.S. ports including Baltimore's. Check Point announced late last month that it was pulling out of the deal. With the Check Point deal behind them, Jackson said, Sourcefire is no longer focused on being acquired. He said the company has consulted with a bank about financing strategies to help it expand. Sourcefire has been profitable since the fourth quarter of 2005, Jackson said, while declining to provide specifics. Sourcefire has the potential to be a billion-dollar company as it grabs a chunk of markets beyond intrusion prevention, Jackson said. He sees an IPO as one financing option but says it's more of a starting point than a finish line. 
"Like any manager, I'd like to have as many options as I possibly can, so keeping the company strong enough to do [an IPO] is something I'd like to do, but it's not a management goal," Jackson said. "We're growing the company because we see a huge opportunity to be an industry leader." Jeffrey W. Englander, an independent analyst who follows the information security industry, says going public is an attractive option for Sourcefire and returns them to the path they were on before the Check Point deal. Englander has no financial relationship with Sourcefire. Sourcefire makes open-source intrusion prevention technology called Snort, which analyzes network traffic to protect against hackers. The company also makes software to manage that data. Additionally, Sourcefire makes real-time network awareness technology, which maps out exactly what the network looks like. The intrusion detection and prevention market is expected to reach $700 million this year, Englander said. And Sourcefire's real-time network awareness adds a feature to the technology that many companies are looking for, he said. "That's their secret sauce," Englander said. "It will not only prevent threats but look at different threats within your network, look at the configuration of your network, see where there are potential vulnerabilities and work to remediate those vulnerabilities in your network." Snort, which Roesch invented, is a free product, and the code is available for anyone to see. But Englander said Sourcefire does not have any true direct competitors for its real-time network awareness technology. Englander estimates that Sourcefire will have sales of about $53 million this year. Kathy Smith, a principal with Renaissance Capital, a Greenwich, Conn., IPO research and investing firm, said it's a good time to be going public. 
The average stock price of companies that have gone public this year is up 21 percent from their IPO price, with about half of that return coming from the first day's trading. There have been 46 IPOs this year, compared with 38 for the corresponding period last year, according to Renaissance Capital. Smith said technology companies typically make up about a third of the IPOs each year. But investors, who were burned when the tech bubble burst, are being more discriminating these days. In 2000, only 26 percent of the firms that went public were profitable. By last year, that number was up to 69 percent, according to data from Renaissance Capital. "It's still a good time for a technology company to go public - the market is very healthy," Smith said. "However, it cannot be a company that doesn't have substance, because investors are selective," he said. Jackson acknowledges that he was disappointed when the Check Point deal fell through, because he hates losing at anything. (His hobby is competitive race car driving, which he says requires putting aside fears of going fast and focusing on a complex set of variables in a challenging environment, like running a technology startup.) Jackson said he felt better a day after the deal fell through when he thought about Sourcefire's value. He said the company's $225 million price tag during the Check Point deal was based on the business as of a year ago, when the company was not yet profitable. Jackson expects 2006 to be Sourcefire's first profitable year. Englander, the information security analyst, agrees that an IPO would not be the be-all, end-all for Sourcefire. It's a financing option that could give it more cash to grow the business, either organically or through acquisition. "It gives them the additional resources they need to expand the business, and it would give them a public currency to make acquisitions, should they desire," Englander said. 
Until then, Roesch and Jackson are working at their Columbia technology company where - as with the startups of the tech boom - the break room offers Xbox, a foosball table, and free soda and candy. But the sprawling offices are a far cry from the Eldersburg living room where the company began.

Copyright © 2006, The Baltimore Sun

From isn at c4i.org Fri Apr 14 02:32:57 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 14 Apr 2006 01:32:57 -0500 (CDT)
Subject: [ISN] 'Red Hackers Alliance' seen behind attacks on U.S. sites
Message-ID:

http://www.worldtribune.com/worldtribune/06/front2453839.0770833334.html

Special to World Tribune.com
EAST-ASIA-INTEL.COM
Thursday, April 13, 2006

China's information warfare expertise comes in part from a group called the "Red Hackers Alliance," U.S. officials said. Chinese-origin hackers are responsible for tens of thousands of computer attacks on U.S. government networks, the officials said.

The "Alliance" which identifies itself as "a network security research organization made up of Chinese patriotic hackers," specializes in network security, "patriotic hacker training," and software development, according to the group's Internet site.

Unlike western private groups and networks which spread by word of mouth and clicks of the mouse, the "Alliance" operates like a government- or party-backed organization. A Hong Kong-based specialist said China has a budget for hiring the best IT graduates from U.S. universities to hone its cyberwar capabilities. "They've got the money, and they are spending it," he said.

The "Alliance" claims to have "liaison officers" in provinces and cities across China and is currently recruiting "patriotic hackers" to fill posts in some regions. The group's offerings include: patriotic hacker courses, software, alliance services, and special training. The group also provides information and software downloads on a variety of hacker tools, literature and other services.
The group has marketed a patriotic hacker book and has held meetings in Shanghai.

Copyright © 2006 East West Services, Inc.

From isn at c4i.org Fri Apr 14 02:33:24 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 14 Apr 2006 01:33:24 -0500 (CDT)
Subject: [ISN] Data Leaks Persist From Afghan Base
Message-ID:

Forwarded from: William Knowles

http://www.latimes.com/news/nationworld/world/la-fg-disks13apr13,0,1166178.story?coll=la-home-headlines

By Paul Watson
Times Staff Writer
April 13, 2006

BAGRAM, Afghanistan - A computer drive sold openly Wednesday at a bazaar outside the U.S. air base here holds what appears to be a trove of potentially sensitive American intelligence data, including the names, photographs and telephone numbers of Afghan spies informing on the Taliban and Al Qaeda.

The flash memory drive, which a teenager sold for $40, holds scores of military documents marked "secret," describing intelligence-gathering methods and information - including escape routes into Pakistan and the location of a suspected safe house there, and the payment of $50 bounties for each Taliban or Al Qaeda fighter apprehended based on the source's intelligence.

The documents appear to be authentic, but the accuracy of the information they contain could not be independently verified. On its face, the information seems to jeopardize the safety of intelligence sources working secretly for U.S. Special Forces in Afghanistan, which would constitute a serious breach of security. For that reason, The Times has withheld personal information and details that could compromise military operations.

U.S. commanders in Afghanistan said an investigation was underway into what shopkeepers at the bazaar describe as ongoing theft and resale of U.S. computer equipment from the Bagram air base. The facility is the center of intelligence-gathering activities and includes a detention center for suspected members of Al Qaeda and other terrorist groups flown in from around the world.
"Members of the Army's Criminal Investigation Command are conducting an investigation into potential criminal activity," a statement said. The top U.S. commander here, Army Lt. Gen. Karl Eikenberry, has ordered a review of policies and procedures for keeping track of computer hardware and software. "Coalition officials regularly survey bazaars across Afghanistan for the presence of contraband materials, but thus far have not uncovered sensitive or classified items," the statement added. The credibility and reliability of some intelligence sources identified in the documents is marked as unknown. Other operatives, however, appear to be of high importance, including one whose information, the document says, led to the apprehension of seven Al Qaeda suspects in the United States. One document describes a source as having "people working for him" in 11 Afghan cities. "The potential for success with this contact is unlimited," the report says. Even the names of people identified as the sources' wives and children are listed - details that could put them at risk of retaliation by insurgents who have boasted about executing dozens of people suspected of spying for U.S. forces. The drive includes descriptions of Taliban commanders' meetings in neighboring Pakistan and maps of militants' infiltration and escape routes along its border with Afghanistan. In another folder, there is a diagram of a mosque and madrasa, or Islamic school, where an informant said fugitive Taliban leader Mullah Mohammed Omar had stayed in Pakistan. Another document describes in detail how a member of Pakistan's Inter-Services Intelligence agency, or ISI, the Taliban's former mentors, tried to recruit an Afghan spying for the U.S. by promising him $500 a month. Some of the documents can't be opened without a password, but most are neither locked nor encrypted. Numerous files indicate the flash drive may have belonged to a member of the Army's 7th Special Forces Group (Airborne), based at Ft. 
Bragg, N.C. The unit is operating in southern Afghanistan, where a U.S.-led coalition is battling a growing insurgency. Some of the computer files are dated as recently as this month, while others date to 2004. The clerk who sold the computer drive said an Afghan worker smuggled it out of the Bagram base Tuesday, a day after The Times first reported that military secrets were available at several stalls at the bazaar. The 1-gigabyte flash drive sold at the bazaar Wednesday is almost full and contains personal snapshots, Special Forces training manuals, records of "direct action" training missions in South America, along with numerous computer slide presentations and documents marked "secret." There is also a detailed "Site Security Survey" describing the layout of the Special Forces unit's "Low Visibility Operating Base" in southwestern Afghanistan. Another document outlines procedures for defending the base if it comes under attack, and there are several photographs of the walls and areas inside the perimeter. The drive holds detailed information on a handful of Afghan informants identified by name and the number of contacts with U.S. handlers. In some cases, photographs of the sources are attached. A report on a spy involved with a code-named operation says the Afghan has been used in "cross border operations." But it cautions that an American officer "has come to the conclusion that Contact may or may not be as security conscious as thought to be or expected." The report describes a potential "low-level source" who reportedly has "brought in active and inactive Taliban and Al Qaeda associates/operators who have expressed a desire to repatriate/end conflict peacefully." The man is identified as a former ISI agent in the 1980s, during the U.S.-backed mujahedin war against Soviet troops in Afghanistan. He also provided a document on Al Qaeda's cell structure to the CIA, the report adds. 
The document also names the man's wife and children and lists his cellphone number. It describes the informant as very punctual, with a good sense of humor. Politically, it adds, he is "much like a Republican in the United States." The computer files also provide a rare look at how the U.S. military contracts and pays its Afghan spies, and the commitments they make in signed contracts, written in English. In a two-page "Record of Oral Commitment," marked "secret" and dated Jan. 28, 2005, a source agreed to work for the U.S. Army by providing information on Al Qaeda, the Taliban and an allied militia, the Hizb-i-Islami, led by fugitive warlord Gulbuddin Hekmatyar. "The source will be paid $15 USD for each mission he completes that has verified information," the agreement stipulates. "This sum will not exceed a total of $300 USD in a 1-month period," the report says. The sum rises to $500 a month for information "deemed of very high importance." And there are serious consequences for any breaches of the commitment, such as failing to disclose information on the terrorist organizations or missing either of two meetings scheduled for each month. The penalty for "using his new skills to participate in activities that are deemed" anti-U.S. or against the Afghan government is "termination with prejudice," according to the document. Another document describes how an Afghan informant for the U.S. military said he was contacted by an official from Pakistan's Embassy, who asked the Afghan to spy for the ISI. A high-level ISI official then offered the Afghan $500 a month and other incentives, the document says. The report adds that the ISI official "said that he's looking for an U.S. Embassy employee to aid in the bombing of the embassy that [he] is planning." The ISI official promised he would pay the Afghan $100,000 after the destruction of the embassy in Kabul. 
The report concludes: "Everything that [Pakistani] told the Source could be made up or inflated as to look good and exciting to the Source; a possible ploy to get the Source to 'sign up' for the ISI. However, my 'gut' tells me otherwise, and this guy really is trying to recruit my source for the other side."

Special correspondent Wesal Zaman in Kabul contributed to this report.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Apr 14 02:33:41 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 14 Apr 2006 01:33:41 -0500 (CDT)
Subject: [ISN] Microsoft's Security Disclosures Come Under Fire
Message-ID:

http://www.eweek.com/article2/0,1895,1949279,00.asp

By Ryan Naraine
April 13, 2006

Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins?

Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of "misleading" customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11.

That bulletin, rated "critical," contained patches for a remote code execution hole in Windows Explorer, the embedded file manager that lets Windows users view and manage drives, folders and files. However, as Murphy found out when scouring through the fine print in the bulletin, the update also addressed what Microsoft described as a "publicly disclosed variation" of a flaw that was reported in May 2004 (CVE-2004-2289).
In an entry posted to the SecuriTeam blog, Murphy noted that the vulnerability that is documented was privately reported, but the "variation" that was also patched has been publicly known for 700+ days.

"In that case, the issue that is truly the 'variation' is the issue that was discovered and reported privately after the public disclosure," he said.

"[The] information as published is extremely misleading and Microsoft's choice not to document a publicly reported vulnerability is not one that will be for the benefit of its customers' security," Murphy said.

In an interview with eWEEK, Murphy said another "throwaway line" in the bulletin also raised questions about whether a flaw he reported in August 2005 was silently fixed.

The bulletin refers to a "Defense in Depth change" that ensures that consistent prompting occurs in "Internet zone drag and drop scenarios." That wording, Murphy said, "sounds suspiciously like an attempt to plug the vulnerability I reported publicly in February, which is CVE-2005-3240."

Murphy originally reported that vulnerability to the MSRC in August 2005, but held off on publishing the details for six months. During that time, Murphy and MSRC officials haggled over the severity of the bug and Microsoft made it clear it had no plans to issue a security update to provide a fix, Murphy said. The company said the fixes would be included in Service Pack 2 of Windows Server 2003 and Service Pack 3 of Windows XP.

"Microsoft's internal risk assessment concluded that this issue was not sufficiently serious to be fixed in a security bulletin. This conclusion appears fundamentally inconsistent with the way related issues were handled by Microsoft," Murphy said.

"I disagree with the technical conclusion behind Microsoft's decision and I further find the time frame of delivery and deployment for maintenance releases to be largely unsuitable for security fixes of any significant magnitude," he said.

Murphy has not yet tested the patch to determine whether the drag-and-drop issue was actually fixed, but, even without testing, he argues that the way the information was released leaves everyone guessing.

"Microsoft needs to be much more transparent about the real nature of the threats customers are facing. Microsoft doesn't patch phantom vulnerabilities that don't exist or unrealistic science-fiction attack scenarios. Microsoft's under-documentation of these vulnerabilities leaves those charged with deploying patches in a tough spot," he said.

"You simply don't know what the patches are for. It's virtually impossible to make a determination about a deployment time frame if not deploying a patch has the potential to place you at an additional, unknown risk. As a result, administrators may deploy patches unnecessarily, erring on the side of caution (and risking compatibility problems in the process), or they may choose not to deploy based on incomplete information. Individuals making these kinds of decisions deserve better information," Murphy said.

Murphy said the MS06-015 bulletin "should be revised or completely rewritten, with the objective of providing sensible, coherent and complete information to customers."

Microsoft, based in Redmond, Wash., declined requests for an interview to discuss the issue. Instead, the company sent a statement to eWEEK to stress that all the publicly disclosed vulnerabilities fixed by MS06-015 are addressed in the bulletin documentation, listed under the "Vulnerability Details" section and denoted by their individual CVE numbers.

"[We] have a working relationship with Matt and, based on our ongoing discussions with him, view his blog posting as welcome feedback for how we can continue to improve our security bulletins," the statement read.

The statement said "all publicly disclosed vulnerabilities" excludes Murphy's report, but even that claim is "false," Murphy said.

"The bulletin patches a CVE that doesn't have its own individual denotation. The bottom line is, Microsoft's claim that every 'publicly disclosed vulnerability' is denoted specifically is bizarre, because they've yet to answer one of the criticisms in the blog post, which is that they don't provide meaningful information about this 'variation' that's allegedly patched," he said.

Regarding Microsoft's statement, Murphy added, "That still doesn't answer the question of where this other 'Defense in Depth' change was originated. There's no specific threat that it's identified as correcting, so it seems almost random."

Ironically, these questions about transparency and disclosure come less than a month after an MSRC official criticized Apple for the way it handles security guidance to customers.

"Look, the only way you can tackle security issues is by getting out ahead of them and clearly communicating to your users the threat, and the clear guidance on how to be safe," MSRC program manager Stephen Toulouse said in response to what he described as the "recent trials and tribulations of Apple in the security space."

Now, Murphy said, the shoe is on the other foot and Microsoft is just as guilty as Apple.

"Every time Microsoft seems to be getting the security pitch right, one gets thrown in the dirt. Microsoft needs a new ball," he said.
From isn at c4i.org Fri Apr 14 02:34:07 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 14 Apr 2006 01:34:07 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-15
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-04-06 - 2006-04-13

This week : 72 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you of the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Tuesday, Microsoft issued the long awaited patch for the "Extremely Critical" createTextRange() vulnerability in Internet Explorer, which was originally discovered by Secunia Research and disclosed to Microsoft on 13th February for a co-ordinated disclosure.

However, on 22nd March the vulnerability was publicly disclosed by an independent third party and exploit code was soon created and published by different researchers.

Microsoft also issued patches for other critical vulnerabilities, for more details see the following Secunia Advisories:
http://secunia.com/SA19617
http://secunia.com/SA19623
http://secunia.com/SA18957
http://secunia.com/SA19583
http://secunia.com/SA19606

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
2. [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
3. [SA19534] ClamAV Multiple Vulnerabilities
4. [SA19495] Linux Kernel SYSFS Local Denial of Service Vulnerability
5. [SA19218] Flash Player Unspecified Code Execution Vulnerabilities
6. [SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
7. [SA19553] Cisco Optical Networking System 15000 Series Multiple Vulnerabilities
8. [SA19556] phpMyAdmin Cross-Site Scripting Vulnerabilities
9. [SA19569] Hosting Controller "forum.mdb" Exposure of User Credentials
10. [SA19552] Cisco 11500 Content Services Switch HTTP Compression Denial of Service

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA19583] Microsoft Data Access Components RDS.Dataspace ActiveX Vulnerability
[SA19617] Outlook Express Windows Address Book File Vulnerability
[SA19606] Microsoft Windows Explorer COM Object Handling Vulnerability
[SA19569] Hosting Controller "forum.mdb" Exposure of User Credentials
[SA19566] SAXoPRESS "url" Parameter Directory Traversal Vulnerability
[SA19623] Microsoft FrontPage Server Extensions Cross-Site Scripting

UNIX/Linux:
[SA19619] Debian update for horde3
[SA19608] SUSE update for clamav
[SA19571] SUSE Updates for Multiple Packages
[SA19570] Trustix updates for multiple packages
[SA19567] Gentoo update for clamav
[SA19564] Mandriva update for clamav
[SA19557] Ubuntu update for kaffeine
[SA19644] Ubuntu Updates for Multiple Packages
[SA19624] SGI ProPack XFree86 Multiple Vulnerabilities
[SA19607] SGI ProPack kernel Multiple Vulnerabilities
[SA19597] Mandriva update for sash
[SA19591] Debian update for moodle
[SA19590] Debian update for cacti
[SA19586] Matt Wright Guestbook Script Insertion Vulnerabilities
[SA19572] xzgv JPEG Image Parsing Heap Overflow Vulnerability
[SA19565] Mandriva update for mplayer
[SA19555] Debian update for libphp-adodb
[SA19589] Debian mnogosearch Insecure Password Storage Security Issue
[SA19614] VegaDNS "cid" Parameter SQL Injection Vulnerability
[SA19598] Mandriva update for openvpn
[SA19595] Shadowed Portal Pages Module Cross-Site Scripting
[SA19587] Cherokee Web Server Cross-Site Scripting Vulnerability
[SA19561] HP-UX update for wu-ftpd
[SA19558] Mailman Private Archive Script Cross-Site Scripting
[SA19638] Sun Solaris LDAP2 Client Commands Security Issue
[SA19560] HP-UX Unspecified "su" LDAP Netgroup Vulnerability
[SA19559] fbida fbgs Insecure Temporary File Creation Vulnerability
[SA19577] Debian update for libimager-perl
[SA19627] Sun Solaris "sh" Process Denial of Service Vulnerability
[SA19573] Linux Kernel "__keyring_search_one()" Denial of Service

Other:

Cross Platform:
[SA19630] AzDGVote "int_path" File Inclusion Vulnerabilities
[SA19628] Simplog Multiple Vulnerabilities and Security Issues
[SA19625] phpListPro "returnpath" File Inclusion Vulnerability
[SA19588] Autonomous LAN Party File Inclusion Vulnerability
[SA19576] Dokeos File Inclusion Vulnerabilities
[SA19634] MvBlog Script Insertion and SQL Injection Vulnerabilities
[SA19618] Cyrus SASL DIGEST-MD5 Pre-Authentication Denial of Service
[SA19613] JBook Multiple Vulnerabilities
[SA19611] Confixx Pro Cross-Site Scripting and SQL Injection Vulnerabilities
[SA19609] Clansys "showid" SQL Injection Vulnerability
[SA19604] Dokeos "topic" Parameter SQL Injection Vulnerability
[SA19602] XBrite Members "id" SQL Injection Vulnerability
[SA19601] dnGuestbook admin.php SQL Injection Vulnerability
[SA19600] PHPOpenChat ADOdb Insecure Test Scripts Security Issues
[SA19593] Shopweezle Multiple SQL Injection Vulnerabilities
[SA19592] apt-webshop-system Multiple Vulnerabilities
[SA19584] Chipmunk Guestbook "username" SQL Injection Vulnerability
[SA19580] Gallery Unspecified Script Insertion Vulnerabilities
[SA19578] MAXdev MD-Pro "topicid" SQL Injection Vulnerability
[SA19568] MWNewsletter Multiple Vulnerabilities
[SA19563] MAXdev MD-Pro ADOdb "server.php" Insecure Test Script Security Issue
[SA19554] Andy's PHP Knowledgebase Cross-Site Scripting and Script Insertion
[SA19636] Manila Multiple Cross-Site Scripting Vulnerabilities
[SA19635] Tritanium Bulletin Board register.php Cross-Site Scripting
[SA19629] Autogallery Cross-Site Scripting Vulnerability
[SA19622] interaktiv.shop Cross-Site Scripting Vulnerability
[SA19610] PHPWebGallery Multiple Cross-Site Scripting Vulnerabilities
[SA19603] JetPhoto Server "name" and "page" Cross-Site Scripting
[SA19594] Web+Shop "deptname" Parameter Cross-Site Scripting
[SA19582] Jupiter Content Manager "layout" Cross-Site Scripting
[SA19579] Clever Copy connect.inc Information Disclosure Security Issue
[SA19562] vBulletin vBug Tracker Module "sortorder" Cross-Site Scripting
[SA19556] phpMyAdmin Cross-Site Scripting Vulnerabilities
[SA19574] Oracle Database Access Restrictions Bypass Vulnerability
[SA19599] PHP "phpinfo()" Cross-Site Scripting and Security Bypass
[SA19575] Imager JPEG/TGA Image Processing Denial of Service

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA19583] Microsoft Data Access Components RDS.Dataspace ActiveX Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-04-11

A vulnerability has been reported in Microsoft Data Access Components (MDAC), which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19583/

--
[SA19617] Outlook Express Windows Address Book File Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-04-11

A vulnerability has been reported in Microsoft Outlook Express, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19617/

--
[SA19606] Microsoft Windows Explorer COM Object Handling Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-04-11

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19606/

--
[SA19569] Hosting Controller "forum.mdb" Exposure of User Credentials

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-04-07

Syst3m_f4ult has reported a security issue in Hosting Controller, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/19569/

--
[SA19566] SAXoPRESS "url" Parameter Directory Traversal Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-04-12

Data Security has reported a vulnerability in SAXoPRESS, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/19566/

--
[SA19623] Microsoft FrontPage Server Extensions Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-11

A vulnerability has been reported in Microsoft FrontPage Server Extensions, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19623/

UNIX/Linux:
--
[SA19619] Debian update for horde3

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information, System access
Released: 2006-04-13

Debian has issued an update for horde3. This fixes some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks, and by malicious people to disclose sensitive information or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19619/

--
[SA19608] SUSE update for clamav

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-04-11

SUSE has issued an update for clamav. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19608/

--
[SA19571] SUSE Updates for Multiple Packages

Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Released: 2006-04-10

SUSE has issued updates for multiple packages. These fix some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19571/

--
[SA19570] Trustix updates for multiple packages

Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Released: 2006-04-10

Trustix has issued updates for multiple packages. These fix some vulnerabilities, which can be exploited by malicious people to gain knowledge of potentially sensitive information, potentially cause a DoS (Denial of Service), and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19570/

--
[SA19567] Gentoo update for clamav

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-04-10

Gentoo has issued an update for clamav. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19567/

--
[SA19564] Mandriva update for clamav

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-04-10

Mandriva has issued an update for clamav. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19564/

--
[SA19557] Ubuntu update for kaffeine

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-04-07

Ubuntu has issued an update for kaffeine. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19557/

--
[SA19644] Ubuntu Updates for Multiple Packages

Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-04-13

Full Advisory: http://secunia.com/advisories/19644/

--
[SA19624] SGI ProPack XFree86 Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2006-04-12

SGI has acknowledged some vulnerabilities in SGI ProPack, which potentially can be exploited by malicious, local users to gain escalated privileges and potentially by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19624/

--
[SA19607] SGI ProPack kernel Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, Privilege escalation, DoS
Released: 2006-04-11

SGI has acknowledged some vulnerabilities in SGI ProPack, which can be exploited by malicious, local users to cause a DoS (Denial of Service), gain knowledge of potentially sensitive information, and gain escalated privileges, and by malicious people to cause a DoS or bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19607/

--
[SA19597] Mandriva update for sash

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-04-11

Mandriva has issued an update for sash. This fixes some vulnerabilities, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application or potentially execute arbitrary code.

Full Advisory: http://secunia.com/advisories/19597/

--
[SA19591] Debian update for moodle

Critical: Moderately critical
Where: From remote
Impact: System access, Exposure of system information, Manipulation of data, Cross Site Scripting, Security Bypass
Released: 2006-04-10

Debian has issued an update for moodle. This fixes two security issues and some vulnerabilities, which can be exploited by malicious people to disclose system information, conduct cross-site scripting attacks, execute arbitrary SQL code, and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19591/

--
[SA19590] Debian update for cacti

Critical: Moderately critical
Where: From remote
Impact: System access, Exposure of system information, Manipulation of data, Cross Site Scripting, Security Bypass
Released: 2006-04-10

Debian has issued an update for cacti. This fixes two security issues and some vulnerabilities, which can be exploited by malicious people to disclose system information, conduct cross-site scripting attacks, execute arbitrary SQL code, and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19590/

--
[SA19586] Matt Wright Guestbook Script Insertion Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-10

Some vulnerabilities have been discovered in Matt Wright Guestbook, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/19586/

--
[SA19572] xzgv JPEG Image Parsing Heap Overflow Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-04-10

A vulnerability has been reported in xzgv, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19572/

--
[SA19565] Mandriva update for mplayer

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-04-10

Mandriva has issued an update for mplayer. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19565/

--
[SA19555] Debian update for libphp-adodb

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, System access
Released: 2006-04-10

Debian has issued an update for libphp-adodb. This fixes two security issues and some vulnerabilities, which can be exploited by malicious people to disclose system information, conduct cross-site scripting attacks, execute arbitrary SQL code, and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19555/

--
[SA19589] Debian mnogosearch Insecure Password Storage Security Issue

Critical: Moderately critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-04-11

Andrew Pam has discovered a security issue in Debian mnogosearch, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/19589/

--
[SA19614] VegaDNS "cid" Parameter SQL Injection Vulnerability

Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-04-11

Ph03n1X has discovered a vulnerability in VegaDNS, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19614/

--
[SA19598] Mandriva update for openvpn

Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-04-11

Mandriva has issued an update for openvpn. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19598/

--
[SA19595] Shadowed Portal Pages Module Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-10

Liz0ziM has reported a vulnerability in Shadowed Portal, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19595/

--
[SA19587] Cherokee Web Server Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-10

Ruben Garrote Garcia has reported a vulnerability in Cherokee, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19587/

--
[SA19561] HP-UX update for wu-ftpd

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-04-07

HP has issued an update for wu-ftpd. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19561/

--
[SA19558] Mailman Private Archive Script Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-07

A vulnerability has been reported in Mailman, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19558/

--
[SA19638] Sun Solaris LDAP2 Client Commands Security Issue

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-04-12

A security issue has been reported in Sun Solaris, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/19638/

--
[SA19560] HP-UX Unspecified "su" LDAP Netgroup Vulnerability

Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-04-07

A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19560/

--
[SA19559] fbida fbgs Insecure Temporary File Creation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-04-10

Jan Braun has reported a vulnerability in fbida, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/19559/

--
[SA19577] Debian update for libimager-perl

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-04-10

Debian has issued an update for libimager-perl. This fixes a vulnerability, which can be exploited by malicious people to crash certain applications on a vulnerable system.

Full Advisory: http://secunia.com/advisories/19577/

--
[SA19627] Sun Solaris "sh" Process Denial of Service Vulnerability

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-04-12

A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19627/

--
[SA19573] Linux Kernel "__keyring_search_one()" Denial of Service

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-04-11

A vulnerability has been reported in Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19573/

Other:

Cross Platform:
--
[SA19630] AzDGVote "int_path" File Inclusion Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-04-12

SnIpEr_SA has discovered a vulnerability in AzDGVote, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19630/ -- [SA19628] Simplog Multiple Vulnerabilities and Security Issues Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, System access Released: 2006-04-12 Some vulnerabilities and security issues have been discovered in Simplog, which can be exploited by malicious people to disclose system information, conduct cross-site scripting and SQL injection attacks, execute arbitrary SQL code, and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19628/ -- [SA19625] phpListPro "returnpath" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-04-12 Aesthetico has discovered a vulnerability in phpListPro, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19625/ -- [SA19588] Autonomous LAN Party File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-04-10 Codexploder'tq has discovered a vulnerability in Autonomous LAN Party, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19588/ -- [SA19576] Dokeos File Inclusion Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2006-04-11 Two vulnerabilities have been discovered in Dokeos, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19576/ -- [SA19634] MvBlog Script Insertion and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-04-12 Some vulnerabilities have been reported in MvBlog, which can be exploited by malicious people to conduct script insertion and SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/19634/ -- [SA19618] Cyrus SASL DIGEST-MD5 Pre-Authentication Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-04-11 Mu Security has reported a vulnerability in Cyrus SASL library, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19618/ -- [SA19613] JBook Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-04-11 Some vulnerabilities have been discovered in JBook, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/19613/ -- [SA19611] Confixx Pro Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-04-12 Snake_23 has reported two vulnerabilities in Confixx Pro, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/19611/ -- [SA19609] Clansys "showid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-04-11 snatcher has discovered a vulnerability in Clansys, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19609/ -- [SA19604] Dokeos "topic" Parameter SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-04-11 Alvaro Olavarria has discovered a vulnerability in Dokeos, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/19604/ -- [SA19602] XBrite Members "id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-04-10 snatcher has discovered a vulnerability in XBrite Members, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19602/ -- [SA19601] dnGuestbook admin.php SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-04-11 snatcher has discovered a vulnerability in dnGuestbook, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19601/ -- [SA19600] PHPOpenChat ADOdb Insecure Test Scripts Security Issues Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of system information, System access Released: 2006-04-11 Two security issues have been discovered in PHPOpenChat, which can be exploited by malicious people to disclose system information, execute arbitrary SQL code, and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19600/ -- [SA19593] Shopweezle Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-04-10 r0t has reported multiple vulnerabilities in Shopweezle, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19593/ -- [SA19592] apt-webshop-system Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-04-10 r0t has reported some vulnerabilities in apt-webshop, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. 
Full Advisory:
http://secunia.com/advisories/19592/

--

[SA19584] Chipmunk Guestbook "username" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-12

Dr.Jr7 has reported a vulnerability in Chipmunk Guestbook, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19584/

--

[SA19580] Gallery Unspecified Script Insertion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-10

Some vulnerabilities have been reported in Gallery, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19580/

--

[SA19578] MAXdev MD-Pro "topicid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information
Released:    2006-04-10

king_purba has discovered a vulnerability in MAXdev MD-Pro, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19578/

--

[SA19568] MWNewsletter Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-07

Some vulnerabilities have been discovered in MWNewsletter, which can be exploited by malicious people to conduct script insertion attacks and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19568/

--

[SA19563] MAXdev MD-Pro ADOdb "server.php" Insecure Test Script Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2006-04-11

A security issue has been reported in MAXdev MD-Pro, which can be exploited by malicious people to execute arbitrary SQL code and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19563/

--

[SA19554] Andy's PHP Knowledgebase Cross-Site Scripting and Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-06

Brian has discovered some vulnerabilities in Andy's PHP Knowledgebase, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19554/

--

[SA19636] Manila Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-12

d4igoro has discovered some vulnerabilities in Manila, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19636/

--

[SA19635] Tritanium Bulletin Board register.php Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-12

Some vulnerabilities have been discovered in Tritanium Bulletin Board, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19635/

--

[SA19629] Autogallery Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-12

0o_zeus_o0 has discovered a vulnerability in Autogallery, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19629/

--

[SA19622] interaktiv.shop Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-12

r0t has reported a vulnerability in interaktiv.shop, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19622/

--

[SA19610] PHPWebGallery Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-11

Psych0 has discovered multiple vulnerabilities in PHPWebGallery, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19610/

--

[SA19603] JetPhoto Server "name" and "page" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-11

0o_zeus_o0 has reported some vulnerabilities in JetPhoto Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19603/

--

[SA19594] Web+Shop "deptname" Parameter Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-11

r0t has reported a vulnerability in Web+Shop, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19594/

--

[SA19582] Jupiter Content Manager "layout" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-04-11

KaDaL-X has discovered a vulnerability in Jupiter Content Manager, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19582/

--

[SA19579] Clever Copy connect.inc Information Disclosure Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-04-11

M.Hasran Addahroni has discovered a security issue in Clever Copy, which can be exploited by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/19579/

--

[SA19562] vBulletin vBug Tracker Module "sortorder" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-07

r0t has reported a vulnerability in the vBug Tracker module for vBulletin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19562/

--

[SA19556] phpMyAdmin Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-07

Some vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19556/

--

[SA19574] Oracle Database Access Restrictions Bypass Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-04-11

A vulnerability has been reported in Oracle Database, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19574/

--

[SA19599] PHP "phpinfo()" Cross-Site Scripting and Security Bypass

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2006-04-10

Maksymilian Arciemowicz has reported some vulnerabilities in PHP, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19599/

--

[SA19575] Imager JPEG/TGA Image Processing Denial of Service

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-04-10

Ole Kasper Olsen and Kjetil Kjernsmo have reported a vulnerability in Imager, which can be exploited by malicious people to crash certain applications on a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19575/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Apr 14 02:34:19 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 14 Apr 2006 01:34:19 -0500 (CDT)
Subject: [ISN] Texas works on P2P policy
Message-ID:

http://www.fcw.com/article94067-04-13-06-Web

By Dibya Sarkar
Apr. 13, 2006

Fearing that state computer systems will be jeopardized, Texas state technology officials are planning to restrict the use of peer-to-peer file-sharing applications among agencies, departments, boards and commissions.

Gov. Rick Perry issued an executive order April 5 directing the state Department of Information Resources to devise a policy prohibiting the unauthorized or illegal use of such software programs and also permitting their use for government business and law enforcement purposes that won't pose a risk to computer systems.

Peer-to-peer (P2P) software, such as Napster, Kazaa and Grokster, allows Internet users to search, download and share files -- usually music, videos, software and other types of media files -- directly from one another's computers. As opposed to a traditional client-server model, P2P networks are composed of nodes that serve as clients and servers to other nodes on the network.
Perry's executive order states that "without adequate protections and procedures in place, the use of peer-to-peer file-sharing software can result in the presence of viruses and malicious programs on state information management system computers and networks, and consume network resources, resulting in the creation of inefficiencies in the performance of those systems."

Any statewide policy, however, would not apply to the legislative and judicial branches or to the state's constitutional officers, although they could adopt it, the executive order states.

Other state governments have enacted similar P2P use policies.

From isn at c4i.org Fri Apr 14 02:34:39 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 14 Apr 2006 01:34:39 -0500 (CDT)
Subject: [ISN] Bug Bounties Exterminate Holes
Message-ID:

http://www.wired.com/news/columns/0,70644-0.html

By Jennifer Granick
Apr, 12, 2006

Money changes everything. Just when security researchers and software companies seemed to reach a consensus on the contentious issue of publicizing information about computer security flaws, businesses that sell vulnerability information are disturbing the peace.

Last week, at the CanSecWest computer security conference in Vancouver, Canada, I debated the ways commercialization has changed vulnerability reporting during a panel discussion that included independent researchers as well as executives and employees from Oracle, Novell, Intel, 3Com and iDefense. My conclusion is that more commercialization means more private control, and that is not a good thing for security.

A few years ago, hackers and software vendors vigorously argued whether researchers should go public with security flaws so users could protect themselves and demand better products from vendors, or if they're better off keeping the information quiet so as not to aid malicious attackers.
Eventually, consensus formed around a middle ground called "responsible disclosure": Researchers would generally report their discovery of flaws, but withhold information useful to attackers until after vendors issued a patch. Meanwhile, vendors would publicly credit the researcher with finding the flaw. The practice recognized the importance of public disclosure, but sought to balance it against the danger of providing easy-to-use tools to wannabes and script kiddies.

The détente has not been perfect. Computer security professionals, including Oracle's Darius Wiles on our panel, continue to disagree over how much information adequately informs the public without helping attackers. Researchers continue to disagree with software vendors about the amount of time it takes to fix problems in good faith. And not all researchers or companies adhere to the responsible disclosure framework, though many do.

Also, as college student and researcher Matt Murphy pointed out, we ask a lot from the researcher, who performs a valuable and labor-intensive service in finding bugs, only to give the information to the vendor, in exchange for nothing more than the promise of a shout-out.

Into this gap, a new type of security company has emerged: information brokerage firms that pay researchers a finder's fee for security holes. Michael Sutton from iDefense told us that his company, which pays between a few hundred dollars and $10,000 for a vulnerability, reports the information first to the affected vendors, then passes it on to paid subscribers. Terri Forslof's company, 3Com, also pays a bounty for bugs, and uses the information to improve its TippingPoint intrusion-prevention system. I have advised two businesses that had plans to auction vulnerabilities to the highest bidder on eBay. (After talking with me, each decided not to take the risk.)

Some vendors have decided to pay researchers directly for bugs.
For example, Mozilla has a Bug Bounty Program that gives researchers $500 and a T-shirt for their finds.

I see real benefits to the public, researchers and vendors from this trend to commercialization: An information broker may be better than the researcher at communicating and working with the vendor. A reputable broker may have better luck than an unknown researcher in getting the vendor to take a security problem seriously and deal with it in a timely manner. Meanwhile, the researcher gets both credit and financial compensation. The promise of compensation will incentivize more research, and more research means more bugs are found.

But commercialization can also be dangerous. Foreign governments, corporate spies, the mafia, terrorists and spammers want vulnerabilities that no one else knows about and for which there are no patches. These groups have always been motivated to gain control of vulnerability information at any price, even before information brokerage became relatively commonplace. Some members of the CanSecWest audience worried that commercialization makes it easier for researchers to sell to the highest bidder, even if the highest bidder has criminal intentions.

I'm more concerned that commercialization, while it promotes discovery, will interfere with the publication of vulnerability information. The industry adopted responsible disclosure because almost everyone agrees that members of the public need to know if they are secure, and because there is inherent danger in some people having more information than others.

Commercialization throws that out the window. Brokers that disclose bugs to their selected list of subscribers are necessarily withholding important information from the rest of the public. Brokers may eventually issue public advisories, but in the meantime, only the vendor and subscribers know about the problem. The insiders who know about the flaw could exploit it, attacking those systems whose administrators remain unaware.
Even if that doesn't happen, the broker business depends on customers feeling the need to pay for early notification. Toby Kohlenberg from Intel somewhat rhetorically asked the brokers on our panel whether they expected a company that wants all the up-to-date security information to subscribe to multiple brokerage services at a potential cost of up to $1 million a year.

Now that information brokers pay researchers for information, they are going to want to control what happens with that information. Michael Sutton, director of the iDefense Lab, says his company has no plans to sue researchers or customers who redistribute vulnerabilities without permission. Unauthorized disclosure, Sutton says, "is part of the business."

But at some point, an information broker that wants to prevent researchers, customers and insiders from disclosing to nonpaying members of the public will seek protection in intellectual property law. Copyright law can prevent a broker's paying customers from redistributing a patch to those who have not paid. Trade secret law can prevent insiders or entities under nondisclosure agreements from informing the public about a flaw. Patent law can prevent even those who independently discover the flaw from testing for it or patching it.

Murphy and some other panelists argued that vendor purchase programs like Mozilla's work better than information broker programs because they are the most responsible form of disclosure, and vendors can use financial incentives to drive research toward the most dangerous flaws. Yet, vendors have already demonstrated that they're willing to claim intellectual property infringement when researchers seek to disclose vulnerability information about their products. I have represented security companies that wanted to publish information about a flaw, but were informed by the vendor that they would be sued for trade secret violations if they did so. In the criminal case of United States v.
Bret McDanel, a now-defunct internet messaging service convinced the Department of Justice to prosecute a man who had the temerity to inform customers that the service was insecure. More recently, Cisco Systems sued researcher Michael Lynn for disclosing a flaw in its routers. Cisco asserts that its concern was not for the company's reputation, but for customers' security. Regardless, if courts accept the theory that Cisco has property rights in vulnerability information, it gives fuel to those who want to hide that information for private gain rather than public good.

Now that vulnerability information is a commodity, there's more pressure for the law to protect that information as a business asset, rather than encourage its disclosure in the public interest.

We are already living in a failed, broken computer security market. The average customer doesn't have the knowledge to demand better security so vendors don't have an incentive to provide it. Commercialization exacerbates the problem by casting vulnerabilities as a market commodity -- no different than software or songs.

But it is different. Like clean air or public parks, the public needs vulnerability information. Yet, like polluters or real estate developers, there are private interests willing to pay big bucks to ensure that information is only useful to a select few.

Vulnerability disclosure plays a special role in promoting public security. As vulnerability brokerages grow, policy makers and courts must recognize that this is not just another information market.

-=-

Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic.
From isn at c4i.org Fri Apr 14 02:32:41 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 14 Apr 2006 01:32:41 -0500 (CDT)
Subject: [ISN] A thirst for knowledge
Message-ID:

http://technology.guardian.co.uk/weekly/story/0,,1752257,00.html

Wikipedia and other online databases provide a soupy morass of information, but where can we find the variety of views that leads to wisdom

April 13, 2006
The Guardian

"Just who would want to vandalise an entry on cheese?" wonders Skip, a Wikipedia administrator. Watching the online encyclopaedia's raw submission queue in real time can be unnerving. The online reference site that anyone can edit is defaced 20 times a minute and cheese, it seems, is one of the most popular targets for creative embellishment. In the administrator's console, another fresh article - Wikipedia has more than a million now - scrolls past: "James is my fren," it reads in its entirety.

Robert McHenry, a former editor-in-chief of Encyclopaedia Britannica, has described Wikipedia as "a game without consequences". BBC Radio 1's afternoon DJs recently took turns to deface each other's entries live on air. MPs have joined in, too. But as Skip begins to guide me through the arcane and often Kafkaesque bureaucracy of Wikipedia, vandalism starts to look like the least of its problems.

Skip isn't his real name or his Wikipedia identity. It's a pseudonym the 30-year-old Silicon Valley IT professional uses as he documents the inner machinations of the project, along with a dozen other Wikipedia administrators, on a site called WikiTruth (www.wikitruth.info).

Wikipedia, endlessly replicated on the web, is one example of a glut of hazy information, the consequences of which we have barely begun to explore, that the internet has made endlessly available. Is Wikipedia really the best the net can offer - and if it isn't, where should we be looking for the answers?
While plenty of people nurse resentments against Wikipedia, having failed to win a consensus for their views, Skip's colleagues at WikiTruth have a different motivation. Branding themselves the true keepers of the flame, they argue Wikipedia's wounds are self-inflicted and unnecessary.

When the business author Nicholas Carr identified last October a typically banal Wikipedia entry (http://tinyurl.com/8mr5x), he prompted a rare admission. Wikipedia's co-founder and site owner Jimmy Wales agreed, calling the examples Carr cited "horrific crap". Yet these articles were mature, Carr pointed out, and had been edited hundreds of times. Might the mass participation be hurting, not helping?

Gradual deterioration

This gradual deterioration afflicts any utopian online space, and Skip ruefully notes even the best Wikipedia work - its catalogue of featured articles of the week - degenerates once out of the spotlight.

That isn't true, of course, of printed work such as Britannica's entries. But the encyclopaedia company has been hit hard, first by the arrival of CD-Rom-based rivals such as Microsoft's Encarta in 1993, and then the net. In 1996 it laid off its door-to-door sales staff. In 1999 it launched a website. The rise of Wikipedia as an "online encyclopaedia" has added to the pressure.

Now, though, Britannica has been taking the offensive. The company strongly rebutted a study conducted by journalists at Nature magazine that compared Wikipedia favourably to Britannica, and which was accompanied by an editorial plea for the scientific community to contribute to the project. The study blind-tested extracts from each site with experts, and was widely reported as showing them to be of comparable quality.

"It should have said 31% less reliable and worse written," McHenry says of the Nature study. Britannica, meanwhile, says the study was biased towards Wikipedia.
"It's offensive to lump these gross offences against publishing with a typo in Britannica," says its executive editor Theodore Pappas. Britannica said Nature cited passages not in the encyclopedia and criticised it for refusing to publish the referees' reports. Nature says it stands by its report and can't release the full reports for confidentiality reasons.

Nature's news editor Jim Giles denies the journal had identified itself closely in the Wikipedia camp. "Each has its merits," he says. "In our editorial, we simply argued that Wikipedia has potential and scientists can help realise that potential."

Britannica's president Jorge Cauz identifies a homogeneity online he finds unsettling. "Internet discourse has the ability to negate the diversity of voices, and no one can differentiate between truth and myth," he says.

"It's a hall of mirrors," agrees Michael Gorman, the Briton who is president of the American Library Association (ALA), "and it's very addictive."

But for participants, the appeal fades, notes Skip. Some of Wikipedia's most valued contributors have left in the past year, with two waves of departures in recent months, he says. Former administrators speak of burnout, brought on by bureaucratic warfare. Now Wikipedia faces a fork. If it tightens its open approach, it risks losing its most active participants, for whom Wikipedia is a utopian cause.

Away from the hurly-burly of Wikipedia, even current events can seem oddly remote and processed once they are viewed online. Google News, for example, employs computer algorithms similar to those used in spam filters to identify and present the news. In looking for similarities, the news is homogenised and breaking stories fail to rise to prominence.

For the veteran researcher Daniel Brandt, who taught CIA whistleblower Philip Agee how to use computers, much of what a human editor provides is lost.
"What's gone is any sense of 'a scoop' or 'an important development' or 'new information that puts a new slant on an ongoing story'. There's no authority, no perspective and no sense of historical continuity. It's a dumbing-down process," says the Texas-based Brandt.

Google News had a serendipity now missing, mourns the veteran blogger Jorn Barger. When it appeared in 2002, "the top article might come from anywhere in the world or in small-town America but people complained, I guess, that unwelcome perspectives were getting too much prominence and Google tweaked the algorithm," Barger wrote last year.

How then are we coping with this glut of unreliable information? Some are doing better than others, suggests Will Davies, a senior fellow at the Institute of Public Policy Research. For Davies, the accumulation of information is no substitute for critical thinking and the problem is it begins to provide its own self-justification.

"It's a false supposition we can endlessly delay having to interpret and judge things by stacking more and more bits of data in front of us," he says. "That data is a comfort blanket in a way - we all do this. People are becoming addicted to getting more information all the time. You can see it when they get out their BlackBerrys as soon as they've stepped off a plane."

For the former journalist and author Dan Gillmor, this aggregation of information technology enables is synonymous with wisdom. "My readers by definition know more than me," he said recently. "They have facts we don't know."

But is the widespread availability of technology generating such wisdom or even improving our learning? For the ALA's Gorman, who in the 1990s wrote for librarians an influential guide to evaluating technology trends, such claims are risible. "No one would tell you a student using Google today is producing work as good as they were 20 years ago using printed sources.
Despite these amazing technical breakthroughs, these technologies haven't added to human wellbeing."

Davies agrees. "It hasn't made us addicted to education," he notes. Nor do the skills required to aggregate information quickly and multitask between information streams encourage understanding.

Byproducts of businesses

And while technology enthusiasts celebrate the destruction of old industries, Gorman warns technology has failed to create economic conditions to take their place. Quality information costs money to edit but the best online collections of data - in what is sometimes called the "deep web" - are byproducts of successful print businesses. Lose these, he suggests, and we're left with the banality of Google and Wikipedia.

Davies is more optimistic. People will return to traditional publishers as they see the consequences of the wiki approach, he thinks, and there will be an audience for both.

But supposing these businesses survive. Will the world be able to read them? Google's relationships with publishers are fraught - its Print project is the subject of lawsuits - but this dispute may be of less lasting significance than we think.

In the US in the 1980s, a movement was born to bring the best of these expensive information collections to the public, free at the point of delivery. This movement predated the public internet and may yet transform it beyond recognition. Libraries began to negotiate collectively for access to databases, which their copyright holders today would never let the public view through Google. The members of San Francisco's Public Library, for example, can access the full Encyclopaedia Britannica, Lexis Nexis and more than 70 databases from any browser, simply by entering their library card number.

It hasn't been easy, points out Susan Hildreth, the city's former chief librarian and now California State Librarian. The state's sheer size steers some database owners to making deals with smaller regional libraries.
But it's not difficult to imagine churches or community groups taking advantage of such a model. It's been a success and real library usage has increased, she says.

For Davies, we can be proud we have made a success of the technology infrastructure - laying down the pipes - but we have neglected the social institutions necessary to make them work.

Obstacles remain to bringing the successful collective licensing model to the UK. It costs money and Gorman notes funding for US libraries is higher than for Britain's impoverished public services. And the utopian dreams of what Carr calls the "cult of the amateur" die hard.

"It's hard to tell someone who's devoting 40 hours a week to Wikipedia that it's going to fail," says Skip. "But it will."

He returns to his console. Somewhere in cyberspace, a Wikipedia editor is correcting the encyclopaedia's article for cheese.

Andrew Orlowski is San Francisco bureau chief for The Register (www.theregister.co.uk)

From isn at c4i.org Fri Apr 14 02:34:51 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 14 Apr 2006 01:34:51 -0500 (CDT)
Subject: [ISN] NASA hacker to speak at security show
Message-ID:

http://news.zdnet.co.uk/internet/security/0,39020375,39263341,00.htm

Tom Espiner
ZDNet UK
April 13, 2006

Gary McKinnon will be joined by other hackers and security experts on a panel discussion at the Infosecurity conference this month

Gary McKinnon faces the prospect of an indefinite stay in Guantanamo Bay, but this won't prevent him from appearing on a panel discussing hacking at a UK security conference, it was revealed on Thursday.

The NASA hacker is currently fighting extradition to the US in what has been a protracted trial. He is charged with gaining unauthorised access to 97 US government computers, including machines belonging to NASA and the US Department of Defense. He claims he was searching for evidence of UFOs.

McKinnon appeared at Bow Street Magistrate's Court on Wednesday for an extradition hearing.
His defence argued that he should not be extradited as he could be tried under America's tough anti-terrorism laws. This could see him sent to Guantanamo Bay and imprisoned for up to 60 years.

The prosecution produced an unsigned note from the US Embassy, which they claimed was a guarantee that McKinnon would not be tried under Military Order Number One. The Order allows suspected terrorists to be tried under military law, or held indefinitely without trial under the orders of the US president.

The defence argued that the diplomatic note was not legally binding as it had not been signed. "It's not worth the paper it's written on," McKinnon said outside the court.

McKinnon will be joined on the panel by Robert Schifreen, who in 1985 became the first person ever to be tried by a jury in connection with computer hacking. Schifreen broke into the BT Prestel network at system manager level and accessed an account belonging to HRH The Duke of Edinburgh. He was charged with forgery, but ultimately acquitted by the House of Lords after legal proceedings which lasted three years. The Computer Misuse Act came into force in 1990, which outlaws the unauthorised modification of computer systems.

Also appearing on the panel will be security expert Bob Ayers, who had a 29-year career with the US Department of Defense. His principal IT security related assignment was with the Defense Intelligence Agency where he served as chief of the Intelligence Information System Computer Security Program. Ayers will be joined by open source Web application security expert Ivan Ristic.

The panel will kick off at 1445 BST at Infosecurity Europe on the 27 April in London.
From isn at c4i.org Mon Apr 17 02:34:52 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 17 Apr 2006 01:34:52 -0500 (CDT)
Subject: [ISN] Nigeria: Fight Against Cybercrime, Legislation As Rescue
Message-ID:

http://allafrica.com/stories/200604140071.html

Gboyega Akinsanmi
Lagos
April 13, 2006

A computer crime and cyber security survey conducted recently indicated that Nigeria is the most internet-fraudulent country in Africa. Besides, the same report further stated that the giant of Africa is ranked third in the world among countries identified with cyber fraud and computer crime.

The report, contained in a global computer crime and security survey, brought stakeholders in Information and Communication Technology (ICT) in Nigeria together at the Heinrich Boll Foundation (HBF) Conference Hall to discuss how to facilitate information security, reduce security breaches, and take steps to contain cyber crime in Africa.

Dr. Martins Ikpehai, chief executive officer, Computer Audit and Security Associates Ltd, Lagos, heightened the tension of the participants when he disclosed that the third world war might be fought on the computer, considering how different attacks were being launched through the internet.

Ikpehai, expressing concerns about how terrorists have been distorting information on the internet, said the internet facility has recently become an instrument of terrorism. He reiterated that the third world war might be fought on computers as terrorist groups like Al Qaeda have been taking advantage of internet facilities to launch attacks and invectives.

This development, he stressed, has called for concerted efforts among stakeholders, civil society groups, corporate bodies and government institutions to join forces to rid the continent of the imminent terrorist attacks through the use of information technology.
"Law enforcement agencies such as Economic and Financial Commission (EFCC), Independent Corrupt Practice and other related offences Commission (ICPC), State Security Service (SSS), the Nigeria Police among others play prominent roles in the fight against the new trend of social vice.

"Computer security and cyber crime awareness should be created with a view to sensitising all users of the internet facility with the emerging indicators of crime and fraud being committed through computer.

"Need now arises to the surviving mega banks, oil multinationals, business conglomerates and communication firms from untold sorrow which the cyber criminals have resolved to inflict on most businesses," he said.

All participants at the three-day conference agreed in various papers presented that the law enforcement agencies and judiciary in the continent have roles to play in devising ways of curbing internet fraud and enhancing their skills in computer security and risk management.

Participants at the conference, upholding the standpoint of the internet group's president, unanimously stated that the diplomats, international legal practitioners and international institutions have roles to play in ensuring that legal provisions at the international level.

Sensitising them with the effort by the internet group to outlaw the practice, Ajayi said the group had sponsored the Computer Security and Cybercrime Bill in the National Assembly, and that its passage would mark the beginning of the war against internet crime in the country.

He explained that "it is not enough to ensure that the bill is passed. But there is also need to create a centre where the victims of security breaches can lodge complaints. The Nigeria Internet Group has set up Cybercrime and Security Support Centre mainly to serve this purpose."
Messer Bankole Olubamise, the executive director, Development Information Network (DevNet), said security breaches have become so rife and frequent that it required concerted efforts of stakeholders in the industry to bring an end to computer crime in the country.

He said: "variants of cybercrime include unauthorised access, theft of proprietary info, denial of service, inside net abuse, financial fraud, misuse of public web application system penetration, laptop theft, and abuse of wireless network, sabotage telecom fraud and web site defacement.

"There is need to devise means to stop perpetrators of internet crime. There is need to secure the present global village, mega businesses and the posterity from the protracted evil of cyber crime without delay," he said.

Olubamise, drawing inferences from the 2005 Computer Crime and Security Survey conducted by the CSI and FBI, said it was necessary for information stakeholders to conduct surveys and research with a view to containing cyber-related crimes and computer security breaches.

Worried by challenges that face African countries, Mr. Jide Awe, who presented a paper on Building Global Competitiveness through Computer Security Education, Awareness, Training and Certification, said lack of understanding, education, training, unclear policies of government, insufficient information security and low confidence exhibited in Africa's e-business.

He charged the information security expertise in the continent to identify threats to computer security and to protect against both internal and external threats, and said human error has been a major threat to cyber security which needs to be addressed with care and with skill acquisition and enhancement.

Giving more insights on how such crimes can be contained, Awe said that since the survey indicated that human action contributed more to security failure than technological weaknesses, more people need to be educated to understand security threats, vulnerabilities and other breaches.
Participants from different African countries resolved to establish African Information Security Association (AISA) at the end of the conference with a view to promoting knowledge and creating awareness about computer security and cybercrime on the continent. It was resolved in a communiqué that AISA would serve to promote global best practices in information, computer and internet security, campaign against cybercrime, conduct annual survey on information security, promote legislation and regulations and create linkages and networks in Africa.

Copyright © 2006 This Day. All rights reserved.

From isn at c4i.org Mon Apr 17 02:35:14 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 17 Apr 2006 01:35:14 -0500 (CDT)
Subject: [ISN] Police blotter: Wells Fargo not required to encrypt data
Message-ID:

http://news.com.com/Police+blotter+Wells+Fargo+not+required+to+encrypt+data/2100-1030_3-6061400.html

By Declan McCullagh
Staff Writer, CNET News.com
April 14, 2006

"Police blotter" is a weekly CNET News.com report on the intersection of technology and the law.

What: Wells Fargo Bank customers sue after their personal financial data was stolen from a contractor that had not encrypted the information.

When: U.S. District Judge David Doty in Minnesota ruled on March 16.

Outcome: Wells Fargo was found not to be negligent because the information was never misused by the thieves.

What happened, according to court documents:

Wells Fargo had hired Regulus Integrated Solutions to print monthly statements for certain customers who had mortgages and student loans from its subsidiaries. In October 2004, thieves stole computers from Regulus with unencrypted customer information including names, addresses, Social Security numbers and account numbers. A few weeks later, Wells Fargo alerted its customers and offered to provide identity protection services.
There has never been any indication to date that thieves did anything with the data (in other words, they appear to have been after the computer hardware instead).

Nevertheless, two of the bank's customers, Kristine Forbes and Morgan Koop, filed a class action suit anyway. They claimed that Wells Fargo was liable for emotional distress (including fear, anxiety and worry), negligence, breach of contract and breach of fiduciary duty. Forbes and Koop claimed that Wells Fargo owed them a cash payout because they had to spend extra time monitoring their credit reports.

Judge Doty rejected those arguments, saying the pair of would-be class action plaintiffs had not actually suffered damages. "Plaintiffs have shown no present injury or reasonably certain future injury to support damages for any alleged increased risk of harm," he wrote, and granted the bank's motion for summary judgment.

This is not the first decision of its type. In February, CNET News.com reported that a federal court tossed out a lawsuit against a student-loan provider that did not encrypt a customer database that was subsequently stolen. That judge's reasoning was similar: The data had not been misused. (Some data breach bills in Congress and state legislatures also urge the use of encryption.)

Excerpt from the court's opinion:

"Plaintiffs contend that the time and money they have spent monitoring their credit suffices to establish damages. However, a plaintiff can only recover for loss of time in terms of earning capacity or wages. Plaintiffs have failed to cite any Minnesota authority to the contrary. Moreover, they overlook the fact that their expenditure of time and money was not the result of any present injury, but rather the anticipation of future injury that has not materialized.

"In other words, the plaintiffs' injuries are solely the result of a perceived risk of future harm.
Plaintiffs have shown no present injury or reasonably certain future injury to support damages for any alleged increased risk of harm. For these reasons, plaintiffs have failed to establish the essential element of damages. Therefore, summary judgment in favor of defendant on plaintiffs' negligence claim is warranted.

"Plaintiffs also bring a claim for breach of contract against Wells Fargo. To establish their claim, plaintiffs must show that they were damaged by the alleged breach. For all of the reasons discussed above, plaintiffs have failed to establish damages. Therefore, summary judgment in favor of defendant on plaintiffs' breach of contract claim is warranted."

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Mon Apr 17 02:33:36 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 17 Apr 2006 01:33:36 -0500 (CDT)
Subject: [ISN] Farmers use computer to steal 9 Hondas
Message-ID:

http://www.chinadaily.com.cn/china/2006-04/17/content_569280.htm

Shanghai Daily
2006-04-17

Two Anhui Province farmers have been charged with stealing nine cars using a computer hacker program, Shanghai's Minhang District prosecutors said yesterday.

Prosecutors said this is the city's first case involving computers adopted to steal cars. So far no technological fix is available to prevent this kind of theft, they said.

Lao Hu and Zhong Zhou, who received a junior middle school education, didn't invent the high-tech approach themselves. Lao paid 40,000 yuan (US$4,938) for a set of special tools for high-grade car maintenance, including a computer, a special tool and a special key.

Because the computer program was designed especially for Honda cars, this brand became Lao's target, authorities said. He went to the city early this year to work with Zhong to steal Hondas, after he used the equipment to steal a car in Guangzhou, prosecutors said.

Late-night hobby

Their "hobby" was to take a late-night stroll on the street with a large computer bag.
When they found a target, Zhong was usually in charge of keeping watch while Lao opened the car door with the special tool and connected the computer loaded with the program for the car, prosecutors allege. After the hacker program in the computer outsmarted the car's theftproof system, he started the car with the special key, and the whole process took only two minutes, prosecutors said.

The duo allegedly stole nine Honda cars in this way in the city from January to March and sold the cars for about 40,000 yuan each.

On March 4, the suspects drove a stolen car whose plate had been changed to Cixi of Zhejiang Province. They had planned to sell the car. But that Honda aroused the suspicion of the Zhejiang police. The police checked their certificates and found they weren't the car owner.

From isn at c4i.org Mon Apr 17 02:34:36 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 17 Apr 2006 01:34:36 -0500 (CDT)
Subject: [ISN] Linux Advisory Watch - April 14th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  April 14th, 2006                              Volume 7, Number 16n |
|                                                                     |
|  Editorial Team:  Dave Wreski              dave at linuxsecurity.com |
|                   Benjamin D. Thomas        ben at linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, advisories were released for dia, sash, mailman, libimager, libphp, moodle, cacti, sudo, zope, horde, xscreensaver, gnome, alsa-utils, system-config-printer, xsane, cairo, subversion, netpbm, gnbd-kernel, shadow-utils, cman-kernel, ghostscript, checkpolicy, libsemanage, selinux-policy, eclipse-changelog, gaim, squirrelmail, ClamAV, mplayer, and openvpn. The distributors include Debian, Fedora, Gentoo, Mandriva, and SuSE.
---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

---

Developing A Security Policy

Create a simple, generic policy for your system that your users can readily understand and follow. It should protect the data you're safeguarding, as well as the privacy of the users. Some things to consider adding are who has access to the system (Can my friend use my account?), who's allowed to install software on the system, who owns what data, disaster recovery, and appropriate use of the system.

A generally accepted security policy starts with the phrase: "That which is not expressly permitted is prohibited." This means that unless you grant access to a service for a user, that user shouldn't be using that service until you do grant access.

Make sure the policies work on your regular user account. Saying, ''Ah, I can't figure this permissions problem out, I'll just do it as root'' can lead to security holes that are very obvious, and even ones that haven't been exploited yet.

Additionally, there are several questions you will need to answer to successfully develop a security policy:

* What level of security do your users expect?
* How much is there to protect, and what is it worth?
* Can you afford the down-time of an intrusion?
* Should there be different levels of security for different groups?
* Do you trust your internal users?
* Have you found the balance between acceptable risk and security?

You should develop a plan on who to contact when there is a security problem that needs attention.

There are quite a few documents available on developing a Site Security Policy. You can start with the SANS Security Policy Project.

http://www.sans.org/resources/policies/

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave at guardiandigital.com)

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
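To make the "overflow into adjacent buffers" mechanism from the Buffer Overflow Basics item above concrete, here is an added C example written for this digest (it is not code from the linked linuxsecurity.com article). It models two neighbouring 8-byte buffers inside one backing array, so the spill from an unchecked strcpy-style copy can be observed without relying on undefined behaviour, and sets a length-checked copy beside it; the buffer sizes, the "VALID" sentinel and all function names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: two adjacent 8-byte buffers laid out back to back in
 * one backing array. A real out-of-bounds write is undefined behaviour, so
 * the neighbouring buffer is addressed through explicit offsets instead of
 * a separate array; that keeps every write in this program well defined. */
#define BUF_SIZE    8
#define REGION_SIZE (2 * BUF_SIZE)
#define INPUT_OFF   0          /* buffer that receives untrusted data */
#define FLAG_OFF    BUF_SIZE   /* adjacent buffer holding valid data  */

static const char VALID_FLAG[] = "VALID";   /* constructed sentinel value */

/* Reset the region: input buffer zeroed, adjacent buffer holding valid data. */
void init_region(unsigned char *region)
{
    memset(region, 0, REGION_SIZE);
    memcpy(region + FLAG_OFF, VALID_FLAG, sizeof VALID_FLAG);
}

/* Returns 1 while the adjacent buffer still holds its original contents. */
int flag_intact(const unsigned char *region)
{
    return memcmp(region + FLAG_OFF, VALID_FLAG, sizeof VALID_FLAG) == 0;
}

/* Unchecked copy with strcpy()-like semantics: copies the whole source plus
 * its NUL terminator into the input buffer without consulting BUF_SIZE, so
 * the excess lands in whatever happens to follow. Clamped to REGION_SIZE
 * only so the model never writes outside the backing array. Returns the
 * number of bytes written. */
size_t copy_unchecked(unsigned char *region, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > REGION_SIZE - INPUT_OFF)
        n = REGION_SIZE - INPUT_OFF;
    memcpy(region + INPUT_OFF, src, n);
    return n;
}

/* Checked copy, the fix: refuses any source that, together with its NUL
 * terminator, does not fit in BUF_SIZE bytes. Returns 0 on success and -1
 * when the input is rejected; nothing is written in the rejected case. */
int copy_checked(unsigned char *region, const char *src)
{
    size_t n = strlen(src);
    if (n >= BUF_SIZE)
        return -1;
    memcpy(region + INPUT_OFF, src, n + 1);
    return 0;
}

/* Feeds an input to the unchecked copy; returns 1 when the adjacent buffer
 * was corrupted, the outcome the newsletter text describes. Note that an
 * input of exactly BUF_SIZE characters already corrupts the neighbour,
 * because its terminator is the byte that spills over. */
int unchecked_corrupts_neighbour(const char *input)
{
    unsigned char region[REGION_SIZE];
    init_region(region);
    copy_unchecked(region, input);
    return !flag_intact(region);
}

/* Feeds an oversized input to the checked copy; returns 1 when the copy was
 * refused and the adjacent buffer is untouched. */
int checked_preserves_neighbour(const char *oversized)
{
    unsigned char region[REGION_SIZE];
    init_region(region);
    int rc = copy_checked(region, oversized);
    return rc == -1 && flag_intact(region);
}

/* Returns 1 when the checked copy accepts an input that fits, stores it
 * intact, and leaves the adjacent buffer alone. */
int checked_accepts(const char *fitting)
{
    unsigned char region[REGION_SIZE];
    init_region(region);
    return copy_checked(region, fitting) == 0
        && strcmp((const char *)(region + INPUT_OFF), fitting) == 0
        && flag_intact(region);
}

int main(void)
{
    const char *oversized = "AAAAAAAAAAAA";   /* 12 bytes: 4 more than fit */
    unsigned char region[REGION_SIZE];

    init_region(region);
    copy_unchecked(region, oversized);
    printf("unchecked copy: neighbour intact=%d, neighbour now=\"%.*s\"\n",
           flag_intact(region), BUF_SIZE, (const char *)(region + FLAG_OFF));

    init_region(region);
    printf("checked copy:   rc=%d, neighbour intact=%d\n",
           copy_checked(region, oversized), flag_intact(region));
    return 0;
}
```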
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New dia packages fix arbitrary code execution
  6th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122244

* Debian: New sash packages fix potential arbitrary code execution
  6th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122245

* Debian: New mailman packages fix denial of service
  6th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122246

* Debian: New libimager-perl packages fix denial of service
  7th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122274

* Debian: New libphp-adodb packages fix several vulnerabilities
  8th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122279

* Debian: New moodle packages fix several vulnerabilities
  8th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122280

* Debian: New cacti packages fix several vulnerabilities
  8th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122281

* Debian: New sudo packages fix privilege escalation
  8th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122282

* Debian: New zope-cmfplone packages fix unprivileged data manipulation
  12th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122324

* Debian: New horde3 packages fix several vulnerabilities
  12th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122327

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 5 Update: xscreensaver-4.24-2
  6th, April, 2006
  Don't leak zombie processes with the GL SlideShow ScreenSaver
  http://www.linuxsecurity.com/content/view/122254

* Fedora Core 5 Update: GConf2-2.14.0-1
  6th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122255

* Fedora Core 5 Update: liboil-0.3.8-1.fc5
  6th, April, 2006
  This update rebases liboil to 0.3.8 to help resolve issues required by packages in Fedora Extras.
  http://www.linuxsecurity.com/content/view/122256

* Fedora Core 5 Update: gnome-screensaver-2.14.0-1.fc5
  6th, April, 2006
  This update corrects a problem where kerberos credentials weren't being properly refreshed when a user successfully authenticates in the unlock dialog.
  http://www.linuxsecurity.com/content/view/122257

* Fedora Core 5 Update: alsa-utils-1.0.11-4.rc2
  6th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122258

* Fedora Core 5 Update: system-config-printer-0.6.151.2-1
  6th, April, 2006
  With no configured printers, it was not possible to disable automatic browsing for shared printers.
  http://www.linuxsecurity.com/content/view/122259

* Fedora Core 5 Update: gnome-screensaver-2.14.0-1.fc5.1
  6th, April, 2006
  This update fixes problems detecting idle activity.
  http://www.linuxsecurity.com/content/view/122260

* Fedora Core 5 Update: xsane-0.99-2.2.fc5.4
  7th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122269

* Fedora Core 5 Update: cairo-1.0.4-1
  7th, April, 2006
  An updated version of the cairo package fixes several bugs, among them a bug which could lead to Pango crashes with corrupt fonts.
  http://www.linuxsecurity.com/content/view/122270

* Fedora Core 4 Update: sane-backends-1.0.17-0.fc4.2
  7th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122271

* Fedora Core 5 Update: subversion-1.3.1-2.1
  7th, April, 2006
  This update includes the latest upstream release of Subversion, version 1.3.1. This release includes a number of minor bug fixes and improvements.
  http://www.linuxsecurity.com/content/view/122272

* Fedora Core 5 Update: netpbm-10.33-0.fc5
  7th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122273

* Fedora Core 5 Update: gnbd-kernel-2.6.15-5.FC5.25
  8th, April, 2006
  Packages update to the latest kernel (2.6.16-1.2080_FC5) and now include xen packages for x86_64.
  http://www.linuxsecurity.com/content/view/122283

* Fedora Core 4 Update: netpbm-10.33-0.FC4
  8th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122284

* Fedora Core 5 Update: shadow-utils-4.0.14-6.FC5
  8th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122285

* Fedora Core 5 Update: cman-kernel-2.6.15.1-0.FC5.18
  8th, April, 2006
  Packages update to the latest kernel (2.6.16-1.2080_FC5) and now include xen packages for x86_64.
  http://www.linuxsecurity.com/content/view/122286

* Fedora Core 5 Update: dlm-kernel-2.6.15.1-0.FC5.16
  8th, April, 2006
  Packages update to the latest kernel (2.6.16-1.2080_FC5) and now include xen packages for x86_64.
  http://www.linuxsecurity.com/content/view/122287

* Fedora Core 5 Update: GFS-kernel-2.6.15.1-5.FC5.19
  8th, April, 2006
  Packages update to the latest kernel (2.6.16-1.2080_FC5) and now include xen packages for x86_64.
  http://www.linuxsecurity.com/content/view/122288

* Fedora Core 5 Update: ghostscript-8.15.1-7.2
  10th, April, 2006
  A problem with converting PS and EPS files into PDF has been fixed. Also, Japanese fonts have been added to the default font path.
  http://www.linuxsecurity.com/content/view/122300

* Fedora Core 5 Update: checkpolicy-1.30.3-1.fc5
  11th, April, 2006
  Update SELinux policy to current rawhide to fix many policy problems
  http://www.linuxsecurity.com/content/view/122309

* Fedora Core 5 Update: libsemanage-1.6.2-2.fc5
  11th, April, 2006
  Update SELinux policy to current rawhide to fix many policy problems
  http://www.linuxsecurity.com/content/view/122310

* Fedora Core 5 Update: libsepol-1.12.4-1.fc5
  11th, April, 2006
  Update SELinux policy to current rawhide to fix many policy problems
  http://www.linuxsecurity.com/content/view/122311

* Fedora Core 5 Update: selinux-policy-2.2.29-3.fc5
  11th, April, 2006
  Update SELinux policy to current rawhide to fix many policy problems
  http://www.linuxsecurity.com/content/view/122312

* Fedora Core 5 Update: eclipse-changelog-2.0.2_fc-1
  11th, April, 2006
  This is a bug-fix update for the Eclipse ChangeLog plugin. It includes fixes to the formatting of multiple ChangeLog entries by the same person.
  http://www.linuxsecurity.com/content/view/122314

* Fedora Core 4 Update: gaim-1.5.0-16.fc4
  11th, April, 2006
  This update fixes Bug #185222 where gaim would crash when you use the buddy blocking feature with the MSN protocol. It also contains a minor logging fix.
  http://www.linuxsecurity.com/content/view/122315

* Fedora Core 5 Update: gaim-1.5.0-16.fc5
  11th, April, 2006
  This update fixes Bug #185222 where gaim would crash when you use the buddy blocking feature with the MSN protocol.
  http://www.linuxsecurity.com/content/view/122316

* Fedora Core 4 Update: squirrelmail-1.4.6-5.fc4
  12th, April, 2006
  This update fixes revert Squirrelmail encoding behavior for Chinese and Korean languages, in addition to the Japanese fix of the previous update.
  http://www.linuxsecurity.com/content/view/122325

* Fedora Core 5 Update: squirrelmail-1.4.6-5.fc5
  12th, April, 2006
  This update fixes revert Squirrelmail encoding behavior for Chinese and Korean languages, in addition to the Japanese fix of the previous update.
  http://www.linuxsecurity.com/content/view/122326

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: ClamAV Multiple vulnerabilities
  7th, April, 2006
  ClamAV contains multiple vulnerabilities that could lead to remote execution of arbitrary code or cause an application crash.
  http://www.linuxsecurity.com/content/view/122275

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated clamav packages fix vulnerabilities
  7th, April, 2006
  Damian Put discovered an integer overflow in the PE header parser in ClamAV that could be exploited if the ArchiveMaxFileSize option was disabled (CVE-2006-1614).
  http://www.linuxsecurity.com/content/view/122276

* Mandriva: Updated mplayer packages fix integer overflow vulnerabilities
  7th, April, 2006
  Multiple integer overflows in MPlayer 1.0pre7try2 allow remote attackers to cause a denial of service and trigger heap-based buffer overflows via (1) a certain ASF file handled by asfheader.c that causes the asf_descrambling function to be passed a negative integer after the conversion from a char to an int or (2) an AVI file with a crafted wLongsPerEntry or nEntriesInUse value in the indx chunk, which is handled in aviheader.c.
  http://www.linuxsecurity.com/content/view/122277

* Mandriva: Updated openvpn packages fix vulnerability
  10th, April, 2006
  A vulnerability in OpenVPN 2.0 through 2.0.5 allows a malicious server to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable. Updated packages have been patched to correct this issue by removing setenv support.
  http://www.linuxsecurity.com/content/view/122302

* Mandriva: Updated openvpn packages fix vulnerability
  10th, April, 2006
  Tavis Ormandy of the Gentoo Security Project discovered a vulnerability in zlib where a certain data stream would cause zlib to corrupt a data structure, resulting in the linked application to dump core (CVE-2005-2096).
  http://www.linuxsecurity.com/content/view/122303

* Mandriva: Updated xscreensaver packages fix clear-text password vulnerability
  11th, April, 2006
  Rdesktop, with xscreensaver < 4.18, does not release the keyboard focus when xscreensaver starts, which causes the password to be entered into the active window when the user unlocks the screen. Updated xscreensaver packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/122313

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: clamav various problems
  11th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122308

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Apr 17 02:35:39 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 17 Apr 2006 01:35:39 -0500 (CDT)
Subject: [ISN] IE patch breaks Siebel client
Message-ID:

http://www.networkworld.com/news/2006/041406-ie-patch-breaks-siebel.html

By Robert McMillan
IDG News Service
04/14/06

Significant changes made in a security patch from Microsoft to the way Internet Explorer processes ActiveX can cause Siebel 7 client software to lock up and become unusable.
The Siebel problem is one of several issues that prompted Microsoft to release a "compatibility patch" in conjunction with this month's security updates, which undoes the ActiveX changes for another 60 days.

The ActiveX changes in question were made in response to a 2003 court ruling, which found that Microsoft had violated a software patent held by Eolas Technology and the University of California. Microsoft has been including the changes in optional releases of Internet Explorer for months now, but on Tuesday they were rolled into a set of security patches, called MS06-013, effectively making them mandatory.

MS06-013 changes the way ActiveX processes dynamic content, forcing some users to click on pop-up "tool tip" windows before being able to run things like Flash or Quicktime animation. But with Siebel client software, which runs inside a browser using ActiveX controls, the application can appear to be completely broken, according to Wayne Smiley, operations manager with Quest Software in Aliso Viejo, Calif.

"In most cases it shows you the proper thing, but you can't actually interact with it," he said. "It's like it's frozen in front of you."

Smiley, who is in the early stages of rolling out a company-wide IE update, has also added the Microsoft compatibility patch in order to keep his Siebel software working. Thanks to that, he says he has experienced "no issues so far." But he believes that there may be other Siebel users who were unaware of the ActiveX issue.

"It was by sheer luck that we happened to stumble on this before it was an issue," Smiley said. "I'll bet a lot of people got caught completely off guard."

Though there have been some reports of "very minor" issues with the Eolas ActiveX changes following Tuesday's security update, the Siebel issue is "the only one that seems to have a larger impact," said Gary Schare, director of IE product management with Microsoft.
Oracle Corp., which completed its acquisition of Siebel in January of this year, plans to issue a software patch that fixes this problem in May, the company said Friday. This will be just in time for users like Smiley, because Microsoft's compatibility patch is expected to be available only until June.

In fact, Oracle's plan to patch the problem just one month before Microsoft's deadline is too close for comfort, according to some users.

"If [Oracle] doesn't act quickly even a 60-day reprieve won't be adequate," said one IT consultant working with a client who has 3,200 users, who asked not to be identified without the approval of his customer. "Business apps like Siebel aren't the kind you can just upgrade and patch on a whim. There will be at least seven business days of testing before my current client can release the Siebel patch to production, and that is on their expedited release."

From isn at c4i.org Mon Apr 17 02:39:04 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 17 Apr 2006 01:39:04 -0500 (CDT)
Subject: [ISN] At Afghan Bazaar, Military Offers Dollars for Stolen Data
Message-ID:

Forwarded from: William Knowles

http://www.nytimes.com/2006/04/15/world/asia/15afghanistan.html

By CARLOTTA GALL
April 15, 2006

BAGRAM, Afghanistan, April 14 - An American military officer, flanked by six powerfully built bodyguards, stood in the muddy streets of the bazaar here on Friday buying up all the computer flash drives he could find, handing out cash for the finger-thin components that have been disappearing by the score - some of them with copies of secret military files - from the air base nearby.

This was clearly the United States military's way of dealing with the news, reported by The Los Angeles Times on Monday, that sensitive military information stored on portable computer drives could be found on sale in the bazaar outside the base at Bagram.
The military has ordered an investigation into the allegations and a review of security policy regarding computer hardware and software. But to retrieve the lost material, the military decided to rely on the almighty dollar.

Pulling a clump of cash out of his pocket, the officer, who wore a bulletproof vest and a pistol at his side, but no name tag, joked and gently haggled with Afghans proffering the drives. He ended up paying what is, for here, a considerable sum: $35 apiece for most of them.

Afghan boys, clearly acting for others, held out handfuls of flash drives, some looking brand new and others with marks of use.

"Slow down," the officer said every so often to his translator as the clamor rose around him. "I'll pay, I'll pay, there's no problem."

A burly Special Forces soldier guarded the officer's back and moved away youths who kept swarming around to see what was going on.

The officer declined to comment about his activity, but when asked if this was the best way the military could retrieve stolen computer material, he nodded. "They're not bad people," he said.

Shopkeepers said the military had considered raiding the ramshackle bazaar, which stretches on both sides of the road for a few hundred yards leading to the entrance of the base. But the shop owners refused to comply, and the local government administrator convinced the military that paying for the goods would be a more successful ploy, one shopkeeper said.

The tiny shops in the bazaar are crammed with electronic goods, military gear and Western foodstuffs, most of which appeared to have come from the air base. Military cots stand out in front of the stores, and sleeping bags, military boots and camouflage uniforms are stacked at the entrances, some of them clearly used and perhaps discarded. Inside, every shop has a glass counter of military watches, sunglasses, knives and flashlights. Boxes of energy bars, muscle-building supplements and Tabasco sauce line the shelves.
Some goods are still in plastic cases and have clearly come from the store on the base, but the low prices - T-shirts carrying price tags of $24.99 sell for just $4 in the Afghan shops - suggest that they did not arrive legally.

One shopkeeper had dusty laptop computers piled in a corner and a half-dozen battered DVD players on his counter. Two of the computers had broken screens, but a third seemed to be in working order. They were selling for $100 each.

"They collect a lot of the stuff from the rubbish," one teenager said. But another shopkeeper, who declined to give his name, said, "We know most of it is stolen."

The small group of American soldiers ignored most of the contraband on Friday, but after a couple of hours trawling through the shops they carried off some camouflage clothing in large plastic bags, and a cloth bag full of a few hundred flash drives. They had bought up virtually every flash drive in the bazaar and must have spent thousands of dollars.

"Sold out - they bought them all," said one shopkeeper. "But come tomorrow, we'll have more."

[...]

*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Apr 17 02:46:17 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 17 Apr 2006 01:46:17 -0500 (CDT)
Subject: [ISN] 10 Infamous Moments In Security Research
Message-ID:

http://www.informationweek.com/security/showArticle.jhtml?articleID=185301327

InformationWeek
Apr 17, 2006

1. SQL Slammer - Researcher David Litchfield presents findings at Black Hat one week after Microsoft issues its SQL patch. Slammer worm that exploits that flaw dramatically slows Internet traffic in 2003.

2. Windows Plug and Play - Internet Security Systems researchers in April 2005 discover Windows vulnerability that lets attacker take control of affected systems and remotely execute code. By August, Zotob worm exploits it.

3. Cisco IOS heap overflow - Former ISS researcher Michael Lynn in July 2005 shows hackers could take control of a company's network. Cisco had issued a patch in April, but it still sues Lynn over the speech. The suit is later dropped.

4. Windows Metafile - Researcher H.D. Moore and others post exploit code of this flaw in January, and researcher Ilfak Guilfanov writes unauthorized workaround. This prompts Microsoft to issue a patch five days ahead of schedule.

5. Oracle transparent data encryption - Red-Database-Security researcher Alexander Kornbrust reports vulnerability in January 2006; Oracle patches it the same month.

6. Oracle PLSQL gateway - Litchfield in January shows Black Hat attendees a vulnerability in Oracle's Procedural Language extension to SQL. Oracle has yet to patch.

7. Apple Mac iChat - An unknown person posts on MacRumors.com an external link to the OSX/Leap.a Trojan on Feb. 13, 2006, the first virus for the Apple Mac OSX platform.

8. Internet Explorer createTextRange() - Researcher Andreas Sandblad discovers flaw in March that lets hackers install malware like keystroke loggers. eEye Digital Security issues a patch.

9. Internet Explorer HTA files - Dutch researcher Jeffrey van der Stad in March alerts Microsoft to problem with how IE processes HTML apps. Van der Stad pares back information about the bug on his Web site when Microsoft complains.

10. Sendmail SMTP server software - ISS in March finds vulnerability in this popular Internet E-mail transfer agent. Sendmail issues patch immediately.
From isn at c4i.org Tue Apr 18 03:02:32 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 18 Apr 2006 02:02:32 -0500 (CDT) Subject: [ISN] Linux Security Week - April 17th 2006 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | April 17th, 2006 Volume 7, Number 16n | | | | Editorial Team: Dave Wreski dave at linuxsecurity.com | | Benjamin D. Thomas ben at linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Strengthen Security with an Effective Security Awareness Program," "Intro Build your own gateway firewall," and "Technical Foundations of Hacking." --- EnGarde Secure Linux: Why not give it a try? EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration. http://www.engardelinux.org/modules/index/register.cgi --- EnGarde Secure Community 3.0.5 Released Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation. 
http://www.linuxsecurity.com/content/view/121879/65/ --- pgp Key Signing Observations: Overlooked Social and Technical Considerations By: Atom Smasher While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them. http://www.linuxsecurity.com/content/view/121645/49/ --- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------+ | Security News: | <<-----[ Articles This Week ]---------- +---------------------+ * Strengthen Security with an Effective Security Awareness Program 12th, April, 2006 Awareness programs shouldn't be confused with training. Training deals with developing specific skill sets. The objective of awareness programs is to focus the attention of employees on maintaining the confidentiality, integrity, and availability of information assets. It allows them to recognize IT security concerns and respond appropriately (Wilson and Hash, 2003). 
http://www.linuxsecurity.com/content/view/122320 * SearchSecurity.com's Intrusion Defense School 14th, April, 2006 Your organization's ability to fend off spyware, viruses and increasingly savvier attacks hinges on the strength and cohesion of your intrusion defense strategy. Intrusion Defense School puts the pieces of intrusion defense -- antivirus, antispyware, IDS/IPS, etc. -- in perspective to help you implement a strategy that meets your organization's needs. http://www.linuxsecurity.com/content/view/122339 * The weakest link in the security chain? You 13th, April, 2006 Human error was responsible for nearly 60 per cent of information security breaches last year, a new study has found. According to the fourth annual CompTIA (Computing Technology Industry Association) study on information security and the workforce, released on Tuesday, this figure is significantly higher than the number in 2004, when 47 per cent of security breaches were blamed on human error alone. http://www.linuxsecurity.com/content/view/122331 * THC-IPV6 Attack Toolkit 10th, April, 2006 A complete tool set to attack the inherent protocol weaknesses of IPV6 and ICMP6, and includes an easy to use packet factory library. This code was inspired when I got into touch with IPv6, learned more and more about it. http://www.linuxsecurity.com/content/view/122296 * Security problems in Cisco devices 11th, April, 2006 Cisco has published two security advisories to warn of problems in several of its devices. Products affected are Cisco ONS 15000 Series Common Control Cards, Cisco Transport Controller (CTC) and Cisco 11500 Content Services Switch. http://www.linuxsecurity.com/content/view/122298 * Intro Build your own gateway firewall 11th, April, 2006 Learn how to build your own gateway firewall using FreeBSD and old PC parts. The firewall will consist of the PF firewall, Snort IDS, various IPS applications, Squid proxy, and some intuitive web interfaces for auditing. 
The cost of this project should be between free and $200 depending on your resourcefulness. I built mine for free using spare parts that were stockpiled in personal storage and parts that the USMC was throwing away, but you can build one from used and/or new parts for dirt cheap. http://www.linuxsecurity.com/content/view/122301 * DNS Cache Poisoning - The Next Generation 11th, April, 2006 The old problem of DNS cache poisoning has again reared its ugly head. While some would argue that the domain name system protocol is inherently vulnerable to this style of attack due to the weakness of 16-bit transaction IDs, we cannot ignore the immediate threat while waiting for something better to come along. There are new attacks, which make DNS cache poisoning trivial to execute against a large number of nameservers running today. The purpose of this article is to shed light on these new attacks and recommend ways to defend against them. http://www.linuxsecurity.com/content/view/122306 * Hacking Network Printers 11th, April, 2006 Hack a printer you say, what kind of toner have you been smoking, Irongeek? Well, I'm here to tell you, there's more that can be done with a printer to compromise network security than one might realize. In the olden days a printer may not have been much of a concern other than the threat from folks dumpster diving for hard copies of the documents that were printed from it, but many modern printers come network aware with embedded Operating Systems, storage and full IP stacks. This article will attempt to point out some of the more interesting things that can be done with a network based printer to make it reveal information about its users, owners and the network it's part of. http://www.linuxsecurity.com/content/view/122307 * The Enemy Inside 13th, April, 2006 For many years external security threats received more attention than internal security threats, but the focus has changed. 
While viruses, worms, Trojans and DoS are serious, attacks perpetrated by people with trusted insider status (employees, ex-employees, contractors and business partners) pose a far greater threat to organizations in terms of potential cost per occurrence and total potential cost than attacks mounted from outside. The reason insider attacks "hurt" disproportionately is that insiders can and will take advantage of two important rights: trust and physical access. http://www.linuxsecurity.com/content/view/122334 * Build Effective Security Awareness Program 14th, April, 2006 You've developed a world class security program. Your technology-based defenses are cutting edge. Your security team is well trained and ready to handle anything that comes its way. So you're done, right? Not quite. One of the most important pieces of an effective information asset defense is missing: employee awareness. http://www.linuxsecurity.com/content/view/122335 * Disturbing developments in DDoS attacks 14th, April, 2006 Traditional DDoS of course is when an attacker uses thousands of centrally controlled zombie machines to direct millions of packets at a single destination. Most web servers shrivel up and die when subjected to that much attention. According to Barrett even the upstream infrastructure cannot withstand some of these attacks. The firewalls, routers, sometimes even the ISP go offline. A recent new technique is for the zombies all to perform DNS look-ups against the target's DNS server until it fails, effectively taking down a site without even hitting it directly. http://www.linuxsecurity.com/content/view/122341 * Case Of The Lucrative Lure 12th, April, 2006 "Hand me the boot disk." I said as I motioned to Scrap with my right paw. My left paw was busy making sure that the IDE cables were securely fastened to the suspect's hard drive and the clone drive. "Ah, acquiring a drive in DOS with Encase. This is so old school." 
Scrap mumbled as he fetched an Encase boot disk from his site bag. http://www.linuxsecurity.com/content/view/122322 * ISS announces Proventia Server for Linux 12th, April, 2006 Internet Security Systems announced Linux support for its Proventia Server Intrusion Prevention System product line. Key features of Proventia Server for Linux include vulnerability-based intrusion prevention, Buffer Overflow Exploit Prevention (BOEP) and support for Red Hat Enterprise Linux and SuSE Linux Enterprise Servers. http://www.linuxsecurity.com/content/view/122317 * Linux and Viruses Explained 13th, April, 2006 Attacking and shutting down Linux or Unix related servers would most likely shut down a virus's means of getting to another machine. Windows servers make up under 30 percent of the servers on the Internet; if all Windows servers on the Internet were shut down, the Internet would still be operating. There is no point writing a virus that stops itself from spreading. Common sense. So common sense would say do not attack Linux. http://www.linuxsecurity.com/content/view/122333 * When a product is better than the company 11th, April, 2006 As a product tester, I always tell people: The product speaks for itself. White papers, customer wins, marketing spin: None of that counts. I don't have to be convinced by a public relations person that the product is good, because good products prove themselves in our lab. In 2004, when I last tested mail security appliances, CipherTrust's IronMail was on our short list as a top finalist. It's a good product, and it proved itself in our labs. http://www.linuxsecurity.com/content/view/122305 * Security 'network' to speed up anti-hacker tools 13th, April, 2006 A new cyber-security 'network' hopes to speed up the development of products that could plug dangerous gaps in businesses' IT defences. 
http://www.linuxsecurity.com/content/view/122330 * Tips For Creating Strong Passwords You Can Remember 10th, April, 2006 One of the problems with passwords is that users forget them. In an effort to not forget them, they use simple things like their dog's name, their son's first name and birthdate, the name of the current month - anything that will give them a clue to remember what their password is. http://www.linuxsecurity.com/content/view/122292 * Researcher: Web services security risks largely ignored 10th, April, 2006 During a conference presentation, researcher Alex Stamos outlined how a number of Web services technologies, including AJAX (Asynchronous JavaScript and XML) and the XQuery query language, could be exploited by hackers to dig up secret information and attack systems. Web services is a catch-all expression used to describe a form of distributed computing that uses standards based on XML (Extensible Markup Language) to simplify the job of programming software. One of its key tenets is that Web services applications are extremely portable and can easily interact with different types of software. http://www.linuxsecurity.com/content/view/122294 * Targeted Phishing Attacks 11th, April, 2006 Phishers are using a lesson learned from virus and worm writers to improve their chances of success. Over time virus and worm authors discovered that it was not necessarily the malicious payload of their craft that was alerting the internet community that trouble was on the way. It was the "Internet noise" they created while looking for vulnerable hosts. This noise resulted from increased traffic to specific ports or in bandwidth-crippling floods of attempted connections to every single host within a large subnet or domain. http://www.linuxsecurity.com/content/view/122297 * RealNetworks rep to Linux: DRM or die! 11th, April, 2006 A RealNetworks vice president voiced a few inflammatory opinions during LinuxWorld Boston last Tuesday. 
The RealNetworks rep in question, Jeff Ayars, said that Linux as a consumer platform would be dead unless DRM capabilities are built into the OS itself. "The consequences of Linux not supporting DRM would be that fixed-purpose consumer electronics and Windows PCs would be the sole entertainment platforms available," Ayars said. "Linux would be further relegated to use in servers and business computers, since it would not be providing the multimedia technologies demanded by consumers." http://www.linuxsecurity.com/content/view/122304 * Miaow to kitten-based authentication 12th, April, 2006 Web developers have taken the idea of Captchas - challenge-response systems that are often used to stop the automatic creation of webmail accounts by spammers - forward in a fun way by using images of kittens instead of distorted images of letters. KittenAuth features nine pictures of cute little animals, only three of which are feline. A user demonstrates that there's a human in front of the machine by selecting the three kittens among these images. http://www.linuxsecurity.com/content/view/122318 * Pentium computers vulnerable to cyberattack 12th, April, 2006 The built-in procedure that Intel Pentium-powered computers use to blow off their digital steam could put users in hot water by making the machines vulnerable to cyberattacks, computer security researchers announced at the CanSecWest/core06 conference last week. When the processor begins to overheat or encounters other conditions that could threaten the motherboard, the computer interrupts its normal operation, momentarily freezes and stores its activity, said Loc Duflot, a computer security specialist for the French government's Secretary General for National Defense information technology laboratory. http://www.linuxsecurity.com/content/view/122319 * Magnetic Data Recovery 13th, April, 2006 The majority of today's businesses rely in some way upon computer systems to handle the tasks of everyday commerce. 
These businesses are increasingly using computers to work with their internal and external documents, depending more and more on digital storage every day. Most attention has been focused on well-known problems such as viruses, exploits, etc. Attacks by intruders and insiders have led to billions of dollars in lost revenue and expended effort to fix these problems. http://www.linuxsecurity.com/content/view/122328 * Fear sells. Read the report 13th, April, 2006 Every two years the show serves as a forum for the announcement of the DTI's Information Security Breaches Survey, touted as the UK's most authoritative look at security breaches. Latterly the lead up to the report has been accompanied by a string of press releases, sponsored by security vendors, highlighting a particular facet of security that (no surprise here) helps to illustrate the importance of the particular firm's technology. http://www.linuxsecurity.com/content/view/122329 * Design Flaw in Human Brain Prevents Detection of Phishing Websites 13th, April, 2006 "Why Phishing Works" is a recent study (PDF) that examines phishing website techniques. The most visually deceptive website spoof in the study was able to fool 90% of the study's participants. That 90% figure includes the most technically advanced users among the participants. It was the look, not the spoofing of security features, that did the job - something that our resident phishing expert found quite interesting. http://www.linuxsecurity.com/content/view/122332 * On the Insecurities of the Internet 14th, April, 2006 Among the most popular stereotypes related to Cyberterrorism is that of terrorists shutting down the Internet, or to put it another way, denying access to the dispersed and decentralized Internet infrastructure by attacking the Internet's root servers the way it happened back in 2002 -- knowing Slashdot's IP in such a situation will come as a handy nerd's habit for sure. 
Outages like these would eventually result in a butterfly effect, such as direct monetary losses and lost confidence in today's e-commerce world. http://www.linuxsecurity.com/content/view/122340 * Social Engineering a Police Officer 14th, April, 2006 Really nice social engineering example. Note his repeated efforts to ensure that if he's stopped again, he can rely on the cop to vouch for him. Woe is Carl Bordelon, a police officer for the town of Ball, La. His dashboard camera captured (below) his questioning of Richard Lee McNair, 47, on Wednesday. Earlier that same day, McNair had escaped from a federal penitentiary at nearby Pollock, La., reportedly hiding in a prison warehouse and sneaking out in a mail van. Bordelon, on the lookout, stopped McNair when he saw him running along some railroad tracks. http://www.linuxsecurity.com/content/view/122343 * When 'delete' is not enough 10th, April, 2006 It was only a single digit in a 20-page Microsoft Word contract between two partners, but Scott Cooper earned his fee several years ago when he found it. Cooper, a computer forensics expert, learned that the numeral "1" had been scrubbed in some later versions of this digital document. This gave his client, a partner in a software company that had recently been sold, just a 5 percent rather than a 15 percent share in the company. If the change had gone undetected, the partner would have received $32 million rather than his rightful $96 million payout. http://www.linuxsecurity.com/content/view/122293 * RFDump 10th, April, 2006 RFDump is a backend GPL tool to directly interoperate with any RFID ISO-Reader to make the contents stored on RFID tags accessible. This makes the following types of audits possible: Test robustness of data-structures on the reader and the backend-application; Proof-of-concept manipulations of RFID tag contents; Clone / copy & paste User-Data stored on RFID tags; Audit tag-security features. 
http://www.linuxsecurity.com/content/view/122295 * Enterprises struggling with privacy management 12th, April, 2006 Enterprises are under increasing pressure to safeguard the privacy and security of personal data, but the complexity of the task is making it difficult to meet higher expectations, a Hewlett-Packard Co. (HP) project manager said Tuesday. The pressure is coming from consumers and governments, who want greater control over how data is retained and managed, said Pete Bramhall, project manager at HP's lab in Bristol, England. Internally, enterprises are grappling with the cost and complexity of dealing with distributed networks. http://www.linuxsecurity.com/content/view/122323 * US security agency scrutinises secure storage device 12th, April, 2006 The US National Security Agency (NSA) and Treasury Department have expressed interest in a secure storage device that hard drive manufacturer Seagate is developing. Seagate spokesperson Michael Hall told vnunet.com that the company has met with the two US government agencies over its Momentus 5400 FDE technology. He said that the agencies are investigating the device's implications for their ability to fight organised crime, but stressed that so far they are only gathering information. http://www.linuxsecurity.com/content/view/122321 * Can UK law stop criminal hackers? 14th, April, 2006 MPs are preparing to get tough on hackers as the law on computer misuse and hacking is up for a revamp. For some years now, critics of the Computer Misuse Act (CMA) 1990 have said that gaps in the legislation have made it very hard to prosecute anyone. http://www.linuxsecurity.com/content/view/122342 * Kernel Mode Ircbot 8th, April, 2006 The world of malware and rootkits has evolved a lot over the last two years; the most significant developments have been in the sophistication of rootkits. 
In case the term "rootkit" doesn't mean much, a rootkit is basically a program that subverts the operating system and allows the attacker to hide certain files and programs from the user. It usually will also provide a hidden backdoor into the system, and will hide network connections made through the backdoor from the user. http://www.linuxsecurity.com/content/view/122278 * Technical Foundations of Hacking 10th, April, 2006 The Transmission Control Protocol/Internet Protocol (TCP/IP) suite is so dominant and important to ethical hacking that it is given wide coverage in this chapter. Many tools, attacks, and techniques that will be seen throughout this book are based on the use and misuse of the TCP/IP protocol suite. Understanding its basic functions will advance your security skills. This chapter also spends time reviewing the attacker's process and some of the better known methodologies used by ethical hackers. http://www.linuxsecurity.com/content/view/122291 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Tue Apr 18 03:02:47 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 18 Apr 2006 02:02:47 -0500 (CDT) Subject: [ISN] Hacked computers receive updated spam tool Message-ID: http://www.computerworld.com/securitytopics/security/virus/story/0,10801,110599,00.html By Jeremy Kirk APRIL 17, 2006 IDG NEWS SERVICE Computers infected with a well-known piece of malware began downloading a new spam tool Sunday night used by hackers to send unwanted e-mail. 
Malware writers working as part of the infamous Bagle spam gang began sending a new spamming tool Sunday night to thousands of hacked computers, said Mikko Hypponen, chief research officer at F-Secure Corp., a security company in Helsinki, Finland. If a computer is infected with the Bagle worm, a hacker can download other malicious programs to the machine. In turn, those programs can send out spam to other machines without the knowledge of the user. Once a computer is under their control, malware writers can upgrade the malicious software they have installed. Last night, machines infected with Bagle variants were downloading the new spam tool from a server in Slovakia hosting a real-estate Web site. "This is the way virus writers can upgrade the infected machines," Hypponen said. "It's like [Microsoft Corp's] Windows update for viruses." The download link was buried within the Web site, and it's unlikely the owners had any idea it was being used. Last night, the link was cut off, Hypponen said. But within hours, a French site hosted in the U.S. was hosting a link with the malware, Hypponen said. The Internet service provider hosting that site has been contacted, but so far, the link remains active, he said. F-Secure uses automated tools to poll URLs used by virus writers to host bad malware, Hypponen said. About 99% are decoys, set up to throw off attempts to track them down. But when a site suddenly becomes active, Hypponen said, efforts are made to contact the Internet service providers to shut them down. From isn at c4i.org Tue Apr 18 03:01:39 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 18 Apr 2006 02:01:39 -0500 (CDT) Subject: [ISN] Internet Use In Zimbabwe Limited Message-ID: http://www.bernama.com.my/bernama/v3/news.php?id=192201 April 18, 2006 HARARE, April 18 (SNNi/New Ziana) -- Experts say the tough regulatory environment in Zimbabwe has stifled the use of Internet, which is the fastest and most preferred mode of communication. 
Africaonline, one of Africa's biggest Internet service providers, said that there were many reasons for this. "Internet development in Zimbabwe has been bad because of low pricing, poor infrastructure, low computer penetration and low interest of its appreciation," said the provider. It said this trend was common across the continent, except South Africa and Egypt. Africaonline said players should pool resources to get cheaper ways of providing Internet services in Africa. "The future of Internet service providers in liberalised markets lies in them engaging partners and merging," it said. Most African countries, including Zimbabwe, lag behind in technological development in the world. A 2002 survey showed that out of 800 million people in Africa, one in 13 had access to television, one in four to a telephone and one in 160 to the Internet. Pay television was accessible to one in 1,400 people. Experts said computer crime was a local as well as a global problem. Though hacking was not commonly reported in Zimbabwe, experts believed that it existed clandestinely. A computer security company said underdeveloped markets were targets, as those in Europe had advanced ways of detecting the crime quickly. On the local market hacking was common in e-banking, it said. "Some security files have been accessed. The victims have decided not to publicise it because that would kill their integrity," said the company. -- BERNAMA Copyright © 2006 BERNAMA. All rights reserved. From isn at c4i.org Tue Apr 18 03:03:03 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 18 Apr 2006 02:03:03 -0500 (CDT) Subject: [ISN] DHS still gearing up response to cyberthreats Message-ID: http://www.gcn.com/online/vol1_no1/40422-1.html By William Jackson GCN Staff 04/17/06 The nation faces a real threat to its critical infrastructure while the Homeland Security Department still struggles to develop the systems needed to assess and respond to those risks, the department's head of cybersecurity said today. 
"We believe there is a significant cyber-risk in this country," Andy Purdy, acting director of the National Cyber Security Division, said at the 2006 International Conference on Network Security, being held in Reston, Va. "We can take no solace from the fact that we haven't seen the attacks yet." As the lead agency for IT security, DHS is the point of contact for collaboration with the IT industry in the development of a risk management plan as part of the national infrastructure protection plan. But critics have complained that cybersecurity has been too low a priority within the department. A newly created assistant secretary position would help to address this issue, but that office has yet to be filled. "Homeland Security is working with the White House on coming up with a candidate," Purdy said. He said an announcement is expected "in the near future." The two great challenges for DHS now in IT security are developing a national cyber-response system to provide risk management for IT threats, and developing a process for sharing information about threats and vulnerabilities among agencies and with the private sector. The problem right now is not a lack of information, but a lack of organization, Purdy said. "There are so many players, so many different people doing different things," he said. Lack of communication has long been a problem in IT security. Information about threats and vulnerabilities often is seen as proprietary and sensitive, and owners within and outside of government tend to hold on to the information as long as possible. Some elements of a system for sharing information already are in place, such as a host of industry-specific information sharing and analysis centers which communicate with lead government agencies for their sectors. But many in the private sector still are leery about sharing information with the government and there is no system to coordinate information sharing between industry sectors and various federal agencies. 
Also lacking is an engine for collating this data so that it can become useful intelligence. Some in Purdy's audience were skeptical of Homeland Security's ability to create a risk analysis system without comprehensive reporting requirements used by other departments to produce useful statistics. Purdy acknowledged this difficulty and said DHS still is waiting on a comprehensive data collection system. From isn at c4i.org Tue Apr 18 03:03:23 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 18 Apr 2006 02:03:23 -0500 (CDT) Subject: [ISN] What's the next security threat? Message-ID: http://news.com.com/Whats+the+next+security+threat/2100-7349_3-6061341.html By Ron Condon Special to CNET News.com April 17, 2006 In January this year, 20-year-old Jeanson James Ancheta pleaded guilty in a California court to charges that he had broken into government computers and taken control of them for purposes of fraud. He had planted Trojan software on the systems at the China Lake Naval Facility in California's Mojave Desert, enabling him to manipulate computers on the network there. He had then used the computers to generate hits on Web site advertisements, for which the advertisers paid according to the traffic they received. It sounds like an overelaborate and harmless prank, except that Ancheta admitted the scam had netted him $60,000 before it had been detected. Furthermore, it emerged that he controlled some 400,000 computers around the world, which he could manipulate remotely to do his bidding--to generate advertisement traffic, to send out infected software to more vulnerable computers, to pump out spam. Ancheta is typical of the new breed of criminal on the Internet, motivated by money and determined to work by stealth. The spyware or Trojan horses they plant on unsuspecting users' machines do not draw attention to themselves, but once installed, they work as slaves to their remote masters. Users are rarely aware that their machines have been hijacked. 
The system continues to work, albeit slightly more slowly at times, and they have no control over the secret tasks it is being asked to perform. Bot networks, which are armies of these hijacked computers, have become the predominant feature of the Internet threat landscape. According to security company CipherTrust, more than 180,000 PCs are turned into zombies every day, and that figure is continually rising. The botnets are used by their owners to defraud Internet advertisers, as in Ancheta's case, or they can be rented out by the hour to those who want to carry out cheap mass-mailing campaigns. Extortionists may also rent them to launch denial-of-service attacks on legitimate Web sites. These professional operations are taking over where the traditional hobbyist hackers left off. "We are seeing less of the big virus outbreaks such as Sasser and Blaster, and so some people believe the situation is getting better, when in fact it is getting worse," said Mikko Hypponen, chief research officer at security company F-Secure. "The bad boys are getting more professional and doing more targeted attacks." He sees botnets as a major problem that cannot be easily fixed, because the hijacked machines are mostly home PCs connected to an ADSL line. "It takes a lot of end-user support to explain to a grandmother how to configure the computer. So most ISPs are not doing anything about it," he said. New phishing grounds Most analysts forecast that phishing attacks too will continue to grow in number and in sophistication. David Sancho, an antivirus engineer at security company Trend Micro, gave an example of a recent attack in Germany which pretended to come from an electricity company. It asked recipients to check their bill by clicking on an attached PDF document, which is how the genuine electricity company operates. But the attachment in this case had a suffix of .pdf.exe, and planted a Trojan on the user's machine. 
"Once active, it monitors every Internet connection, every access to Web pages and access to the bank, and reports it back to the creator of the Trojan," Sancho said. "It is smarter, because they don't have to set up a fake server." F-Secure's Hypponen also forecast that phishers will find ways to crack the one-time passwords that some banks have introduced as a security measure. In one case, the user has a list of authorization codes on a slip of paper sent by the bank. "The target is fooled into logging into a fake bank, where they ask for his authorization code. The fake bank logs into the real bank with the one-time password and moves money around. Then it gets back to the customer, says there has been a problem and asks him to give the next code," Hypponen said. The biggest problem for the phishers, he said, is finding new suckers to fool. As more people become aware of phishing attacks, the attackers are going for smaller targets and into different languages, such as Greek, Czech and Finnish. While Windows PCs remain the prime target for attacks, prepare to see more activity targeted at the mobile phone. F-Secure says it has now detected 179 cell phone viruses and estimates that some tens of thousands of handsets are infected. Nokia has reacted by launching handsets with antivirus protection built in, and the newly released version 9 of the Symbian operating system has improved security, so it may be possible to nip some mobile viruses in the bud. Or maybe not. F-Secure recently detected the first malicious Java software on a cell phone, meaning it could affect most handsets, and not just the high-end models, Hypponen said. And in March, he spotted a Trojan horse that plants itself on the cell phone and calls a premium rate number in Russia, each time clocking up five euros ($6.04) for the criminal who sent it. Even so, the rapidly growing world population of broadband users means that botnets will continue to be the main focus for Internet criminals. 
All of the people in the Rogues Gallery of the world's top 10 spammers, on the Spamhaus Project Web site, are constantly topping up their networks with new zombie machines owned by people with little concept of security. And they do not restrict themselves to mass e-mailing--their activities extend into child pornography, extortion and fraud.

And botnets open up another danger, according to Dave Rand, chief technologist for Internet content security at Trend Micro. Their combined computing power could be used to decrypt Internet traffic, he says. If that were to happen (and there is no sign of it yet), it could bring e-commerce to a grinding halt.

Ron Condon reported for Silicon.com from London.

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Tue Apr 18 03:03:45 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 18 Apr 2006 02:03:45 -0500 (CDT)
Subject: [ISN] Does open source encourage rootkits?
Message-ID:

http://www.networkworld.com/news/2006/041706-open-source-rootkits.html

By Ellen Messmer
Network World
04/17/06

Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community.

In its "Rootkits" report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware or bots) or conceal processes running in Windows systems.

"The predominant reason for the growth in use of stealthy code is because of sites like Rootkit.com," says Stuart McClure, senior vice president of global threats at McAfee.

Rootkit.com's 41,533 members do post rootkit source code anonymously, then discuss and share the open source code. But it's naïve to say the Web site exists for malicious purposes, contends Greg Hoglund, CEO of security firm HBGary and operator of Rootkit.

"It's there to educate people," says Hoglund, who's also the co-author with James Butler of the book Rootkits: Subverting the Windows Kernel. "The site is devoted to the discussion of rootkits. It's a great resource for anti-virus companies and others. Without it, they'd be far behind in their understanding of rootkits."

No one with a profoundly malicious intent would post his rootkit on the site, because it would be publicly analyzed for detection purposes, Hoglund says. He concedes, however, that out of the tens of thousands of Rootkit participants, there are bound to be those whose intent is to exploit rather than learn.

Anti-virus vendor Trend Micro says the Rootkit Web site cuts both ways. "We need those open source people," says David Perry, global director of education at Trend Micro. "They uncover things. It's a laboratory of computer science. They demand the intellectual right to discuss this."

That said, Perry notes there are a lot of hacker wannabes who would be drawn to using the Rootkit site "as one-stop shopping for them to pick up the tools."

Designing a rootkit is a complex programming process. Hoglund says there are probably no more than 20 or 30 main types today, along with a wide number of variants. Detecting rootkits has become a software research frontier, but eradicating them and what they hide is proving even more difficult.

"I don't think it's fair to say Rootkit.com is abetting the spread of rootkits. They were present before Rootkit.com," says co-author Butler, CTO at Komoku. Komoku is getting ready to release a rootkit-detector code-named Gamma. Butler says Rootkit.com has made it easier to use such software. "Technology being deployed today is now more sophisticated than it was two years ago. It's very advanced," he says.

"Eradication is extremely difficult to do in 100% of the cases, while restoring a system and keeping it stable," Butler says.
Some rootkits that can get into the [basic input/output system] might make it advisable "to throw the computer away" if you want to be sure you got rid of the rootkit, he says. A Microsoft official offered similar advice two weeks ago at the InfoSec Conference in Orlando.

Rootkits with names including HackerDefender, AFXRootkit, PWS-Progent and FURootkit are cited by McAfee as among the most prevalent today. The trend is toward embedding stealth technologies with varying forms of spyware and malware, such as Backdoor-CEB, AdClicker-BA, W32/Feebs, Backdoor-CTV, Qoolaid, PWS-LDPinch, Opanki.worm, and W32/Sdbot.worm. This makes it harder to detect and eradicate spyware, adware and other unwanted code, McAfee's McClure says.

The growing fear in the security world is that it won't be long before someone creates a worm that can scan networks for vulnerabilities and then effectively deliver a malicious payload - such as something that can wipe out files, change data or spy on organizations - that can be kept hidden by a well-made rootkit. "It's quite possible, once you've got a piece of code on someone's computer," Perry says.

All contents copyright 1995-2005 Network World, Inc.

From isn at c4i.org Tue Apr 18 03:03:59 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 18 Apr 2006 02:03:59 -0500 (CDT)
Subject: [ISN] Virus-carrying IC chips may aid cyberterrorists
Message-ID:

http://www.yomiuri.co.jp/dy/features/science/20060418TDY03002.htm

Kyoichi Sasazawa
Yomiuri Shimbun Staff Writer
Apr. 18, 2006

Integrated circuit chips can carry computer viruses, a group of researchers at Free University Amsterdam has discovered.

The chips, which can be found in a number of items, including some new passports and Japan Railway Co.'s Suica train passes, send electronic information, such as numbers and identification data, to a computer system when passed over an IC reader.
The Dutch group announced their findings last month during a meeting in Italy of the Institute of Electrical and Electronics Engineers. For the experiment, the scientists employed a small chip embedded in a card--about the same size as an IC card--that sent data of up to 1 kilobit, including instructions that could harm a computer, to a computer system. The system became infected with the virus. Though there are certain restrictions on which characters can be used in an IC chip, there is enough leeway to stop a computer from working, the researchers said. One member of the group pointed out that this discovery could lead to cyberterrorism on a world-wide scale, if someone were to forge an IC passport and use it to infect airport computers. The scientists warn that countermeasures, such as tightening cryptographic security, should be put in place as soon as possible. "I don't know what their conclusion was based on," one JR East employee said, defending the popular Suica card. IC passports, first advocated by the United States as they can carry biometric information, such as fingerprints, are gradually being introduced in Japan and other countries. Experts have warned, though, that personal information stored on the chips could be pilfered. "We've constructed the chips so they can't be altered," a Foreign Ministry official said. "But we might need to develop a means to deal with the problem if it becomes possible to manipulate the data stored on the chips." Tadao Saito, professor emeritus at Tokyo University, said: "The infection route for computer viruses has changed from floppy disks to the Internet. I wouldn't be surprised if we were to see another. Although the IC chips can't store much data, we still need to be cautious." 
From isn at c4i.org Wed Apr 19 01:44:44 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 19 Apr 2006 00:44:44 -0500 (CDT)
Subject: [ISN] Software insecurity: Plenty of blame to go around
Message-ID:

http://www.gcn.com/online/vol1_no1/40437-1.html

By William Jackson
GCN Staff
04/18/06

The reason software so often is not secure is the fault either of developers or of users. A free-wheeling debate on software security at the 2006 International Conference on Network Security in Reston today came to no clear consensus on responsibility for the disappointing quality of software. On the other hand, it was agreed that federal security certification programs could serve as models for improving private sector IT security. Or not.

Andrew Lee, chief research officer for antivirus company Eset LLC of Coronado, Calif., blamed the problem of buggy software on a disconnect between developers and users. What seems proper and intuitive to a developer often is ignored by users, who do strange and terrible things with their applications.

"We don't account for user behavior," Lee said. "Users are just really annoying." Even well-developed software often is too complex to ever be adequately tested, he added.

Eric Cole of Lockheed Martin Corp. acknowledged that software often has flaws, but said that careful deployment would produce greater returns than more careful coding. "In a lot of cases, even though the bugs are still there, the impact to your organization can be mitigated," by use of a properly architected network with adequate safeguards. On the other hand, "even if you have good, solid software that is deployed wrong, you can be broken into."

One audience member criticized the security and development communities for focusing on clever tricks for solving problems and deplored the lack of due diligence by organizations in designing networks and deploying software. "What is it about methodology that is a problem for organizations?" he asked.
Stuart Katzke of the National Institute of Standards and Technology said that standards and guidelines developed by NIST could help provide that methodology. He said the suite of documents produced for the Federal Information Security Management Act effectively establish a level of due diligence for government IT systems. "It is likely to become due diligence for the private sector as well," he said.

The NIST publications establish requirements for agencies to comply with FISMA. Development of the standards and supporting guidelines are the first phase of FISMA implementation, he said. "We're completing the last document now," Katzke said. That is Special Publication 800-53A, a security control assessment guide.

NIST has begun the second phase of implementation, which is an accreditation program for security assessment providers. A third phase, development of a system to validate FISMA compliance tools, is "out in the future."

"The framework that we have established for federal agencies is really applicable to any environment," Katzke said. He said NIST is working with the IEEE to standardize its suite of documents that would help any organization go through the categorization, assessment and accreditation process required of government systems by FISMA.

Keith Beatty of Science Applications International Corp. went out on a limb by praising the oft-criticized Common Criteria program operated by NIST and the National Security Agency. The Common Criteria are an internationally recognized set of standards for evaluating security products. The goal is to ensure that products either meet a government performance profile, or at least perform the way the vendor claims they do.

"I came from the private sector," Beatty said. "I see models in the government," such as Common Criteria and the Federal Information Processing Standards, "that are very good. It gives you a way to compare products."
Others disagreed with the Common Criteria's worth, complaining that it was more about paperwork than software quality. "You don't get your evaluation before the product goes out the door," one person said. The product already is in use before the evaluation is done, so "all it does is cost vendors a lot of time."

And money. Evaluation can take months or years and can cost from hundreds of thousands to millions of dollars. One person said the Common Criteria evaluation was not worth the $150,000 "entry fee" a vendor could expect to pay unless the vendor had a government contract in hand that would justify the process.

© 1996-2006 Post-Newsweek Media, Inc. All Rights Reserved.

From isn at c4i.org Wed Apr 19 01:44:59 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 19 Apr 2006 00:44:59 -0500 (CDT)
Subject: [ISN] Analysts Speak Out on the Wireless Security Hype
Message-ID:

http://www.eweek.com/article2/0,1895,1950790,00.asp

By Matt Hines
April 18, 2006

News Analysis: Some industry watchers contend that the threat of malware aimed at mobile handsets is over-hyped; others say enterprises preparing for such threats will be better off when attacks arrive.

Security software vendor Kaspersky Labs joined the ranks of anti-malware specialists introducing applications designed for use on mobile devices with the launch of its new beta technology for smart phones running the Symbian operating system. Whether such tools should be in demand by enterprises remains a topic of debate among industry watchers.

Kaspersky's introduction of its Anti-Virus Mobile beta is particularly interesting because an overwhelming majority of the mobile handset threats identified to this point have been aimed squarely at Symbian devices. And as recently as the third quarter of 2005, researchers at Gartner reported that Symbian accounted for two-thirds of the world's shipments of smart phones, powerful handheld devices with larger memories and more PC-like capabilities than today's popular handsets.
While most experts concede that smart phones could be one of the technologies that drive a new wave of adoption of enterprise mobility tools, Gartner said the cutting-edge devices represented only 6.1 percent of all the handsets shipped worldwide during 2005. Those relatively small numbers, combined with the comparatively benign nature of today's mobile threats, leave some industry analysts with the impression that software vendors are inflating the issue.

"The mobile security threat is getting a bit too much hype, eventually there could be real attacks, but a lot has to happen before it becomes an issue people really need to worry about," said Sandra Palumbo, analyst with Boston-based Yankee Group. "The fact is that the things we've seen so far have had such a limited scope that it's not really worth focusing a great deal of attention on it; the vendors are guilty of aggressive marketing."

Among the fundamental issues separating the nature of today's mobile threats from desktop viruses is the sheer diversity of devices and operating systems on the market, compared to Microsoft Windows' utter dominance of the PC world for almost two decades. Palumbo said that as smart phones and mobile business applications become more widely adopted, the most popular platforms will likely fall prey to malware code writers. But the analyst doesn't believe such a stage will be set until at least several years from now.

Along with Kaspersky's new product beta, high-profile vendors including F-Secure, McAfee and Symantec have all introduced similar mobile anti-malware applications. F-Secure in particular has been outspoken in exhorting enterprises to begin more actively defending wireless devices.

Some people may think the company is trying to cash in on the fear of mobile security emerging as the next big sore spot for IT administrators, but someday those individuals will wish they had been more prudent in preparing for tomorrow's attacks, said Antti Vihavainen, vice president of mobile security at Helsinki-based F-Secure.

"People in enterprise IT departments think that preparing in advance for something that might not happen is lame, but the fact is that it's very hard to recover after a problem begins; it's damage control," said Vihavainen. "People have the option to be prepared; some will take it, some won't, and what we've been trying to say is that things will get worse before they get better with mobile threats, unless there is decisive action taken by business users."

By taking a more proactive approach to mobile security, companies may also discourage handset hacks because there will be fewer opportunities for the first waves of attacks to cause serious problems, the executive said.

The fact that most of today's mobile threats have been launched by so-called script kiddies, or hackers inspired more by the notion of making a name for themselves among fellow virus writers, and not by organized criminals, doesn't mean that more professional wireless malware code isn't already in the works, he said. The emergence of applications such as eBay's new PayPal Mobile wireless payment technology could also cause even more criminals to focus on the space.

There is already some evidence to suggest that the threat of mobile security issues is alarming some enterprise customers to the point where they are putting plans to utilize new wireless applications on hold. In a study published in March by anti-virus market leader Symantec, the company found that over 60 percent of the 240 enterprises it polled were postponing the introduction of new wireless tools based on security fears.
Some 82 percent of those companies responding to the survey said that they would rate the impact of mobile viruses as roughly the same, or even worse, than the fallout caused by more traditional IT threats.

Those opinions illustrate the fact that mobile security is already a real-world concern, and with good reason, said Paul Miller, director of mobile and wireless solutions at Symantec. An impending explosion of smart phone adoption along with a lack of preparation by enterprises is setting the table for serious attacks, he said.

"Most companies' security strategies are outdated when it comes to the adoption of wireless, and many aren't following the use of smart phones at all, so, some enterprises are headed for a breakdown when attacks come," Miller said. "We're not saying that people need to take their attention away from the desktop, as obviously there's a lot of activity there, but companies at least need to begin creating policies and putting them in place before it's too late and some problem overwhelms them."

On the other side of the coin, at least one security applications vendor has become outspoken in its contention that mobile security concerns are being overstated. While there very well may come a time when companies need to be as concerned with mobile threats as they are with desktop attacks, encouraging customers to throw time and resources at wireless security efforts today will only hurt their ability to stay ahead of today's viruses, according to Sophos, an anti-virus applications provider based in Abingdon, United Kingdom.

"There is so much virus activity on the desktop today that having software makers tell enterprises they need to worry about this big looming mobile security threat right now is a little bit unproductive for everyone," said Graham Cluley, senior technology consultant at Sophos. "It's not likely that most people will encounter mobile threats for some time to come; beyond creating device usage policies of some kind, I'm not sure what work needs to be done."

In a survey conducted by the anti-virus provider in mid-2005, over 70 percent of the 250 IT workers polled by Sophos said they believed the current state of mobile threats to be over-hyped. Instead of looking at anti-malware solutions for mobile handsets, companies should be considering ways to extend their desktop password and enterprise data access policies onto new devices, Cluley said.

"There's a lot of skepticism; most of the companies we speak to are saying that they know this isn't a significant threat," said Cluley. "Some of them may already be thinking about the future, but they know that battle isn't taking place right now."

One research company, Stamford, Conn.-based Gartner, is advising its customers to begin considering a timeframe for looking at mobile security issues without encouraging enterprises to go out and start investing in technologies today. John Pescatore, analyst with Gartner, said it will be at least another year until real mobile threats arrive.

"People started hyping mobile security as far back as 2001, but we don't think it's going to become a real issue until at least the end of 2007," said Pescatore.

The analyst said that at that time there will be more smart phones in use, greater heterogeneity among handset operating systems, and more openness among users in running mobile applications that involve executable programs running on wireless devices, a key for launching malware programs, he said.

"Once people start sharing more executable e-mail attachments and accessing applications, more viruses and worms will inevitably be spread," said Pescatore. "But looking at what's out there today and trying to build anti-virus software for every type of handset on the market is probably just a big waste of money."
From isn at c4i.org Wed Apr 19 01:44:21 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 19 Apr 2006 00:44:21 -0500 (CDT)
Subject: [ISN] Hands-on testing of the new Linux virus
Message-ID:

http://os.newsforge.com/article.pl?sid=06/04/17/1752213

By Joe Barr and Joe Brockmeier
April 17, 2006

Thanks to one of our readers, NewsForge has obtained a copy of the widely reported Windows/Linux cross-platform "proof of concept" virus. News reports thus far on the code have contradicted themselves: some reported the virus can replicate itself on both Windows and Linux, others saying it has a viral nature only on Windows. Testing by both NewsForge staff and Hans-Werner Hilse may reveal the reason for the confusion.

Our tests show the code's viral nature is sometimes -- but not always -- effective on both platforms, depending on the kernel being used. Of course, it's impossible for us to test every version of the kernel out there, but thus far, it looks like those prior to version 2.6.16 are susceptible, and at least some of those after that release are not.

Here's how we tested at NewsForge. Our first test was run on an AMD64 box with a fresh install/update of Ubuntu Dapper Flight 5 386 with the 2.16.15-20-386 kernel, with the WINE and GHex -- a binary viewer/editor -- packages also installed.

After unzipping the viral package (clt.zip) into an empty directory, we tested CLT.EXE by executing it under WINE in a subdirectory containing only a small executable and linkable format (ELF) file, called hello, written in assembler, that we created for the test. We ran CLT.EXE, and a small window popped up saying that the "dropper" -- as the code calls itself -- had executed successfully. When we examined the hello ELF file with GHex, however, it showed no signs of contagion -- not even the lines of text which were supposedly installed in lieu of the virus itself when run on Linux.
We soon learned that the reason hello remained uninfected in the first test was that the hello executable file is too small, not because the viral code could not replicate on Linux. Another NewsForge staffer testing CLT.EXE under VMWare found that it did infect larger ELF files.

Next, we copied the programs more, date, and ls from /bin into the test directory. When we ran CLT.EXE again, all three of those ELFs were infected. Each was 4,096 bytes larger than it had been before the test.

But did those 4,096 additional bytes actually contain the viral code? Would the ELF files still execute? Those questions became the basis for our next test scenario. Instead of running CLT.EXE under WINE, we repeated the tests in a different directory, using uninfected copies of the same target programs, and then executing an infected version of ls in that directory. The only difference we could detect was that the pop-up window no longer appeared: more, ls, and date were all infected and hello remained untouched.

[...]

From isn at c4i.org Wed Apr 19 01:44:32 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 19 Apr 2006 00:44:32 -0500 (CDT)
Subject: [ISN] Oracle sews up multiple security holes
Message-ID:

http://news.com.com/Oracle+sews+up+multiple+security+holes/2100-1002_3-6062438.html

By Joris Evers
Staff Writer, CNET News.com
April 18, 2006

As part of its quarterly patch cycle, Oracle on Tuesday released fixes for a long list of security vulnerabilities in many of its products.

The Critical Patch Update delivers remedies for 14 flaws related to Oracle's Database products, five related to the Collaboration Suite, one in Application Server, 15 related to E-Business Suite and Applications, two in the Enterprise Manager, one in PeopleSoft's Enterprise portal and one in JD Edwards software.

In addition to the security fixes, Oracle said it has made "significant" changes to an existing tool that checks for default accounts and passwords.
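Returning to the NewsForge ELF-infection tests in the previous article of this digest: the tell-tale sign there was that every infected binary grew by exactly 4,096 bytes while its name and location stayed the same. The defender's counterpart to that observation is a baseline-and-verify integrity check over the ELF files in a directory. The Python script below is an added example written for this digest, not NewsForge's or Hilse's test code, and it never touches CLT.EXE: the ELF files it checks are constructed fakes (the ELF magic bytes plus padding), and the "infection" is simulated by appending a 4,096-byte block to the larger files, so it runs offline and shows what a size-and-hash baseline would have reported in the tests described above.

```python
"""Baseline-and-verify integrity check for ELF executables in a directory.

Added example (not NewsForge's test code). Records size and SHA-256 of every
ELF file under a directory, re-checks later, and reports files whose contents
changed together with the size delta, so an infection that grows each binary
by a fixed amount (4,096 bytes in the NewsForge tests) stands out at once.
"""
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"          # first four bytes of every ELF file


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(directory):
    """Map relative path -> (size, sha256) for every ELF file under directory."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if is_elf(full):
                rel = os.path.relpath(full, directory)
                result[rel] = (os.path.getsize(full), sha256_of(full))
    return result


def verify(directory, base):
    """Compare the current state with base.

    Returns a sorted list of (path, status, size_delta); status is one of
    "modified" (hash changed), "missing" (gone), "new" (ELF not in baseline).
    """
    current = baseline(directory)
    findings = []
    for rel, (size, digest) in base.items():
        if rel not in current:
            findings.append((rel, "missing", None))
            continue
        cur_size, cur_digest = current[rel]
        if cur_digest != digest:
            findings.append((rel, "modified", cur_size - size))
    for rel in current:
        if rel not in base:
            findings.append((rel, "new", None))
    return sorted(findings, key=lambda f: f[0])


def demo():
    """Constructed scenario: three fake ELF files; two grow by 4,096 bytes."""
    with tempfile.TemporaryDirectory() as d:
        # fake ELF files: magic bytes plus zero padding (constructed, not real binaries)
        for name, padding in (("ls", 600), ("more", 700), ("hello", 50)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(ELF_MAGIC + b"\0" * padding)
        # a plain text file is not ELF and must be ignored by the baseline
        with open(os.path.join(d, "README"), "w") as fh:
            fh.write("not a binary\n")
        base = baseline(d)
        # simulate the infection seen in the tests: append 4,096 bytes to the larger files
        for name in ("ls", "more"):
            with open(os.path.join(d, name), "ab") as fh:
                fh.write(b"\x90" * 4096)
        return verify(d, base)


if __name__ == "__main__":
    for path, status, delta in demo():
        print(f"{status:8} {path}  (size delta: {delta} bytes)")
```

The baseline must be taken from a known-clean state and stored somewhere the checked host cannot rewrite; a hash recorded after infection only certifies the infected file. Comparing hashes rather than sizes alone also catches an in-place patch that leaves the length unchanged.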
The tool was released in January as a response to the "Oracle voyager" database worm, which exploits those default items.

The business software maker has come under fire for being slow to patch security holes and for not collaborating well with researchers who find bugs. Oracle's chief security officer, Mary Ann Davidson, has responded in turn by saying bug hunters themselves can be a problem when it comes to product security.

In its patch bulletin, the company credited a number of researchers with reporting vulnerabilities. These include Alexander Kornbrust of Red Database Security, Esteban Martinez Fayo of Application Security and David Litchfield of Next Generation Security Software, who claimed discovery of Oracle Database flaws in a posting to the Full Disclosure mailing list.

From isn at c4i.org Wed Apr 19 01:45:14 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 19 Apr 2006 00:45:14 -0500 (CDT)
Subject: [ISN] Telecommuting security concerns grow
Message-ID:

http://www.networkworld.com/news/2006/042406-telecommuter-security.html

By Ellen Messmer
NetworkWorld.com
04/18/06

Telecommuting has become a way of life as more companies let employees work from home to do jobs that might otherwise be done on corporate premises. As a result, IT managers are adapting security policies to encompass home PCs.

Last year an estimated 8.9 million telecommuters worked from home three or more days each month during regular business hours, according to IDC. A quarter of them worked exclusively from home.

At places where home-based work has become the norm, IT managers say a key concern is ensuring each telecommuter's PC, typically granted remote access to a corporate LAN, keeps pace with office security guidelines.

"We have a fair number of employees who are telecommuters," says Dan Lukas, lead security architect at Wisconsin-based Aurora Health Care, which operates 13 hospitals, as well as dozens of clinics, with about 25,000 employees.
"We're driven by the business, not the technology." Several hundred Aurora employees work from home transcribing voice recordings made by physicians regarding their patients. These transcriptionists, situated all over the country, then remotely access Aurora's private-line network over the Internet to file each transcribed recording with a patient's online medical records. Other types of telecommuters at Aurora include radiologists, who can access the network to look at medical images. Kettering Medical Center Network, a group of five hospitals in Dayton, Ohio, with 7,000 employees and 1,200 physicians, is one of many hospitals that see growth in telecommuting. "More and more, physicians want access to their offices from home, and we're giving radiologists secure access so they can read images from home," says Bob Burritt, Kettering Medical Center Network's director of technology. According to IDC, healthcare is the industry in which telecommuting is most common, followed by the science and technical services arena, and manufacturing. Lukas says Aurora transcriptionists who telecommute are given PCs with a standard image on them for hospital applications and security, such as anti-virus. They also are required to use secure VPN access. The hospital is migrating from a Cisco IPSec VPN to a Juniper SSL VPN, since it doesn't require special agent-based software to deploy. Aurora's IT staff coordinate with a business manager in charge of these workers' assignments to ensure they have access only to the database resources they require. Another group of Aurora's telecommuters, teleradiologists, may be called upon at home to examine medical images stored in Aurora's multigigabyte storage-area networks and server-based repositories. With remote access a critical part of Aurora's daily operation, Aurora installed Lancope's StealthWatch intrusion-prevention system to repel denial-of-service attacks or break-in attempts. 
Despite the industry buzz about automated procedures for checking a user's anti-virus and patch updates before granting network access, Lukas says Aurora officials, who recently tested Cisco's Network Admission Control products, believe that for the moment it's not a mature technology and is too expensive. "It would cost us $50 per seat," he says.

Telecommuting is growing in acceptance, with IDC predicting there will be 9.9 million telecommuters by 2009. A wide variety of organizations are offering telecommuter support. The Defense Information Systems Agency, which supports the military through technical services, is considering letting its 5,000 employees, many of whom live in Northern Virginia, telecommute at least a few days per week.

The financial-services industry is stepping gingerly into telecommuting, with IT managers aware that government regulators and auditors will want to know about security controls on home-based computers. At Pennsylvania State Employee Credit Union in Harrisburg, Pa., a few dozen of its 650 employees, primarily the managers, are allowed to work from home, says Rob Ballard, IT support manager at PSECU. These telecommuters receive a standard-issue workstation from PSECU for home-based work, identical to what they are given in the office. In February, the credit union added Centennial Software's DeviceWall to its PCs to prevent USB mass-storage devices or iPods from copying data off any PC. DeviceWall also lets machines work in read-only mode and can limit Wi-Fi connections and use of CDs.

"We are audited frequently by internal and external auditors, and as a financial institution, we are held to a high standard," says Ballard, noting PSECU wants telecommuting to mirror its office IT security practices.

Consultant Tom Walsh recommends that organizations adopting telecommuting equip at-home employees with dedicated PCs to be used for work only.
"Don't allow shared computers," says Walsh, noting that it's poor practice to mix business and a family's home-computer use. "Kids are too smart. They know how to get things like keyloggers, and it's happened." Walsh suggests a viable alternative might be installing a separate hard drive on a home computer with security controls that restrict access to all but the telecommuter. Beyond simply having a telecommuter's PC mirror office PCs, Walsh recommends that businesses enter into signed agreements with telecommuters on exactly how home-based PCs are to be used. This helps establish not only that the business owns it but also how it's to be used and maintained. A number of vendors, including CA with its Remote Unicenter, offer tools to manage Windows-based applications remotely. Sioux Fleming, director of product management at CA, says she has seen insurance companies and other large companies hire third-party technical services to be on call to fix machines when telecommuters have trouble far from corporate headquarters. While most companies deploy anti-virus software on telecommuter PCs, one type of security protection that's often overlooked is adding a desktop firewall, she notes. "Port attacks are a real thing," Fleming points out. "And while people inside the corporate LAN are probably protected at the gateway, people working at home are not." All contents copyright 1995-2005 Network World, Inc. From isn at c4i.org Wed Apr 19 01:45:24 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 19 Apr 2006 00:45:24 -0500 (CDT) Subject: [ISN] Credit card conman used names of tycoons Message-ID: http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2006/04/19/ncon19.xml By Stewart Payne 19/04/2006 A conman assumed the identities of millionaire businessmen whose names he took from magazine rich lists then applied for credit cards in their names. 
Youssef Babbou, 49, milked their bank accounts and travelled the world, staying in luxury hotels, hiring expensive cars, buying Rolex watches, diamonds from De Beers and spending £10,000 in Harrods.

Among the identities he assumed were those of Dennis Bakke, an author and golfing partner of former President Bill Clinton; the boss of a chain of Las Vegas casinos; and an inventor working on the space shuttle programme.

He was arrested in Paris, where he was found to have 17 driving licences in the names of rich Americans and 25 false identities. He served four months for fraud in France and spent six months awaiting extradition to England.

Yesterday he pleaded guilty at Croydon Crown Court to obtaining and attempting to obtain property by deception and obtaining services by deception. The court heard that Babbou, a Tunisian, had carried out frauds in America and had served a sentence in Italy for credit card fraud.

Brendan Morris, prosecuting, said his method was always the same. He would ring an American Express call centre in the US to report the loss of a card. "As a result of being able to provide a certain amount of information, the loser can then specify a location where a replacement card can be provided," he said. "In these cases it was in London."

Jailing Babbou for four years, Judge Stephen Waller said the case did not reflect "the whole criminality" but was sufficient for him to pass sentence. He ordered that Babbou be deported on his release.

Det Insp Roy West said after the case that he believed Babbou had spent more than £500,000 in only five months.

© Copyright of Telegraph Group Limited 2006.

From isn at c4i.org Wed Apr 19 01:45:36 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 19 Apr 2006 00:45:36 -0500 (CDT)
Subject: [ISN] Groundwork for cybersecurity R&D agenda begins
Message-ID:
http://www.fcw.com/article94110-04-18-06-Web
By Aliya Sternstein
Apr.
18, 2006 The Bush administration has drafted a federal plan to improve cybersecurity research and development. Yesterday, the National Science and Technology Council, a Cabinet-level body that coordinates governmentwide science and technology policies, issued a preprint release of the "Federal Plan for Cyber Security and Information Assurance Research and Development." [1] In addressing gaps in the country's current cybersecurity activities, the 121-page report recommends setting R&D priorities and strengthening coordination between agencies and the private sector. The plan also calls for implementing emerging technologies, road maps and metrics. It does not address specific funding levels or budgets. Industry officials and lawmakers had been urging the administration to improve federal cybersecurity and information assurance R&D. Officials are billing this plan as the first step toward developing a federal agenda. Members of more than 20 government organizations prepared the document as part of the Interagency Working Group on Cyber Security and Information Assurance. The report responds to several recent cybersecurity documents, including a memorandum on fiscal 2007 administration R&D budget priorities, a 2005 report by the now-defunct President's Information Technology Advisory Committee (PITAC) and the 2002 Cyber Security Research and Development Act. The budget memo cites cybersecurity R&D as a priority for the $3 billion Federal Networking and Information Technology Research and Development program, along with supercomputing and advanced networking. In announcing yesterday's plan, Bush administration officials said the report sets a framework for multiagency coordination of investments in technologies that can secure the U.S. IT infrastructure more effectively. 
"This country's IT infrastructure - which includes not only the public Internet but also the networking and IT systems that control critical infrastructures ranging from power grids to emergency communications systems - is vital not only to our national and homeland security but to our economic security," said John Marburger III, science adviser to the president and director of the Office of Science and Technology Policy. "This report provides a blueprint for coordination of federal R&D across agencies that will maximize the impact of investments in this key area of the national interest." The 2005 PITAC report, "Cyber Security: A Crisis of Prioritization," characterizes the budget for civilian cybersecurity research as inadequate and recommends that the National Science Foundation's budget for cybersecurity research be increased $90 million annually. PITAC was a congressionally mandated committee made up of industry and academic experts appointed by the president. It expired last June. Yesterday's report states that PITAC's recommendation was one factor that led to the establishment of a federal plan. According to the plan, the top areas where funding is needed are authentication, authorization and trust management; access control and privilege management; attack protection, prevention and pre-emption; wireless security; and software testing and assessment tools. The report recommends that agencies designate representatives to collaborate in developing an interagency R&D road map. The private sector would also contribute to the road map. Other recommendations include assessing "the security implications and the potential impact of R&D results in new information technologies as they emerge in such fields as optical computing, quantum computing and pervasively embedded computing." Comments on the plan are due April 28. 
[1] http://www.nitrd.gov/pubs/csia/FederalPlan_CSIA_RnD.pdf

From isn at c4i.org Wed Apr 19 01:45:47 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 19 Apr 2006 00:45:47 -0500 (CDT)
Subject: [ISN] Japan, U.S. to cooperate in fighting cyber terrorism
Message-ID:
http://mdn.mainichi-msn.co.jp/national/news/20060418p2a00m0na002000c.html
April 18, 2006

The Japanese government on Tuesday decided to sign an agreement with the United States on cooperation against cyber terrorism, government officials said. Japanese Foreign Minister Taro Aso and U.S. Ambassador to Japan Thomas Schieffer will sign an official note on a cooperation framework for sharing information on computer viruses and security measures and equipment, they said.

The Japanese Defense Agency and the U.S. Defense Department will then exchange a memorandum on specific cooperation measures, which are to be carried out by the Defense Agency's Joint Staff Office and the Defense Department's Pacific Command in Hawaii. The deal also prohibits the release of shared information to a third country without written agreement from the other party, the officials said. The United States has signed a similar agreement with five countries including Britain and Australia.

From isn at c4i.org Wed Apr 19 01:45:57 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 19 Apr 2006 00:45:57 -0500 (CDT)
Subject: [ISN] Army carries out country-wide cyber security audit
Message-ID:
http://www.newkerala.com/news2.php?action=fullnews&id=44472
19 Apr 2006

New Delhi, Apr 18: A day after Defence Minister Pranab Mukherjee's call for tightening security procedures, the Army today announced it is carrying out a country-wide cyber security audit by setting up a specialist security establishment. The Army headquarters has also issued a security advisory to all units and set up a specialist cyber security team from the Corps of Signals to carry out a countrywide audit, a top army officer said here.
"The team, besides looking into security shortcomings, had also issued instructions on framing pass phrases instead of passwords for the computers and would carry out hacking operations to check the vigilance of the units," he said.

He said that for the first time the army was now going in for automation of the records of all personnel, and for this 47 centres had been set up. "Almost 80 per cent of the records have now been transferred to computers, carrying the entire data bank on all serving personnel including officers. We hope to have fully automated records by September this year," he said.

The official also said that the army had completed laying optic fibre links to almost all forward posts, particularly in Jammu and Kashmir, and besides this a V-SAT network was coming up to link nearly 139 military stations to provide secure data and voice connections. Besides this, "we have now provided the smallest infantry units with briefcase mobile satellite terminals, which can be carried by soldiers in their backpacks."

From isn at c4i.org Fri Apr 21 05:48:58 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 21 Apr 2006 04:48:58 -0500 (CDT)
Subject: [ISN] VM, VPS, and User Training
Message-ID:

====================
This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Symantec
http://list.windowsitpro.com/t?ctl=276E2:4FB69

Macrovision
http://list.windowsitpro.com/t?ctl=276DE:4FB69
====================

1. In Focus: VM, VPS, and User Training
2. Security News and Features
   - Recent Security Vulnerabilities
   - Microsoft To Hold Five Security Summits
   - Oracle Slip-Up Results in Leaked Exploit Information
   - Geek Squad Gets Slapped with Restraining Order
3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Instant Poll
   - Share Your Security Tips
4.
New and Improved - Remove Malware Remotely ==================== ==== Sponsor: Symantec ==== A multi-tier approach to email security prevents unauthorized access and can stop spam, viruses, and phishing attacks. Learn to implement one today, and protect your network security and business systems! http://list.windowsitpro.com/t?ctl=276E2:4FB69 ==================== ==== 1. In Focus: VM, VPS, and User Training ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Last week, I discussed how virtual machines (VMs) might become standard on computers. As a brief recap, virtualization technology could provide an effective way to ensure the integrity of desktop computers, particularly because it makes restoring a compromised system quick and easy: Simply shut down the VM and relaunch it. If you consider implementing this type of solution, you should also consider running different OSs on the under- and overlying systems. Doing so will probably improve overall security more than if you, say, run a Windows-based VM (typically called the guest OS) on top of another Windows-based OS (typically called the host OS). Exploiting the vulnerabilities of two OSs and their related applications is more difficult than compromising one. You could, for example, run some variety of Linux or BSD or possibly Mac OS X or Solaris as the host OS and run Windows as a VM. This way, if an intruder is able to compromise Windows, you can quickly clean up that problem; in order to compromise the entire system, the intruder would need to know which OS runs as the host underneath Windows and be able to exploit that OS too. Of course, the downside of this approach is that you'd have two OSs to maintain, plus the expense of licensing the host OS if you don't use an open source OS. Last week, I mentioned Microsoft Virtual Server 2005 R2, VMware, and Parallels Workstation as virtualization solutions. 
Serenity Virtual Station (SVISTA) from Serenity System International allows both Linux and FreeBSD as host OSs and can run Windows, Linux, and Serenity's eComStation as guest OSs.
http://list.windowsitpro.com/t?ctl=276F6:4FB69

Finally, another virtualization solution that I didn't mention last week is called virtual private servers (VPSs). Don't mistake VPSs for VMs--there are important differences. In short, VPS technology doesn't let you mix different host and guest OSs. A true VM virtualizes the hardware, so each guest boots and runs its own kernel; VPS technology works at the software level, carving isolated environments out of one running OS, so every VPS on a host shares that host's kernel. So for example, if you use VPS technology on a Windows XP system, each VPS you create on that system will be based on that single installed copy of XP. That shared kernel is the security trade-off to weigh: a kernel vulnerability reachable from inside one VPS exposes the host and every other VPS on it, and the two-OSs-to-exploit advantage described above for a Windows guest on a non-Windows host does not apply.

If you think you might be interested in VPS technology, have a look at Virtuozzo from SWsoft (first URL below), which runs on Windows and Linux. If you use Solaris, you might know that it has VPS support built in (Solaris Zones). Other VPS solutions are also available for Linux via the Linux-VServer Web site (at the second URL below) and BSD via BSD jails (which you can learn about at the third URL below).
http://list.windowsitpro.com/t?ctl=276F3:4FB69
http://list.windowsitpro.com/t?ctl=276F8:4FB69
http://list.windowsitpro.com/t?ctl=276F4:4FB69

Virtualization technology goes a long way towards building better security and can help protect users from themselves. Another way to help end users improve company security is to train them. Last week, CompTIA said that based on a recent survey of 574 companies, human error was responsible for 60 percent of information security breaches experienced over the last year. Yet only 36 percent of the surveyed companies offer end-user training! It is glaringly apparent that end users need training to help raise their security awareness. I seriously doubt that any combination of technologies could reasonably replace thorough education.
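Returning to the VM-versus-VPS distinction drawn above: the practical question on an unfamiliar box is which layer you are inside, because that decides whether a kernel bug is contained by a hypervisor or reaches every neighbour on a shared kernel. The script below is an added example written for this newsletter, not code from Security UPDATE or from any product named in it. It reads indicators that real Linux guests expose: the envID and VxID fields that OpenVZ/Virtuozzo and Linux-VServer add to /proc/self/status, the cgroup and /.dockerenv marks left by newer container runtimes, and the DMI product name and CPUID "hypervisor" flag that hardware VMs show. The sample snapshots at the bottom are constructed. Solaris Zones and BSD jails need their own checks (the zonename command and the security.jail.jailed sysctl) and are out of scope here.

```python
"""Tell hardware virtualization (a VM) from OS-level virtualization (a VPS),
from inside the system being inspected.

Added example for this newsletter; it is not code from Security UPDATE,
SWsoft, Linux-VServer or any other product named there.  The file paths and
markers are ones real Linux systems expose; the sample inputs at the bottom
are constructed, not captured from real hosts.
"""
import re

# Strings hypervisors place in the guest's DMI/SMBIOS product name.
HYPERVISOR_PRODUCTS = ("vmware", "virtualbox", "kvm", "qemu", "xen",
                       "bochs", "virtual machine")
# Path fragments that OS-level isolation layers leave in /proc/1/cgroup.
CONTAINER_CGROUP_MARKERS = ("/docker/", "/lxc/", "/machine.slice/", "/kubepods")

PATHS = ("/proc/self/status", "/proc/1/cgroup", "/.dockerenv",
         "/sys/class/dmi/id/product_name", "/proc/cpuinfo")


def classify(files):
    """Return 'vps', 'vm' or 'bare-metal' for a snapshot of the files above.

    files maps a path to its text, or to None when it does not exist.  The
    VPS checks run first: a container may itself sit inside a VM, and the
    shared-kernel layer is the one that decides what a kernel exploit reaches.
    """
    status = files.get("/proc/self/status") or ""
    # OpenVZ/Virtuozzo tag each process with envID, Linux-VServer with VxID;
    # both are 0 on the host and non-zero inside a guest.
    for key in ("envID", "VxID"):
        m = re.search(r"^%s:\s*(\d+)" % key, status, re.M)
        if m and int(m.group(1)) != 0:
            return "vps"
    if files.get("/.dockerenv") is not None:        # the file exists at all
        return "vps"
    cgroup = files.get("/proc/1/cgroup") or ""
    if any(marker in cgroup for marker in CONTAINER_CGROUP_MARKERS):
        return "vps"
    product = (files.get("/sys/class/dmi/id/product_name") or "").lower()
    if any(name in product for name in HYPERVISOR_PRODUCTS):
        return "vm"
    cpuinfo = files.get("/proc/cpuinfo") or ""
    # CPUID leaf 1 bit 31 is set by hypervisors; Linux lists it as "hypervisor".
    if re.search(r"^flags\s*:.*\bhypervisor\b", cpuinfo, re.M):
        return "vm"
    return "bare-metal"


def read_live():
    """Snapshot the real files on this host; unreadable ones map to None."""
    out = {}
    for path in PATHS:
        try:
            with open(path, errors="replace") as fh:
                out[path] = fh.read()
        except OSError:
            out[path] = None
    return out


# Constructed samples (not captured from real systems).
SAMPLE_VSERVER_GUEST = {
    "/proc/self/status": "Name:\tsshd\nVxID:\t1001\n",
    "/proc/1/cgroup": "1:name=systemd:/\n",
    "/.dockerenv": None,
    "/sys/class/dmi/id/product_name": None,
    "/proc/cpuinfo": "flags\t\t: fpu pae sse2\n",
}
SAMPLE_OPENVZ_HOST = dict(SAMPLE_VSERVER_GUEST)
SAMPLE_OPENVZ_HOST["/proc/self/status"] = "Name:\tbash\nenvID:\t0\n"
SAMPLE_VMWARE_GUEST = {
    "/proc/self/status": "Name:\tbash\n",
    "/proc/1/cgroup": "1:name=systemd:/init.scope\n",
    "/.dockerenv": None,
    "/sys/class/dmi/id/product_name": "VMware Virtual Platform\n",
    "/proc/cpuinfo": "flags\t\t: fpu pae sse2 hypervisor\n",
}
SAMPLE_DOCKER_IN_KVM = {
    "/proc/self/status": "Name:\tsh\n",
    "/proc/1/cgroup": "0::/docker/0123456789abcdef\n",
    "/.dockerenv": "",
    "/sys/class/dmi/id/product_name": "KVM\n",
    "/proc/cpuinfo": "flags\t\t: fpu pae sse2 hypervisor\n",
}

if __name__ == "__main__":
    for name, snap in (("VServer guest", SAMPLE_VSERVER_GUEST),
                       ("OpenVZ host", SAMPLE_OPENVZ_HOST),
                       ("VMware guest", SAMPLE_VMWARE_GUEST),
                       ("Docker in KVM", SAMPLE_DOCKER_IN_KVM)):
        print("%-14s -> %s" % (name, classify(snap)))
    print("%-14s -> %s" % ("this system", classify(read_live())))
```

Run it as a script and it prints the verdict for each constructed snapshot and then for the host it is running on. The ordering of the checks is the point: a Docker container inside a KVM guest is reported as "vps" even though the DMI string says KVM, because the kernel the container shares is the layer an attacker in that container would hit first.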
Chances are great that if more end users received security-related training, security breaches could be significantly reduced. This of course saves time and money and helps protect your business at all levels, including its important public image. Although some aspects of end-user training need to be tailored to fit your particular business, many aspects can be generalized to fit nearly any business that uses Microsoft products. I'll see if I can dig up some useful training resources that might help you review or augment your existing training or develop new training if you don't have any in place. Look for this information in an upcoming edition of this newsletter. ==================== ==== Sponsor: Macrovision ==== Strategically manage your organization's software licenses with a 5- step program to help save time and cut costs by centralizing licensing operations. http://list.windowsitpro.com/t?ctl=276DE:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=276E5:4FB69 Microsoft To Hold Five Security Summits Microsoft announced that it's hosting a series of one-day security events in five US cities tailored for IT pros and developers. The series, Security Matters--Microsoft Security Summits 2006, are intended to teach people about key trends as well as how to prepare for those trends and to offer an opportunity to discuss security issues with experts from the company. http://list.windowsitpro.com/t?ctl=276EC:4FB69 Oracle Slip-Up Results in Leaked Exploit Information Vendors typically frown upon the premature publication of vulnerability and exploit information, and usually the discoverer is the source of the leak. 
But recently Oracle was the source of a leak about a vulnerability, including a working exploit, in its popular Oracle Database server product. http://list.windowsitpro.com/t?ctl=276EA:4FB69 Geek Squad Gets Slapped with Restraining Order You'd think that a megacorporation would know better than to use unlicensed software. But if employee reports are true, then Best Buy's Geek Squad committed a major faux pas that has landed the company in some very hot water. http://list.windowsitpro.com/t?ctl=276EB:4FB69 ==================== ==== Resources and Events ==== Gain control of your messaging data with step-by-step instructions for complying with the law, ensuring your systems are working properly, and ultimately making your job easier. http://list.windowsitpro.com/t?ctl=276E3:4FB69 Industry guru Randy Franklin Smith helps you identify what you should do to leverage your mobile and wireless infrastructure, how to pick devices that are right for you, and more! http://list.windowsitpro.com/t?ctl=276E0:4FB69 Learn about the advantages of each alternative to traditional file servers and tape storage solutions, and make the best choice for your enterprise needs. http://list.windowsitpro.com/t?ctl=276DF:4FB69 Learn to gather evidence of compliance across multiple systems and link the data to regulatory and framework control objectives. http://list.windowsitpro.com/t?ctl=276DD:4FB69 Learn how application packaging can cut your OS migration time while maintaining error-free deployment. http://list.windowsitpro.com/t?ctl=276E1:4FB69 ==================== ==== Featured White Paper ==== Secure Your Online Data Transfer with SSL Increase your customers' confidence and your business by securely collecting sensitive information online. In this free white paper you'll learn about the various applications of SSL certificates and how to deploy them appropriately, along with details of how to test SSL on your Web server. 
http://list.windowsitpro.com/t?ctl=276E4:4FB69 ==================== ==== Hot Spot ==== New Activeworx v3 - Affordable SIM from CrossTec Activeworx Security Center v3 is a high-quality, low-cost, security information and event management (SIM) software solution that collects, normalizes and analyzes data from virtually any security device from any vendor. ASC includes real-time correlation and analysis, immediate alerts, built-in compliance reports and deep forensics. Free Eval. http://list.windowsitpro.com/t?ctl=276DC:4FB69 ==================== ==== 3. Security Toolkit ==== Security Matters Blog: A Deeper Look at Microsoft's InfoCard Identity System by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=276F2:4FB69 Microsoft Passport is essentially a flop. However, Microsoft's new identity system, InfoCard, might actually take off. Find out more about it by following the links in this blog article. http://list.windowsitpro.com/t?ctl=276ED:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=276F1:4FB69 Q: Can you use the Microsoft File Server Migration Toolkit (FSMT) to migrate shares between servers in different forests? Find the answer at http://list.windowsitpro.com/t?ctl=276EF:4FB69 New Instant Poll How do your remote employees access your file servers? - VPN (IPsec, PPTP, L2TP, or SSL) - Web-based file-access application - Web Distributed Authoring and Versioning (WebDAV) server See the article "WebDAV for Remote Access" at http://list.windowsitpro.com/t?ctl=276EE:4FB69 Submit your vote at http://list.windowsitpro.com/t?ctl=276F0:4FB69 Share Your Security Tips and Get $100 Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. 
==================== ==== Announcements ==== (from Windows IT Pro and its partners) Exclusive Spring Savings Subscribe to SQL Server Magazine and SAVE 58%! Along with your 12 issues, you'll get FREE access to the entire SQL Server Magazine online article archive, which houses more than 2,300 helpful articles. This is a limited-time offer, so order now: http://list.windowsitpro.com/t?ctl=276E7:4FB69 Save 44% off the Windows IT Security Newsletter For a limited time, order the Windows IT Security newsletter and SAVE up to $80! You'll get 12 helpful issues loaded with endless fundamentals on building and maintaining a secure enterprise, in-depth product coverage of the best security tools available, and expert advice on the best way to implement various security components. Subscribe now: http://list.windowsitpro.com/t?ctl=276E8:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products at windowsitpro.com Remove Malware Remotely IS Decisions has released SweepDeployer, free software which lets you remotely execute on an entire network (or a selection of systems) one of the following malware removal solutions: Microsoft Malicious Software Removal Tool, McAfee AVERT Stinger, or Trend Micro Damage Cleanup Engine. The targeted systems need no agents or manual intervention. You can also schedule SweepDeployer to automatically run the selected tool at regular intervals. SweepDeployer is based on IS Decisions RemoteExec technology. For more information, go to http://list.windowsitpro.com/t?ctl=276F7:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com. 
====================
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=276F5:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
====================
This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=276E9:4FB69
View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All rights reserved.

From isn at c4i.org Fri Apr 21 05:49:38 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 21 Apr 2006 04:49:38 -0500 (CDT)
Subject: [ISN] Open source approach reshapes intelligence-gathering
Message-ID:
Forwarded from: William Knowles
http://www.washingtontechnology.com/news/1_1/daily_news/28411-1.html
By Alice Lipowicz
Staff Writer
04/19/06

New forms of intelligence-gathering - including the availability of open-source information on the Internet - are becoming increasingly important for fighting terrorism and may even reduce the need for more traditional collection efforts, according to a new report [1] from the Congressional Research Service.

The report, titled "Intelligence Issues for Congress," outlines the challenges in intelligence-gathering, analysis and dissemination facing the director of national intelligence and the 15 other federal intelligence agencies in the post-9/11 era, with a large part of the activity focused on counterterrorism.
While the intelligence community traditionally has relied on signals, imagery and human intelligence, there is now a growing interest in open-source intelligence (OSINT) as well as in measurement and signature intelligence (MASINT), the report said. OSINT refers to an intelligence-gathering approach based on analyzing information collected from open sources, namely information available to the general public.

The rising dependence on open sourcing is partly due to a requirement for a broad range of information about many regions and subjects throughout the world, instead of the former concentration on military and political issues in a small number of countries, the report said. The need for translation and analysis has increased as well.

"Many observers believe that intelligence agencies should be more aggressive in using OSINT; some believe that the availability of OSINT may even reduce the need for certain collection efforts," the report stated.

Another intelligence discipline receiving greater emphasis in recent years is MASINT, which is a highly technical discipline used by the Defense Intelligence Agency and others in which complex analytical refinements are applied to information collected by signals intelligence and geospatial imagery.

"A key problem has been retaining personnel with expertise in MASINT systems who are offered more remunerative positions in private industry," the report said.

[1] http://www.fas.org/sgp/crs/intel/IB10012.pdf

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M.
Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Fri Apr 21 05:49:54 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 21 Apr 2006 04:49:54 -0500 (CDT) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-16 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2006-04-13 - 2006-04-20 This week: 80 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. 
Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

21 vulnerabilities have been reported in Firefox, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, and potentially compromise a user's system. Apparently, a number of these vulnerabilities have been fixed in the Firefox 1.5 branch since October 2005 but have only just been fixed in the 1.0 branch with the release of version 1.0.8. Many of these vulnerabilities also affect the Mozilla Suite and have not yet been patched.

Reference:
http://secunia.com/SA19631
http://secunia.com/SA18703

--

Multiple vulnerabilities have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to conduct SQL injection attacks or compromise a vulnerable system. This advisory currently has a status of partial fix due to lack of patches for all products to fix one of the vulnerabilities.

Reference:
http://secunia.com/SA19712

--

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA19631] Firefox Multiple Vulnerabilities
2. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
3. [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
4. [SA19698] Firefox "View Image" Local Resource Linking Weakness
5. [SA19649] Mozilla SeaMonkey Multiple Vulnerabilities
6. [SA19644] Ubuntu Updates for Multiple Packages
7. [SA19676] Avaya CMS / IR Sendmail Memory Corruption Vulnerability
8. [SA19642] Sphider "settings_dir" File Inclusion Vulnerability
9. [SA19653] PAJAX Arbitrary Code Execution Vulnerabilities
10.
[SA19663] Novell GroupWise Messenger Accept-Language Buffer Overflow ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA19662] Web+Shop "storeid" Full Path Disclosure Weakness UNIX/Linux: [SA19746] Ubuntu update for firefox [SA19729] Red Hat update for mozilla [SA19714] Fedora update for firefox [SA19696] Red Hat update for firefox [SA19692] Debian update for horde2 [SA19690] Sysinfoscript sysinfo.cgi Shell Command Injection and Path Disclosure [SA19676] Avaya CMS / IR Sendmail Memory Corruption Vulnerability [SA19671] Xine Playlist File Path Format String Vulnerability [SA19707] xFlow Multiple Vulnerabilities [SA19694] PHP Net Tools "host" Shell Command Injection Vulnerability [SA19691] Gentoo update for cacti [SA19674] Empire Server Unspecified Vulnerabilities [SA19718] BannerFarm banners.cgi Cross-Site Scripting Vulnerability [SA19667] CommuniMail Multiple Cross-Site Scripting Vulnerabilities [SA19658] Gentoo update for libapreq2 [SA19735] Fedora update for kernel [SA19683] avast! 
Insecure Temporary File Creation [SA19682] Symantec LiveUpdate for Machintosh Privilege Escalation [SA19675] Debian update for fcheck [SA19664] Linux Kernel Shared Memory Restrictions Bypass [SA19657] Linux Kernel Shared Memory Restrictions Bypass [SA19656] IBM AIX rm_mlcache_file Arbitrary File Overwrite [SA19724] Linux Kernel x87 Register Information Leak [SA19716] Avaya CMS / IR "/proc" Denial of Service [SA19715] FreeBSD FPU x87 Register Information Leak [SA19709] Linux Kernel "ip_route_input()" Denial of Service Vulnerability [SA19687] Debian update for bsdgames Other: [SA19740] Cisco IOS XR MPLS Denial of Service Vulnerabilities Cross Platform: [SA19743] ActualAnalyzer "rf" File Inclusion Vulnerability [SA19730] TotalCalendar "inc_dir" File Inclusion Vulnerability [SA19728] RechnungsZentrale V2 Multiple Vulnerabilities [SA19726] Internet Photoshow "page" File Inclusion Vulnerability [SA19712] Oracle Products Multiple Vulnerabilities [SA19688] Monster Top List File Inclusion and Cross-Site Scripting Vulnerabilities [SA19684] I-Rater Platinum "include_path" Parameter File Inclusion Vulnerability [SA19680] myEvent Multiple Vulnerabilities [SA19670] Amaya Attribute Value Buffer Overflow Vulnerabilities [SA19666] Censtore "page" Shell Command Injection Vulnerability [SA19653] PAJAX Arbitrary Code Execution Vulnerabilities [SA19649] Mozilla SeaMonkey Multiple Vulnerabilities [SA19719] LinPHA Cross-Site Scripting and SQL Injection Vulnerabilities [SA19706] phpWebFTP "language" Local File Inclusion [SA19705] phpGraphy "editwelcome" Authentication Bypass [SA19703] Neuron Blog Multiple Vulnerabilities [SA19700] betaboard "FormVal_profile" Profile Script Insertion [SA19699] LifeType ADOdb "server.php" Insecure Test Script Security Issue [SA19697] warforge.NEWS Multiple Vulnerabilities [SA19689] PowerClan "memberid" SQL Injection Vulnerability [SA19678] Black Orpheus ClanMemberSkript "userID" SQL Injection [SA19677] Fuju News Authentication Bypass and SQL Injection 
[SA19672] Musicbox Script Insertion and SQL Injection Vulnerabilities
[SA19669] Dubelu PhpGuestbook Comment Script Insertion Vulnerability
[SA19668] MyBB Cross-Site Scripting and Variable Manipulation
Vulnerabilities
[SA19665] Coppermine Photo Gallery "file" Local File Inclusion
Vulnerability
[SA19661] PHP Album "data_dir" File Inclusion Vulnerability
[SA19650] Article Publisher Pro SQL Injection Vulnerabilities
[SA19647] phpWebSite "hub_dir" Local File Inclusion Vulnerability
[SA19645] MODx Cross-Site Scripting and Directory Traversal
[SA19663] Novell GroupWise Messenger Accept-Language Buffer Overflow
[SA19725] AWStats "config" Cross-Site Scripting and Full Path
Disclosure
[SA19720] Plexum X5 "plexum.php" SQL Injection Vulnerability
[SA19711] bMachine Search Feature Cross-Site Scripting
[SA19710] Calendarix "ycyear" Cross-Site Scripting Vulnerability
[SA19704] ShoutBOOK Multiple Script Insertion Vulnerabilities
[SA19701] IntelliLink Pro Multiple Cross-Site Scripting Vulnerabilities
[SA19695] KCScripts Portal Pack Multiple Cross-Site Scripting
Vulnerabilities
[SA19685] PMTool "order" SQL Injection Vulnerabilities
[SA19681] planetSearch+ "search_exp" Cross-Site Scripting Vulnerability
[SA19679] LinPHA Cross-Site Scripting Vulnerabilities
[SA19673] Bitweaver "error" Cross-Site Scripting Vulnerability
[SA19660] TinyWebGallery "twg_album" Cross-Site Scripting Vulnerability
[SA19659] phpMyAdmin "sql_query" Cross-Site Scripting and SQL Code
Execution
[SA19655] Visale Cross-Site Scripting Vulnerabilities
[SA19654] Boardsolution "keyword" Cross-Site Scripting Vulnerability
[SA19652] phpFaber TopSites "page" Cross-Site Scripting Vulnerability
[SA19651] Net Clubs Pro Multiple Cross-Site Scripting Vulnerabilities
[SA19648] FarsiNews "selected_search_arch" Cross-Site Scripting
[SA19646] LifeType Template "show" Cross-Site Scripting Vulnerability
[SA19698] Firefox "View Image" Local Resource Linking Weakness
========================================================================

5) Vulnerabilities Content Listing

Windows:
--

[SA19662] Web+Shop "storeid" Full Path Disclosure Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2006-04-14

Revnic Vasile has reported a weakness in Web+Shop, which can be
exploited by malicious people to disclose system information.

Full Advisory:
http://secunia.com/advisories/19662/

UNIX/Linux:
--

[SA19746] Ubuntu update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure
             of sensitive information, DoS, System access
Released:    2006-04-20

Ubuntu has issued an update for firefox. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service), conduct cross-site scripting and phishing
attacks, bypass certain security restrictions, disclose sensitive
information, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19746/

--

[SA19729] Red Hat update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure
             of sensitive information, DoS, System access
Released:    2006-04-19

Red Hat has issued an update for mozilla. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting and phishing attacks, bypass certain security
restrictions, disclose sensitive information, and potentially
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19729/

--

[SA19714] Fedora update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure
             of sensitive information, DoS, System access
Released:    2006-04-19

Fedora has issued an update for firefox.
This fixes some vulnerabilities, which can be exploited by malicious
people to conduct cross-site scripting and phishing attacks, bypass
certain security restrictions, disclose sensitive information, and
potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19714/

--

[SA19696] Red Hat update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure
             of sensitive information, DoS, System access
Released:    2006-04-17

Red Hat has issued an update for firefox. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting and phishing attacks, bypass certain security
restrictions, disclose sensitive information, and potentially
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19696/

--

[SA19692] Debian update for horde2

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2006-04-17

Debian has issued an update for horde2. This fixes two
vulnerabilities, which can be exploited by malicious people to disclose
sensitive information and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19692/

--

[SA19690] Sysinfoscript sysinfo.cgi Shell Command Injection and Path
Disclosure

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, System access
Released:    2006-04-17

rgod has reported a vulnerability and a weakness in Sysinfoscript,
which can be exploited by malicious people to disclose system
information or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19690/

--

[SA19676] Avaya CMS / IR Sendmail Memory Corruption Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-14

Avaya has acknowledged a vulnerability in Avaya CMS and Avaya IR, which
can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19676/

--

[SA19671] Xine Playlist File Path Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-19

c0ntex has reported a vulnerability in xine-ui, which potentially can
be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19671/

--

[SA19707] xFlow Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-19

r0t has reported multiple vulnerabilities in xFlow, which can be
exploited by malicious users to conduct SQL injection attacks and by
malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19707/

--

[SA19694] PHP Net Tools "host" Shell Command Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-19

FOX_MULDER has discovered a vulnerability in PHP Net Tools, which
potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/19694/

--

[SA19691] Gentoo update for cacti

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
             data, Exposure of system information, System access
Released:    2006-04-17

Gentoo has issued an update for cacti. This fixes two security issues
and some vulnerabilities, which can be exploited by malicious people to
disclose system information, conduct cross-site scripting attacks,
execute arbitrary SQL code, and potentially compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/19691/

--

[SA19674] Empire Server Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-04-18

Some vulnerabilities with unknown impacts have been reported in Empire
Server.
Full Advisory:
http://secunia.com/advisories/19674/

--

[SA19718] BannerFarm banners.cgi Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-19

r0t has reported a vulnerability in BannerFarm, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19718/

--

[SA19667] CommuniMail Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-19

r0t has reported some vulnerabilities in CommuniMail, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19667/

--

[SA19658] Gentoo update for libapreq2

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-04-18

Gentoo has issued an update for libapreq2. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/19658/

--

[SA19735] Fedora update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Exposure of sensitive information, DoS
Released:    2006-04-20

Fedora has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
cause a DoS (Denial of Service), gain knowledge of potentially
sensitive information, or bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19735/

--

[SA19683] avast! Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-04-18

Julian L. has reported a vulnerability in avast! Linux Home Edition,
which can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/19683/

--

[SA19682] Symantec LiveUpdate for Macintosh Privilege Escalation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-04-18

A vulnerability has been reported in Symantec LiveUpdate for Macintosh,
which can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/19682/

--

[SA19675] Debian update for fcheck

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-04-17

Debian has issued an update for fcheck. This fixes a vulnerability,
which can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/19675/

--

[SA19664] Linux Kernel Shared Memory Restrictions Bypass

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-04-19

A vulnerability has been reported in Linux Kernel, which can be
exploited by malicious, local users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/19664/

--

[SA19657] Linux Kernel Shared Memory Restrictions Bypass

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-04-19

A vulnerability has been reported in Linux Kernel, which can be
exploited by malicious, local users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/19657/

--

[SA19656] IBM AIX rm_mlcache_file Arbitrary File Overwrite

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data
Released:    2006-04-18

A vulnerability has been reported in AIX, which can be exploited by
malicious, local users to perform certain actions with escalated
privileges.
Full Advisory:
http://secunia.com/advisories/19656/

--

[SA19724] Linux Kernel x87 Register Information Leak

Critical:    Not critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-04-19

A security issue has been reported in Linux Kernel, which can be
exploited by malicious, local users to gain knowledge of potentially
sensitive information.

Full Advisory:
http://secunia.com/advisories/19724/

--

[SA19716] Avaya CMS / IR "/proc" Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-04-18

Avaya has acknowledged a vulnerability in Avaya CMS and Avaya IR, which
can be exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/19716/

--

[SA19715] FreeBSD FPU x87 Register Information Leak

Critical:    Not critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-04-19

A security issue has been reported in FreeBSD, which can be exploited
by malicious, local users to gain knowledge of potentially sensitive
information.

Full Advisory:
http://secunia.com/advisories/19715/

--

[SA19709] Linux Kernel "ip_route_input()" Denial of Service
Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-04-19

A vulnerability has been reported in Linux Kernel, which can be
exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19709/

--

[SA19687] Debian update for bsdgames

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-04-17

Debian has issued an update for bsdgames. This fixes a vulnerability,
which can be exploited by malicious, local users to gain escalated
privileges.
Full Advisory:
http://secunia.com/advisories/19687/

Other:
--

[SA19740] Cisco IOS XR MPLS Denial of Service Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-04-20

Three vulnerabilities have been reported in Cisco IOS XR, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19740/

Cross Platform:
--

[SA19743] ActualAnalyzer "rf" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-20

Aesthetico has reported a vulnerability in ActualAnalyzer, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19743/

--

[SA19730] TotalCalendar "inc_dir" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-19

VietMafia has reported a vulnerability in TotalCalendar, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19730/

--

[SA19728] RechnungsZentrale V2 Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2006-04-19

GroundZero Security Research has discovered some vulnerabilities in
RechnungsZentrale V2, which can be exploited by malicious people to
conduct SQL injection attacks and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19728/

--

[SA19726] Internet Photoshow "page" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-19

Hessam-x has discovered a vulnerability in Internet Photoshow, which
can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19726/

--

[SA19712] Oracle Products Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Unknown, Manipulation of data, System access
Released:    2006-04-19

Multiple vulnerabilities have been reported in various Oracle products.
Some have an unknown impact, and others can be exploited to conduct SQL
injection attacks or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19712/

--

[SA19688] Monster Top List File Inclusion and Cross-Site Scripting
Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-04-17

Two vulnerabilities have been reported in Monster Top List, which can
be exploited by malicious people to conduct cross-site scripting
attacks and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19688/

--

[SA19684] I-Rater Platinum "include_path" Parameter File Inclusion
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-20

VietMafia has reported a vulnerability in I-Rater Platinum, which can
be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19684/

--

[SA19680] myEvent Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, System access
Released:    2006-04-18

Some vulnerabilities have been discovered in myEvent, which can be
exploited by malicious users to conduct script insertion and SQL
injection attacks, and by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/19680/

--

[SA19670] Amaya Attribute Value Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-14

Thomas Waldegger has discovered two vulnerabilities in Amaya, which can
be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/19670/

--

[SA19666] Censtore "page" Shell Command Injection Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-17

FOX_MULDER has reported a vulnerability in Censtore, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19666/

--

[SA19653] PAJAX Arbitrary Code Execution Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-14

RedTeam has reported two vulnerabilities in PAJAX, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19653/

--

[SA19649] Mozilla SeaMonkey Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, System
             access
Released:    2006-04-14

Multiple vulnerabilities have been reported in Mozilla SeaMonkey, which
can be exploited by malicious people to bypass certain security
restrictions, disclose sensitive information, and compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/19649/

--

[SA19719] LinPHA Cross-Site Scripting and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-19

Some vulnerabilities have been reported in LinPHA, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/19719/

--

[SA19706] phpWebFTP "language" Local File Inclusion

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-04-18

arko.dhar has discovered a vulnerability in phpWebFTP, which can be
exploited by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/19706/

--

[SA19705] phpGraphy "editwelcome" Authentication Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-04-18

rgod has discovered a vulnerability in phpGraphy, which can be
exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19705/

--

[SA19703] Neuron Blog Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-19

Some vulnerabilities have been discovered in Neuron Blog, which can be
exploited by malicious people to conduct script insertion attacks and
SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19703/

--

[SA19700] betaboard "FormVal_profile" Profile Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-18

Simon MOREL has reported a vulnerability in betaboard, which can be
exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19700/

--

[SA19699] LifeType ADOdb "server.php" Insecure Test Script Security
Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2006-04-19

A security issue has been discovered in LifeType, which can be
exploited by malicious people to execute arbitrary SQL code and
potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19699/

--

[SA19697] warforge.NEWS Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-19

Some vulnerabilities have been discovered in warforge.NEWS, which can
be exploited by malicious users to conduct script insertion attacks,
and by malicious people to conduct script insertion attacks and SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/19697/

--

[SA19689] PowerClan "memberid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-17

d4igoro has reported a vulnerability in PowerClan, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19689/

--

[SA19678] Black Orpheus ClanMemberSkript "userID" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-19

snatcher has discovered a vulnerability in Black Orpheus
ClanMemberSkript, which can be exploited by malicious people to conduct
SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19678/

--

[SA19677] Fuju News Authentication Bypass and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-04-17

snatcher has reported two vulnerabilities in Fuju News, which can be
exploited by malicious people to bypass certain security restrictions
and conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19677/

--

[SA19672] Musicbox Script Insertion and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-17

r0t has reported some vulnerabilities in Musicbox, which can be
exploited by malicious people to conduct script insertion and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/19672/

--

[SA19669] Dubelu PhpGuestbook Comment Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-19

r0t has discovered a vulnerability in Dubelu PhpGuestbook, which can be
exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/19669/

--

[SA19668] MyBB Cross-Site Scripting and Variable Manipulation
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-04-18

Two vulnerabilities have been reported in MyBB, which can be exploited
by malicious people to conduct cross-site scripting and SQL injection
attacks, and manipulate certain information.

Full Advisory:
http://secunia.com/advisories/19668/

--

[SA19665] Coppermine Photo Gallery "file" Local File Inclusion
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-04-19

imei addmimistrator has discovered a vulnerability in Coppermine Photo
Gallery, which can be exploited by malicious people to disclose
sensitive information.

Full Advisory:
http://secunia.com/advisories/19665/

--

[SA19661] PHP Album "data_dir" File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-18

rgod has discovered a vulnerability in PHP Album, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19661/

--

[SA19650] Article Publisher Pro SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-19

Two vulnerabilities have been reported in Article Publisher Pro, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19650/

--

[SA19647] phpWebSite "hub_dir" Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2006-04-17

rgod has reported a vulnerability in phpWebSite, which can be exploited
by malicious people to disclose sensitive information and potentially
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19647/

--

[SA19645] MODx Cross-Site Scripting and Directory Traversal

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2006-04-18

Rusydi Hasan M has reported two vulnerabilities in MODx, which can be
exploited by malicious people to conduct cross-site scripting attacks
and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/19645/

--

[SA19663] Novell GroupWise Messenger Accept-Language Buffer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-04-14

A vulnerability has been reported in Novell GroupWise Messenger, which
can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19663/

--

[SA19725] AWStats "config" Cross-Site Scripting and Full Path
Disclosure

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-04-19

r0t has discovered a vulnerability in AWStats, which can be exploited
by malicious people to disclose system information and conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19725/

--

[SA19720] Plexum X5 "plexum.php" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-19

r0t has reported a vulnerability in Plexum X5, which can be exploited
by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19720/

--

[SA19711] bMachine Search Feature Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-18

almokanna has reported a vulnerability in bMachine, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19711/

--

[SA19710] Calendarix "ycyear" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-18

botan has reported a vulnerability in Calendarix, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19710/

--

[SA19704] ShoutBOOK Multiple Script Insertion Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-18

Some vulnerabilities have been discovered in ShoutBOOK, which can be
exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19704/

--

[SA19701] IntelliLink Pro Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-19

r0t has reported some vulnerabilities in IntelliLink Pro, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19701/

--

[SA19695] KCScripts Portal Pack Multiple Cross-Site Scripting
Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-20

r0t has reported some vulnerabilities in KCScripts Portal Pack, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/19695/

--

[SA19685] PMTool "order" SQL Injection Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-19

Pratiksha Doshi has discovered some vulnerabilities in PMTool, which
can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19685/

--

[SA19681] planetSearch+ "search_exp" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-17

d4igoro has reported a vulnerability in planetSearch+, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19681/

--

[SA19679] LinPHA Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-19

d4igoro has discovered some vulnerabilities in LinPHA, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19679/

--

[SA19673] Bitweaver "error" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-17

KaDaL-X has reported a vulnerability in Bitweaver, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19673/

--

[SA19660] TinyWebGallery "twg_album" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-17

Qex has reported a vulnerability in TinyWebGallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19660/

--

[SA19659] phpMyAdmin "sql_query" Cross-Site Scripting and SQL Code
Execution

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2006-04-17

p0w3r has discovered a vulnerability in phpMyAdmin, which can be
exploited by malicious people to conduct cross-site scripting attacks
and execute arbitrary SQL code.
Full Advisory: http://secunia.com/advisories/19659/ -- [SA19655] Visale Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-04-19 r0t has reported some vulnerabilities in Visale, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19655/ -- [SA19654] Boardsolution "keyword" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting, Exposure of system information Released: 2006-04-19 Qex has reported a vulnerability in Boardsolution, which can be exploited by malicious people to disclose system information and conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19654/ -- [SA19652] phpFaber TopSites "page" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-04-19 botan has discovered a vulnerability in phpFaber TopSites, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19652/ -- [SA19651] Net Clubs Pro Multiple Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-04-20 r0t has reported some vulnerabilities in Net Clubs Pro, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19651/ -- [SA19648] FarsiNews "selected_search_arch" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting, Exposure of system information Released: 2006-04-19 R at 1D3N has discovered a vulnerability in FarsiNews, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory:
http://secunia.com/advisories/19648/

--

[SA19646] LifeType Template "show" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-17

cR45H3R has reported a vulnerability in LifeType, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19646/

--

[SA19698] Firefox "View Image" Local Resource Linking Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-04-18

Eric Foley has discovered a weakness in Firefox, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19698/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Apr 21 05:48:21 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 21 Apr 2006 04:48:21 -0500 (CDT)
Subject: [ISN] 18-year-old 'tech genius' accused of changing grades in school computers
Message-ID:

http://www.palmbeachpost.com/pbcsouth/content/local_news/epaper/2006/04/21/m1a_HACKER_0421.html

By Rani Gupta
Palm Beach Post Staff Writer
April 21, 2006

An 18-year-old student known as a "technological genius" has been charged with felony computer fraud after police say he used employee passwords to change his friends' grades, erase suspensions from their records and give himself credit for classes he didn't take.
Jeff Yorston, until recently a student at the Dreyfoos School of the Arts, allegedly changed eight students' grades over the past two years, using computer IDs and passwords from four school district employees, according to an arrest report.

The eight students, including Yorston and his brother, attended Dreyfoos, Spanish River, Olympic Heights and Forest Hill high schools.

Yorston, now a senior at West Boca Raton, allegedly accessed the school district's computer system to delete records of suspensions of two students, along with related school absences. School police say Yorston gave himself an A in a French class he never took and gave himself credits usually reserved for varsity athletes to miss gym class.

While under suspicion, he tried to monitor the investigation by obtaining the passwords of employees looking into the grade changes and asked a friend to read their e-mails, the report states.

Yorston, who lives in Boca Raton, was booked into the Palm Beach County Jail Wednesday on a charge of offense against intellectual property, a second-degree felony. He was released later that day on $5,000 bond.

Yorston wanted to attend the Massachusetts Institute of Technology and, according to one teacher, was to interview with philanthropist Alex Dreyfoos Jr. to get his help.

Yorston's involvement surprised Dreyfoos junior Sam Natale, who described Yorston as "very hard-working, smart, very nice, with a good sense of humor."

"The interesting thing is that he got such good grades on his own," he said. "I don't know why he'd change his own grades."

Natale said he doesn't believe Yorston should be tried as an adult because he was a minor at the time of his alleged crimes, and said classmates are pulling for Yorston.

"We all care a whole lot about Jeff," he said.

Yorston isn't the first student accused of gaining access to supposedly secure records on the school district's computer network.

The police report is unclear on how Yorston got the passwords of the workers, including an information technology employee with high-level computer privileges, two data processors and a Dreyfoos assistant principal. Information Technology Security Director Bob LaRocca declined comment.

Last year, a student complained to a teacher that she had not been accepted to the University of Florida while her ex-boyfriend, a Spanish River student, had been accepted, the report states. She said she knew his grades were worse and suggested they had been changed.

The teacher checked the computer grades against the printed grades and found they didn't match, the report states. When questioned, the student told a school police officer that Yorston had changed his grades and those of other students.

Shortly before police came to interview Yorston, Dreyfoos teacher Laurie Cohen said she saw Yorston crying at school, the report states. Cohen told police Yorston told her that he and other students got into the computer system.

Yorston told her "he did not mean to harm anybody but could not stop" and that "when he was able to crack one thing, he went on to another," the report states.

Cohen told Yorston to go home and talk to his parents. Assistant Principal George Miller told police Cohen waited several days to tell him about Yorston. Cohen told police she informed administrators the next day.

Miller also said that last school year, Cohen gave her password to a student to work on the yearbook, according to the police report. The student, who obtained the passwords of two other teachers, accessed final exams through the school district's network.

Cohen also told investigators that Yorston was a "technological genius" and that Principal Ellen VanArsdale had arranged an interview with Dreyfoos, the school's namesake, to see whether he could help Yorston gain admission to MIT, according to the report.

In March, information technology specialist Shawn Brinkman told police that a user was accessing the e-mail accounts of school district officials investigating the grade changes, using Brinkman's ID and password. They traced the breaches to another Spanish River student, who told detectives that Yorston had given him the employee passwords and told him to read the e-mails.

The report states that changes were made under the ID and passwords of Spanish River data processor Joanne Tarantino, Dreyfoos data processor Suzanne Urso, Dreyfoos Assistant Principal Tanya Daniel and information technology security programmer Anne Matson.

Matson noticed in June that her access had been changed so that she had the ability to update grades. She told LaRocca but did not change her password, the report said.

Matson's daughter had recently graduated from Dreyfoos. Matson said she had logged on from home to check on her daughter's attendance, but said she did not give her daughter her password, though she told police she and her daughter used the same password to access their bank account.

Police also interviewed four students whose grades had been changed, and three admitted they asked Yorston to raise their grades. One student told police Yorston had told him he had the ability to change grades, and proved it by e-mailing the student a copy of a test he obtained from the district computer system.

Last year, another student was arrested and accused of accessing the school district's system nine times. The student, Inlet Grove High senior Ryan Duncan, did not appear to have changed any records.

School board member Debra Robinson said Yorston's apparent access to confidential records was "frightening" and said school officials should make necessary improvements to the computer security system and retrain employees about securing their passwords.

"I want to find out how this student got the passwords," she said, "or was it just a masterful hacking job?"
From isn at c4i.org Fri Apr 21 05:50:10 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 21 Apr 2006 04:50:10 -0500 (CDT)
Subject: [ISN] Microsoft Patches: When Silence Isn't Golden
Message-ID:

http://www.eweek.com/article2/0,1895,1951186,00.asp

By Ryan Naraine
April 19, 2006

Microsoft has 'fessed up to hiding details on software vulnerabilities that are discovered internally, insisting that full disclosure of every security-related product change only serves to aid attackers.

The company's admission follows criticisms from a security researcher that its policy of silently fixing software flaws is "misleading" and not in the spirit of Microsoft's push for transparency.

In an interview with eWEEK, Mike Reavey, operations manager of the MSRC (Microsoft Security Response Center), said the company's policy is to document the existence of internally discovered flaws as well as the area of functionality where the change occurred, but that full details on the fixes are withheld for a very good reason.

"We want to make sure we don't give attackers any [additional] information that could be used against our customers. There is a balance between providing information to assess risk and giving out information that aids attackers," Reavey said.

When Microsoft receives a report of a security flaw from external researchers, Reavey said, the MSRC conducts an extensive investigation to look at all the surrounding code to make sure a comprehensive fix is pushed out the door. If a related bug is found internally, it will be fixed in the eventual patch, he said, but the details will be kept under wraps.

However, critics argue that silent fixes have a way of backfiring and hurting businesses that depend on information from the vendor to determine deployment time frames and the actual severity of the patched vulnerability.

According to eEye Digital Security, which sells host-based IPS (intrusion prevention system) technology, silent fixes from Microsoft are commonplace.

"It is the skeleton in Microsoft's closet. We routinely find them," said Steve Manzuik, product manager of eEye's security research team, in Aliso Viejo, Calif.

In an interview with eWEEK, Manzuik said Microsoft has been silently fixing bugs as far back as 2004. He referred to the company's MS04-007 bulletin as a classic example of Microsoft announcing a fix for a single vulnerability when in fact a total of seven flaws were quietly fixed.

Manzuik's team presented a research paper on its findings at the Black Hat Briefings in Europe earlier in 2006 to highlight the problems with withholding details on fixes from customers.

"Microsoft's customers depend on that information to figure out how to respond to Patch Tuesday. The reality is, system administrators will delay deploying a patch based on the details of the bulletin. When details aren't included, he won't install that patch. That is a big problem," Manzuik said.

He said IT departments do not have the skill or resources to reverse-engineer every patch. "They are simply left in the dark and may ignore a patch that is super-critical to their environment. Meanwhile, the bad guy has spent the time to find out what was silently fixed," Manzuik said, arguing that Microsoft has a responsibility to make sure businesses are fully informed about software changes.

"I don't buy the argument that they are aiding attackers. The attackers are already reverse-engineering the patches. They have the time and resources to find out where the flaw lies. The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering," Manzuik said.

Matthew Murphy, the independent researcher who flagged the issue after finding silent fixes in the April batch of patches, said third-party vendors that incorporate code from Microsoft are also hurt by the lack of full disclosure.

Murphy outlined a recent case where anti-virus vendor Trend Micro got burned by a silent fix pushed out by Microsoft.

That issue revolved around a bug in Visual Studio that was reported to Microsoft in 2002 but remained unfixed for several years. Microsoft eventually fixed the bug but information was withheld, causing Trend Micro to unwittingly use the vulnerable code in its products, putting its customers at risk of a heap overflow vulnerability that could be used in code execution attacks.

Manzuik also pointed out that businesses rely heavily on host-based IPS technology to secure valuable assets while patches are being tested for deployment.

"Some of these IPS products need information from the software vendor to create signatures. How can you create a signature for a flaw if you don't know the location of the flaw? We have proven that signature-based technology can be bypassed to exploit these silently fixed flaws," he said.

Reavey said businesses should use Microsoft's severity rating system to help with patch deployment timetables.

"It's important to remember that the best way to be safe and secure is to apply all the updates. We are providing patches for everything. We still recommend a defense-in-depth strategy that includes IPS and IDS [intrusion detection system] technology, but customers should use our severity ratings system and apply the patches," he said.

From isn at c4i.org Fri Apr 21 05:51:02 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 21 Apr 2006 04:51:02 -0500 (CDT)
Subject: [ISN] San Diego man charged with accessing university applicants' information
Message-ID:

http://www.nctimes.com/articles/2006/04/21/news/sandiego/17_01_084_20_06.txt

By: North County Times News Service
April 20, 2006

SAN DIEGO - A 25-year-old San Diego man is charged with hacking into the University of Southern California's application system and accessing confidential information on would-be students, federal prosecutors said Thursday.
Eric McCarty, who earns money testing computers' network security, is accused of using his home computer to hack last June into the Web site that allows USC applicants to submit their information online.

Prosecutors said the data stored in the application system includes Social Security numbers and birth dates of more than 275,000 people who have applied to USC from 1997 through the present.

The site normally requires applicants to enter a username and password in order to view the information they entered, and to change it if necessary. McCarty, who also works as a computer network administrator, allegedly exploited a vulnerability in the database that allowed him to bypass the password protection.

Assistant U.S. Attorney Michael Zweiback alleged McCarty accessed "information on a number of students," over several visits to the site. But he declined to give an exact figure on how many students' records were allegedly accessed.

McCarty copied several applicants' records, prosecutors allege in a criminal complaint unsealed yesterday.

On June 21, 2005, the site and the database were shut down as a result of the vulnerability, and the Web site remained off-line for nearly two weeks, according to the U.S. Attorney's Office.

USC officials could not be reached for immediate comment.

Zweiback would not comment on McCarty's motivations for the alleged hacking. He did say, however, that hackers can be attracted to large targets.

"I think individuals who are computer trained like he is ... they're always looking for vulnerabilities in large institutions," the prosecutor said. "Beyond that, I'm not going to comment."

FBI investigators tracked down McCarty through the Internet protocol address on his home computer, authorities said.

McCarty is expected to make his initial court appearance in Los Angeles April 28. If convicted, he could face up to 10 years in prison.
From isn at c4i.org Fri Apr 21 05:51:15 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 21 Apr 2006 04:51:15 -0500 (CDT)
Subject: [ISN] We're winning the war against hackers
Message-ID:

http://www.theregister.co.uk/2006/04/20/cisco_security_survey/

By John Leyden
20th April 2006

Despite the apparent growth in security incidents and hacker attacks over recent years, a clear majority (72 per cent) of UK security professionals feel their organisation is more secure than it was 12 months ago.

Organisations are no longer on the back foot in the fight against security threats, with only 11 per cent of respondents in a survey of 100 chief security officers (CSOs) and IT directors saying they take a 'reactive only' approach to security.

More firms are putting in place contingency plans to ensure they can continue to operate in spite of evolving digital and physical threats, the Cisco-sponsored poll found. Survey respondents have contingency plans in place for power failure (96 per cent), fire (95 per cent), loss of data (93 per cent), physical access to buildings (86 per cent), and flooding (80 per cent).

IT pros have long complained that management frequently fails to understand the importance of their work. This may be changing, as the survey, which was conducted by market research outfit Vanson Borne on behalf of Cisco, found that only 23 per cent of respondents felt that security is still not recognised as a boardroom level issue.

Firms are also making progress in educating staff on security issues. The majority of respondents have extensive IT security training in place, such as acceptable usage policies (92 per cent), email usage policies (85 per cent), password policies (81 per cent), and training in the need for backups (59 per cent).

"It is very encouraging to see that, despite ongoing reports of new threats and breaches, businesses across all sectors are feeling better protected," Cisco Systems senior security advisor Paul King said.
"Businesses have recognised the importance of implementing comprehensive security strategies and are beginning to anticipate what might be around the corner."

From isn at c4i.org Tue Apr 25 03:27:23 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 25 Apr 2006 02:27:23 -0500 (CDT)
Subject: [ISN] OSVDB Selected for Google's Summer of Code 2006
Message-ID:

OSVDB Selected for Google's Summer of Code 2006

We are very pleased to report that OSVDB was selected for Google's Summer of Code! This is great news as we hope to get some of the services and projects that have been on the back burner due to lack of development resources finally launched!

You can read about Google's SoC here:
http://code.google.com/soc/

With our Summer of Code project work, we hope to make several exciting enhancements to OSVDB's public services. We have provided a list of important projects we are currently planning for; however, we are open to proposals for other projects and ideas.

You can read about OSVDB's Project Ideas here:
http://www.osvdb.org/summerofcode.php

OSVDB has been working very hard to provide many additional types of services to the community. Unfortunately, as mentioned, due to lack of development resources we have been unable to make much of this happen. We now have an opportunity to possibly deliver on the OSVDB Portal and OSVDB Ethical Disclosure Framework commitments that we made when the project first opened.

You can read the public announcements with our intentions to provide OSVDB portal and disclosure services:

OSVDB Objectives:
http://www.osvdb.org/OSVDB-Objectives.php

Vendor Dictionary Announcement:
http://www.osvdb.org/news.php#vendorDictSiteUpgrade

Personally, I am absolutely thrilled that we may have the resources to develop the OSVDB Ethical Disclosure Framework. This has been one of the projects that I have been wanting for years and is validated as we see more and more issues with the disclosure process!
I have believed all along that OSVDB can be the service that helps to improve, streamline and, more importantly, removes the mystery of the breakdowns in the process. OSVDB has been handling one-off disclosures for researchers over the past 3-4 years and it is not an easy task. The amount of time it takes to handle a disclosure process is huge. We realized early on that a lot of the process needed to be automated in order to be successful and repeatable.

Hopefully, there are some students out there that want to be a part of creating this service and we can get it launched by the end of the year!

From isn at c4i.org Tue Apr 25 03:27:39 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 25 Apr 2006 02:27:39 -0500 (CDT)
Subject: [ISN] RFP checklist: Security information management
Message-ID:

http://www.gcn.com/print/25_8/40435-1.html

By David Essex
Special to GCN
04/17/06 issue

Looking to deploy a security information management solution? Before sending out an RFP or RFI, experts say you should consider the following:

* Begin with the end in mind. Ask yourself what you want to achieve with a SIM system, regardless of how you get there. Pay special attention to the workflow between your security and operations teams, and the reporting requirements of federal regulators such as the Homeland Security Department's US-CERT. Business process, not network architecture, is what really drives a SIM system.

* Outline the additional, survivable storage infrastructure that may be needed to keep SIM data not only available to security analysts but archived for compliance. You might need to design a storage hierarchy and buy new RAID devices, storage area networks and appliances to ensure SIM data is available for a multitude of security and compliance purposes, but at a cost that doesn't break the budget.

* Ask vendors how their products employ caching, failover and redundancy in order to respond to a database crash. Don't overbuy if your needs are modest enough to be served by an affordable appliance that doesn't have failover features.

* Choose your database wisely. Most vendors offer so-called open-standards databases such as Oracle, but may keep their programming hooks private. Some claim their proprietary databases have performance and analytical advantages over more generic relational databases.

* Make sure the SIM product can collect all your relevant data, not just from intrusion detection systems, firewalls and other security devices, but also from operating systems and both custom and commercial applications. If there's no prebuilt connector for a data source, take a look at the vendor's integration wizards and support services.

* Ask the vendor how easy it is to customize the tool's correlation rules to suit your unique environment.

* Scrutinize scalability. Besides handling your current load of security events (probably a bytes- or events-per-second number that you already know), SIM solutions should scale up and out to meet your anticipated growth.

* Ask vendors to explain the assumptions behind their performance metrics, which can vary. Rule of thumb: The more devices to monitor, the heavier the data load. But be aware that once chosen, the vendor will work closely with your agency to get a handle on your environment.

* Look for a healthy complement of canned report formats for key compliance regulations, especially FISMA, GLBA and HIPAA.

* Watch out for version dissonance between your security devices and the SIM product. If you've recently upgraded an IDS, for example, make sure the vendor supports it or has plans for doing so.

© 1996-2006 Post-Newsweek Media, Inc. All Rights Reserved.
From isn at c4i.org Tue Apr 25 03:28:00 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 25 Apr 2006 02:28:00 -0500 (CDT)
Subject: [ISN] US military struggles with data loss
Message-ID:

Forwarded from: William Knowles

http://www.techworld.com/security/features/index.cfm?featureID=2436

By John E. Dunn
Techworld
April 17, 06

There is a famous and sometimes embroidered story from the Cold War of how the US managed to get its hands on a state-of-the-art Soviet fighter, the 2,000 mph-capable Mig-25 Foxbat, after a pilot defected to the West in 1976.

Supposedly the most advanced and fearsome craft of its type in the world, when the men from NATO got their hands on the machine, they made an astonishing discovery. Far from being ahead of the West, the plane's avionic systems were built around old-fashioned valves and vacuum tubes, a technology from a generation before the 1970s.

Why had the Soviet designers stepped back in time when smaller, faster, and more reliable transistor-based electronics were available to them? Then the penny dropped with a loud clang. In the event of a nuclear war, valves would probably continue working while the much more sensitive transistors used on US aircraft would fry in the face of the gamma radio pollution that accompanies nuclear fission.

The Soviets had turned their backs on the latest and best out of pragmatism. If the aircraft was ever to be used as intended, it would need to survive the first few days of combat. There is a fair chance the superficially more advanced US equivalents would have been left sitting on the tarmac, unable to navigate, communicate or arm their weapons.

It's a completely different context, but the potentially serious problems the US military has been having with data security in its Afghan theatre immediately put me in mind of this tale.

According to a number of well-sourced articles (see the LA Times and New York Times), the army has lately been losing all sorts of items to theft from its bases in the country. As well as the usual knives and watches, the list now stretches to cheap, disposable USB drives. So disposable in fact that they have been turning up for sale in the country's flea markets, loaded with unencrypted classified documents covering topics such as "which militants the US wants killed or captured". It's a fair bet that those guys aren't hanging around in Kabul these days.

It sounds like the old story of data incompetence in combat fatigues, but perhaps there's more to it than that.

Companies religiously share information by putting it into a movable state, accessible to off-the-shelf applications. The sales team will put its best leads into a database, for instance, and then somebody else might use that same information as the basis for a set of Powerpoint slides.

There is a fundamental principle at work here - the tendency people have of writing everything down in a digital form, including stuff that is supposed to be highly confidential.

A generation or more ago, this sort of information would have been in paper files, which are still vulnerable to theft, but in a way that makes their disappearance immediately obvious (one assumes that when these USB drives went missing, the fact was probably not acknowledged by anyone other than the person who looked after the device). Back then, how many copies would have been made of low-level, localised information such as "which guys to kill"? Probably one or two, and perhaps even none if the information stayed in a soldier's head.

Files never die

Modern software encourages us to make multiple copies of data files, and allows further copies to be made without that fact being obvious. Files are never really "stolen" at all, despite the accepted parlance we have all adopted from the security mindset.
Files are simply copied, or copies are stored on portable devices which are then dropped, stolen, forgotten, flushed away.

The US military is following the same corporate logic as the business world when it encourages its soldiers to compose thoughts and plans in digital form that might, frankly, sometimes be better left in their heads. The military men will counter that a soldier's memory banks are highly corruptible, and they'd rather guarantee data integrity for a few dollars and a USB or hard disk interface.

Naturally, its civilian wing uses the same applications as everyone else. It's an odd symmetry, not often remarked on, that in the war the US is waging with Al Qaeda around the globe, both sides have upgraded to the same version of Word and Excel. About the only point of difference appears to be that Al Qaeda's agents realise the danger in such standardisation and have mandated (or at least that's what the authorities are forever telling us with great foreboding) the competent use of encryption.

This hints at something deep in the nature of organisations that needs looking at. Perhaps the biggest single risk to information security isn't malware, hackers, or insider criminals looking to strip every morsel of useful data from the corporate bone - it's just the tendency people have of writing important things down, which then get into the wrong hands.

It also hints at something deep in the nature of the US military and, you'd wager, the armies of many other countries too. Armies have come to reflect the same mainstream corporate ethos as businesses, and so they use broadly the same applications as do businesses. From a data security standpoint they have precisely the same problems and probably talk about them in the same way. It's a place Sarbanes-Oxley and all the other corporate anti-scandal legislation doesn't go because nobody invests money in armies.
They are still seen as somehow different even though this latest frontline anecdote tells us they are nowadays more and more the same. Killing isn't a profitable business but it is one that should be done cost-effectively, and with a degree of technological sophistication.

When the military investigators have finished their enquiries into how top secret files could possibly have ended up being exchanged for second-hand refrigerators in a Kabul market, they should ponder that the distance between a clean-room supercomputer and the dust and heat of a mountain in Asia is now non-existent. Data can easily be several places at once because it is no longer discrete.

There are three solutions, one high-tech and the other two fairly primitive (but let's not rule anything out here).

First solution - encrypt everything. Complicated and expensive but it would probably work up to the point soldiers started sticking the passphrases on to the drives.

Second solution - don't put important information in digital files or just keep it in a printed form. This is the Soviet lateral thinking Mig-25 approach. It worked in the old days so why not now? The other great advantage of old-world filing would be that your enemies would have the same problems finding important files in a hurry as your own soldiers.

Third solution - task a special company of soldiers to spend time in Afghan markets buying up every USB drive they can find. Of course, this might just create demand for the drives, but think of it as a layered security approach and it will sound good to the men behind desks.

Thinking about it more, perhaps they need to do all of the above, but I have a feeling that, as usual, the preference will be for more technology. When it comes to security, creative thinking is still a rarity.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue Apr 25 03:26:32 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 25 Apr 2006 02:26:32 -0500 (CDT)
Subject: [ISN] Navy team safeguards information from hackers
Message-ID:

http://www.dcmilitary.com/navy/trident/11_11/local_news/40893-1.html

by Martha Thorn
Trident Managing Editor
April 21, 2006

The Naval Academy fielded a team that used all defensive plays. Game rules wouldn't let the Naval Academy team attack invaders, only deter them from creating havoc.

During the game, the Naval Academy teamed up with the Air Force Academy, the Military Academy, the Coast Guard Academy, the Air Force Institute of Technology, and the Merchant Marine Academy to form a computer network. This network allowed the academies and institute to share a chat room, teleconferencing and video teleconferencing, sending and receiving e-mails, file sharing, Websites and name resolution.

Of course, game may be a slight misnomer. The academies and institute were really engaged in the sixth annual Cyber Defense Exercise. Sponsored by the National Security Agency, the exercise required sharing information through a computer network in much the same way that an alliance of nations or perhaps a corporation might share information.

This information sharing makes computer networks vulnerable to outside attacks by hacking. In this case, the hackers consisted of Maryland-based National Security Agency specialists and servicemembers from the Army, Army Reserve, Navy, Marine Corps and Air Force.

These hackers were testing the security of the computer network, observing how long it would take the students to become aware of the attacks and then how the students would respond to the attacks. What would they do to protect the integrity of their networks?
What safeguards had they installed and how well did the safeguards work? What would they do to regain control of their network and get their information services operational again? Of course, just to keep the exercise challenging, a few natural disasters were thrown in that brought everyone's computer servers down and tested the team's ability to get the servers up and running again. During one afternoon, it was one disaster after another as the hackers threw "everything they had" into breaking into and destroying the network. The exercise is intended to prepare the midshipmen for the "real world." "In the real world, we're always forming and breaking up coalitions and alliances," said Tom Hendricks, National Security Agency visiting professor in the computer science department. "We're always sharing information and protecting against break-ins to the system." Hendricks said that during the exercise, the midshipmen see how easy it is for someone to get into a system and how much damage they can cause. Hendricks contends that every system will get broken into at one time or another. "What counts is how quickly you can detect the infiltration and how well you respond to it," he says. "You want to test your system for weaknesses and minimize them as much as possible." Midn. 2/C Sean Sullivan is interested in troubleshooting computers. The technical leader in charge of the network, he grew up breaking and fixing computers. This summer he will be one of five Naval Academy midshipmen to intern at the National Security Agency. He was concerned about hackers trying to overload the system with information. To prevent this, he helped create an alternate computer system that would mimic the real one, hoping that the hackers would break into this "honey pot" instead of the real system. "We're trying to distract them from the real thing," said Midn. 2/C Micah Akin. "We've made the real computer look like the honey pot and the honey pot look like the real computer." 
While other midshipmen were working to safeguard the servers, Midn. 2/C Alison Teoh was handling the administrative aspect of the exercise. During the exercise, the teams had to keep track of e-mails and send reports at regular intervals, noting any abnormalities in the system and actions being taken to correct these abnormalities. "I give the SITREPs ... situational reports," Teoh said. "I tell how everything went wrong and how we responded to it, resolved it and fixed it." "I've never done anything like this before," admitted Midn. 1/C Jonathan Kindel, who was glad to get the experience. "The same skills that we learn here can be transcribed to keep our computers secure in the fleet," he said. Kindel says that gathering small packets of information is like putting pieces of a jigsaw puzzle together. "You can get an amazingly accurate picture of defense capabilities by gathering small bits of information here and there," he said. "That's why it's so important that we learn to safeguard them." That was another eye-opening part of the exercise, learning that threats from within can be just as debilitating to computer operations as outside threats. Luckily, the team had people like Midn. 1/C Kendra Deptula to help with system recovery. Even so, the sight of systems going down, if only for a short time, is one that the midshipmen will not soon forget. Copyright © 1996-2006 Comprint Military Publications From isn at c4i.org Tue Apr 25 03:28:15 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 25 Apr 2006 02:28:15 -0500 (CDT) Subject: [ISN] Government-Funded Startup Blasts Rootkits Message-ID: http://www.eweek.com/article2/0,1895,1951941,00.asp By Ryan Naraine April 24, 2006 A startup funded by the U.S. government's Defense Advanced Research Projects Agency is ready to emerge from stealth mode with hardware- and software-based technologies to fight the rapid spread of malicious rootkits. 
Komoku, of College Park, Md., plans to ship a beta of Gamma, a new rootkit detection tool that builds on a prototype used by several sensitive U.S. government departments to find operating system abnormalities that may be linked to malicious rootkit activity. A rootkit modifies the flow of the kernel to hide the presence of an attack or compromise on a machine. It gives a hacker remote user access to a compromised system while avoiding detection from anti-virus scanners. The company's prototype, called CoPilot, is a high-assurance PCI card capable of monitoring the host's memory and file system at the hardware level. It is specifically geared towards high-security servers and computers. Gamma, meanwhile, is a separate, software-only clone of CoPilot that will target businesses interested in a low-assurance tool for protecting laptops and personal computers. Komoku launched quietly in 2004 with about $2.5 million in funding and rootkit detection contracts from DARPA, the Department of Homeland Security and the U.S. Navy. The company has its roots at the University of Maryland, where computer scientist William Arbaugh worked on what he calls a "unique approach" to finding rootkits. "Security technologies depend on the correctness of the system they're actually checking," said Arbaugh, who now serves as president of the five-employee outfit. "If something changes the system at the operating system level, it can't be reliably detected via the OS itself or through applications running on the system," he said in an interview with eWEEK. "We have this notion of what the operating system is supposed to look like and we look for deviations [from] that. We aren't initially looking for the rootkit; we look at the side effects of the infection." Komoku has partnered with security vendor Symantec to handle disinfection and restoration after rootkits and other sophisticated forms of malware are detected. 
Symantec's LiveState product combines with CoPilot and Gamma to restore the system to its original state. Jamie Butler, a renowned rootkit researcher who works as Komoku's chief technical officer, said Gamma will have limited clean-up capabilities because it is software-based and susceptible to direct attack, much like any application running on the operating system. "Clean-up is a very difficult goal while maintaining a running system. When you find a rootkit, you essentially have several choices. The easiest choice is to halt the system. But, that means that you'll lose any evidence that might be in memory. It also means that the services provided by that system are made unavailable," Butler explained. Another choice might be to eliminate the effects of the rootkit, but this could be very difficult because of the complicated nature of an operating system. A third choice would be to allow the rootkit to remain active while you attempt to discern its motives, Butler added, noting that both Gamma and CoPilot will allow all three of these choices. The plan is to have both the hardware and software versions collect forensic data when a compromise is detected. Butler said the products are able to capture hidden malware in memory and send it back to a central management station where the products are running in enterprise mode. The company is also exploring potential partnerships with other security companies that have offline malware analysis tools, he said. Pricing details have not yet been worked out, but Arbaugh expects to ship CoPilot to high-end enterprises with super-sensitive data. Gamma, on the other hand, is a lower-assurance product and is aimed at protecting business assets that don't require high-end security protection or are unable to install hardware. 
Arbaugh said Gamma has been built with two modes of operation: an enterprise mode where it communicates with a central server to receive updates and incident reports, and a stand-alone mode where incidents are reported locally. Updates will be available via a subscription service similar to those in the anti-virus space, he said. Citing confidentiality issues, Arbaugh declined to discuss the severity of the rootkit threat on government networks. However, he said that during actual CoPilot tests, it was "very clear that the government shares the same problems like everyone else." The product was in the midst of testing on the U.S. Navy networks when news of the Sony rootkit issue made headlines in November 2005. "That was a zero-day rootkit to us, so we decided to throw it at CoPilot as part of the operational tests. We detected the Sony rootkit in all its vectors, in real-time," Butler said. According to statistics from Microsoft, rootkits account for more than 20 percent of all malicious programs removed from Windows machines. The stealthy technology has been found in a variety of threats, including spyware, Trojans and DRM (digital rights management). From isn at c4i.org Tue Apr 25 03:29:26 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 25 Apr 2006 02:29:26 -0500 (CDT) Subject: [ISN] Book Review: Security Log Management - Identifying Patterns in the Chaos Message-ID: [ http://www.amazon.com/exec/obidos/ASIN/1597490423/c4iorg - WK] Security Log Management - Identifying Patterns in the Chaos By Jacob Babbin, Dave Kleiman, Everett F. Carter Jr., Jeremy Faircloth, Mark Burnett, Esteban Gutierrez ISBN: 1597490423 Paperback: 350 pages Syngress Publishing, Inc. Copyright 2006 Reviewer: lyger I have to admit, this book wasn't entirely what I expected. 
For several chapters, I was introduced to more shell scripting, PHP scripting, and poorly printed screen shots than what I would generally expect from a book that at first appeared to have been directed towards security analysts instead of system administrators and web developers. However, despite its flaws, "Security Log Management" does have its merits during its middle chapters which aren't based on excessive code snippets and blatant endorsements for Microsoft's Log Parser. To be honest, the book started off on a bad foot by mentioning "a recent report by the group mi2g" (page 12) regarding the worldwide cost of malware. The statistics involved, as well as the dubious source of the report, may or may not have been checked by an editor (more on that later), but there are several examples later in the book that show that it was not thoroughly proofread before final publication. Other pages in chapter 1 describe "self-poisoning" of DNS servers, pages upon pages of cut-and-paste code, and poorly published graphics. As previously mentioned, not a good start, but the end-of-chapter summaries and fast track sections are clear and concise throughout the entire book. The book often suggests using free tools to build into analysis and reporting for system logs. Excellent point, since using open source tools can either provide an adequate amount of data or provide justification for the purchase and/or use of larger-scale solutions. Chapters 2, 3, and 4 focus on IDS, firewall, and system/network device reporting. Page 120 made me cringe a bit with phrases such as "this is best done" and "we want to use"; later in the book, it is pointed out that each particular environment should choose what type of log management is best, so I don't understand why blanket endorsements or solutions are given in early chapters. Again, however, the end-of-chapter summaries are direct and get to the points that the texts of the chapters sometimes elude. 
Chapter 5 discusses creating a reporting infrastructure and is generally heavy on code and graphs, which may or may not be useful for any one particular environment. Chapter 6, "Scalable Enterprise Solutions", is probably the most informative section of the book. While the general focus of the book to this point has been on code, graphs, charts, and "solutions", the point that policies should be deployed *before* solutions is important and should have been stressed much earlier in the book. The sections on ESM implementation, usability, and vendor support are well written, and the mention of the "human touch" in log analysis was unexpected but appreciated. Too often, focus on log analysis is based on systems and not people.. but since people are the ones who read the logs, it's nice that the human species gets a prop now and then. The last three chapters mainly deal with Microsoft Log Parser. I have to be honest.. I read the chapters, but really didn't see much value in them. Calling Microsoft Log Parser "the obvious choice of tool" seems somewhat promotional, especially considering the book's foreword was written by Gabriele Giuseppini, a developer for Microsoft Log Parser. Good information, but not really useful unless you're either using (or planning to use) MLP in a particular situation. Overall, I have mixed feelings about this book. For a person who reads logs as a *hobby* (and yes, that's a sad admission, but the truth), I found the book to have good tips in some sections, but somewhat lacking in many areas. Too much code and too many graphs may not be appealing to some readers, and a few sections that say "this is the best tool" or "this is best done by..." (as well as the numerous typographical and grammatical errors) apparently weren't scrutinized by editors. Worth a read for anyone interested in log analysis, but feel free to skip over sections and chapters that don't interest you or specifically apply to your professional (or personal) environment. 
Lyger (attrition.org) -=- Snippets (was re: proof, please): A recent report by the group mi2g calculates the cost of malware "[sic] at around 600 million Windows-based computers worldwide, which works out to $281 to $340 worth of damage per machine." (page 12-13) For an outbound policy violation, this address will be from a system on you LAN;... (page 119) Q: My Web server has virtually hosts. How should I handle... (page 164) From isn at c4i.org Tue Apr 25 03:29:43 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 25 Apr 2006 02:29:43 -0500 (CDT) Subject: [ISN] University of Texas Computer Breach Exposes 200,000 Records Message-ID: http://www.informationweek.com/news/showArticle.jhtml?articleID=186700537 By Gregg Keizer TechWeb.com Apr 24, 2006 Nearly 200,000 records of alumni, faculty, staff, and current and prospective students of the business school at the University of Texas at Austin have been exposed in a data breach, school officials said Sunday. It was the second at the university in three years. The breach was discovered Friday, and involved 197,000 records, some of which included Social Security numbers and "possibly other biographical data," UT said in a statement issued Sunday. "It is our highest priority to notify those who may be affected by this security breach," said William Powers Jr., the university's president. "We have notified the attorney general and his Internet enforcement unit and are doing everything we can to protect those whose information has been accessed unlawfully." A similar incident in 2003 was eventually traced to a former student, Christopher Phillips, who was found guilty in 2005 of accessing protected computers without authorization, as well as possessing stolen Social Security numbers. For multiple hacks over a two-year period that netted him 45,000 names, Phillips was sentenced in September 2005 to five years' probation, and was ordered to pay $170,000 in restitution. 
He was also banned from using the Internet except for school or work activities. The McCombs School of Business has posted a Web page with advice on dealing with data theft, and has published phone numbers, including a toll-free line, to take calls from current and former students, staff, and faculty. The UT breach was far from the largest so far this year. According to the Privacy Rights Clearinghouse, which maintains a list of all data losses since February 2005, there have been nine breaches of 200,000 or more identities since January 1. From isn at c4i.org Tue Apr 25 03:29:59 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 25 Apr 2006 02:29:59 -0500 (CDT) Subject: [ISN] Cybercops and zero day vulns Message-ID: http://www.theregister.co.uk/2006/04/24/infosec_blog_three/ By John Leyden 24th April 2006 Infosec blog - The start of the Infosec conference tomorrow will witness one of the first public appearances of the new Serious and Organised Crime Agency (SOCA). Dubbed the UK's FBI by Britain's tabloids, SOCA will tackle drug trafficking, immigration crime, money laundering and identity fraud by developing intelligence on organised crime and pursuing key suspects while disrupting criminal activity. The agency will bring together more than 4,000 police, customs and immigration experts to create Britain's first non-police law-enforcement authority. Officers from the National High Tech Crime Unit (NHTCU) joined these ranks when the agency launched earlier this month. The Home Office has said that drug and people trafficking, fraud, and identity theft will be among SOCA's top priorities. Despite its assigned role as a leading agency in fighting identity theft, critics are questioning how much of SOCA's resources will be put into the fight against cybercrime. Spyblog, for example, said the launch of the agency signals a very low priority for computer crime. 
Like any police agency in the UK, SOCA is ultimately accountable to the public, whose needs and concerns help shape its priorities. Divisional bosses from Greater Manchester Police or the Metropolitan Police, for example, regularly meet the general public. The frequent result of these meetings is that increased resources are put into combating burglaries or antisocial behavior, for example, in particular areas. Because resources are finite, this has the undesirable effect of reducing the number of officers assigned to combat other problems. In the case of SOCA, it's easy to see how similar pressures might affect its mandate. Combating organised child abuse, a role it will share with other agencies, will always be a priority, but how much resource will be placed towards fighting computer hacking and virus writing? Perhaps an answer to this question will come when Tony Neate, a former officer of the NHTCU and current e-crime liaison officer at SOCA, chairs a debate E-Crime: Who Got Caught Out Last Year?. The Mirapoint cracked It won't come as a surprise for you to hear that Register staffers receive huge volumes of junk mail. I myself get about 300 to 400 spam messages per day against up to 100 pieces of legitimate mail, many of them press releases. Over the last three years I've tried several approaches to anti-spam filtering. The best results have come with SpamBayes, largely because it allows users to train the product on what they see as spam and, crucially, what they see as legitimate emails (ham). The only disadvantage with the product is that you have to download every message before filtering takes place. Using SpamBayes in conjunction with an email filtering service from Avecho, set to remove only transparently bad emails, proved to be an effective approach. Since the demise of Avecho I've been obliged to rely on the native email filtering service provided by El Reg's ISP Telstra. 
The service, which is underpinned by technology from security appliance vendor Mirapoint, is the bane of my working life. The filter is perhaps 80 per cent to 90 per cent effective in identifying and junking spam messages. That's worse than other products I've tried, but still not terrible. What really lets the service down is the quantity and importance of messages it flags as spam. Most ecommerce transactions - for example travel confirmations from Opodo and thetrainline.com and kit purchases from Dabs.com - get flagged as spam. Direct person to person queries also often get junked, as do press releases, unless the sender is white listed. Because of this, I have to manually go through my inbox. Using the service is, for me, like driving a car that never starts in the morning. Other Reg staffers have also experienced frustrations with the service. I first complained about the service's shortcomings to Mirapoint a year ago, since when the false positive issue has become more noticeable. In conversation with Mirapoint on Monday, representatives of the firm said its products were "demonstrably capable". If so, why is Telstra's service binning ecommerce receipts, we asked? Mirapoint responded by saying all it could do was recommend how its technology was set up and that ultimately it relies on its service providers. Telstra is one of a dozen ISPs that provide hosted email security services based on Mirapoint's technology. Mirapoint said it hadn't received feedback about excessive false positives from Telstra, or any of its other service providers. Nonetheless, it conceded that its reputation might be tarnished via its association with Telstra's indifferent service. It said it would make inquiries, but warned there might be "no quick fix". Security disclosure Let me make a small bet that VoIP security, along with how to respond to so-called zero day vulnerabilities, will be a hot topic at this year's Infosec. 
The latter was heavily discussed last month when two security vendors, including eEye, released security patches to defend against an unpatched vulnerability in Microsoft's Internet Explorer web browser. Last week, security tools firm ISS warned that using third-party patches could violate the license agreements for software installed on their systems. Organisations can feel pushed into believing that, on balance, applying an unofficial patch is safer than remaining exposed to attack. But ISS warns that such fixes have not gone through rigorous testing. "The reason why a vendor like Microsoft takes some time to release a hotfix is because they have to ensure quality and system integrity across multiple combinations of Windows service packs, international editions, and supported hardware platforms. The unofficial patches being developed by these third-party organisations are opportunistic PR efforts rather than serious security fixes," ISS X-Force director Gunter Ollmann said. That's fighting talk. eEye chief hacking officer Marc Maiffret argued that ISS's warning is little more than a pitch for its virtual patch technology. "This is funny considering their press release attempts to say that third party security companies are only creating these free patches for marketing purposes. The only difference between them and the third party companies in that case is that ISS has not done anything to provide the community a free work around for the problem, you have to buy their product," Maiffret told El Reg. "ISS's products, like most of the third party patches, go about modifying/patching code in order to divert attacks. So, if ISS really believes its statements, then it should probably do a follow up press release which tells people they could/might/who really knows be violating their EULA by using ISS security products," he added. Ouch. 
From isn at c4i.org Tue Apr 25 03:30:46 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 25 Apr 2006 02:30:46 -0500 (CDT) Subject: [ISN] Four Months Later, In-Q-Tel Again Needs New CEO Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2006/04/23/AR2006042300701.html By Terence O'Hara April 24, 2006 Amit Yoran resigned over the weekend as chief executive of In-Q-Tel, the venture capital arm of the U.S. spy community, after less than four months on the job. Yoran, a seasoned technology entrepreneur and investor as well as a former head of cybersecurity for the Department of Homeland Security, had led In-Q-Tel since January. He said yesterday that his reasons for leaving were entirely personal, including a desire to spend less time on the road and more with his family. He and his wife have three young children. In-Q-Tel has investments all over the country, and Yoran has traveled extensively. Considered a success inside the Central Intelligence Agency, which created it, In-Q-Tel's mandate has been expanding to find more technology for more spy agencies. "It's a very amicable parting," said Yoran, 35. "I will say I'm sorry and disappointed as well. But these are personal issues. . . . My continued performance as CEO was not going to be possible." Yoran said he will continue to work with In-Q-Tel as a part-time consultant. Before taking the chief executive job four months ago, Yoran had invested money in several private technology companies. He continues to serve on several company boards. Lee A. Ault III, chairman of In-Q-Tel's board of trustees, said he accepted Yoran's resignation "with regret." "In-Q-Tel has benefited from Amit's vision and leadership during his tenure as CEO," Ault said in a statement. "We appreciate his service to In-Q-Tel, and we look forward to continuing In-Q-Tel's unique and important mission of delivering important and cutting edge technologies to the CIA and the intelligence community." 
In-Q-Tel calls itself a venture capital firm, but venture investing is a small part of what it does. The CIA created the organization as a nonprofit, and its job was to identify technologies being funded and developed by the private sector that could have value in intelligence-gathering or national security applications. In-Q-Tel makes small investments in start-up companies, almost always as a junior partner to traditional venture capital funds. Most of In-Q-Tel's money goes toward evaluating and funding the technology to make sure the CIA or other intelligence agencies can use it. Yoran had begun to ramp up In-Q-Tel's investment activity to meet its growing budget and responsibilities. He said the organization has an annual budget of more than $50 million -- up from $30 million to $35 million several years ago -- and includes as "investors" several other intelligence and homeland security agencies in addition to the CIA. In its early years, In-Q-Tel was funded almost entirely by the CIA. All of In-Q-Tel's contacts with the intelligence community, no matter the agency, still run through a special office inside the CIA. Last month, Yoran hired his old friend, Mark Frantz, a well-known local venture capitalist who spent the past five years with the Carlyle Venture Partners, as In-Q-Tel's managing general partner. Frantz in an interview last week said the organization would be hiring more people for its investing team. "We're not exactly taking out help-wanted ads, but we want to add to our venture team," Frantz said. "We've got some very talented folks here, but we're here to turn it up a notch." Yoran took over from founding chief executive Gilman Louie, who ran In-Q-Tel since its 1999 inception. The board is expected to appoint an interim chief executive this week and begin a national search for Yoran's replacement. Yoran said 120 technologies partly funded by In-Q-Tel have been deployed by the CIA or other agencies. 
"Unfortunately, we can't talk about the specific uses," he said. From isn at c4i.org Wed Apr 26 03:18:14 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 26 Apr 2006 02:18:14 -0500 (CDT) Subject: [ISN] Proposed AZ data-theft bill has critics Message-ID: http://www.azstarnet.com/dailystar/business/126149 By Scott Simonson Arizona Daily Star Tucson, Arizona 04.25.2006 If a hacker steals your bank card number in Arizona, there's no state requirement that your bank or a merchant involved notify you. That could change if Gov. Janet Napolitano signs a bill passed by the Legislature last week. Consumers Union, the non-profit group that publishes Consumer Reports magazine, has criticized the proposed law as ineffective. Arizona's law would allow companies to decide whether a computer-security breach is serious enough to deserve a consumer warning, said Gail Hillebrand, who heads Consumers Union's financial privacy campaign. "Who's going to decide?" she said. "It's going to be the company who failed to protect your data." Currently, Arizona receives much of its information about thefts of computer data from California, said Andrea Esquer, spokeswoman for Arizona Attorney General Terry Goddard. California requires all companies to report stolen information. In 2003, California passed the first U.S. law requiring customer notification of breaches in companies' computerized data. At least 10 other states have followed suit, said Hillebrand. Arizona's bill differs from California's in two important ways, she said. California requires companies to report any security breach, Hillebrand said. Under the Arizona legislation, only breaches that "materially compromise" people's information must be reported. Depending upon how that language is interpreted, companies may be allowed to choose whether to tell consumers, Hillebrand said. Arizona's law also exempts banks, hospitals and some government agencies. California's law requires all companies to report problems. 
As of Monday, Napolitano had not acted on Senate Bill 1338, said Shilo Mitchell, spokeswoman for the governor. The sponsor of the Arizona bill, Sen. John Huppenthal, R-Chandler, could not be reached for comment on Monday. Rep. Marian McClure, R-Tucson, helped sponsor the bill in the House but said that consumers should be told about all computer security breaches. Senate Bill 1338 represents a step in the right direction, she said, although she introduced a stronger bill that failed earlier in the session. "A consumer should have a right to know that the information has been stolen," she said, "to make sure who stole that information cannot steal my identity." Consumer notification might help, but better enforcement and better information sharing are crucial, according to a Tucson couple who have been victims of identity theft. Elisabeth and Stephen Klingler have discovered that three other people have been using his Social Security number. The Klinglers traced some of the thefts to other states, but law enforcement has not investigated, Elisabeth Klingler said. The identity thefts have caused incorrect information about their credit to be reported to data brokers - businesses that collect people's information and sell it to other companies. The Klinglers said consumers need better laws to help clear false information from the files that companies keep. The bad information has hindered them in buying a cell phone and taking out a store credit card, Elisabeth Klingler said, and it could one day affect their ability to buy another home. "We're kind of giving up hope," she said. "It would take a lifetime to get the information corrected."

What the bill says
* Senate Bill 1338 would require businesses operating in Arizona to notify customers if a computer-security breach compromises their personal information.
* Companies that do not notify customers could face fines from the state attorney general.
* Government agencies would face the same requirements.
* The proposed law would not apply to banks, hospitals, health insurance companies, law enforcement agencies or courts.

Data thefts

* Some of the largest reported thefts of customer data since March 2005, according to ChoicePoint Asset Co.:

Disclosed by                               Date            Customers affected
Bank of America                            February 2005   1.2 million*
DSW shoes                                  March 2005      1.4 million
Ameritrade                                 April 2005      200,000
Bank of America, Wachovia, other banks     April 2005      680,000
CitiFinancial                              June 2005       3.9 million
MasterCard                                 June 2005**     40 million
OfficeMax                                  February 2006   200,000

* data of federal employees only
** related to security breach at CardSystems Solutions Inc. service center in Tucson

From isn at c4i.org Wed Apr 26 03:18:29 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 26 Apr 2006 02:18:29 -0500 (CDT)
Subject: [ISN] LexisNexis finds disclosure meant less pain in data theft
Message-ID:

http://www.infoworld.com/article/06/04/25/77752_HNinfosecdatatheft_1.html

By Jeremy Kirk
IDG News Service
April 25, 2006

After a high-profile security breach exposed personal data about thousands of customers, LexisNexis found that being forthright was the best approach, according to a company executive.

By being forthcoming with the public and victims the company survived with minimal impact, said Leo Cronin, LexisNexis senior director for information security, Tuesday at the Infosec Europe 2006 conference in London. The security breach hit LexisNexis, which is owned by Reed Elsevier PLC, early last year.

"I think that's why we were so successful in dealing with this," Cronin said of the decision to be open and direct about the breach.

LexisNexis is breaking its silence over the incident to help educate and get feedback about approaches to breaches, he said.

LexisNexis faced a worst-case scenario after it acquired Seisint Inc. of Boca Raton, Florida, in September 2004.
Seisint is a data broker, collecting personal information and providing it to law enforcement and private companies for services such as debt recovery and fraud detection.

Attackers went after the service's "less sophisticated customers" with a social engineering ploy that left the identities of up to 300,000 people at risk, Cronin said.

The company's customers received an e-mail with a pornographic lure, Cronin said. The mail also contained a worm and a keystroke logger, which stole LexisNexis credentials, specifically for its risk management services, he said.

"It was very coveted data," he said. "I think we didn't really realize how much of a risk it was."

But when the damage became clear, LexisNexis made an immediate decision to be forthcoming and transparent about the breach, he said.

"We tried to do the best job we could," he said.

The company contacted all those who were affected by the attack using the framework of a California data security disclosure law passed in 2003 as a guide, Cronin said.

The law is catching up after the high-profile cases of last year, including ChoicePoint Inc., a data broker that acknowledged divulging sensitive personal information to identity thieves posing as customers. So far in the U.S., 20 states have implemented notification laws, and a federal law is under consideration.

After the data breach, LexisNexis took several steps to implement stronger security, Cronin said. The company reviewed the security of all its Web applications and created new procedures for verifying customers with access to sensitive data, he said.

LexisNexis encouraged certain customers to sign up for antivirus software. It revamped online security access, looking at password complexity and expiration times. The company also implemented measures to automatically detect anomalies in use of its products to identify potential security problems, Cronin said.

LexisNexis learned other lessons.
Passwords are dead, Cronin said, and two-factor authentication is recommended. But front-door perimeter attacks are less likely than the persistent weak link: people.

"Attackers are effective at going after low hanging fruit," Cronin said.

-=-

REFERENCES:

Hackers grab LexisNexis info on 32,000 people, Mar. 9, 2005
ChoicePoint to give up some personal data sales, Mar. 4, 2005
ChoicePoint's error sparks talk of ID theft law, Feb. 23, 2005

From isn at c4i.org Wed Apr 26 03:18:44 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 26 Apr 2006 02:18:44 -0500 (CDT)
Subject: [ISN] 100 Years After San Francisco Quake, IT Units Are Prepared
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,110767,00.html

By Sharon Fisher
APRIL 24, 2006
COMPUTERWORLD

The earthquake that destroyed much of San Francisco 100 years ago last week wasn't a one-shot disaster. The U.S. Geological Survey estimates that there's a 62% chance an earthquake similar in scope to the one on April 18, 1906, will hit the San Francisco Bay area during the next 30 years. And lest Southern Californians get too sanguine, the probability is the same for a similarly strong quake there in the same time span.

With that in mind, IT managers at HOB Entertainment Inc. in Hollywood are discussing whether to replicate the company's data to a remote facility in Quincy, Wash., where it operates an amphitheater complex.

"It's a great location for collocation," said Adrian Black, manager of network operations in the department of information systems and technology at HOB. "That is such a remote location, and we own the buildings." The Quincy facility already houses a T1 line, and a 100Mbit/sec. Internet connection is about to be installed there, Black said.

HOB, which operates the House of Blues clubs plus other performance venues, is concerned that an earthquake could cause significant damage to its headquarters in an 18-story building, Black said.
He noted that the facility houses HOB's central IT operations and that the company's key financial, accounting, legal and marketing applications are all run on systems at the site.

Earthquake fears, along with a move by IT manager Sean Anderson to work remotely in Washington state, triggered Irvine, Calif.-based Comarco Inc. to build a disaster recovery center in Spokane late last year. The decision came about two years after Anderson moved there when his Southern California home was destroyed by wildfires.

"Since I'm up here and electricity is cheap in Spokane and rental space is cheap, it made sense," Anderson said.

Once it's completed, the Comarco disaster recovery system will replicate its mission-critical software, which includes MK Enterprise ERP software from SSA Global Technologies Inc., data stored on its SQL Server database, engineering source code and Exchange e-mail data. Comarco, a provider of wireless products and services, in November installed a disaster recovery system from DoubleTake Software and is gradually replicating more and more data.

San Rafael, Calif.-based Costello & Sons Insurance Brokers Inc., which provides liability insurance for technology firms, has a four-part disaster recovery method that should provide adequate security to the company's data in the event of a minor disaster, but not necessarily a major one, said IT director Steven Perry.

First, the company has redundant servers in its headquarters offices, and second, all the data is backed up to tape at an off-site location in a bank vault across San Francisco Bay, Perry said. The third part of the security plan requires all workers to use removable external hard drives, while the final disaster recovery system is what Perry called a "doomsday book" -- a laptop with a 100GB drive and enough batteries to run the business for about a day. The laptop is taken off-site each day.

Perry acknowledged that the strategy may not keep the company running through major disasters.
"Most of the stuff I worry about in terms of real-time recovery are small kinds of disasters," he said, adding that during "big-time disasters, I tend to think we would be off-line for more than the amount of time that having instantaneous recovery requires."

From isn at c4i.org Wed Apr 26 03:20:06 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 26 Apr 2006 02:20:06 -0500 (CDT)
Subject: [ISN] Stolen laptops hand hackers keys to the kingdom
Message-ID:

http://www.theregister.co.uk/2006/04/25/stolen_laptop_peril/

By John Leyden
25th April 2006

Infosec - As web apps are becoming more secure stolen laptops have become among the easiest ways to break into corporate networks.

High profile firms such as Fidelity and Ernst and Young along with celebrities such as Kevin Costner have lost laptops over recent months. Concern over these thefts has focused on the exposure of data left on these devices. But the potential to use stolen kit to lift user credentials also poses a grave risk.

During a presentation at Infosec on Tuesday, penetration testing firm SecureTest explained how DIY hardware devices or software available for purchase from eBay might be used to reset or circumvent passwords set in a laptop's BIOS.

"If that fails you can always take the drive out and fit it with a USB connector," explained SecureTest's Rob Pope.

A Linux tool called Backtrack, which can run from a CD loaded onto a Windows PC, might then be used to get system keys and password hashes. Windows stores the hashes of passwords derived from the LM algorithm instead of directly storing passwords. But LM encryption is weak and susceptible to brute force attack using Rainbow Crack or other tools.

SecureTest pre-computed a rainbow table of password hashes totaling 19GB. Thereafter obtaining the plain text of a password becomes a simple job of matching password hashes. Most of the hacker tools in this area are American so the inclusion of a pound sign in passwords is capable of frustrating attacks.
Next up SecureTest showed how a program called Disk Investigator might be used to extract the encrypted form of WEP key passwords or remote desktop login credentials from a Windows Registry file. It showed how a program called Cain was able to decode Cisco VPN client passwords given access to a purloined corporate PC.

"What we find during penetration testing is that most passwords are based either around the Lord of The Rings, the names of planets or Star Wars," said Pope.

SecureTest md Ken Munro outlined a number of defences firms might employ against the attacks the firm highlighted. Although not foolproof, use of BIOS passwords is a significant barrier against attack. Firms should avoid setting up machines that can be booted from USBs, floppy discs, CD ROMs or from a network. Strong passwords containing a mix of alphanumeric characters should be used. Finally firms should implement either disc encryption or, at minimum, the encryption of sensitive files, Munro advised.

From isn at c4i.org Wed Apr 26 03:20:27 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 26 Apr 2006 02:20:27 -0500 (CDT)
Subject: [ISN] Microsoft Rocked by New IE Zero-Day Flaw Warning
Message-ID:

http://www.eweek.com/article2/0,1895,1953833,00.asp

By Ryan Naraine
April 25, 2006

Barely two weeks after shipping an Internet Explorer security makeover to cover a wave of drive-by malware downloads, Microsoft is scrambling to address the public disclosure of a new zero-day vulnerability that could be used in code execution attacks.

The Redmond, Wash. software maker confirmed it was investigating a warning posted on the Full-disclosure mailing list that the latest versions of IE cause various types of crashes when visiting Web pages with nested OBJECT tags.

A spokesman for Microsoft said the initial investigation has revealed that the bug would most likely result in the browser closing unexpectedly or failing to respond.
"Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary."

Michal Zalewski, the researcher who discovered the flaw and published the advisory without notifying Microsoft, said the issue was confirmed on fully patched versions of IE 6.0 and Microsoft Windows XP SP2 (Service Pack 2).

"At first sight, this vulnerability may offer a remote compromise vector, although not necessarily a reliable one," Zalewski said. He described the error as "convoluted and difficult to debug" but warned that the risk of a code execution attack scenario can't be ruled out.

"As such, panic, but only slightly," Zalewski said.

Security alerts aggregator Secunia flagged the issue as "highly critical" and stressed that it can be exploited to corrupt memory by tricking a user into visiting a malicious Web site. "Successful exploitation allows execution of arbitrary code," Secunia warned.

FrSIRT (French Security Incident Response Team) also slapped a "critical" rating on the flaw because of the risk it presents to IE users. In an alert, FrSIRT said the bug could be exploited by remote attackers to execute arbitrary commands.

"This flaw is due to a memory corruption error when processing a specially crafted HTML script that contains malformed "object" tags, which could be exploited by attackers to remotely take complete control of an affected system by convincing a user to visit a specially crafted Web page," the research firm said.

Researchers at Websense Security Labs said there are no published proof-of-concepts demonstrating a remote code execution attack vector but made it clear that browser crash vulnerabilities often lead to remote code execution exploits.

"We are currently scanning for sites which attempt to leverage this vulnerability," the company said.

Microsoft chided Zalewski for jumping the gun and posting his findings before a comprehensive patch could be created, but the researcher is unapologetic.
"I didn't give an advance notification to Microsoft, because I strongly oppose their handling of the vulnerability patching process. Although I can't make a difference, it's the tiny bit of civil disobedience I can afford whenever I can reasonably believe that no immediate harm would be done to third parties," Zalewski wrote in an e-mail exchange with eWEEK.

"I believe that, among other things, Microsoft resorts to borderline extortion practices when dealing with vulnerability researchers who work for companies that in any way depend on Microsoft; they delay disclosure of problems by sometimes taking in excess of 100 days to fix trivial flaws [which cannot be justified in any way]," he added.

"[They] often attempt to downplay threats; they don't participate in the vulnerability research community in a meaningful way; and they routinely use false pretenses when communicating their expectations to the media (for example, expressing concern for the customer and blaming the researcher where the chief risk for the customer arises from the fact that an extremely wealthy and profitable software giant severely underfunds the task of fixing critical defects in their software)," Zalewski wrote.

From isn at c4i.org Thu Apr 27 01:43:10 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 27 Apr 2006 00:43:10 -0500 (CDT)
Subject: [ISN] IT security checklist focuses on consequences of breaches
Message-ID:

Forwarded from: William Knowles

http://www.gcn.com/online/vol1_no1/40564-1.html

By William Jackson
GCN Staff
04/26/06

A small office of the Homeland Security Department has released a draft cybersecurity checklist intended to help enterprises focus on the real-world consequences of security breaches.

The U.S. Cyber Consequences Unit was created by DHS to provide analysis of economic and strategic consequences of cyberattacks on critical infrastructure and to evaluate the cost-effectiveness of countermeasures.
As part of this work, director and chief economist Scott Borg and research director John Baumgarner began on-site visits to evaluate systems in critical industry sectors.

"We started seeing huge vulnerabilities," Borg said Wednesday at the GovSec conference in Washington, where the draft document was released. Most of the systems were compliant with current security checklists and best practices. "And portions of those systems were extraordinarily secure. But they were Maginot Lines," susceptible to being outflanked.

The problem is that existing best practices are static lists based on outdated data. The new USCCU list shifts the focus from perimeter security to monitoring and maintaining internal systems.

The problem with perimeter security is that there is always some way to circumvent it, Borg said. "We are way into diminishing returns on our investments in perimeter defense," he said. "To deal with it now, you have to think of the problem of cybersecurity not from a technical standpoint, but by focusing on what the systems do, what you could do with them and what... the consequences [would] be."

The list is based on real-world experience and on economic analysis of breaches. Surprisingly, the researchers found that simply shutting a system down is not the biggest threat in most areas of critical infrastructure.

"Shutting things down for two or three days is not that costly," Borg said. The larger threat is disruption of systems in ways that are not immediately evident.

The checklist contains 478 questions grouped into six categories: hardware, software, networks, automation, humans and suppliers.

"All of the things we are talking about are already under way," Borg said, but some of the items in the checklist have no cost-effective commercial solutions. Borg said he hopes industry will step up to the plate to create solutions, and that government will adapt its acquisition policies to create incentives for these developments.
Borg said there is no schedule for final DHS approval of the draft.

Additional information about the checklist is available from Borg at mailto: scott.borg (at) usccu.us.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Thu Apr 27 01:40:57 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 27 Apr 2006 00:40:57 -0500 (CDT)
Subject: [ISN] Opinion: What's the point of security?
Message-ID:

http://www.silicon.com/research/specialreports/ecrime/0,3800011283,39158393,00.htm

By Simon Moores
26 April 2006

Security trade shows are booming - but does that mean companies are any safer? Simon Moores reports from Infosecurity 2006.

It's Infosec time again. Walking the aisles of Europe's most successful information security trade show, I found myself plagued with a nagging sense of doubt. Why?

Scantily clad girls dressed as angels and the sash-climbing acrobats in yellow lycra bodysuits on the Symantec stand were entertaining and colourful enough. Even the message on the EP Secure stand warning visitors of the dangers from viruses and "wormes" should have brought a smile to my face.

But all I could see in London's packed Olympia conference centre was an industry united in a profitable celebration of the failure of our society to properly protect itself from the dangers of living an increasingly online existence.

Infosec was once again the venue for the release of the latest government-sponsored survey of information security breaches in the UK, conducted by a consortium led by PricewaterhouseCoopers LLP.
While you can find encouragement in the news that large businesses have become more security-conscious, with the total security incidents having fallen by 50 per cent over the last two years, the opposite is true of small business. Here, the average number of incidents has risen by 50 per cent to approximately eight per year.

Worse still is the estimate of the total cost of security breaches to UK plc, which is up by 50 per cent from two years ago to approximately £10bn per annum - figures that support last month's smaller e-Crime Congress survey.

Microsoft, which is at last joining the dubious Windows Client Protection business with its own antivirus solution, has been working hard to improve its own security credentials with a number of initiatives over the last year. Its Hotmail web email service is blocking 3.4 billion spam messages each day and has had two billion downloads of its malicious software removal tool in the last year, which tells us something about the overall size of the malicious software problem.

The computing environment that surrounds us today reminds me of a large termite mound. It's intricate, solid, highly efficient and constantly improved. It does however have lots of different openings to the world outside and every now and then, a hungry chimpanzee with a twig comes along and plays havoc with the poor industrious termites' defensive structure.

Taking this metaphor a step further - and looking at the sheer number of companies displaying solutions at Infosec - I have to wonder how long business will be forced to continue spending sizeable sums on information security products that continue to have relatively modest success in mitigating the expanding risks from internet crime.

It was Winston Churchill who said: "Although personally I am quite content with existing explosives, I feel we must not stand in the path of improvement."
At an earlier Infosec Show, I released a Microsoft-sponsored report called A matter of trust which examined some of the many challenges facing Microsoft's Trustworthy Computing strategy and the steadily growing threat from online crime. In the intervening period, Infosec and the security industry have become larger and more successful, as have the organised crime groups which are busy milking people's bank accounts, defrauding businesses and stealing the identities of as many as 100,000 people in the UK each year.

So I'm confused. Infosec is a great show and a wonderful platform for an arsenal of information security and identity products. But all the evidence of this year and previous years suggests that we're on the wrong side of the arms race to secure the computing environment. Even for the most paranoid of organisations, an unlimited security budget doesn't offer a safe and bullet-proof existence.

It all makes me think of a quote from Arthur Dent in The Hitchhiker's Guide to the Galaxy: "Ah, this is obviously some strange use of the word 'safe' that I wasn't previously aware of."

From isn at c4i.org Thu Apr 27 01:41:24 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 27 Apr 2006 00:41:24 -0500 (CDT)
Subject: [ISN] PGP unfazed by MS disk encryption
Message-ID:

http://www.theregister.co.uk/2006/04/26/pgp_infosec/

By Chris Williams
26th April 2006

Infosec - PGP says the whole disk encryption kit Microsoft will bundle with Vista is no threat to its position as the first port of call for forgetful laptop luggers.

At its InfoSec press briefing, Microsoft was pushing its BitLocker software as peace of mind for firms wanting to sling old HDDs. In contrast, PGP marketing manager Jamie Cowper reckons its encryption toolset should be an integral part of an ongoing security strategy.

PGP announced a deal with Sony Computer Entertainment to protect the laptops of 1,100 worldwide employees. That'll be their GTA cheat codes safe, then.
Drive lock-down, and encryption in general, still represent a small slice of the security market. However, it is rising up both the strategic and budgetary agenda. Increasing use of BlackBerries, PDAs, laptops, and smartphones was identified as a risk in the DTI's 2006 security report.

BitLocker has landed Redmond in some hot water over its insistence that there are no back doors for law enforcement. As its encryption code is open source, PGP says it can guarantee no back doors, but that cyber sleuths can use its master keys if necessary.

PGP encryption inventor Phil Zimmermann was dragged through the US courts in the 90s by feds worried it would roadblock investigations. Zimmermann is now a technical advisor at PGP and is working on VoIP encryption, another worry on the horizon for the DTI Information Security report.

PGP will start finding out if its bullishness in disk encryption is justified when Vista hits the corporate streets early next year.

From isn at c4i.org Thu Apr 27 01:42:24 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 27 Apr 2006 00:42:24 -0500 (CDT)
Subject: [ISN] Microsoft Catches Flak for Lack of Vulnerability Disclosure
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Esker Software
http://list.windowsitpro.com/t?ctl=282BF:4FB69

Availl
http://list.windowsitpro.com/t?ctl=282D0:4FB69

====================

1. In Focus: Microsoft Catches Flak for Lack of Vulnerability Disclosure

2. Security News and Features
- Recent Security Vulnerabilities
- Novell Acquires e-Security
- GRISOFT Boosts Its Security Offerings with Acquisition of Ewido
- New Antiphishing Toolbar Takes an Obvious Approach

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- Share Your Security Tips

4. New and Improved
- Bring Systems Back in Line

====================

==== Sponsor: Esker Software ====

Align compliance with business efficiency, and learn how fax-document management plays a role in your strategy.
http://list.windowsitpro.com/t?ctl=282BE:4FB69

====================

==== 1. In Focus: Microsoft Catches Flak for Lack of Vulnerability Disclosure ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

News stories last week discussed a blog entry (at the URL below) by Matthew Murphy of SecuriTeam that hammered Microsoft for what Murphy thinks is a lack of adequate vulnerability disclosure. Murphy's beef with Microsoft relates to Microsoft Security Bulletin MS06-015--Vulnerability in Windows Explorer Could Allow Remote Code Execution. In a nutshell, Murphy wants Microsoft to offer more details about vulnerabilities. (MS06-015 also happens to be the security bulletin that proved to be buggy--an update was due to be released yesterday.)
http://list.windowsitpro.com/t?ctl=282CD:4FB69

Many think that Microsoft's disclosure practices border on the silent fixing of security issues. It's no secret that in the past Microsoft has silently fixed security problems and sometimes has misinformed the public about the ramifications of security problems. Microsoft and many other companies don't like the publicity related to security problems, so they try to keep matters as quiet and calm as possible.

Granted, each company is free to establish its own policies about disclosure and few are forthcoming with complete details in any given instance of vulnerability discovery. For example, Apple silently fixes security problems and rarely if ever releases any substantial details about them. But then people interested in security don't place Apple under the same microscope as Microsoft.

When Microsoft releases a security-related patch, numerous independent researchers go to work to analyze the patch to find everything that's changed in the related files.
If they detect anything that isn't documented, the researchers either call Microsoft on the carpet or they keep their mouths shut for any of several reasons, including the ability to exploit the undocumented bugs in systems that don't have the patch installed. Thus the patch could actually aid in the proliferation of malware and increase the overall risk of security breaches.

Of course, Microsoft's disclosure practices have improved over the years, but there's still room for improvement, particularly if the company expects the masses to more fully buy into the Trustworthy Computing ideology.

Again, we're back to the same old issue of disclosure being a double-edged sword. While many businesses and researchers have seen fit to adopt some form of responsible disclosure in terms of timing the release of vulnerability details, another important point of contention remains. Microsoft and other companies argue that too much disclosure creates a more dangerous network environment. But many security researchers contend that not enough disclosure creates a more dangerous network environment. Obviously, the situation calls for balance, and I think there is balance. However, when the balance tips too far toward either perspective, then risk levels increase.

Here's an interesting thought, even if it's only tangentially related: What if software as a service or applications on demand become commonplace? Think of a scenario in which you no longer have an OS and sundry applications installed on your desktops and servers, but instead everything is driven by some hardware-based technology that loads everything from a remote location that you don't control. That would just about put an end to many aspects of security research, security administration, and the disclosure debate, wouldn't it?

====================

==== Sponsor: Availl ====

Ensure instant access to files at remote servers/offices.
Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or Replication technologies? Do you have remote sites with common data or file needs? Get a free software trial, and register for the free seminar:
http://list.windowsitpro.com/t?ctl=282D0:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=282C2:4FB69

Novell Acquires e-Security
With e-Security's Sentinel solution under its wing, Novell says its customers will enjoy a more comprehensive view of user, network, and application events that will help streamline processes, augment compliance monitoring, and cut costs.
http://list.windowsitpro.com/t?ctl=282CC:4FB69

GRISOFT Boosts Its Security Offerings with Acquisition of Ewido
GRISOFT aims to bolster its cross-platform antivirus and firewall solutions by adding Ewido Networks' award-winning anti-malware protection to its suite of offerings.
http://list.windowsitpro.com/t?ctl=282CA:4FB69

New Antiphishing Toolbar Takes an Obvious Approach
TraceSecurity developed a different and rather obvious approach to an antiphishing toolbar. Instead of looking for known phishing sites, the free TraceAssure Toolbar searches for legitimate Web sites by matching domain names to IP addresses.
http://list.windowsitpro.com/t?ctl=282CB:4FB69

====================

==== Resources and Events ====

How do you ensure that your email system isn't vulnerable to a messaging meltdown? In this Web seminar, Exchange guru Paul Robichaux tells you what you should do before you have an outage to increase your chances of coming out of it smelling like roses.
http://list.windowsitpro.com/t?ctl=282C1:4FB69

Learn the best ways to manage your email security (and fight spam) using a variety of solutions and tips.
http://list.windowsitpro.com/t?ctl=282BD:4FB69

Expert Ben Smith describes the benefits of using server virtualization to make computers more efficient. Download this exclusive podcast today!
http://list.windowsitpro.com/t?ctl=282C0:4FB69

Make sure that your DR systems are up to the challenge of a real natural disaster by learning from messaging survivors of Hurricanes Katrina and Rita. Live Event: Tuesday, May 2
http://list.windowsitpro.com/t?ctl=282BC:4FB69

Ensure that you're being effective with your internal network security. Are your DIY options protecting you against worms, BotNets, Trojans, and hackers? Make sure! Live Event: Tuesday, May 23
http://list.windowsitpro.com/t?ctl=282BB:4FB69

====================

==== Featured White Paper ====

Examine the risks of allowing unwanted or offensive content into your network and learn about the technologies and methodologies to defend against inappropriate content, spyware, IM, and P2P.
http://list.windowsitpro.com/t?ctl=282BA:4FB69

====================

==== Hot Spot ====

Try it Free: Access & Control PCs from your USB
NetOp Remote Control provides the most complete, scalable, and secure remote control software available. Access PCs from your desktop, PocketPC or USB! NEW On Demand option provides tiny, temporary, download with no user installation or firewall configuration and NO per session charges. Free evaluation & support.
http://list.windowsitpro.com/t?ctl=282B8:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Rubberhose: A Useful Form of Data Encryption?
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=282CF:4FB69

Instead of making it glaringly obvious that data is encrypted, Rubberhose makes encryption deniable--i.e., supposedly it can't be proven that the data is encrypted. This technique might be useful for people who, for whatever reasons, can't use other forms of data encryption. Learn a bit more about it in this blog article.
http://list.windowsitpro.com/t?ctl=282C9:4FB69

FAQ by John Savill, http://list.windowsitpro.com/t?ctl=282CE:4FB69
Q: Does Microsoft provide a different level of support for applications and services running under a VMware virtualization host rather than under a Microsoft Virtual Server 2005 virtualization host? Find the answer at http://list.windowsitpro.com/t?ctl=282C8:4FB69

Security Forum Featured Thread: Is Someone Trying To Hack Our System?
A forum participant has Windows 2000 Advanced Server with Terminal Services running. In the Security event log, he noticed many instances of an event in which someone tries to log on to a system named GARY-HOME. He has no system with that name, so he wonders whether someone is trying to hack into his network. Look at the event log entry he posted and join the discussion at http://list.windowsitpro.com/t?ctl=282B9:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Exclusive Spring Savings
Subscribe to Windows IT Pro and SAVE 58%! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful articles. This is a limited-time offer, so order now: http://list.windowsitpro.com/t?ctl=282C5:4FB69

Save 44% off Windows Scripting Solutions
For a limited time, order the Windows Scripting Solutions newsletter and SAVE up to $80. You'll get 12 helpful issues loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks.
You'll also get FREE, unlimited access to the full online scripting article library (more than 500 articles). Subscribe now: http://list.windowsitpro.com/t?ctl=282C4:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Bring Systems Back in Line
NetPro Computing describes SecurityManager 2.0 as "a significant upgrade." SecurityManager 2.0 centralizes policy management and enforcement for Active Directory (AD) and file servers. It includes new policies for object locking, group membership, separation of duties, and external trusts. SecurityManager 2.0 constantly monitors the network, so when systems become noncompliant with company standards, the software immediately sends an alert and helps remediate the problem. For more information about SecurityManager 2.0, go to http://list.windowsitpro.com/t?ctl=282C7:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com.

====================

==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=282D1:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=282C6:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2006, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Apr 27 01:42:49 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 27 Apr 2006 00:42:49 -0500 (CDT) Subject: [ISN] Hacking: Sparks anger among Boca teens Message-ID: http://www.bocaratonnews.com/index.php?src=news&prid=15078 By Nicol Jenkins and John Johnston April 26, 2006 Boca teens feel cheated by fellow teen hackers, the Boca Raton News has learned. The most recent example of teen hacking came with the arrest of Jeff Yorston, an 18-year-old student at West Boca Raton Community High School. He was charged with felony computer fraud after police say he used employee passwords to change his friends' grades, give himself credit for classes he didn't take and erase suspensions from records. Police allege Yorston changed eight students' grades over the past two years, using computer IDs and passwords from four school district employees. Some local teens expressed anger that someone would try to take the easy way out while others have "worked hard" to get good grades. Others candidly admit admiration and envy of hackers. "He must be a pretty smart kid. If I was failing and had the skills, I'd do the same thing," said 18-year-old Teddy Rutledge. But Michael Langdon thinks hacking is unfair. "I've been working all semester for my grades and he just changes his," the 15-year-old said. Then, he joked, "I hoped he was my friend so he could change my grades." Opinions Vary The majority of the Boca teens interviewed by the Boca Raton News said gossip of changing grades hasn't circulated much around school. "I've never heard of it. 
And I would never be able to figure it out and none of my friends would be able to do it either," said Boca teen Lydia Rosenfeldt. "I think it's more the computer geeks and kids that have nothing better to do." Rosenfeldt, however, thought the hacking job was "pretty impressive." "If an 18-year-old can hack into the School Board system maybe the system isn't that up to par," she said. Fernando Rodriguez, 17, also believes the hacking incident was "random." "I don't think that 99 percent of the kids are capable of doing it at all. Most of the students are not smart enough," he said. Dan Verton, author of The Hacker Diaries: Confessions of Teenage Hackers [1], says that most younger computer intruders defy stereotypes. "The common denominator," says Verton, "is that hackers are both very smart and extremely bored. They're often smarter about computers than the teachers they're supposed to be learning from. For those teens, hacking provides a challenge and encourages creative thinking." Parental Pressure Some teens that spoke to the Boca Raton News think pressure from parents to have perfect grades may have been a motivator. "Going through the college process is stressful and sometimes parents put a lot of stress on children," said 18-year-old Danyelle Shapiro. "One of the motives could have been that he had a definite in to one of the colleges, so he didn't have to stress or worry about where he was going." On the other hand, Shapiro thinks hacking is wrong. "I don't think it's right and students don't think it's fair," she said. "Because when they change their grades, they could be taking my spot." Boca teens Edison Alexis and Makyra Nunes agree. "He's just messing up the whole system," Nunes said. Alexis added, "It could make our grades lower or higher." Most hackers are motivated by a need for constant stimulation and a sense of respect from their peers. 
For many, a "good" hack is one that gives a thrill of accomplishment and teaches something about the targeted system. Teens say, however, a bad hack isn't measured by the damage it does - it's measured by whether the hacker gets caught - and a further measure authorities say reflects a situational ethics, rather than moral view of the world.

Some Signs

Experts offer the following signs for parents:

* A child who asks you to change ISPs might be into more than cybertalk.
* Do you find programs on your computer that you don't remember installing?
* New hardware requests sometimes tip off a hacking interest.
* How much time does your child spend using the computer each day? Hacking takes a lot of time.
* Does your child use Quake or Linux?

And a child struggling academically might be tempted.

John Johnston can be reached at 561-549-0833, or at jjohnston (at) bocanews.com; Nicol Jenkins can be reached at njenkins (at) bocanews.com or 561-549-0844.

[1] http://www.amazon.com/exec/obidos/ASIN/0072223642/c4iorg

From isn at c4i.org Thu Apr 27 01:43:37 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 27 Apr 2006 00:43:37 -0500 (CDT)
Subject: [ISN] ITL Bulletin for April 2006
Message-ID:

Forwarded from: Elizabeth Lennon

ITL BULLETIN FOR APRIL 2006
PROTECTING SENSITIVE INFORMATION TRANSMITTED IN PUBLIC NETWORKS
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

The protection of sensitive information that is transmitted across interconnected networks is critical to the overall security of an organization's information and information systems. The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) recently issued guidance to assist organizations in strengthening their network security and in lessening the risks associated with the transmission of sensitive information across networks.
The publication offers practical guidance on implementing security services based on Internet Protocol Security (IPsec). IPsec is a framework of open standards for ensuring private communications over public networks. IPsec is frequently used to achieve security controls in the layered protocols of network communications, and to create a virtual private network (VPN). An organization can build a VPN on top of existing physical networks to create a secure communications mechanism for the data and control information that is transmitted between networks. VPNs are used most often to protect communications carried over public networks, such as the Internet, which utilize Transmission Control Protocol/Internet Protocol (TCP/IP) network communications. When properly implemented, VPNs can protect the confidentiality and integrity of data, authenticate the origin of data, and provide data replay protection and access control. However, VPNs cannot eliminate all risks since flaws in algorithms or software, or insecure configuration settings and values may still be exploited by hackers.

NIST Special Publication (SP) 800-77, Guide to IPsec VPNs

Written by Sheila Frankel of NIST, and Karen Kent, Ryan Lewkowski, Angela D. Orebaugh, Ronald W. Ritchey, and Steven R. Sharma of Booz Allen Hamilton, NIST SP 800-77 helps network architects, network administrators, security staff, technical support staff, and computer security program managers who are responsible for the technical aspects of preparing, operating, and securing their organization's networks. The information discussed is general in nature and can be applied to many different hardware platforms, operating systems, and applications. Topics covered include the need for network layer security services, the services that are available at the network layer, and how IPsec can be implemented to provide these services. A case-based approach illustrates how IPsec can be used to solve common network security concerns.
The guide explains IPsec planning and implementation issues; it also discusses alternatives to IPsec and the appropriate circumstances in which to deploy each alternative. The appendices discuss the need for organizations to develop their IPsec-related policies and present examples of common IPsec policy issues that should be considered. Also included in the appendices are configuration files that are referenced by the case studies, a glossary, an acronym list, and a compilation of print and online resources that may be useful for IPsec planning and implementation. The publication is available on NIST's web pages at: http://csrc.nist.gov/publications/nistpubs/index.html.

The Need for Network Security

Widely used throughout the world, Transmission Control Protocol/Internet Protocol (TCP/IP) network communications are composed of four layers of protocols that work together: application, transport, network, and data link. Security controls are available for network communications at each of the four layers:

The application layer sends and receives data for an application. Separate controls must be established for each application. While this arrangement provides a high degree of control and flexibility for the security of the application, it may cause the organization to devote considerable resources to implement. The development of new application layer security controls can also create new vulnerabilities, and it may not be possible to develop the controls for some applications.

The transport layer provides connection-oriented or connectionless services to transport application layer services across networks. Controls at this layer can protect data in a single communications session between two hosts, and must be supported by both clients and servers.

The network layer routes packets across networks. Controls at this layer apply to all applications, rather than to specific applications.
Applications do not have to be modified to use the controls, but this arrangement provides less control and flexibility for protecting specific applications than the transport and application layer controls.

The data link layer handles communications on the physical network components. Controls at this level protect a specific physical link. Since each physical link must be secured separately, controls at this level are not feasible for protecting connections that involve several links, including most connections across the Internet.

As data is prepared for transport through the network, it is passed from the highest to the lowest layer, with each layer adding more information. Security controls at a higher layer cannot provide full protection for the lower layers, because the lower layers add information to the communications after the higher-layer security controls have been applied. The lower-layer security controls are less flexible and granular than higher-layer controls. As a result, controls at the network layer are widely used to secure communications and to provide a more balanced solution than can be achieved through the application of the higher-layer and lower-layer security controls.

Internet Protocol Security (IPsec)

IPsec is the most commonly used network layer security control for protecting communications. It was developed by the IPsec Working Group of the Internet Engineering Task Force (IETF) as a framework of open standards. Depending upon the implementation and configuration, IPsec can provide the following types of protection:

* Ensuring the confidentiality of data through the application of a cryptographic algorithm and a secret key, known only to the two parties exchanging data. The data that is transmitted can be decrypted only by someone who has the secret key.

* Assuring the integrity of data through the application of a message authentication code (MAC), which is a cryptographic hash of the data. The checksum is sent with the data.
The recipient can detect when the data has been changed, either intentionally or unintentionally during transit, if a new MAC is calculated on the received data and it does not match the original MAC.

* Providing peer authentication to ensure that network traffic and data are sent from the expected host. The receiving IPsec endpoint can confirm the identity of the sending IPsec endpoint.

* Providing replay protection to assure that the same data is not delivered multiple times and that the data is delivered in an acceptable order. IPsec cannot, however, ensure that the data has been received in the exact order that it was sent.

* Providing traffic analysis protection by obscuring the identities of the endpoints and the size of the data. Those who are monitoring network traffic may not know which parties are communicating, how often communications occur, or how much data is being exchanged.

* Providing access control by assuring that only authorized users can access particular network resources. IPsec endpoints can also allow or block certain types of network traffic, such as allowing web server access but denying file sharing.

Components of IPsec

The IPsec network layer security protocol provides protection through the following components, which are used in various combinations:

Authentication Header (AH) and Encapsulating Security Payload (ESP) security protocols. ESP provides encryption and integrity protection for packets, but it cannot directly protect the outermost IP header. (It can protect it indirectly, if Internet Key Exchange (IKE) is used to negotiate the IPsec protections.) AH provides integrity protection for packet headers and data but without encryption. AH can also protect some header information that ESP cannot protect. ESP is used more frequently than AH because of its encryption capabilities and other operational advantages.

Internet Key Exchange (IKE) protocol.
IKE negotiates the cryptographic algorithms and related security parameters and controls that comprise the security associations (SAs) that are applied to IPsec-protected connections. Other protections provided by this protocol include mutual authentication of endpoints; negotiation of secret keys; and management, update, and deletion of IPsec-protected communication channels. An updated, streamlined IKE (version 2) has been standardized, but most current implementations adhere to the original IKE, version 1.

IP Payload Compression Protocol (IPComp). IPsec uses this protocol to compress packet payloads before encrypting them.

For the IPsec-applied encryption and integrity-protection processes, federal agencies are required to use cryptographic algorithms that are specified in Federal Information Processing Standards (FIPS) or in NIST Recommendations that are issued in NIST Special Publication 800 series. The FIPS-approved algorithms must be contained in cryptographic modules that have been validated for conformance to FIPS 140-2, Security Requirements for Cryptographic Modules, through the Cryptographic Module Validation Program (CMVP). Algorithms that are FIPS-approved include FIPS 197, Advanced Encryption Algorithm (AES), the strongest approved algorithm and the preferred algorithm for federal agency use. Also approved is the Triple Data Encryption Algorithm (TDEA), which is specified in American National Standard (ANSI) X9.52-1998 and validated using the tests that are contained in NIST SP 800-20, Modes of Operation Validation System for the Triple Data Encryption Algorithm. In addition, the FIPS-approved algorithm for message authentication is FIPS 198, Keyed-Hash Message Authentication Code. This algorithm is used to construct a Keyed-Hash Message Authentication Code (HMAC) using secure hash algorithms that are specified in FIPS 180-2, Secure Hash Standard.
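The integrity and replay protections described above (a keyed MAC sent with the data and recomputed by the receiver, plus a window that accepts out-of-order but never duplicated packets) can be seen in miniature in the following Python script. It is an added illustration written for this edition, not code from the bulletin or from SP 800-77: the packet layout (4-byte sequence number, payload, 20-byte HMAC-SHA-1 tag) and the fixed demo key are constructed for the example and stand in for the SA parameters that IKE would negotiate; the window logic follows the sliding-bitmap scheme ESP receivers use.

```python
import hmac
import hashlib

# Constructed demo key. In a real IPsec SA the integrity key is negotiated by IKE.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA-1


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq (4 bytes, big-endian) + payload + HMAC-SHA-1 over both.
    Only integrity and replay protection are modelled; no encryption/IV."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, hashlib.sha1).digest()
    return header + payload + tag


class ReplayWindow:
    """Sliding anti-replay window of the kind an ESP receiver keeps per SA.
    `top` is the highest sequence number accepted; bit i of `bitmap` records
    whether sequence number (top - i) has already been accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # counters start at 1; 0 is never a valid sequence number
        if seq > self.top:  # newer than anything seen: slide the window forward
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1  # jumped past the whole window; only `seq` is marked
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # older than the window: treat as stale/replayed
        if self.bitmap & (1 << diff):
            return False  # already accepted once: replay
        self.bitmap |= 1 << diff  # out of order but inside the window: accept
        return True


def verify(key: bytes, packet: bytes, window: ReplayWindow):
    """Receiver side. Returns (accepted, reason, payload).
    The MAC is checked before the window is updated so that a forged
    sequence number cannot move the window or mark a slot as seen."""
    if len(packet) < 4 + TAG_LEN:
        return False, "truncated", None
    header, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "bad MAC", None
    seq = int.from_bytes(header, "big")
    if not window.check_and_update(seq):
        return False, "replay or stale", None
    return True, "ok", payload


def demo():
    """Constructed delivery sequence: reorder, replay, and tamper.
    Returns a list of (seq, accepted, reason) so the outcome can be checked."""
    window = ReplayWindow(size=64)
    results = []
    p1 = protect(DEMO_KEY, 1, b"first")
    p2 = protect(DEMO_KEY, 2, b"second")
    p3 = protect(DEMO_KEY, 3, b"third")
    # Packet 3 arrives before packet 2: acceptable order, not exact order.
    for seq, pkt in [(1, p1), (3, p3), (2, p2)]:
        ok, why, _ = verify(DEMO_KEY, pkt, window)
        results.append((seq, ok, why))
    # Packet 2 delivered a second time: rejected by the window.
    ok, why, _ = verify(DEMO_KEY, p2, window)
    results.append((2, ok, why))
    # One payload byte of packet 3 flipped in transit: rejected by the MAC.
    tampered = bytearray(p3)
    tampered[6] ^= 0x01
    ok, why, _ = verify(DEMO_KEY, bytes(tampered), window)
    results.append((3, ok, why))
    return results


if __name__ == "__main__":
    for seq, ok, why in demo():
        print(f"seq={seq} accepted={ok} ({why})")
```

The order of checks in `verify` is the point worth noting: integrity first, replay second, and the window is only advanced for packets whose MAC verified, which is the same discipline ESP implementations follow so that an attacker cannot disturb the window with forged sequence numbers.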
Virtual Private Networks (VPNs)

The VPN is a virtual network, which is built on top of existing physical networks, and which provides a secure communications mechanism for data and IP information exchanged between public networks. This method of networking can be less expensive for an organization than utilizing dedicated private telecommunications lines to provide communications between the organization's home and branch offices, and between remote telecommuters and the main servers.

There are three models for VPNs:

The gateway-to-gateway model protects communications between two specific networks, such as an organization's main office network and a branch office network, or between two business partners' networks.

The host-to-gateway model protects communications between one or more individual hosts and an organization's specific network, allowing hosts on unsecured networks, such as traveling employees and telecommuters, to have access to the organization's internal services.

The host-to-host model protects communications between two specific computers and is most often used when a small number of users need access to a remote system.

IPsec implementations can be used to support VPN services. SP 800-77 establishes the following requirements for the configuration of IPsec VPNs:

* The VPN must provide confidentiality protection through encryption for any information that will traverse a VPN and that should not be seen by non-VPN users.

* A VPN must use a FIPS-approved encryption algorithm. The Advanced Encryption Algorithm in Cipher Block Chaining mode (AES-CBC) is highly recommended. Triple DES in Cipher Block Chaining mode (3DES-CBC) is acceptable as well.

* A VPN must always provide integrity protection.

* A VPN must use a FIPS-approved algorithm to provide for integrity protection. HMAC-SHA-1 is highly recommended and is based on FIPS 198, Keyed-Hash Message Authentication Code (HMAC), and FIPS 180-2, Secure Hash Standard.
* A VPN should provide replay protection.

* IKE security associations (SAs) for applications of IKE version 1 should have a lifetime no greater than 24 hours, and IPsec SAs should have a lifetime no greater than 8 hours. For IKE version 2, IKE SAs for the original packets should be re-keyed at least every 24 hours, and SAs for encapsulated packets associated with the original packets should be re-keyed after 8 hours at most.

* The Diffie-Hellman (DH) group of values is used to specify the encryption generator type and key length to be used for generating shared secrets. The value used to establish the secret keying material for IKE and IPsec should be consistent with current security requirements. Specific DH groups are defined for use with IKE. DH group 2 should be used for Triple DES and for AES with a 128-bit key. For greater security, DH group 5 or DH group 14 may be used for AES. IPsec implementations include DH group 2; most include DH group 5; very few include DH group 14. Use of the larger DH groups results in increased processing time.

IPsec Planning and Implementation

NIST advises that agencies apply the principles of the System Development Life Cycle and carry out a risk-based and phased approach in planning for and implementing IPsec in their networked systems. This approach enables agencies to determine appropriate priorities for protecting their systems, to apply appropriate technologies, including the use of IPsec and VPNs, and to incorporate new technology when needed to meet changing requirements.

Organizations should identify their needs to protect their networked communications and determine which computers, networks, and data are part of the networked communications. They should determine how their needs can best be met, and where and how security technology should be implemented.
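The VPN configuration requirements listed above (approved cipher, mandatory FIPS-approved integrity, replay protection, SA lifetime ceilings, and the DH-group-per-cipher rule) are the kind of thing an administrator reviews across many tunnels at once. The Python checker below is an added example for this edition, not the bulletin's or SP 800-77's own tooling; it transcribes the requirements exactly as this bulletin words them, and the `VpnPolicy` record, its algorithm identifier strings (`aes-cbc`, `3des-cbc`, `hmac-sha1`) and the two sample tunnels are constructed for the example rather than taken from any product's configuration syntax.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Thresholds and algorithm sets transcribed from the SP 800-77 requirements as
# summarised in this bulletin. Identifier strings are this example's own convention.
MAX_IKE_SA_LIFETIME_H = 24      # IKE SA lifetime (IKEv1) / re-key interval (IKEv2)
MAX_IPSEC_SA_LIFETIME_H = 8     # IPsec SA lifetime / re-key interval
APPROVED_ENCRYPTION = {"aes-cbc", "3des-cbc"}   # AES-CBC recommended, 3DES-CBC acceptable
APPROVED_INTEGRITY = {"hmac-sha1"}              # HMAC-SHA-1 (FIPS 198 / FIPS 180-2)
# DH group 2 for Triple DES and for AES-128; groups 5 or 14 may be used with AES.
# (Reading "should be used" strictly: 3DES is paired with group 2 only.)
ALLOWED_DH_GROUPS = {"3des-cbc": {2}, "aes-cbc": {2, 5, 14}}
DH_GROUPS_NAMED_IN_GUIDE = {2, 5, 14}


@dataclass
class VpnPolicy:
    """One tunnel's negotiated parameters (constructed record for this example)."""
    name: str
    encryption: Optional[str]    # e.g. "aes-cbc"; None means no encryption at all
    key_bits: int
    integrity: Optional[str]     # e.g. "hmac-sha1"; None means no integrity protection
    dh_group: int
    ike_sa_lifetime_h: float
    ipsec_sa_lifetime_h: float
    replay_protection: bool


def check_policy(p: VpnPolicy) -> List[str]:
    """Return one finding per violated requirement; an empty list means compliant.
    Each finding starts with a short code so results are easy to aggregate."""
    f: List[str] = []
    if p.encryption is None:
        f.append("ENC: no encryption; confidentiality protection through encryption is required")
    elif p.encryption not in APPROVED_ENCRYPTION:
        f.append(f"ENC: {p.encryption} is not FIPS-approved; use AES-CBC (3DES-CBC is acceptable)")
    if p.integrity is None:
        f.append("INT: no integrity protection; a VPN must always provide it")
    elif p.integrity not in APPROVED_INTEGRITY:
        f.append(f"INT: {p.integrity} is not FIPS-approved; HMAC-SHA-1 is recommended")
    # For a non-approved cipher there is no cipher-specific rule, so fall back to
    # the set of groups the guide names at all.
    allowed = ALLOWED_DH_GROUPS.get(p.encryption, DH_GROUPS_NAMED_IN_GUIDE)
    if p.dh_group not in allowed:
        f.append(f"DH: group {p.dh_group} is not in {sorted(allowed)} for {p.encryption}")
    if p.ike_sa_lifetime_h > MAX_IKE_SA_LIFETIME_H:
        f.append(f"IKE-SA: lifetime {p.ike_sa_lifetime_h}h exceeds {MAX_IKE_SA_LIFETIME_H}h")
    if p.ipsec_sa_lifetime_h > MAX_IPSEC_SA_LIFETIME_H:
        f.append(f"IPSEC-SA: lifetime {p.ipsec_sa_lifetime_h}h exceeds {MAX_IPSEC_SA_LIFETIME_H}h")
    if not p.replay_protection:
        f.append("REPLAY: replay protection disabled; a VPN should provide it")
    return f


def audit(policies: List[VpnPolicy]) -> Dict[str, List[str]]:
    """Map each tunnel name to its findings."""
    return {p.name: check_policy(p) for p in policies}


# Two constructed tunnels: one that meets every requirement and one legacy
# configuration that violates all of them.
COMPLIANT = VpnPolicy("branch-to-hq", "aes-cbc", 128, "hmac-sha1", 2, 24, 8, True)
WEAK = VpnPolicy("legacy-partner", "des-cbc", 56, None, 1, 72, 24, False)


if __name__ == "__main__":
    for name, findings in audit([COMPLIANT, WEAK]).items():
        print(f"{name}: {'compliant' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

The lifetime and group ceilings are deliberately data, not logic, so that when the organization's own IPsec policy (the document the design phase below says must record these decisions) tightens a value, only the constants at the top change.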
The next phase of the risk-based approach is to design the solution that meets the needs, taking into account four major issues:

The architectural design includes consideration of host and gateway placement, IPsec client software selection, and host address space management.

An authentication method, such as pre-shared key or digital signature, should be selected.

The algorithms for encryption and integrity protection, and the key strength for algorithms that support multiple key lengths, should be selected.

The packet filters should be determined to control the types of traffic to be permitted and denied, and to apply appropriate protection and compression measures to each type of permitted traffic.

The decisions made regarding authentication, cryptography, and packet filters should be documented in the organization's IPsec policy.

Organizations should then implement and test a prototype of the designed solution in a laboratory or test environment. The primary goals of the testing are to evaluate the functionality, performance, scalability, and security of the solution, and to identify any issues, such as compatibility and interoperability of the IPsec components. The security of the implementation is a special concern, since no protocol can be totally secure. Special attention should be paid to the security of stored keys, the traffic that passes through the packet filters, and the use of patches that are developed as new vulnerabilities are found.

When the testing has been completed and all issues have been resolved, organizations should deploy the solution by migrating gradually to the use of IPsec throughout the enterprise. The gradual approach enables managers to replace the existing network infrastructure and applications, to train users, to evaluate the impact of the IPsec solution, and to resolve issues. Most of the issues that can occur during IPsec deployment are the same types of issues that occur during any large IT deployment.
Service to users, the performance of the network, and client software may be affected.

The last phase of the planning and implementation cycle is to manage the solution throughout its life cycle. In this phase, the IPsec architecture, policies, software, and other components of the deployed solution are maintained. Patches to IPsec software should be tested and applied as appropriate. The management phase also involves providing support for new sites and users, monitoring performance, testing the system periodically, and adapting new policies as requirements change. The life cycle process is repeated when enhancements or significant changes need to be incorporated into the solution.

More Information

The IPsec protocols were developed within the IPsec Working Group of the Internet Engineering Task Force (IETF). They are defined in two types of documents: Request for Comment (RFC), which are accepted standards, and Internet-Drafts, which are working documents that may become RFCs. A list of IPsec documents can be found at http://www.ietf.org/html.charters/OLD/ipsec-charter.html

Federal agencies must use FIPS-approved encryption algorithms contained in validated cryptographic modules. The Cryptographic Module Validation Program (CMVP) is a joint effort of NIST and the Communications Security Establishment (CSE) of the Government of Canada. The CMVP coordinates FIPS 140-2 testing and has issued validation certificates for more than 600 cryptographic modules. The CMVP website is located at http://csrc.nist.gov/cryptval/.

FIPS 140-2, Security Requirements for Cryptographic Modules, is available at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.

See http://csrc.nist.gov/cryptval/des.htm for information on FIPS-approved symmetric key algorithms.

FIPS-approved algorithms must also be used for digital signatures. See http://csrc.nist.gov/cryptval/dss.htm.
The National Vulnerability Database (NVD) is a comprehensive database of cyber security vulnerabilities in information technology (IT) products. It was developed by NIST with the support of the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security. The NVD integrates all publicly available U.S. government vulnerability resources and includes references to industry resources. See http://nvd.nist.gov.

NIST publications can help you in planning and implementing a comprehensive approach to IT security. For information about NIST publications and standards that are referenced in the IPsec guide, as well as other security-related publications, see http://csrc.nist.gov/publications/index.html.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

From isn at c4i.org Thu Apr 27 01:43:50 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 27 Apr 2006 00:43:50 -0500 (CDT)
Subject: [ISN] Bugs put widely used DNS software at risk
Message-ID:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,110897,00.html

By Robert McMillan
APRIL 26, 2006
IDG NEWS SERVICE

A number of flaws in the software that is used to administer the Internet's Domain Name System have been discovered by researchers at Finland's University of Oulu. The vulnerabilities could be exploited to "cause a variety of outcomes," including crashing the DNS server or possibly providing attackers with a way to run unauthorized software, according to an advisory, posted today by the U.K.'s National Infrastructure Security Co-ordination Centre.
Oulu researchers have created a DNS test suite that can be used to test for these vulnerabilities, and a number of DNS software providers, including Juniper Networks Inc. and the Internet Software Consortium, have confirmed that some of their products are vulnerable. The bug found in the Internet Software Consortium's BIND (Berkeley Internet Name Domain) software is "not considered high-risk," the researchers said. Hitachi Ltd. and Wind River Systems Inc. have said that their products are not affected. Microsoft Corp., Cisco Systems Inc. and Sun Microsystems Inc. are testing their products and could not immediately say whether customers would be affected. Collectively the world's DNS servers manage the Internet's system for converting easy-to-remember Web addresses, like Google.com, into the unique IP addresses that are used by machines. These servers have come under increasing scrutiny because recent attacks have shown how the DNS system could potentially be compromised to bring down a large number of Web sites. Last month, VeriSign Inc. revealed that unknown attackers had used compromised computers and DNS servers to launch a denial-of-service attack against about 1,500 organizations. Shortly after that attack was publicized, hackers attacked DNS servers at Network Solutions Inc., and Joker.com, a domain-name registrar based in Germany. Both of these events ended up disrupting service to customers. More information, including a list of vendor comments on these latest vulnerabilities can be found on the U.K. National Infrastructure Security Co-ordination Centre site [1]. 
[1] http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf From isn at c4i.org Fri Apr 28 06:37:08 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 28 Apr 2006 05:37:08 -0500 (CDT) Subject: [ISN] Breach case could curtail web flaw finders Message-ID: http://www.theregister.co.uk/2006/04/28/breach_suspect_prosecuted/ By Robert Lemos SecurityFocus 28th April 2006 Security researchers and legal experts have voiced concern this week over the prosecution of an information technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission. Last Thursday, the US Attorney's Office in the Central District of California leveled a single charge of computer intrusion against San Diego-based information technology professional Eric McCarty, alleging that he used a web exploit to illegally access an online application system for prospective students of the University of Southern California last June. The security issue, which could have allowed an attacker to manipulate a database of some 275,000 USC student and applicant records, was reported to SecurityFocus that same month. An article was published after the university was notified of the issue and fixed the vulnerable web application. The prosecution of the IT professional that found the flaw shows that security researchers have to be increasingly careful of the legal minefield they are entering when reporting vulnerabilities, said Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a digital-rights advocacy group. "I think the bottom line is that anybody that does disclosures of security vulnerabilities has to be very careful (so as to) not be accused of being a hacker," Tien said. "The computer trespass laws are very, very tricky." 
The case comes as reports of data breaches against corporations and universities are on the rise and could make security researchers less likely to bring flaws to the attention of websites, experts told SecurityFocus. This week, the University of Texas at Austin stated that a data thief attacking from an internet address in the Far East likely copied 197,000 personal records, many containing social security numbers. In September, a Massachusetts teenager was sentenced to 11 months in a juvenile detention facility for hacking into telecommunications provider T-mobile and data collection firm Lexis-Nexis. And, in March, an unidentified hacker posted on the Business Week Online website instructions on how to hack into the admissions site of top business schools using a flaw in the ApplyYourself admissions program. Eric McCarty, reached on Friday at the cell phone number published in the affidavit provided by the FBI in the case, said security researchers should take note that websites would rather be insecure than have flaws pointed out. "Keep them to yourself - being a good guy gets you prosecuted," McCarty said during the interview. "I can say honestly that I am no longer interested in assisting anyone with their vulnerabilities." McCarty confirmed that he had contacted SecurityFocus in June, offered information about the means of contact as proof, and waived the initial agreement between himself and this reporter to not be named in subsequent articles. When the FBI came knocking in August, McCarty had told them everything, believing he had nothing to hide, he said. "The case is cut and dried," McCarty said. "The logs are all there and I never attempted to hide or not disclose anything. I found the vulnerability, and I reported it to them (USC) to try to prevent identity theft." McCarty admitted he had accessed the database at the University of Southern California, but stressed that he had only copied a small number of records to prove the vulnerability existed. 
The FBI's affidavit, which states that a file with seven records from the database was found on McCarty's computer, does not claim that the IT professional attempted to use the personal records for any other purpose. To other security researchers, the case underscores the asymmetric legal power of websites in confronting flaw finders: Because finding any vulnerability in a server online necessarily means that the researcher had exceeded authorisation, the flaw finder has to rely on the mercy of the site when reporting, said HD Moore, a noted researcher and co-founder of the Metasploit Project. "It is just a crappy situation in general right now," Moore said. "You have to count on the goodwill of the people running the site. There are cases when there are vulnerable websites out there, but unless you have an anonymous web browser and a way to hide your logs, there is no way to report a vulnerability safely." Moore points to McCarty's case and the case of Daniel Cuthbert - who fell afoul of British law when he checked out the security of a charity website by attempting to access top-level directories on the web server - as warnings to researchers to leave websites alone. In October, Cuthbert was convicted of breaking the Computer Misuse Act, fined £400, and ordered to pay £600 in restitution. Other researchers should be ready to pay as well, Moore said. Anyone who affects the performance of a server on the internet could find themselves in court, he said. "Even if you look at the port scanning stuff - which is not technically illegal - if you knock down the server in the process of port scanning it, then you are liable for all the damages of it being down," Moore said. Such legal issues are one reason for not testing websites at all, said security researcher David Aitel, chief technology officer of security services firm Immunity.
"We don't do research on websites," Aitel said, adding that the increasing reliance of programs on communicating with other programs has made avoiding web applications more difficult. "The more your applications are interconnected the more difficult it is to get permission to do vulnerability research." Moreover, such a legal landscape does not benefit the internet companies, Aitel stressed. While companies may prefer to not know about a vulnerability rather than have it publicly reported, just because a vulnerability is not disclosed does not mean that the website is not threatened. "If this is an SQL injection flaw that Eric McCarty can find by typing something into his web browser then it is retarded to think that no one else could do that," Aitel said. The US Attorney's Office alleges that McCarty's actions caused the university to shutter its system for 10 days, resulting in $140,000 in damages. The university had provided investigators with an internet address which had suspiciously accessed the application system multiple times in a single hour, according to the affidavit provided by the FBI in the case. The information allowed the FBI to execute a search warrant against McCarty, discover the names of his accounts on Google's Gmail and subpoena those records from the internet giant, the court document stated. Among the emails were messages sent from an account - "ihackedusc at gmail.com" - to SecurityFocus detailing the vulnerability, according to the affidavit. The US Attorney's Office declined to comment for this article. A representative of the University of Southern California also declined to comment except to say that the school is cooperating with the investigation. "It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant US Attorney for the US Department of Justice's cybercrime and intellectual property crimes section, said last week after his office announced the charge.
"He went beyond that and gained additional information regarding the personal records of the applicant. If you do that, you are going to face - like he does - prosecution." The case has aspects similar to the prosecution of Adrian Lamo, dubbed the Homeless Hacker, for breaching systems at the New York Times. Lamo would frequently seek out vulnerabilities in online systems, exploit the vulnerabilities to gain proof of the flaws, and then contact the company - and a reporter - to help close the security hole. In 2004, Lamo pleaded guilty to compromising the New York Times network, served six months under house arrest and had to pay $65,000 in restitution. In the University of Southern California case, McCarty identified the vulnerability in the USC system when he decided to apply to the school and, before registering, used a common class of flaws known as structured query language (SQL) injection to test the site, he said during last week's interview. Such attacks exploit a flaw in the code that processes user input on a website. In the USC case, special code could be entered into the username and password text boxes to retrieve applicants' records, according to the FBI's affidavit. USC administrators initially claimed to SecurityFocus that an analysis of the system and log files indicated that only two database records could be retrieved using the SQL injection flaw. After additional records were provided to the administrators, the university acknowledged that the entire database was threatened by the flaw. The FBI's affidavit contains the email that McCarty allegedly sent to SecurityFocus with two additional records from the database. The events outlined in the affidavit indicated that McCarty tried to act responsibly, said Jennifer Granick, a cybercrime attorney and executive director of the Stanford Law School's Center for Internet and Society. 
"Here is a guy who didn't use the information, he notified the school - albeit through a third party - what was he supposed to do differently?" Granick said. "It's a Catch-22 for the security researcher, because they have arguably broken a law in finding the flaw." The case does underscore that researchers will have to become more savvy about dealing with the legal aspects of their craft, said David Endler, director of security research for 3Com subsidiary TippingPoint. "Finding a vulnerability in a website is a bit different than finding a vulnerability in a product. You can do a lot of things to a product that won't affect users. You shouldn't poke around a website unless you have permission or have been hired to do it...it's just not worth it." As the creator of two vulnerability-buying programs, Endler is familiar with the contorted legal issues that can sometimes face vulnerability researchers. He believes that cases, such as McCarty's prosecution, will likely lead to researchers either allying themselves with one of the flaw-bounty programs or declining to disclose any discoveries. Already, the influence of corporate legal teams had reduced the significance of the vulnerability disclosure movement, Immunity's Aitel said. "The peak of disclosure has long passed us," he said. "Who out there is really giving away bugs these days? The disclosure movement passed us by more than two years ago and people have gone underground with their bugs." And having fewer security researchers looking over the shoulders of website administrators and internet software makers will only mean less pressure to fix vulnerabilities and weaker security for sites on the internet, the EFF's Tien said. "There is an under-disclosure of vulnerabilities and weaknesses, and that is a bad thing for security, because the less people know about security problems, the less pressure is put on companies to improve security," Tien said.
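The class of flaw at the centre of the case, a login form whose username and password boxes are spliced straight into a SQL query, is easy to see in a few lines. What follows is an added illustration, not code from the article, from SecurityFocus or from USC's application system: a Python stand-in using sqlite3 in place of the university's database, with a constructed "applicants" table (the table name, its columns and the three sample rows are assumptions made for the example). It shows the concatenated query that a single quote in either text box turns into a dump of every applicant record, next to the parameterised query that treats the same input as plain data. The two payloads are standard textbook forms; the article does not say what was typed into the USC form.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for an applications database.

    The table, its columns and the three applicants are constructed for this
    example only; nothing here comes from the system described in the article.
    Passwords are stored in the clear purely to keep the demo short.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants ("
        "  id INTEGER PRIMARY KEY,"
        "  username TEXT NOT NULL,"
        "  password TEXT NOT NULL,"
        "  full_name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO applicants (username, password, full_name) VALUES (?, ?, ?)",
        [
            ("alice", "hunter2", "Alice Example"),
            ("bob", "swordfish", "Bob Example"),
            ("carol", "letmein", "Carol Example"),
        ],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Row]:
    """Login check that pastes the two form fields into the SQL text.

    A quote typed into either box ends the string literal, and everything
    after it is parsed as SQL. A real login returns one row; an injected
    one can return every row in the table.
    """
    sql = (
        "SELECT id, full_name FROM applicants "
        "WHERE username = '" + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[Row]:
    """The same check with bound parameters.

    The SQL text is fixed at development time; the driver hands the two
    values to the engine separately, so quotes and comment markers inside
    them are only characters compared against the column, never SQL.
    """
    sql = "SELECT id, full_name FROM applicants WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# One payload per text box. Both are generic textbook strings, not anything
# quoted from the affidavit.
USERNAME_PAYLOAD = "' OR 1=1 --"   # close the literal, OR in a tautology, comment out the rest
PASSWORD_PAYLOAD = "' OR '1'='1"   # close the literal; the query's own final quote closes '1'


def demo() -> dict:
    """Run the vulnerable and the fixed check against the same inputs."""
    conn = build_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "hunter2"),
        "username_box_injected": login_vulnerable(conn, USERNAME_PAYLOAD, "anything"),
        "password_box_injected": login_vulnerable(conn, "alice", PASSWORD_PAYLOAD),
        "legit_safe": login_safe(conn, "alice", "hunter2"),
        "username_box_safe": login_safe(conn, USERNAME_PAYLOAD, "anything"),
        "password_box_safe": login_safe(conn, "alice", PASSWORD_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:24s} -> {len(rows)} row(s): {rows}")
```

Run as a script, the vulnerable check returns all three applicants for either payload while the parameterised check returns none, which is the whole of Aitel's point above: a flaw that falls to a string typed into a browser is found by whoever tries first. Binding parameters removes the injection; it does not make the login itself sound, since the passwords here are still stored unhashed.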
-=- Author's note: As described in the article, the FBI's affidavit supporting the charge against Eric McCarty of computer intrusion alleges that he was the source for an article published on SecurityFocus by the author. The author did not cooperate with the FBI's investigation nor was he asked to do so. In an interview conducted on Friday and in an email exchange, McCarty provided proof that he was the author's source and waived the condition of anonymity that he requested for the original article. This article originally appeared in Security Focus. Copyright © 2006, SecurityFocus From isn at c4i.org Fri Apr 28 06:37:23 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 28 Apr 2006 05:37:23 -0500 (CDT) Subject: [ISN] Next step in pirating: Faking a company Message-ID: http://www.iht.com/articles/2006/04/27/business/nec.php By David Lague International Herald Tribune APRIL 28, 2006 BEIJING - At first it seemed to be nothing more than a routine, if damaging, case of counterfeiting in a country where faking it has become an industry. Reports filtering back to the Tokyo headquarters of the Japanese electronics giant NEC in mid-2004 alerted managers that pirated keyboards and recordable CD and DVD discs bearing the company's brand were on sale in retail outlets in Beijing and Hong Kong. Like hundreds, if not thousands, of manufacturers now locked in a war of attrition with intellectual property thieves in China, the company hired an investigator to track down the pirates. After two years and thousands of hours of investigation in conjunction with law enforcement agencies in China, Taiwan and Japan, the company said it had uncovered something far more ambitious than clandestine workshops turning out inferior copies of NEC products. The pirates were faking the entire company.
Evidence seized in raids on 18 factories and warehouses in China and Taiwan over the past year showed that the counterfeiters had set up what amounted to a parallel NEC brand with links to a network of more than 50 electronics factories in China, Hong Kong and Taiwan. In the name of NEC, the pirates copied NEC products, and went as far as developing their own range of consumer electronic products - everything from home entertainment centers to MP3 players. They also coordinated manufacturing and distribution, collecting all the proceeds. The Japanese company even received complaints about products - which were of generally good quality - that they did not make or provide with warranties. NEC said it was unable to estimate the total value of the pirated goods from these factories, but the company believed the organizers had "profited substantially" from the operation. "These entities are part of a sophisticated ring, coordinated by two key entities based in Taiwan and Japan, which has attempted to completely assume the NEC brand," said Fujio Okada, the NEC senior vice president and legal division general manager, in written answers to questions. "Many of these entities are familiar with each other and cooperate with each other to develop, manufacture and sell products utilizing the NEC brand." NEC declined to identify the companies for legal reasons. Officials from branch offices of the Chinese State Administration of Industry and Commerce in southern China confirmed that counterfeit goods carrying the NEC brand had been seized in raids on a number of factories and that investigations were continuing. Some technology companies have been criticized for piecemeal and half-hearted attempts to protect their intellectual property, but Okada said NEC was prepared to take proactive measures to defend its brand. NEC had not previously made public the piracy in order not to compromise its investigation.
NEC said it would continue collecting evidence to support further criminal complaints. It was also planning to start civil lawsuits against some factories while negotiating with others. Steve Vickers, president of International Risk, a Hong Kong-based company that NEC hired to investigate the piracy, said documents and computer records seized by the police during the factory and warehouse raids had revealed the scope of the piracy. These records showed that the counterfeiters carried NEC business cards, commissioned product research and development in the company's name and signed production and supply orders. He said they also required factories to pay royalties for "licensed" products and issued official-looking warranty and service documents. Some of the factories that were raided had erected bogus NEC signs and shipped their products packaged in authentic looking boxes and display cases. NEC said about 50 products were counterfeited, including home entertainment systems, MP3 players, batteries, microphones and DVD players. Many of these pirated items were not part of the genuine NEC product range. The investigation also revealed that fake goods from these factories were on sale in Taiwan, mainland China, Hong Kong, Southeast Asia, North Africa, the Middle East and Europe. In some cases, they were being sold alongside legitimate NEC products in retail outlets. Vickers, a former senior Hong Kong police officer, said he believed that the NEC case demonstrated how piracy is evolving from opportunistic and often shoddy copying of branded goods to highly coordinated operations. "On the surface, it looked like a series of intellectual property infringements, but in reality a highly organized group has attempted to hijack the entire brand," he said. "It is not a simple case of a factory knocking off a branded product. Many of them have been given bogus paperwork that they say gives them the right to do it." 
An official for a Chinese economic inspection team in Zhuhai in the southern Chinese province of Guangdong, who would give his name only as Zeng, said the managers of one factory that had been raided insisted they had a license to manufacture NEC goods. He said that Chinese officials were seeking clarification from NEC and that the investigation was continuing. The counterfeiting attack on the NEC brand comes as the Chinese government is coming under intense international pressure to crack down on rampant intellectual property theft. The U.S. government and American businesses complain that the Chinese efforts to combat piracy have so far been ineffective. Gregory Shea, president of the U.S. Information Technology Office in Beijing, which represents more than 6,000 technology companies, said it was clear that the top Chinese leaders understood that intellectual property rights contributed to economic growth. "We commend that, but we do recognize nonetheless that the situation is not improving on the ground," he said. "It has not turned the corner." In response to the losses suffered by Japanese companies, Tokyo has called on China to crack down on piracy. Japan last year joined the United States in filing a formal request under World Trade Organization rules calling on Beijing to detail efforts it was making to enforce intellectual property rights. But piracy experts say privately that strained Chinese-Japanese ties complicate Tokyo's efforts to support Japanese companies operating in China. While intellectual property violations continue, there are clear signs that China is responding to international pressure. In the lead-up to the visit of the Chinese president, Hu Jintao, to the United States this month, Beijing began a publicity campaign to draw attention to what it said was an intensified crackdown on intellectual property theft. And, while Hu toured technology companies in the United States, the Chinese leader reinforced this message. 
After a visit to the Microsoft headquarters in Seattle on April 18, Hu said the protection of intellectual property was crucial for China's future. "It is necessary to create a favorable investment environment, good and fast development, and for China's own innovative capability," he said. "We take very seriously our promises to enforce our laws on this issue." Senior Chinese officials acknowledge that trademark violations occur, but they argue that local manufacturers were sometimes duped into producing pirated goods. At a media briefing in March, the Chinese deputy minister for customs, Gong Zheng, said many factories produced goods under license to be exported and sold under a company's brand. "It's easy for them to be deceived or lured by foreign traders to manufacture and export infringing goods," he said. Vickers agreed that Chinese factories were often just part of the problem. "The factory in China sometimes appears to be the bad guy, but often the bad guy is someone behind the scenes and they are often not in China," he said. The first phase in NEC's effort to disrupt the counterfeiters began early last year when evidence that the piracy was coordinated from Taiwan was handed over to authorities on the island. Prosecutors in the southern city of Kaohsiung issued warrants for the local police to raid a warehouse and offices in the area where investigators seized 60 pallets of counterfeit goods, mostly audio products, carrying the NEC brand. Evidence collected in these raids also implicated factories in mainland China, according to people familiar with the investigation in Taiwan. Officials at the Kaohsiung District Court said the case was still under investigation. Beginning in November, the Chinese economic authorities coordinated further raids on nine factories in the cities of Guangzhou, Zhongshan, Zhuhai and Shenzhen in Guangdong Province.
Vickers said many multinational companies were now facing similar challenges to NEC as piracy expanded and became better organized. "The reality is that factories in China will produce what they are asked to produce," he said. "The challenge is finding out who placed the orders and who funded it." Copyright © 2006 The International Herald Tribune From isn at c4i.org Fri Apr 28 06:37:36 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 28 Apr 2006 05:37:36 -0500 (CDT) Subject: [ISN] Better organization, focus needed for cybersecurity Message-ID: http://www.gcn.com/online/vol1_no1/40570-1.html By William Jackson GCN Staff 04/27/06 The government needs to establish clear lines of authority and clarify responsibility for an effective national information assurance policy, former presidential adviser Paul Kurtz said Thursday. "We have a growing body of law and regulation bearing on information security," Kurtz said at the GovSec conference in Washington. But, "we are not ready for a major disruption of the information infrastructure today, and we have a long way to go to get there." Kurtz, executive director of the Cyber Security Industry Alliance, proposed a two-tiered framework for cybersecurity, in which critical functionality could be identified for government attention, while less pressing issues are passed to the private sector. "The government doesn't have to solve everyone's problem here," Kurtz said. Market forces and self-interest could be leveraged to handle problems of public awareness, education and coordinating information. Kurtz and Tom Leighton, chief scientist for the content delivery network operator Akamai Technologies, described cyberspace as a tough neighborhood that is getting tougher. "We have to anticipate that terrorist groups will get involved in disrupting cyberinfrastructure," along with nation states, Kurtz said. We also must anticipate that attacks will succeed, and build infrastructure to survive and respond to them, they said.
"We are under constant attack," Leighton said of Akamai's network. "At any given time, we have a lot of servers taken down. And it doesn't matter, because we direct traffic elsewhere." Establishing an effective policy requires leadership. Kurtz called the still-vacant position of assistant secretary for cybersecurity in the Homeland Security Department critical to establishing a viable policy. "Unfortunately, we're almost at a one-year anniversary, and we still don't have an assistant secretary in place," he said. Kurtz referred to the government's response to Hurricane Katrina, in which primary responsibility for the efforts eventually devolved to the Defense Department. Knowing who will be needed to respond to a cyberdisaster is a critical part of establishing a policy. "If we come under attack, it's going to be the geeks who restore the networks," he said. Identifying and organizing the personnel and resources needed for such a response should be done in advance. From isn at c4i.org Fri Apr 28 06:36:27 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 28 Apr 2006 05:36:27 -0500 (CDT) Subject: [ISN] Viruses strike at Infosec networks Message-ID: http://www.vnunet.com/vnunet/news/2154837/viruses-hit-infosec Iain Thomson at Infosec vnunet.com 27 Apr 2006 IT security companies exhibiting at this year's Infosec show in London have been slammed for not practising what they preach, following the discovery that exhibition stands are hosting unsecured wireless networks and viruses aplenty. Security scanners set up by McAfee detected wireless networks that are either lacking any encryption or are using default password settings. Many of the networks running at the show are also infected with viruses which are being broadcasted to delegates. "It's bizarre and very worrying," said Greg Day, security consultant at McAfee. "Some of these viruses are ancient; one stand is pumping out Slammer which has been fixable for ages. There's really no excuse." 
Day added that a "huge variety" of viruses had been found at the show and advised visitors to make sure that their antivirus software is up to date and to turn off the wireless on laptops and PDAs unless needed. "Don't be too hard on these people," said Bruce Schneier, security guru and founder of Counterpane Internet Security. "The moral of the tale is that this stuff is really hard. I'll bet it's not a technology problem but human error; someone's just pushed the wrong buttons." From isn at c4i.org Fri Apr 28 06:36:43 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 28 Apr 2006 05:36:43 -0500 (CDT) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-17 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2006-04-20 - 2006-04-27 This week: 100 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. 
As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: Two new vulnerabilities have been discovered in Internet Explorer, which can be exploited to compromise a vulnerable system or by malicious people to disclose potentially sensitive information. Secunia has constructed a test, which can be used to see if your browser is vulnerable to the Arbitrary Content Disclosure Vulnerability: http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/ Additional details may be found in the referenced Secunia advisories below. Reference: http://secunia.com/SA19521 http://secunia.com/SA19762 -- Tom Ferris has reported some potential vulnerabilities in Mac OS X, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Currently, no solution is available from the vendor. Additional details may be found in the referenced Secunia advisory below. Reference: http://secunia.com/SA19686 -- VIRUS ALERTS: Secunia has not issued any virus alerts during the week. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA19686] Mac OS X Multiple Potential Vulnerabilities 2. [SA19631] Firefox Multiple Vulnerabilities 3. [SA19762] Internet Explorer "object" Tag Memory Corruption Code Execution 4. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing 5. [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution 6. [SA19802] Firefox "contentWindow.focus()" Memory Corruption Weakness 7. [SA19737] Linux Kernel perfmon Local Denial of Service Vulnerability 8. [SA19761] PHPSurveyor "surveyid" SQL Injection Vulnerability 9. 
[SA19752] HP StorageWorks Secure Path Denial of Service Vulnerability 10. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA19842] Juniper Networks IVE ActiveX Control Buffer Overflow [SA19795] Winny Command Parsing Buffer Overflow Vulnerability [SA19767] Skulltag Version String Handling Format String Vulnerability [SA19762] Internet Explorer "object" Tag Memory Corruption Code Execution [SA19812] Cartweaver Multiple SQL Injection Vulnerabilities [SA19806] ampleShop Multiple SQL Injection Vulnerabilities [SA19784] Pylon Anywhere Access Restriction Bypass Vulnerability [SA19783] RI Blog Login SQL Injection Vulnerability [SA19751] Bloggage "check_login.asp" SQL Injection Vulnerabilities [SA19791] IZArc Multiple Archive Directory Traversal Vulnerability [SA19771] iOpus Secure Email Attachments Password Usage Security Issue [SA19848] SolarWinds TFTP Server Directory Traversal Vulnerability [SA19844] WinAgents TFTP Server Directory Traversal Vulnerability [SA19752] HP StorageWorks Secure Path Denial of Service Vulnerability [SA19840] Groupmax Mail Client Attachment Filename Handling Weakness [SA19824] Phex Chat Request Handling Weakness [SA19819] Microsoft Office 2003 "mailto:" Automatic Attachment of Arbitrary Files UNIX/Linux: [SA19863] Debian update for mozilla [SA19862] Debian update for mozilla-firefox [SA19854] Gentoo update for xine-ui [SA19839] Gentoo update for ethereal [SA19828] Fedora update for ethereal [SA19823] SUSE update for MozillaThunderbird [SA19811] SGI Advanced Linux Environment 3 Multiple Updates [SA19805] Mandriva update for ethereal [SA19794] Mandriva update for firefox [SA19782] Slackware update for mozilla [SA19780] Red Hat update for thunderbird [SA19774] Sun Cobalt Sendmail Memory Corruption Vulnerability [SA19770] Fenice HTTP Request Handling Two Vulnerabilities [SA19759] Gentoo update for mozilla-firefox / 
mozilla-firefox-bin [SA19748] phpMyAgenda "rootagenda" File Inclusion Vulnerability [SA19856] Gentoo update for xine-lib [SA19853] xine-lib MPEG Stream Handling Buffer Overflow Vulnerability [SA19835] pdnsd DNS Query Handling Memory Leak Vulnerability [SA19833] Red Hat update for ipsec-tools [SA19832] Red Hat update for php [SA19829] Debian update for abcmidi [SA19826] abcmidi ABC Music File Handling Buffer Overflow Vulnerabilities [SA19825] Debian update for cyrus-sasl2 [SA19821] Mandriva update for mozilla-thunderbird [SA19809] Ubuntu update for cyrus-sasl2 [SA19807] Debian update for abc2ps [SA19804] Ubuntu update for ruby [SA19798] SCO OpenServer update for CUPS [SA19797] UnixWare update for CUPS [SA19790] Debian update for xzgv [SA19787] abc2ps ABC Music File Buffer Overflow Vulnerabilities [SA19785] Gentoo update for crossfire-server [SA19781] Fedora update for beagle [SA19779] Debian update for zgv [SA19778] Beagle Commandline Argument Injection Vulnerability [SA19772] Mandriva update for ruby [SA19765] Gentoo update for dia [SA19757] Gentoo update for zgv/xzgv [SA19754] Debian update for blender [SA19753] Gentoo update for cyrus-sasl [SA19800] Asterisk JPEG Image Handling Buffer Overflow Vulnerability [SA19837] Debian update for openvpn [SA19808] BIND Zone Transfer TSIG Handling Denial of Service [SA19760] Dnsmasq DHCP Broadcast Reply Denial of Service [SA19799] SCO OpenServer update for Ghostscript [SA19796] UnixWare update for xserver [SA19789] Sun Solaris "libpkcs11" Privilege Escalation Vulnerability [SA19766] Gentoo update for fbida [SA19775] Mandriva update for php [SA19763] Safari "rowspan" Attribute Denial of Service Vulnerability Other: [SA19822] Juniper Networks JUNOSe DNS Response Handling Vulnerability [SA19820] FITELnet Products DNS Handling Vulnerability [SA19847] Oc? 
3121/3122 Printer Long URL Denial of Service [SA19818] IP3 Networks NA75 SQL Injection Vulnerability and Weaknesses [SA19756] 3Com Baseline Switch 2848-SFP DHCP Potential Denial of Service Cross Platform: [SA19830] Invision Power Board Multiple Vulnerabilities [SA19788] dForum "DFORUM_PATH" File Inclusion Vulnerability [SA19773] My Gaming Ladder Combo System "stats.php" File Inclusion Vulnerability [SA19769] Ethereal Multiple Protocol Dissector Vulnerabilities [SA19761] PHPSurveyor "surveyid" SQL Injection Vulnerability [SA19749] built2go Movie Review "full_path" File Inclusion Vulnerability [SA19841] Hitachi Multiple JP1 Products Denial of Service [SA19836] photokorn SQL Injection Vulnerabilities [SA19831] PowerDNS Recursor Denial of Service Vulnerability [SA19817] QuickEStore Multiple SQL Injection Vulnerabilities [SA19813] Instant Photo Gallery "id" SQL Injection Vulnerability [SA19792] SL_site Multiple Vulnerabilities and Weakness [SA19777] Scry Directory Traversal Vulnerability and Path Disclosure Weakness [SA19776] Help Center Live osTicket SQL Injection Vulnerabilities [SA19768] OpenTTD Error Number Handling Denial of Service [SA19764] Simplog SQL Injection and Cross-Site Scripting Vulnerabilities [SA19758] Bookmark4U "config.php" Security Bypass [SA19750] DeleGate DNS Query Handling Denial of Service [SA19855] DevBB "member" Parameter Cross-Site Scripting Vulnerability [SA19843] Jax Guestbook "page" Cross-Site Scripting Vulnerability [SA19827] phpWebFTP Cross-Site Scripting Vulnerability [SA19815] DCForumLite "az" Cross-Site Scripting Vulnerability [SA19803] PHP "wordwrap()" Buffer Overflow Vulnerability [SA19801] PhpWebGallery "picture.php" Disclosure of Arbitrary Pictures [SA19793] logMethods "kwd" Cross-Site Scripting Vulnerability [SA19786] MKPortal "pmpopup.php" Cross-Site Scripting Vulnerabilities [SA19860] Oracle Database "DBMS_EXPORT_EXTENSION" Package SQL Injection [SA19802] Firefox "contentWindow.focus()" Memory Corruption Weakness 
========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA19842] Juniper Networks IVE ActiveX Control Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-27

eEye Digital Security has reported a vulnerability in Juniper IVE OS, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19842/

--

[SA19795] Winny Command Parsing Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-24

eEye Digital Security has reported a vulnerability in Winny, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19795/

--

[SA19767] Skulltag Version String Handling Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-04-24

Luigi Auriemma has reported a vulnerability in Skulltag, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19767/

--

[SA19762] Internet Explorer "object" Tag Memory Corruption Code Execution

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-25

Michal Zalewski has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19762/

--

[SA19812] Cartweaver Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-26

r0t has reported some vulnerabilities in Cartweaver, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19812/

--

[SA19806] ampleShop Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-25

r0t has reported some vulnerabilities in ampleShop, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19806/

--

[SA19784] Pylon Anywhere Access Restriction Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2006-04-24

A vulnerability has been reported in Pylon Anywhere, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19784/

--

[SA19783] RI Blog Login SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-04-24

omnipresent has discovered a vulnerability in RI Blog, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19783/

--

[SA19751] Bloggage "check_login.asp" SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-04-21

omnipresent has discovered two vulnerabilities in Bloggage, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19751/

--

[SA19791] IZArc Multiple Archive Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-04-24

Claus Berghamer has discovered a vulnerability in IZArc, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19791/

--

[SA19771] iOpus Secure Email Attachments Password Usage Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-04-25

NtWaK0 and NoPh0BiA have reported a security issue in iOpus Secure Email Attachments, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19771/

--

[SA19848] SolarWinds TFTP Server Directory Traversal Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2006-04-27

Rapid7 has reported a vulnerability in SolarWinds TFTP Server, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19848/

--

[SA19844] WinAgents TFTP Server Directory Traversal Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2006-04-27

Rapid7 has reported a vulnerability in WinAgents TFTP Server, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19844/

--

[SA19752] HP StorageWorks Secure Path Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-04-21

A vulnerability has been reported in HP StorageWorks Secure Path, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19752/

--

[SA19840] Groupmax Mail Client Attachment Filename Handling Weakness

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-04-26

A weakness has been reported in Groupmax Mail Client, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19840/

--

[SA19824] Phex Chat Request Handling Weakness

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-04-27

A weakness has been reported in Phex, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19824/

--

[SA19819] Microsoft Office 2003 "mailto:" Automatic Attachment of Arbitrary Files

Critical:    Not critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2006-04-26

Inge Henriksen has discovered a weakness in Microsoft Office 2003, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/19819/

UNIX/Linux:--

[SA19863] Debian update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Released:    2006-04-27

Debian has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19863/

--

[SA19862] Debian update for mozilla-firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Released:    2006-04-27

Debian has issued an update for mozilla-firefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, cause a DoS (Denial of Service), and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/19862/

--

[SA19854] Gentoo update for xine-ui

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-27

Gentoo has issued an update for xine-ui. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19854/

--

[SA19839] Gentoo update for ethereal

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-04-27

Gentoo has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19839/

--

[SA19828] Fedora update for ethereal

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-04-26

Fedora has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19828/

--

[SA19823] SUSE update for MozillaThunderbird

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of system information, Exposure of sensitive information, System access
Released:    2006-04-26

SUSE has issued an update for MozillaThunderbird. This fixes some vulnerabilities, where the most critical ones can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and spoofing attacks, potentially disclose sensitive information, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19823/

--

[SA19811] SGI Advanced Linux Environment 3 Multiple Updates

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Released:    2006-04-26

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, to disclose certain sensitive information, bypass certain security restrictions, or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19811/

--

[SA19805] Mandriva update for ethereal

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-04-26

Mandriva has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19805/

--

[SA19794] Mandriva update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Released:    2006-04-25

Mandriva has issued an update for firefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19794/

--

[SA19782] Slackware update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Released:    2006-04-25

Slackware has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19782/

--

[SA19780] Red Hat update for thunderbird

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released:    2006-04-24

Red Hat has issued an update for thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, potentially disclose sensitive information, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19780/

--

[SA19774] Sun Cobalt Sendmail Memory Corruption Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-26

Sun has acknowledged a vulnerability in Sun Cobalt, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19774/

--

[SA19770] Fenice HTTP Request Handling Two Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-04-24

Luigi Auriemma has reported two vulnerabilities in Fenice, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19770/

--

[SA19759] Gentoo update for mozilla-firefox / mozilla-firefox-bin

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Released:    2006-04-24

Gentoo has issued an update for mozilla-firefox / mozilla-firefox-bin. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, cause a DoS (Denial of Service), and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19759/

--

[SA19748] phpMyAgenda "rootagenda" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-25

Aesthetico has discovered a vulnerability in phpMyAgenda, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19748/

--

[SA19856] Gentoo update for xine-lib

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-27

Gentoo has issued an update for xine-lib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19856/

--

[SA19853] xine-lib MPEG Stream Handling Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-27

Federico L. Bossi Bonin has reported a vulnerability in xine-lib, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19853/

--

[SA19835] pdnsd DNS Query Handling Memory Leak Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-04-26

A vulnerability has been reported in pdnsd, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19835/

--

[SA19833] Red Hat update for ipsec-tools

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-04-26

Red Hat has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/19833/

--

[SA19832] Red Hat update for php

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, DoS, System access
Released:    2006-04-26

Red Hat has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, by malicious users to cause a DoS (Denial of Service) or to compromise a vulnerable system, and by malicious people to use PHP as an open mail relay, gain knowledge of potentially sensitive information, to conduct cross-site scripting attacks, and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19832/

--

[SA19829] Debian update for abcmidi

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-26

Debian has issued an update for abcmidi. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19829/

--

[SA19826] abcmidi ABC Music File Handling Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-26

Erik Sjölund has reported some vulnerabilities in abc2midi, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19826/

--

[SA19825] Debian update for cyrus-sasl2

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-04-26

Debian has issued an update for cyrus-sasl2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19825/

--

[SA19821] Mandriva update for mozilla-thunderbird

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released:    2006-04-26

Mandriva has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, potentially disclose sensitive information, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19821/

--

[SA19809] Ubuntu update for cyrus-sasl2

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-04-26

Ubuntu has issued an update for cyrus-sasl2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19809/

--

[SA19807] Debian update for abc2ps

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-25

Debian has issued an update for abc2ps. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19807/

--

[SA19804] Ubuntu update for ruby

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-04-26

Ubuntu has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19804/

--

[SA19798] SCO OpenServer update for CUPS

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-04-24

SCO has issued an update for CUPS. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19798/

--

[SA19797] UnixWare update for CUPS

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-04-24

SCO has issued an update for CUPS. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19797/

--

[SA19790] Debian update for xzgv

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-24

Debian has issued an update for xzgv. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19790/

--

[SA19787] abc2ps ABC Music File Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-25

Erik Sjölund has reported some vulnerabilities in abc2ps, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19787/

--

[SA19785] Gentoo update for crossfire-server

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-04-24

Gentoo has issued an update for crossfire-server. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19785/

--

[SA19781] Fedora update for beagle

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-25

Fedora has issued an update for beagle. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19781/

--

[SA19779] Debian update for zgv

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-24

Debian has issued an update for zgv. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19779/

--

[SA19778] Beagle Commandline Argument Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-25

Chris Evans has reported a vulnerability in Beagle, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19778/

--

[SA19772] Mandriva update for ruby

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-04-26

Mandriva has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19772/

--

[SA19765] Gentoo update for dia

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-24

Gentoo has issued an update for dia. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19765/

--

[SA19757] Gentoo update for zgv/xzgv

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-21

Gentoo has issued updates for zgv and xzgv. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19757/

--

[SA19754] Debian update for blender

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-04-24

Debian has issued an update for blender. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/19754/

--

[SA19753] Gentoo update for cyrus-sasl

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-04-21

Gentoo has issued an update for cyrus-sasl. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19753/

--

[SA19800] Asterisk JPEG Image Handling Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2006-04-24

Emmanouel Kellinis has reported a vulnerability in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19800/

--

[SA19837] Debian update for openvpn

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-04-27

Debian has issued an update for openvpn. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19837/

--

[SA19808] BIND Zone Transfer TSIG Handling Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-04-26

A vulnerability has been reported in ISC BIND, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19808/

--

[SA19760] Dnsmasq DHCP Broadcast Reply Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-04-24

A vulnerability has been reported in Dnsmasq, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19760/

--

[SA19799] SCO OpenServer update for Ghostscript

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-04-24

SCO has issued an update for Ghostscript. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/19799/

--

[SA19796] UnixWare update for xserver

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-04-24

SCO has issued an update for xserver. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/19796/

--

[SA19789] Sun Solaris "libpkcs11" Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-04-25

A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/19789/

--

[SA19766] Gentoo update for fbida

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-04-24

Gentoo has issued an update for fbida. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/19766/

--

[SA19775] Mandriva update for php

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2006-04-25

Mandriva has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19775/

--

[SA19763] Safari "rowspan" Attribute Denial of Service Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-04-25

Yannick von Arx has discovered a vulnerability in Safari, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19763/

Other:--

[SA19822] Juniper Networks JUNOSe DNS Response Handling Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-04-26

A vulnerability with unknown impact has been reported in JUNOSe.

Full Advisory:
http://secunia.com/advisories/19822/

--

[SA19820] FITELnet Products DNS Handling Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-04-26

A vulnerability with unknown impact has been reported in various FITELnet products.

Full Advisory:
http://secunia.com/advisories/19820/

--

[SA19847] Océ 3121/3122 Printer Long URL Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-04-27

Herman Groeneveld has reported a vulnerability in Océ 3121/3122 Printer, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19847/

--

[SA19818] IP3 Networks NA75 SQL Injection Vulnerability and Weaknesses

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information, Privilege escalation
Released:    2006-04-26

Ralph Moonen has reported a vulnerability and some weaknesses in IP3 Networks NA75, which can be exploited by malicious, local users to potentially gain escalated privileges and disclose or manipulate sensitive information, or by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19818/

--

[SA19756] 3Com Baseline Switch 2848-SFP DHCP Potential Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-04-25

A vulnerability has been reported in 3Com Baseline Switch 2848-SFP, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19756/

Cross Platform:--

[SA19830] Invision Power Board Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data, System access
Released:    2006-04-26

Some vulnerabilities have been reported in Invision Power Board, which can be exploited by malicious people to conduct script insertion and SQL injection attacks, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19830/

--

[SA19788] dForum "DFORUM_PATH" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-24

Mustafa Can Bjorn has reported a vulnerability in dForum, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19788/

--

[SA19773] My Gaming Ladder Combo System "stats.php" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-24

Mustafa Can Bjorn has reported a vulnerability in My Gaming Ladder Combo System, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19773/

--

[SA19769] Ethereal Multiple Protocol Dissector Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-04-25

Multiple vulnerabilities have been reported in Ethereal, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19769/

--

[SA19761] PHPSurveyor "surveyid" SQL Injection Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2006-04-21

rgod has reported a vulnerability in PHPSurveyor, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19761/

--

[SA19749] built2go Movie Review "full_path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-24

Camille Myers has reported a vulnerability in built2go Movie Review, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19749/

--

[SA19841] Hitachi Multiple JP1 Products Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-04-26

A vulnerability has been reported in multiple JP1 products, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19841/

--

[SA19836] photokorn SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-26

Dr.Jr7 has reported some vulnerabilities in photokorn, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19836/

--

[SA19831] PowerDNS Recursor Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-04-26

A vulnerability has been reported in PowerDNS, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19831/

--

[SA19817] QuickEStore Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-26

r0t has reported some vulnerabilities in QuickEStore, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19817/

--

[SA19813] Instant Photo Gallery "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-26

Qex has reported a vulnerability in Instant Photo Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19813/

--

[SA19792] SL_site Multiple Vulnerabilities and Weakness

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of system information
Released:    2006-04-24

benozor77 has discovered two vulnerabilities and a weakness in SL_site, which can be exploited by malicious people to disclose system information, and conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19792/

--

[SA19777] Scry Directory Traversal Vulnerability and Path Disclosure Weakness

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2006-04-24

Moroccan Security Team has discovered a vulnerability and a weakness in Scry, which can be exploited by malicious people to disclose system and potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19777/

--

[SA19776] Help Center Live osTicket SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-24

Some vulnerabilities have been reported in Help Center Live, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19776/

--

[SA19768] OpenTTD Error Number Handling Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-04-24

Luigi Auriemma has reported a vulnerability in OpenTTD, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19768/

--

[SA19764] Simplog SQL Injection and Cross-Site Scripting Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-24

Mustafa Can Bjorn has reported some vulnerabilities in Simplog, which can be exploited by malicious users and by malicious people to conduct SQL injection and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19764/

--

[SA19758] Bookmark4U "config.php" Security Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-04-21

MoHaJaLi has discovered a security issue in Bookmark4U, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19758/

--

[SA19750] DeleGate DNS Query Handling Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-04-26

A vulnerability has been reported in DeleGate, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19750/

--

[SA19855] DevBB "member" Parameter Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-27

Qex has reported a vulnerability in DevBB, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19855/

--

[SA19843] Jax Guestbook "page" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-27

ALMOKANN3 has discovered a vulnerability in Jax Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19843/

--

[SA19827] phpWebFTP Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-26

A vulnerability has been discovered in phpWebFTP, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19827/

--

[SA19815] DCForumLite "az" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-26

Breeeeh has reported a vulnerability in DCForumLite, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19815/

--

[SA19803] PHP "wordwrap()" Buffer Overflow Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-04-25

Leon Juranic has discovered a vulnerability in PHP, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19803/

--

[SA19801] PhpWebGallery "picture.php" Disclosure of Arbitrary Pictures

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2006-04-25

A vulnerability has been reported in PhpWebGallery, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/19801/ -- [SA19793] logMethods "kwd" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-04-24 r0t has discovered a vulnerability in logMethods, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19793/ -- [SA19786] MKPortal "pmpopup.php" Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-04-24 Mustafa Can Bjorn has discovered some vulnerabilities in MKPortal, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19786/ -- [SA19860] Oracle Database "DBMS_EXPORT_EXTENSION" Package SQL Injection Critical: Less critical Where: From local network Impact: Manipulation of data Released: 2006-04-27 David Litchfield has reported a vulnerability in Oracle Database, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19860/ -- [SA19802] Firefox "contentWindow.focus()" Memory Corruption Weakness Critical: Not critical Where: From remote Impact: DoS Released: 2006-04-25 A weakness has been discovered in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19802/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Apr 28 06:37:57 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 28 Apr 2006 05:37:57 -0500 (CDT)
Subject: [ISN] Study Shows Downside of IT Certification
Message-ID:

http://www.eweek.com/article2/0,1759,1954198,00.asp

By Deborah Rothberg
April 26, 2006

IT certifications have long been seen as a method to maximize employment opportunities and salaries in the post-dot-com-bust era, but a study released today finds that pay for certified IT skills falls short of the pay for non-certified skills.

The Q1 2006 Hot Technical Skills and Certifications Pay Index, released April 25 by Foote Partners, a New Canaan, Conn., IT compensation and workforce management firm, found that pay premiums for non-certified IT skills grew three times faster than for certified ones in a six-month period spanning 2005-2006.

The study suggests that there has been a change in employers' acceptance of the value of non-certified tech skills versus certifications in maintaining competitive pay for their workers.

"This is the first time skills have trumped certifications since our firm began surveying tech skills pay in 2000," said David Foote, president and chief research officer for the workforce research and consulting firm, in a statement. "Eighteen months ago, it was all about certifications for IT workers as employers stumbled out of the wreckage of an economic recession, looking to start hiring again.

"This is a clear indication that employers are not placing the same emphasis on certification that they once did. Perhaps more to the point, they are finding other qualities of IT professionals more critical to their businesses going forward, and they are willing to pay more for those."
Tracking the market value of 212 IT skills and certifications, premium pay for 103 non-certified skills averaged 7.1 percent of the base salary for a single skill. This number was up from 6.8 percent in Q1 2005, and 6.6 percent in Q1 2004. Pay for non-certified skills grew nearly 70 percent more than certifications, or 4.4 percent versus 2.6 percent respectively.

Among "cooling" certified tech skills, those that have lost their value in the last year, the study lists nine, including MCDST (Microsoft Certified Desktop Support Technician), CISA (Certified Information Systems Auditor), and three Novell certifications (NCDE, MCNE, and CNA).

Fourteen certifications have grown in value, showing an 11 percent or higher growth over the last year, including SCNP (Security Certified Network Professional), CISM (Certified Information Security Manager) and MCT (Microsoft Certified Trainer).

Highest-paid certifications include CISM (Certified Information Security Manager), CISA (Certified Information Systems Auditor), and five different Cisco certifications (CCDP, CCEA, CCIE, CCIP and CCSP).

Skills categories showing the most growth in the survey included Applications Development/Programming Languages, Project Management, Training, Webmaster and Security.

From isn at c4i.org Fri Apr 28 06:38:11 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 28 Apr 2006 05:38:11 -0500 (CDT)
Subject: [ISN] Davis: FISMA could prevent 'cyber Pearl Harbor'
Message-ID:

http://www.fcw.com/article94211-04-27-06-Web

By Matthew Weigelt
Apr. 27, 2006

Rep. Tom Davis (R-Va.) predicted a "cyber Pearl Harbor," an attack in the future that would penetrate the federal government in some way. He said such an attack could cause deaths or a financial breakdown.
That is why the Federal Information Security Management Act's standards are necessary as preventive measures, despite needing tweaks and improvements, he said at an Industry Advisory Council and American Council for Technology luncheon in Washington, D.C.

"It's difficult, I think, for managers out there when you get so much thrown at you," Davis said. "You've got a lot of boxes to check."

However, the standards will be forced through appropriations as lawmakers start to cooperate, he said. Davis said he is open to feedback on FISMA requirements.

The House Government Reform Committee, which Davis heads, releases a FISMA report card annually, grading each agency on its compliance with FISMA standards. It released its 2005 report card March 16. This year, the federal government as a whole had a D-plus for computer security.

Karen Evans, administrator of e-government and information technology at the Office of Management and Budget, said after the luncheon that officials are discussing the controversy over whether the security certification and accreditation standards meet the legislation's intended goals or whether FISMA is seen simply as a requirement. She said she believes that meeting standards is beneficial, "if you do it in the spirit in which it was intended."

Evans directed questions about possible upcoming changes to FISMA to Davis' committee.

According to the latest assessment of federal agencies' FISMA compliance, weaknesses and inconsistencies in agencies' security management practices left dangerous holes in critical infrastructures. Notably, agencies whose missions include homeland security received failing grades in 2005.

Grades for the Defense, Homeland Security, Justice and State departments remained below average or dropped. Of those four departments, DHS remained level with its 2004 grade of an F, according to the committee's rating. The other departments' grades fell from the previous year.
DOD went from a D to an F, Justice dropped from a B-minus to a D and State fell from a D-plus to an F. "FISMA is still viewed by some federal agencies as a paperwork exercise," Davis said at a congressional hearing in March, when the committee released the grades. "But these are shortsighted observations."