From isn at c4i.org Mon May 1 01:41:00 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:41:00 -0500 (CDT)
Subject: [ISN] Linux Advisory Watch - April 28th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  April 28th, 2006                             Volume 7, Number 18n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas      ben at linuxsecurity.com  |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, advisories were released for zgv, xzgv, blender, gdm, abc2ps, SASL, abcmidi, Mozilla, OpenVPN, kernel, gnome-pilot, qt, tzdata, procps, procinfo, beagle, jwhois, cscope, ethereal, system-config-date, pygtk, crossfire, fbida, dia, xine-ui, php, mozilla-firefox, ruby, module-init-tools, thunderbird, and ipsec-tools. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.
http://www.engardelinux.org/modules/index/register.cgi

---

Introduction: Buffer Overflow Vulnerabilities

In exploiting a buffer overflow vulnerability, the main objective is to overwrite some piece of control information in order to change the flow of control in the program. The usual way of taking advantage of this is to modify the control information so that code supplied by the attacker takes control. According to Shaneck, "The most widespread type of exploit is called 'Smashing the Stack' and involves overwriting the return address stored on the stack to transfer control to code placed either in the buffer, or past the end of the buffer." (Shaneck, 2003)

The stack is a section of memory used for temporary storage of information: function arguments, local variables, saved registers and return addresses. In a stack-based buffer overflow attack, the attacker supplies more data than a stack buffer was sized to hold, and the excess overwrites whatever is stored next to it. Farrow explains this with an example: "Let's say that a program is executing and reaches the stage where it expects to use a postal code or zip code, which it gets from a Web-based form that customers filled out." (Farrow, 2002) The longest postal code is fewer than twelve characters, but on the web form the attacker types the letter "A" 256 times, followed by some other commands. The data overflows the buffer allotted for the zip code and the attacker's commands land on the stack beyond it.

When a function is called, the address of the instruction following the call is pushed onto the stack so that the function knows where to return control when it is finished. A buffer overflow lets the attacker replace that saved return address with the address of memory where they have already placed executable code. When the function returns, control is transferred to the malicious code carried in the overflowing input, called the payload (Peikari and Chuvakin, 2004). The payload is normally code that opens remote access or otherwise brings the attacker closer to controlling the system.
As Holden explains, "a computer is flooded with more information than it can handle, and some of it may contain instructions that could damage files on the computer or disclose information that is normally protected- or give the hacker root access to the system." (Holden, 2004)

The best defense against any of these attacks is a program without such bugs. In ideal circumstances, every input path in every program would bounds-check its data and accept only the number of characters the buffer can hold. The best way to deal with buffer overflows, therefore, is not to allow them to occur in the first place. Unfortunately, not all programs are perfect, and some have bugs that permit the attacks discussed in this paper. As described by Farrow, "because programs are not perfect, programmers have come up with schemes to defend against buffer overflow attacks." (Farrow, 2002)

One technique marks the stack and the heap as holding data only, so that the processor refuses to execute any instructions found there. When Farrow wrote in 2002 this was available for UNIX systems but not for Windows; Windows has since gained the same protection as Data Execution Prevention (DEP), introduced with Windows XP Service Pack 2. Farrow describes another scheme, the stack canary, which protects only against overflows that overwrite the stack. (Farrow, 2002) A canary is a known value placed on the stack between the local buffers and the saved control data (the frame pointer and the return address that tells the computer where to continue once the current function completes). An overflow that runs from a buffer up into the return address must overwrite the canary on the way. As described by Farrow, "before return addresses get used, the program checks to see if the canary is okay." (Farrow, 2002) If the canary has been changed, the program aborts, because it knows that something has gone wrong. Note that a canary does not prevent the overflow from corrupting other local variables that sit between the buffer and the canary, and an attacker who learns the canary value can write it back in place.

As a user of the programs, the best countermeasure is to make sure your systems are fully patched, so that exploits for known vulnerabilities have nothing to target.
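As an added worked example, not part of the newsletter or of the works it cites, the C program below models the zip-code stack frame from Farrow's example as a struct so the overflow can be run safely and deterministically: an unbounded copy of an over-long input overwrites the guard word and the saved return address, a bounded copy rejects that input, and a canary check catches the smash before the return address would be used. The struct layout, the canary constant, the return-address values and the 'A'/'B' filler bytes are all assumptions chosen for the demonstration; real frames are laid out by the compiler, not by a struct.

```c
/*
 * Added example (not from the newsletter or the works it cites): a model of
 * the zip-code stack frame from Farrow's example, laid out as a struct so the
 * overflow can be run safely and deterministically. The layout, canary value,
 * return-address values and filler bytes are assumptions for the demo; real
 * frames are laid out by the compiler.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZIP_LEN      12                      /* buffer sized for a postal code  */
#define CANARY_VALUE ((uint32_t)0xDEADC0DE)  /* assumed guard word              */
#define LEGIT_RETURN ((uintptr_t)0x401000)   /* assumed genuine return address  */

/* One stack frame, lowest address first: the buffer, then the guard word,
 * then the saved return address that an overflow from the buffer reaches. */
struct frame {
    char      zip[ZIP_LEN];
    uint32_t  canary;
    uintptr_t ret;
};

/* The vulnerable pattern: a strcpy()-style copy with no bound. Bytes beyond
 * the buffer land on the canary and then on the saved return address. The
 * copy is clamped to the frame object only so the demo itself stays defined. */
static void copy_unbounded(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, input, n);
}

/* The hardened pattern: refuse anything that does not fit, NUL included. */
static int copy_bounded(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n >= ZIP_LEN)
        return -1;
    memcpy(f->zip, input, n + 1);
    return 0;
}

/* The check a stack-protector epilogue performs before the return is used. */
static int canary_intact(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Handles one zip-code input. Return codes:
 *   0  input handled, control flow intact
 *  -1  input rejected by the bounded copy
 *   1  canary tripped: stack smash detected before the "return"
 *   2  return address changed without tripping the canary (only possible if
 *      the attacker writes the correct canary value back in place) */
int process_zip(const char *input, int bounded, uintptr_t *ret_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    f.ret    = LEGIT_RETURN;

    if (bounded) {
        if (copy_bounded(&f, input) != 0)
            return -1;
    } else {
        copy_unbounded(&f, input);
    }

    if (ret_out)
        *ret_out = f.ret;
    if (!canary_intact(&f))
        return 1;
    return f.ret == LEGIT_RETURN ? 0 : 2;
}

/* Builds the classic smash: filler up to the saved return address, then the
 * attacker's chosen address ('B' bytes stand in for it). Returns its length. */
size_t build_smash(char *out, size_t cap)
{
    size_t fill = offsetof(struct frame, ret);
    size_t len  = fill + sizeof(uintptr_t);
    if (cap < len + 1)
        return 0;
    memset(out, 'A', fill);
    memset(out + fill, 'B', sizeof(uintptr_t));
    out[len] = '\0';
    return len;
}

int main(void)
{
    char attack[64];
    uintptr_t ret = 0;
    int rc;

    build_smash(attack, sizeof attack);
    rc = process_zip("02139", 0, &ret);
    printf("short input, unbounded copy : rc=%d\n", rc);
    rc = process_zip(attack, 0, &ret);
    printf("attack input, unbounded copy: rc=%d, saved return now 0x%lx\n",
           rc, (unsigned long)ret);
    rc = process_zip(attack, 1, &ret);
    printf("attack input, bounded copy  : rc=%d\n", rc);
    return 0;
}
```

Build with a plain `cc` invocation and run it; the unbounded copy of the attack string reports a tripped canary with the saved return address now reading as the attacker's 'B' bytes, while the bounded copy rejects the same input outright. GCC's -fstack-protector inserts the equivalent of canary_intact() into functions with local character buffers, which is why the bounded copy, not the canary, is the fix to ship: the canary only turns a hijack into a crash.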
Read Full Article:
http://www.linuxsecurity.com/content/view/118881/49/

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New zgv packages fix arbitrary code execution
  21st, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122512

* Debian: New xzgv packages fix arbitrary code execution
  22nd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122518

* Debian: New blender packages fix several vulnerabilities
  24th, April, 2006
  Several vulnerabilities have been discovered in blender, a very fast and versatile 3D modeller/renderer. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2005-3302, CVE-2005-4470
  http://www.linuxsecurity.com/content/view/122526

* Debian: New gdm packages fix local root exploit
  24th, April, 2006
  A vulnerability has been identified in gdm, a display manager for X, that could allow a local attacker to gain elevated privileges by exploiting a race condition in the handling of the .ICEauthority file.
  http://www.linuxsecurity.com/content/view/122527

* Debian: New abc2ps packages fix arbitrary code execution
  25th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122544

* Debian: New Cyrus SASL packages fix denial of service
  25th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122564

* Debian: New abcmidi packages fix arbitrary code execution
  26th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122571

* Debian: New Mozilla Firefox packages fix several vulnerabilities
  26th, April, 2006
  Several security related problems have been discovered in Mozilla Firefox.
  http://www.linuxsecurity.com/content/view/122578

* Debian: New Mozilla Firefox packages fix several vulnerabilities
  26th, April, 2006
  http://www.linuxsecurity.com/content/view/122581

* Debian: New OpenVPN packages fix arbitrary code execution
  27th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122591

* Debian: New Mozilla packages fix several vulnerabilities
  27th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122592

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: kernel-2.6.16-1.2096_FC4
  20th, April, 2006
  This update includes a number of security issues that have been fixed upstream over the last week or so.
  http://www.linuxsecurity.com/content/view/122490

* Fedora Core 4 Update: kernel-2.6.16-1.2096_FC4
  20th, April, 2006
  This update includes a number of security issues that have been fixed upstream over the last week or so.
  http://www.linuxsecurity.com/content/view/122491

* Fedora Core 5 Update: gnome-pilot-2.0.13-7.fc5.6
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122492

* Fedora Core 4 Update: gnome-pilot-2.0.13-5.fc4.2
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122493

* Fedora Core 4 Update: qt-3.3.4-15.5
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122494

* Fedora Core 5 Update: tzdata-2006d-1.fc5
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122495

* Fedora Core 4 Update: tzdata-2006d-1.fc4
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122496

* Fedora Core 5 Update: procps-3.2.6-3.3
  21st, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122506

* Fedora Core 5 Update: procinfo-18-18.2.2
  21st, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122507

* Fedora Core 5 Update: gnome-user-share-0.9-4
  21st, April, 2006
  Fixes login when using password.
  http://www.linuxsecurity.com/content/view/122508

* Fedora Core 5 Update: beagle-0.2.5-1.fc5.1
  21st, April, 2006
  This upgrade to 0.2.5 fixes various bugs, including making the firefox extension work again. It also contains fixes for a minor security issue where you could inject command line arguments into the indexer helpers.
  http://www.linuxsecurity.com/content/view/122509

* Fedora Core 4 Update: jwhois-3.2.3-3.3.fc4.1
  21st, April, 2006
  Updates jwhois to 3.2.3 and updates the default configuration.
  http://www.linuxsecurity.com/content/view/122510

* Fedora Core 5 Update: cscope-15.5-13.3
  21st, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122513

* Fedora Core 5 Update: ethereal-0.99.0-fc5.1
  25th, April, 2006
  Many security vulnerabilities have been fixed since the previous release.
  http://www.linuxsecurity.com/content/view/122561

* Fedora Core 4 Update: ethereal-0.99.0-fc4.1
  26th, April, 2006
  Many security vulnerabilities have been fixed since the previous release.
  http://www.linuxsecurity.com/content/view/122574

* Fedora Core 4 Update: system-config-date-1.8.3-0.fc4.1
  26th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122586

* Fedora Core 5 Update: system-config-date-1.8.3-0.fc5.1
  26th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122587

* Fedora Core 5 Update: pygtk2-2.8.6-0.fc5.1
  26th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122588

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Cyrus-SASL DIGEST-MD5 Pre-Authentication Denial of Service
  21st, April, 2006
  Cyrus-SASL contains a vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service.
  http://www.linuxsecurity.com/content/view/122498

* Gentoo: zgv, xzgv Heap overflow
  21st, April, 2006
  xzgv and zgv attempt to decode JPEG images within the CMYK/YCCK colour space incorrectly, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122499

* Gentoo: Crossfire server Denial of Service and potential
  22nd, April, 2006
  The Crossfire game server is vulnerable to a Denial of Service and potentially to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122519

* Gentoo: Mozilla Firefox Multiple vulnerabilities
  23rd, April, 2006
  Several vulnerabilities in Mozilla Firefox allow attacks ranging from execution of script code with elevated privileges to information leaks.
  http://www.linuxsecurity.com/content/view/122520

* Gentoo: fbida Insecure temporary file creation
  23rd, April, 2006
  fbida is vulnerable to linking attacks, potentially allowing a local user to overwrite arbitrary files.
  http://www.linuxsecurity.com/content/view/122521

* Gentoo: Dia Arbitrary code execution through XFig import
  23rd, April, 2006
  Buffer overflows in Dia's XFig import could allow remote attackers to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/122522

* Gentoo: xine-ui Format string vulnerabilities
  26th, April, 2006
  Format string vulnerabilities in xine-ui may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122579

* Gentoo: xine-lib Buffer overflow vulnerability
  26th, April, 2006
  xine-lib contains a buffer overflow vulnerability which may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122580

* Gentoo: Ethereal Multiple vulnerabilities in protocol dissectors
  27th, April, 2006
  Ethereal is affected by numerous vulnerabilities, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122590

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated cyrus-sasl packages address vulnerability
  24th, April, 2006
  A vulnerability in the CMU Cyrus Simple Authentication and Security Layer (SASL) library before 2.1.21 has an unknown impact and remote unauthenticated attack vectors, related to DIGEST-MD5 negotiation.
  http://www.linuxsecurity.com/content/view/122541

* Mandriva: Updated php packages address multiple vulnerabilities.
  24th, April, 2006
  A cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP <= 5.1.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed.
  http://www.linuxsecurity.com/content/view/122542

* Mandriva: Updated mozilla-firefox packages fix numerous vulnerabilities
  25th, April, 2006
  A number of vulnerabilities have been discovered in the Mozilla Firefox browser that could allow a remote attacker to craft malicious web pages that could take advantage of these issues to execute arbitrary code with elevated privileges, spoof content, and steal local files, cookies, or other information from web pages.
  http://www.linuxsecurity.com/content/view/122543

* Mandriva: Updated mozilla packages fix numerous vulnerabilities
  25th, April, 2006
  A number of vulnerabilities have been discovered in the Mozilla Suite that could allow a remote attacker to craft malicious web pages that could take advantage of these issues to execute arbitrary code with elevated privileges, spoof content, and steal local files, cookies, or other information from web pages.
  http://www.linuxsecurity.com/content/view/122565

* Mandriva: Updated ethereal packages fix numerous vulnerabilities
  25th, April, 2006
  A number of vulnerabilities have been discovered in the Ethereal network analyzer. These issues have been corrected in Ethereal version 0.99.0 which is provided with this update.
  http://www.linuxsecurity.com/content/view/122566

* Mandriva: Updated mozilla-thunderbird packages fix numerous vulnerabilities
  25th, April, 2006
  A number of vulnerabilities have been discovered in the Mozilla Thunderbird email client that could allow a remote attacker to craft malicious emails that could take advantage of these issues to execute arbitrary code with elevated privileges, spoof content, and steal local files, or other information.
  http://www.linuxsecurity.com/content/view/122567

* Mandriva: Updated ruby packages fix vulnerability
  25th, April, 2006
  A vulnerability in how ruby's HTTP module uses blocking sockets was reported by Yukihiro Matsumoto. By sending large amounts of data to a server application using this module, a remote attacker could exploit it to render the application unusable and not respond to other client requests.
  http://www.linuxsecurity.com/content/view/122570

* Mandriva: Updated module-init-tools packages fix CUPS-related bug
  27th, April, 2006
  The default configuration of module-init-tools was to send a HUP signal to the CUPS daemon whenever the "usblp" kernel module is loaded, for example when a USB printer is plugged in. Because udev also sends a HUP signal to the CUPS daemon when a USB printer is plugged in, two HUPs arrived one shortly after the other, which often caused the CUPS daemon to crash.
  http://www.linuxsecurity.com/content/view/122589

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Critical: thunderbird security update
  21st, April, 2006
  An updated thunderbird package that fixes various bugs is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122511

* RedHat: Moderate: ipsec-tools security update
  25th, April, 2006
  Updated ipsec-tools packages that fix a bug in racoon are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122550

* RedHat: Moderate: php security update
  25th, April, 2006
  Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122551

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: Mozilla Firefox, Mozilla Suite
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122489

* SuSE: MozillaThunderbird various problems
  25th, April, 2006
  Multiple vulnerabilities fixed.
  http://www.linuxsecurity.com/content/view/122549

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon May 1 01:41:15 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:41:15 -0500 (CDT)
Subject: [ISN] Pentagon Hacker Compromises Personal Data
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/04/28/AR2006042801540.html

By ROBERT BURNS
The Associated Press
April 28, 2006

WASHINGTON -- An intruder gained access to a Defense Department computer server and compromised confidential health care insurance information for more than 14,000 people, the department said Friday.

William Winkenwerder Jr., the assistant defense secretary for health affairs, said the affected individuals have been advised by letter that the compromise of personal information could put them at risk for identity theft.

"Such incidents are reprehensible, and we deeply regret the inconvenience this may cause the people we serve," he said in a brief statement.

The Pentagon established a toll-free telephone number (1-800-600-9332) for affected people to call if they have questions.

The computer server is for people insured under the Pentagon's TRICARE health care system.
The type of information that was compromised was not disclosed in the Pentagon announcement, but Winkenwerder said it varied and investigators do not know the intent of the crime or if the compromised information will be misused.

A spokesman for Winkenwerder, who asked not to be identified, said the information included names, Social Security numbers, credit card numbers and some personal health information.

Routine monitoring of one of the health care insurance system's public servers detected unusual activity, and an investigation led to the discovery on April 5 that an intrusion had occurred and information was compromised. As a result, additional monitoring tools were installed to improve security of existing networks and data files, Winkenwerder said.

© 2006 The Associated Press

From isn at c4i.org Mon May 1 01:41:38 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:41:38 -0500 (CDT)
Subject: [ISN] Your computer is not secure.
Message-ID:

http://hartfordadvocate.com/gbase/News/content?oid=oid:153106

By Meir Rinde
April 27, 2006

When agents from the federal Bureau of Alcohol, Tobacco and Firearms arrested convicted felon Michael Crooker on a charge of illegally shipping a firearm across state lines, they searched his apartment in the Feeding Hills neighborhood of Agawam, Mass. and found substances that gave them pause. They called in military and civilian hazardous material units, and a bomb squad, and police closed off all areas within 1,000 feet. A story spread that investigators found the poison ricin in the apartment; in reality, they found castor beans, which have commercial uses but do contain ricin. They also found lye, which is used in ricin production, and rosary peas, which contain a toxin called abrin. In Crooker's car they found powerful homemade fireworks, and they conducted a controlled explosion of at least one device.

That was almost two years ago.
He's now locked up at the state correctional facility in Suffield, Connecticut, awaiting trial on a single charge of trying to ship an air-gun silencer to a man in Ohio. The 52-year-old ex-con fills his time studying his case and writing letters to the judge, as well as filing lawsuits against the government and other parties, as he has done all his life.

Among the entities he has targeted is the computer maker Hewlett Packard. In his suit, Crooker traces back the history of his Compaq Presario notebook computer, which the ATF seized when he was arrested. He bought it in September 2002, expressly because it had a feature called DriveLock, which freezes up the hard drive if you don't have the proper password. The computer's manual claims that "if one were to lose his Master Password and his User Password, then the hard drive is useless and the data cannot be resurrected even by Compaq's headquarters staff," Crooker wrote in the suit.

Crooker has a copy of an ATF search warrant for files on the computer, which includes a handwritten notation: "Computer lock not able to be broken/disabled. Computer forwarded to FBI lab." Crooker says he refused to give investigators the password, and was told the computer would be broken into "through a backdoor provided by Compaq," which is now part of HP.

It's unclear what was done with the laptop, but Crooker says a subsequent search warrant for his e-mail account, issued in January 2005, showed investigators had somehow gained access to his 40 gigabyte hard drive. The FBI had broken through DriveLock and accessed his e-mails (both deleted and not) as well as lists of websites he'd visited and other information. The only files they couldn't read were ones he'd encrypted using Wexcrypt, a software program freely available on the Internet.

Despite the exposure of his e-mails, Crooker isn't in prison on a chemicals or explosives charge.
Rather, he's been detained for two years on a single firearms charge because the judge thinks he's too dangerous to let out on bail. A six-page rap sheet included in his firearms charge file lists arrests going back to March 1970, when he was 16 and committed an armed robbery while wearing a ski mask, according to the Springfield Republican. In 1977, he was accused of threatening to kill President Gerald Ford; he was cleared, but convicted of mailing death threats to the police chief of Southwick, Mass., where he grew up, and to a probation officer. In 1986, he was charged with rape and attempted murder; the charges stemmed from a phone argument with his wife, he says, and were dropped. In 1993, he pleaded guilty to a conspiracy to possess guns, witness tampering -- he admits he blew up a witness's car -- and IRS fraud. He and an accomplice had filed about 70 false tax returns and pocketed the refunds.

The judge who ordered him to remain incarcerated described Crooker as "a real threat to the community at large, if not particular individuals as well." The judge wrote that prosecutors believe Crooker has made ricin in the past; that he is accused of keeping three hundred rounds of ammunition at his parents' house; that in letters he refers to Timothy McVeigh as a "martyr" and "expresses admiration for Osama bin Laden's brilliance."

If the government agrees Crooker is so dangerous he can't stay at home while he awaits trial, should he be allowed to use purportedly unbreakable computer security systems to hide potentially criminal activity? Because of cases like Crooker's, some might argue the government should have access to security backdoors to discourage criminals or at least catch them more easily, much as the technology in the movie Minority Report allows police to prevent crime by arresting criminals before they act.

Of course, Crooker does not agree.
Sitting in a low-ceilinged prison visiting room last week, his bright yellow prison jumpsuit hanging loosely on his narrow six-foot frame, Crooker rifled through stacks of legal documents and criticized what he described as HP's deception in not admitting up front that DriveLock was flawed, and in selling him out to the feds.

"Even if it's the CIA and the NSA, it's wrong for HP to say, 'we can't help you if you lose your password'," he said. "It's causing people to hide things on their computers, and they're not secure."

Crooker argues that by providing the FBI with a way to circumvent DriveLock, and claiming the system was impenetrable when there was actually a backdoor, HP committed a breach of contract.

We left a message for HP's lawyer, Thomas W. Evans of Cohen & Fierman in Boston, and got a call back from Ryan Donovan, a company spokesman in Palo Alto, Calif. "We don't comment on pending litigation," he said. In a legal response sent to Crooker but not yet available in court, Evans says HP didn't help the FBI, and argues it was unreasonable for Crooker to expect that data he entered on the laptop would remain inaccessible to others.

Crooker's goal is primarily to get money from HP. He's demanded $350,000, and would probably accept much less. But he has also stepped into a much larger debate over computer security: whether HP and other companies are providing their customers with sufficiently strong protection and whether the government should allow anyone access to security systems so strong that even federal law enforcement agents have a hard time breaking through them.

Crooker has spent many years in prison, but he's had some success with the law as well. In 1984, when he faced a charge of having an unregistered machine gun, a federal District Court panel reviewed his claims that he should have access to certain ATF documents.
Although he ultimately didn't get everything he wanted, the judges ruled ATF hadn't given a specific enough reason for withholding the documents, and Crooker v. BATF became an important footnote to discussions of Freedom of Information law.

In his current criminal case, he argues that although the silencer would fit on an actual firearm, it was only intended for use on the air gun it was attached to. "You wouldn't believe the hearings and motions we've filed on this," he said. He knows firearms law inside and out. He's published a pamphlet called A Felon's Guide to Legal Firearms Ownership, which you can buy online for $4.95.

But his lawsuit against HP may be a long shot. Crooker appears to face strong counterarguments to his claim that HP is guilty of breach of contract, especially if the FBI made the company provide a backdoor.

"If they had a warrant, then I don't see how his case has any merit at all," said Steven Certilman, a Stamford attorney who heads the Technology Law section of the Connecticut Bar Association. "Whatever means they used, if it's covered by the warrant, it's legitimate."

If HP claimed DriveLock was unbreakable when the company knew it was not, that might be a kind of false advertising. But while documents on HP's web site do claim that without the correct passwords, a DriveLock'ed hard drive is "permanently unusable," such warnings may not constitute actual legal guarantees. According to Certilman and other computer security experts, hardware and software makers are careful not to make themselves liable for the performance of their products.

"I haven't heard of manufacturers, at least for the consumer market, making a promise of computer security. Usually you buy naked hardware and you're on your own," Certilman said. In general, computer warranties are "limited only to replacement and repair of the component, and not to incidental consequential damages such as the exposure of the underlying data to snooping third parties," he said.
"So I would be quite surprised if there were a gaping hole in their warranty that would allow that kind of claim."

That point meets with agreement from the noted computer security skeptic Bruce Schneier, the chief technology officer at Counterpane Internet Security in Mountain View, Calif.

"I mean, the computer industry promises nothing," he said last week. "Did you ever read a shrink-wrapped license agreement? You should read one. It basically says, if this product deliberately kills your children, and we knew it would, and we decided not to tell you because it might harm sales, we're not liable. I mean, it says stuff like that. They're absurd documents. You have no rights."

Schneier entered the field of computer security as a cryptographer. He invented an algorithm called Blowfish, which is used in many software programs including Wexcrypt, which Crooker used on some of his files, and which the FBI has apparently been unable to crack. In recent years Schneier has been a prominent critic of most computer security schemes, saying that they're not reliable in part because companies aren't financially liable for failures. He described Crooker's lawsuit as "kind of funny."

"Part of me says, 'Well, go get them,'" Schneier said. "Because the industry, for years, makes all of these false promises. So here's someone who's saying, 'Look, goddammit, I believed them, and I got arrested,' or something. So that's kind of neat, actually."

Online, self-declared computer geeks have discussed at length how to unlock DriveLock'ed hard drives. The general consensus is that, unlike many computer password systems, DriveLock is a hard-drive-only system, a technology added to the drive, rather than a routine in the computer software. Only a chip on the hard drive knows where the password is stored, and the chip simply will not allow the drive to spin if the password is not provided. Putting the drive in a different computer, or tinkering with computer system files, doesn't help.
Encryption isn't the problem, either: your files may just be sitting there, in readable form, but the drive refuses to work. The computer geeks seem to throw up their hands at devising a home-office method of getting around DriveLock. However, in a "clean room" laboratory setting it should be possible to take apart a hard drive and scan the platters where magnetic information is stored.

A few companies advertise password removal services for a fee, such as Nortek Computers Limited, in North Bay, Ontario, Canada. For $85, the company will simply erase your hard drive, which removes the password and at least makes the drive useable again. For $285, the company will copy your information off the drive, wipe the drive, and put the information back on, sans the password, said Chris Boyer, a support specialist at Nortek. He wouldn't describe how it's done, except to say that some computer drives can be penetrated using "non-invasive" methods, while others are more difficult. "There's quite a bit involved, engineering-wise and facility-wise," Boyer said. The company is alert to suspicious clients who seem to be trying to break into someone else's computer, and keeps records of device serial numbers, he said. It has removed passwords for law enforcement agencies in the U.S., Canada, England, Denmark and other countries.

The availability of commercial password removal suggests HP may be sincere when it says it didn't help the FBI. But Crooker said that's no obstacle to his lawsuit. "Why are HP and Compaq still advertising this DriveLock system when they have to know about the Canadian operation for $285?" he asked. "They're lulling us into this sense of security, when for $285 it can be exposed? It ain't right."
In the recent past the federal government has attempted to build in backdoors to certain computer systems: In the early 1990s, the National Security Agency tried to require the installation of a chip in phone transmission systems, so agents could eavesdrop on encrypted conversations. The Electronic Frontier Foundation and other civil liberties groups attacked the proposal, which eventually died (although recently AT&T reportedly allowed the NSA to monitor millions of phone calls without warrants, using specially installed supercomputers).

So while DriveLock may not be wholly secure, software that uses Blowfish and other encryption methods remains widely available. To civil liberty advocates, that's good news, even if it means individuals like Michael Crooker can hide their secrets from law enforcement. "Encryption software is becoming a very ordinary thing. That's a very positive development in terms of limiting the erosion of privacy in certain ways," said Seth Schoen, a staff technologist at the Electronic Frontier Foundation.

Crooker said he understands the argument for allowing the government to penetrate computer security systems. "I can see both sides of it," he said. But that doesn't mean he's letting HP off the hook for pretending DriveLock was really secure. That's a point security experts would agree with: undisclosed flaws are the Achilles' heel of any security scheme, because then the user of the system doesn't even know what kind of incursions to watch out for. For Bruce Schneier, the key to preventing such flaws is the kind of legal liability that Michael Crooker is trying to create, forcing companies to pay through the nose until they develop security that really works. "Unfortunately, this probably isn't a great case," Schneier said. "Here's a man who's not going to get much sympathy. You want a defendant who bought the Compaq computer, and then, you know, his competitor, or a rogue employee, or someone who broke into his office, got the data.
That's a much more sympathetic defendant."

Copyright © 1995-2006 New Mass Media. All rights reserved

From isn at c4i.org Mon May 1 01:40:25 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:40:25 -0500 (CDT)
Subject: [ISN] Ag firm employee charged with hacking into county data base
Message-ID:

http://www.lititzrecord.com/pages/news/local/4/22302

By Michael Yoder - Record Express Staff
Lititz Record Express
Apr 27, 2006

LITITZ, PA - A Lancaster man has been charged with illegally logging into the county's web-based computer assisted dispatch program while working at a local agricultural firm. Duane Kline, of Lancaster, was charged on April 20 with the unlawful use of a computer and other computer crimes by using the East Hempfield Township Police Department's login and password to access the Lancaster County-Wide Communications World Wide Web based Computer Assisted Dispatch site. Kline, who is an employee of Northeast Agri Systems, 139A W. Airport Rd., Lititz, is accused of logging into the computer system on 161 separate occasions between June 27 and Nov. 7, 2005. He is accused of gaining information on restricted police intelligence and investigative information he did not have access to see and also disseminating portions of the information verbally.

According to the affidavit filed in Manheim Township, Lancaster County Detective Peter J. Savage Jr. investigated an anonymous tip received in February that Kline was logging into the computer system on his computer at Northeast Agri Systems and sharing privileged information with friends. Savage was able to determine that Kline did access the computer system though Northeast's Internet protocol address and was logging into the system using the East Hempfield Township Police Department password. Kline is a lieutenant with the West Hempfield Fire and Rescue Company. On March 15 Savage interviewed Kline and asked him about accessing the site.
According to the affidavit, Kline admitted logging into the restricted site. He said initially he would log in for curiosity, but later he admitted running names in the system to look for background information. Kline admitted running the name in the system of an ex-employee at Northeast Agri Systems after the individual was fired from the company.

From isn at c4i.org Mon May 1 01:41:52 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:41:52 -0500 (CDT)
Subject: [ISN] Schools scramble to safeguard computer systems
Message-ID:

http://www.boston.com/news/local/massachusetts/articles/2006/04/29/schools_scramble_to_safeguard_computer_systems/

By Maria Sacchetti
Globe Staff
April 29, 2006

Private industry long ago adopted safeguards against hacking, but public schools, which just began putting student records online in recent years, are only starting to recognize their vulnerability. The allegations that a student gained access to a teacher's computer at Boston Latin School and saw tests and student records apparently took officials by surprise. Boston Public Schools had begun to talk about improving computer security at all schools before the alleged incident, but immediately tightened security afterward. ''For lack of a better term, this is sort of a test case to figure out where security breaches might be," said Jonathan Palumbo, a school system spokesman.

Lexington High officials are debating whether to e-mail report cards to parents, weighing the convenience against the security risks. Brookline High forced teachers to make their passwords tougher to guess this year after students broke into the computer system to change grades. ''You can't assume that you're smarter than the kids about computers," said Michael Frantz, assistant headmaster at Brookline High. ''It certainly is a wake-up call. . . . This kind of thing can really happen to us." Decades ago, public schools were untroubled with computer security.
But now 95 percent of the state's classrooms are wired for the Internet, according to the state Department of Education. Teachers store grades on the Internet. Clerks track student absences and tardiness online. Some even share that with parents: letting them check online to make sure their child went to school or to monitor their grades. A year ago, Lexington High investigated a student on allegations that he altered his attendance records, which had been posted online. The school now wants to e-mail report cards, but officials said they are not sure whether the school has protected itself well enough against hackers. ''I really worry about that. We're certainly behind," said Bill Cole, a dean at the school. ''We definitely have a population here that would see it as a challenge here and break in." This school year, Brookline High officials suspended the two students it caught breaking into the computer system and changing grades. ''You can't make a guarantee that it wouldn't happen again," Frantz said. ''We're more careful, and things are tighter than they were. I think it would be a lot more difficult for it to happen." Charlie Lyons, superintendent and director at Shawsheen Valley Technical High School, in Billerica, said he spends $50,000 a year on computer updates and security. He also hired a director of computer services because the school has nearly 700 computers. ''There's no system that's unbreakable. There's going to be some kid from MIT that's probably going to . . . be able to break into any system in the world," Lyons said. Francis Cahill, who taught Latin at Boston Latin School for 33 years before retiring in June 2005, said more teachers who used to keep grades on paper and tests in files are relying on computers. Students are ''a lot more sophisticated than a lot of the teachers," said Cahill, who had never heard of a student breaking into the school's computer system during his time at Latin. 
''Kids are always looking for a leg up no matter what school they're in. It doesn't surprise me at all. ''I would guess that in any kind of school where kids are trying to get into college, the same kind of thing could happen."

Tracy Jan of the Globe staff contributed to this report.

© Copyright 2005 The New York Times Company

From isn at c4i.org Mon May 1 01:42:04 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:42:04 -0500 (CDT)
Subject: [ISN] Pentagon Halts Contractor Clearances
Message-ID:

http://www.washingtonpost.com/wp-dyn//content/article/2006/04/28/AR2006042801878.html

By Renae Merle
Washington Post Staff Writer
April 29, 2006

The Pentagon stopped processing security clearances for government contractors this week, potentially exacerbating a shortage of employees authorized to work on the government's most secret programs. The Defense Security Service blamed overwhelming demand and a budget shortfall for the halt, which caught the government contracting community by surprise. Already, 3,000 applications have been put on hold, said Cindy McGovern, a DSS spokeswoman. "We're holding them [the applications] now to see if we can resolve the issue. The more drastic step would be not accepting them" at all, McGovern said, a step the agency considered but dropped for now.

The demand for security clearances among private companies has grown dramatically since the Sept. 11, 2001, terrorist attacks as the government increasingly relies on contractors to do intelligence gathering and work on classified programs. There has been growing frustration with the wait time, which some companies have described as up to a year, to obtain clearances for new employees. Some firms have reverted to gimmicks and large bonuses to attract employees with pre-existing clearances, and industry officials worry that this week's action will increase competition and salary demands.
The move affects not only defense contractors, but also those who work on projects for more than 20 other agencies, including NASA and the Department of Homeland Security. "We have companies right now that have positions that are funded that they can't find people for," said Stan Soloway, president of the Professional Services Council. "This could completely shut the system down." The Defense Security Service blames, in part, the sheer volume of requests. Between October and March, more than 100,000 security-clearance applications were submitted. The service is also struggling with a budget shortfall, McGovern said, noting that its funding was cut by $20 million this year. McGovern said she did not know how much of a shortfall the agency faces. Last year, the Office of Personnel Management took over the job of conducting background investigations. But the Defense Security Service picks up the tab, which can be as much as $3,700 for a top-secret clearance. The Office of Personnel Management can also charge a premium of 19 to 25 percent for the work, which was not factored into the DSS budget, said David Marin, staff director for the House Government Reform Committee. Marin estimates the agency's shortfall at between $75 million and $100 million. The agency's efforts to cut costs began earlier this month when it alerted contractors that it would no longer offer a more expensive expedited application process. On Tuesday, the agency stopped forwarding new applications to the OPM altogether. The decision is "both baffling and disturbing," Rep. Thomas M. Davis III (R-Va.), chairman of the Government Reform Committee, said in a letter to the agency yesterday. Davis expects to hold a hearing on the issue, according to his office. "It sure could get to be a real problem really fast," said John Douglas, president of the Aerospace Industries Association, a lobby group that represents companies including Lockheed Martin Corp. and Boeing Co., the Pentagon's largest contractors. 
"There doesn't seem to be any exceptions, and you would think that if you were working on a classified project to stop IEDs [improvised explosive devices], there would be." ? 2006 The Washington Post Company From isn at c4i.org Mon May 1 01:42:15 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 1 May 2006 00:42:15 -0500 (CDT) Subject: [ISN] NIST releases standards for security logs Message-ID: http://www.fcw.com/article94229-04-28-06-Web By Wade-Hahn Chan Apr. 28, 2006 The National Institute of Standards and Technology released technical guidelines on how federal agencies should manage security logs. The guidelines cover log generation, transmission, storage, analysis and disposal. The guidelines, NIST Special Publication 800-92: Guide to Computer Security Log Management [1], include suggestions for creating a log management policy, prioritizing log files and creating a centralized log management infrastructure to include all hardware, software, networks and media. The 64-page document notes that agencies must deal with larger quantities, volumes and varieties of security logs. They also must comply with a growing number of legislative requirements such as the Federal Information Security Management Act and the Health Insurance Portability and Accountability Act. [1] http://csrc.ncsl.nist.gov/publications/drafts/DRAFT-SP800-92.pdf From isn at c4i.org Tue May 2 04:42:33 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 2 May 2006 03:42:33 -0500 (CDT) Subject: [ISN] Iridium trumpets latest satellite phones for emergency response Message-ID: http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,111058,00.html By Todd R. Weiss MAY 01, 2006 COMPUTERWORLD Just a month before the official U.S. 
hurricane season begins on June 1, Iridium Satellite LLC today unveiled satellite telephone communications equipment that will interoperate with existing UHF and VHF radio systems already used by police, rescue agencies, firefighters and other first responders. In an announcement today, the Bethesda, Md.-based vendor said the equipment can prevent much of the widespread communications troubles that plagued the Southeast U.S. after Hurricanes Katrina and Rita pummeled the area last year. In the wake of the storms, land-line and cellular telephone systems were largely devastated in Louisiana, Mississippi and parts of other nearby states due to downed lines, destroyed towers and other communications infrastructure failures. Emergency workers had to use radios, satellite telephones and other means to communicate until telephone service was restored. The Iridium systems offer interoperable voice and data communications, will work anywhere and are portable, according to the company. The data services include integration of radio frequency identification tags to help track vehicles, supplies and personnel wirelessly during emergencies so that response efforts can be monitored, the company said. Iridium services are already being used in some states, including Florida, Georgia, Louisiana, Mississippi, Missouri, South Carolina and Texas. The Iridium systems can interoperate with other communications systems, including VHF and UHF radios, making them flexible in times of emergency, Greg Ewert, executive vice president for Iridium, said in a statement. "Many states that could be affected by hurricanes this season are still far from being prepared from a communications perspective," he said. The Iridium systems also offer quick setup and do not use a land-based infrastructure that can be damaged in a disaster, according to the company. "Iridium may typically be thought of as a satellite phone in the hands of a first responder," Ewert said. 
"Increasingly, government customers are seeking Iridium for tracking and redirecting of important assets in an emergency, including critical supplies, vehicles and even personnel. This is done through communications systems based on our data-only transceiver. Many first responders [during Hurricanes Katrina and Rita] were left vulnerable when it came to asset tracking. Supplies sat by the side of the road because communications were hampered with a lack of deployed mobile satellite services. They were unable to redirect supplies as needed. With our solution, they can stay in touch and stay in control." Ted O'Brien, vice president of market development at Iridium, said today that the systems can be expanded as needed. Satellite telephone handsets are priced at about $1,500 each, while a fixed base station that can be used in a rescue facility costs about $3,000, including an external antenna. The interoperability system that allows satellite telephone users to communicate with VHF and UHF radio users -- as well as more than two-dozen other systems -- costs about $10,000. Small mobile wireless modems that can be attached to vehicles and supply containers for wireless tracking cost about $500 each if tracking capabilities are to be deployed. The equipment can be used with solar chargers so it can be recharged when power is out, or vehicle battery charger adapters can be used. "First responders using Iridium tell us time and again that we're often the only line of communications they have, particularly during and right after a disaster strikes," Ewert said in a statement. "When communications infrastructure goes down, they need to get to the disaster scene and connect back to headquarters to coordinate their rescue and relief mission. ... It usually takes several days for first responders to set up more permanent, fixed communications services in a disaster scene. They use Iridium to keep in touch and to coordinate their rescue mission as it unfolds." 
Iridium provides global satellite voice and data communications using 66 cross-linked satellites, according to the company. Since revamping its operations five years ago following the bankruptcy of its predecessor (see "Iridium Refocuses on B2B" [1]), the new Iridium Satellite LLC has positioned itself as a business and government satellite communications provider for fail-safe communications. The original Iridium LLC was about to decommission its satellite network in 2001 when it was purchased by a consortium of buyers for $25 million. The satellite system cost $5 billion when it was built in 1998 by Schaumburg, Ill.-based Motorola Inc. and others.

[1] http://www.computerworld.com/industrytopics/defense/story/0,10801,59152,00.html

From isn at c4i.org Tue May 2 04:43:31 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:43:31 -0500 (CDT)
Subject: [ISN] Hacker turns Canadian PM into baby eater
Message-ID:

http://www.theinquirer.net/?article=31390

By Nick Farrell
02 May 2006

COMMUTERS ON ONE of Canada's busiest trade routes were amused when the LED message board announced that Prime Minister Stephen Harper eats babies. Instead of announcing the next stop, the LED board on the GO trains, seemed to feel that it was very important that the world knew about Harper's dining habits. Alas, no one seems to have snapped a picture of the phenomenon, but the story has been confirmed by the people running the possessed LED board, Exclusive Advertising. The outfit said that its LED board had been hacked and the message had not been authorised by it, or GO trains. Exclusive Advertising said that it was sprucing up on its security after the incident. However, the press release, here [1], seems more interested in catching the hacker than apologising to Harper. It also repeats the LED comments in big bold letters in case you were left wondering what the Hacker claimed.
[1] http://www.c4i.org/StephenHarperBabies.jpg

From isn at c4i.org Tue May 2 04:43:45 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:43:45 -0500 (CDT)
Subject: [ISN] SANS Institute updates list of 'Top 20 Internet Security Vulnerabilities'
Message-ID:

http://www.networkworld.com/news/2006/050106-sans-top-20.html

By Ellen Messmer
NetworkWorld.com
05/01/06

SANS Institute Monday updated its list of "Top 20" vulnerabilities discovered in products or types of exploits and attacks that threaten users on the Internet. The SANS "Spring Update" of its Top 20 Internet Security Vulnerabilities cites a growth in critical vulnerabilities discovered in the Mac OS/X operating systems, as well as vulnerabilities associated with the Mozilla Firefox open-source Web browsers that had to be patched.

Rohit Dhamankar, editor of the SANS Top 20 and manager of security research at 3Com's TippingPoint division, said the good news is that software patches for the Mozilla Firefox open-source browsers are usually more quickly issued compared with Microsoft's patch process for its Internet Explorer. "The [Mozilla Firefox] patches arrive much faster, typically within a week," said Dhamankar, adding that Microsoft generally waits for its scheduled second Tuesday of the month to issue software patches. He added that so many zero-day exploits have been discovered recently in association with Microsoft Explorer, the browser's name should be changed to "Internet Exploiter."

Other trends cited by SANS Institute include SQL injection vulnerabilities and attacks against databases, as well as the "scourge" of successful "spear phishing" attacks, especially against U.S. defense and nuclear-energy sites. In spear phishing, an attacker sends e-mail pretending to be a trusted source to a targeted victim who turns over sensitive information to the attacker.
While SANS Director of Research Alan Paller declined to reveal the names of specific agencies that had been the target of spear phishing, this type of attack has caused so much concern in the U.S. government, he said, that there's been a new word coined for such an attack: "exfiltration." A play on the word "infiltration," the word "exfiltration" is "being used a lot around Washington these days," because of a number of successful spear-phishing attacks, says Paller.

From isn at c4i.org Tue May 2 04:44:00 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:44:00 -0500 (CDT)
Subject: [ISN] NCSoft to Appeal Ruling on Data Theft Case
Message-ID:

http://times.hankooki.com/lpage/200604/kt2006043016491310160.htm

By Kim Tae-gyu
Staff Reporter
04-30-2006

NCSoft, Korea's biggest online game developer, is likely to appeal last week's verdict that mandated it to pay 500,000 won ($530) to five holders of hacked accounts for cyber game "Lineage II." "We cannot accept the ruling because there was no report of actual damage from the case, which involves just the potential risk of information leakage," NCSoft spokeswoman Lee Hwa-su said.

Last Friday, the Seoul District Court ordered NCSoft, the maker of the famous role-playing game Lineage II, to pay out 500,000 won to five plaintiffs, who lodged a civil complaint last autumn. NCSoft is expected to receive the notice of the ruling this week or next. It may at least indirectly affect two similar cases filed by about 8,500 subscribers to Lineage I, the precedent for Lineage II, and by 414 against Kookmin Bank, the nation's biggest lender. In its ruling, the court said that NCSoft managed personal information in a manner that made it vulnerable to leakage. While conducting a regular game upgrade in May 2005, NCSoft failed to encrypt a database log file that contained usernames and passwords, the court observed.
As a result, the account data of numerous Lineage II subscribers, who logged onto the online game during May 11 to May 16 last year, were available at a computer used for the game. Five subscribers filed a lawsuit last autumn, seeking 5 million won each in compensation and could partially win the case in a half-year litigation last Friday. But NCSoft still denies its responsibility for the plaintiffs, who the company claims have failed to prove any practical damages from the data leakage. "The account data in question were kept in a computer file, where even an expert would struggle to find out, for very short period of time or six days at longest," Lee said. "There is little likelihood that the data was leaked outside and we have yet to receive any damage report from it. We think this is a different case compared to other identity theft," she said.

Observers also point out NCSoft would not comply with the verdict, which might cause the company to collapse due to resultant court actions. "Should NCSoft obey the compensation ruling, other Lineage II users would try to gain windfalls by taking the firm to the court. How can the outfit take such a risk?" asked Han Ik-hee, an analyst at Prudential Securities. Indeed, subscribers who pay a monthly fee of 29,600 won for the Lineage II membership amount to 1 million, the potential beneficiary of the compensation verdict.

The legal battle marks back-to-back bad news for NCSoft, which already suffered from setbacks due to the identity theft case related to Lineage I, which caught the nation off guard early this year, and triggered lawsuits by roughly 8,500. Complaints piled up in February that hackers were stealing private data from millions of Korean people. The stolen data is believed to have been collected mostly by Chinese crackers, who used it to sign up for Lineage I.
From isn at c4i.org Tue May 2 04:42:17 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:42:17 -0500 (CDT)
Subject: [ISN] 'Second Life' fending off denial-of-service attacks
Message-ID:

http://news.com.com/Second+Life+fending+off+denial-of-service+attacks/2100-1043_3-6067003.html

By Daniel Terdiman
Staff Writer, CNET News.com
May 1, 2006

The popular virtual world "Second Life" was shut down twice over the weekend as its publisher, Linden Lab, fended off denial-of-service attacks. The attacks took the form of someone creating self-replicating objects in the world that began to crash servers and forced San Francisco-based Linden Lab to temporarily close down the entire "Second Life" grid. This is not the first time "Second Life" has been hit by denial-of-service attacks. Last fall, it was hit with similar assaults. Shortly thereafter Philip Rosedale, the company's CEO, told "Second Life" members that the company planned to turn the responsible parties in to the FBI.

"Second Life" is an open-ended virtual world that allows its users to create, buy and sell nearly any kind of avatars, vehicles, attire and buildings they can imagine. Users can play for free, and Linden Lab makes money through the sale of virtual "land" and subsequent land-maintenance fees. "Second Life" is not the only virtual world to suffer recent server problems. Over the past month, Blizzard Entertainment's "World of Warcraft" has been dealing with a variety of ongoing server problems that prevented users from getting into the game, kicked some out with no warning and deactivated their accounts due to billing problems. Those issues, however, are not related to any kind of outside attack.

This weekend's attacks took advantage of the fact that any "Second Life" member can create nearly any kind of objects in the virtual world that they like.
"What happened is people create an object that then replicates itself, and then of course, it's like cell division," said Robin Harper, vice president of community development and support. First there's "two and then four, and pretty soon you've got objects sprouting and they go across boundaries and they crash servers." Harper said that Linden Lab had been able to contain the object replication, and indeed, a check by CNET News.com Monday morning showed that "Second Life" was up and running normally. Still, she said that the attacks are serious business and that Linden Lab is once again getting federal authorities involved. "It's certainly a very important issue because it disrupts commerce," said Harper. "It disrupts events. People have weddings planned or a party or something, and it gets in the way. It's (also) costing our customers money, and that's what makes it something we can discuss with the federal authorities, because it's a significant economic disruption." Ginsu Yoon, Linden Lab's general counsel, said that he expects federal authorities to take action, but isn't sure when that will happen. He said law enforcement action on the previous attacks is forthcoming as well, and that the perpetrators shouldn't take heart in any delay in prosecution. "People who are thinking that they're off free because there's been grid attacks before and nothing happened--they will be surprised," said Yoon. "It's just a matter of time." And while Linden Lab won't say who the perpetrators are, citing the ongoing investigation and the company's policy not to give out the names of its customers, it hinted that it knows. "We have very specific information about the identities of individuals involved in the attacks," Yoon wrote to CNET News.com on Monday in an e-mail originally drafted in January. "There are people who think that bringing down our grid is fun, and that it's not breaking the law. 
I'd encourage those people to read the federal code" about denial-of-service attacks.

From isn at c4i.org Tue May 2 04:44:13 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:44:13 -0500 (CDT)
Subject: [ISN] Ohio U. alumni at risk for identity theft
Message-ID:

http://www.cantonrep.com/index.php?ID=283728

By Melissa Griffy Seeton
REPOSITORY EDUCATION WRITER
May 2, 2006

Bob Tscholl has contributed to Ohio University in many respects: He's a Bobcat as are his three children. A recent security breach may mean he'll give a little more. But the Canton attorney has faith the university will do all it can to prevent that. "It kind of goes with the territory," Tscholl said. "Anytime you belong to an organization nowadays, you have to be aware there is some risk ... . I'm not too concerned."

Ohio University President Roderick McDavis announced at a press conference Monday that he, too, is among the more than 300,000 alumni and friends of Ohio University - not current students - whose personal information may have been compromised when unauthorized access was gained to a computer system supporting alumni relations. "We are doing everything in our power to reduce the impact of this data theft," Ohio University Associate Provost for Information Technology and Chief Information Officer Bill Sams said in a press release. "At this point, we have no evidence of illegal use of the breached information." The breached computer system contained biographical information on more than 300,000 individuals and organizations, including the Social Security numbers of more than 137,000 people, according to university officials. The files did not contain credit-card or bank information.

The security violation was discovered on April 24 when, according to Sams, "The university immediately began assessing the situation to determine its extent. Once it became clear that personal information was involved, we began the process of notifying the affected individuals."
University officials were unable to confirm Monday how many Ohio University alumni are from the Stark County area. A search of recent college graduates revealed 12 local residents graduated from the school in December and eight received diplomas last May. The FBI is investigating the incident, and university officials said the college will hire an outside consultant to conduct a risk assessment of its computer information systems. A separate security breach occurred at the college on April 21, when office files were compromised at its Technology Transfer Department. The files included e-mails and patent and intellectual property files. Ohio University is at least the third college that has announced in recent months that unauthorized access was gained to confidential information. In September, two computers were stolen from Kent State University offices. The computers contained the names and Social Security numbers of practically every student and instructor since 2002, and every graduate since 1988. And, in August, Web site security was breached at Stark State College of Technology. Students who tried to access their own personal information - such as their grades or student loans - were instead shown the personal information of another student, including Social Security numbers. College officials said the incident was not the result of a hacker, but a computer software glitch. Reach Repository writer Melissa Griffy Seeton at (330) 580-8318 or e-mail: melissa.griffy @ cantonrep.com -=- COULD I BE AFFECTED? Ohio University is sending e-mails and letters to people who may have been affected by the security breach. As a precaution, the university will not request personal information electronically as part of this notification. The university cautions people not to disclose personal information if they receive an e-mail - even if it appears to come from the university.
The university has established a Web page at www.ohiou.edu/datatheft to provide detailed information, and a toll-free hotline at (800) 901-2303. Source: Ohio University -=- PROTECT YOURSELF FROM IDENTITY THEFT Ohio University recommends that alumni protect themselves from the security breach by: -- Obtaining a free credit report from Equifax (800) 525-6285, Experian (888) 397-3742 and TransUnion (800) 680-7289. -- Calling these three credit reporting agencies to place fraud alerts lasting 90 days on credit inquiries. -- Monitoring credit accounts for any unusual activity during the next several months. Source: Ohio University ©2006 The Repository From isn at c4i.org Tue May 2 04:44:28 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 2 May 2006 03:44:28 -0500 (CDT) Subject: [ISN] InfoSec News List Information Message-ID: http://www.infosecnews.org InfoSec News is a privately run, medium-traffic list that caters to the distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more. To subscribe to InfoSec News, click here [1]. The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest. This list will contain: Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more. Information on where to obtain articles in current magazines. Security book reviews and information. Security conference/seminar information. New security product information. And anything else that comes to mind... Feedback is encouraged. The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text.
Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list. Anonymous feedback is always welcome. Please DO NOT: * subscribe vanity mail forwards to this list * subscribe from 'free' mail addresses (i.e., juno, hotmail) * enable vacation messages while subscribed to mail lists * subscribe from any account with a small quota All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as 75+ returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s). This is not a whim! Other moderators have begun to do the same. Special thanks to the following for continued contribution: William Knowles, Brian Martin, Jay Dyson, Emerson Tan, Nicholas Brawn, Felix von Leitner, Robert G. Ferrell, eric wolbrom, Matthew Patton, Marjorie Simmons, Richard Forno, Darren Reed, Robert Slade, Attrition.org, Curiosity.org and several other contributors. InfoSec News Archives: http://www.landfield.com/isn http://lists.jammed.com/ISN/ http://lists.insecure.org/isn/ http://www.attrition.org/pipermail/isn http://online.securityfocus.com/archive/12 http://marc.theaimsgroup.com/?l=isn&r=1&w=2 InfoSec News is moderated by William Knowles wk (at) c4i.org. ISN is a private list. Moderation of topics, member subscription, & everything else about the list is solely at his discretion. The InfoSec News membership list is NOT available for sale or disclosure. InfoSec News is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.
[1] http://www.infosecnews.org From isn at c4i.org Wed May 3 02:37:52 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 3 May 2006 01:37:52 -0500 (CDT) Subject: [ISN] Iron Mountain loses more backup tapes Message-ID: http://www.techworld.com/security/news/index.cfm?newsID=5915 By Chris Mellor Techworld 02 May 2006 Accident-prone Iron Mountain has mislaid more backup tapes containing personal information. On April 6th, a driver reported that backup tapes belonging to the Long Island Rail Road (LIRR) and another customer had gone missing. The LIRR tapes contained personal information about 17,000 past and current employees - virtually everyone who has ever worked for the concern. The second customer's tapes did not contain personal information. So far no evidence of theft has been found; the tapes have apparently just been mislaid. The LIRR is providing a paid-for one-year account with a credit check and identity theft monitoring service - a costly exercise for 17,000 people. Iron Mountain previously lost backup tapes belonging to Time Warner in March 2005. These covered 600,000 current and past employees. From isn at c4i.org Wed May 3 02:27:30 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 3 May 2006 01:27:30 -0500 (CDT) Subject: [ISN] Oracle keeps many users waiting on April patches Message-ID: http://www.computerworld.com/securitytopics/security/holes/story/0,10801,111098,00.html By Robert McMillan IDG NEWS SERVICE MAY 02, 2006 Testing problems are forcing some Oracle Corp. users to wait a little longer than usual for the company's latest round of security patches, the first of which were released last month. Though Oracle offered patches for a number of its most popular products as part of its April 18 Critical Patch Update, it had said that updates for many other versions of the products would not become available until May 1. Now, the database vendor is saying that many of those critical updates may not be available until as late as May 15.
Oracle typically releases about 150 patches for a variety of different operating systems in its Critical Patch Updates, which ship every three months. The problem with the April update is that some of the patches have not yet passed the comprehensive suites of tests that Oracle uses to ensure that they will not disrupt customers' applications, said Darius Wiles, manager of Oracle Security Alerts. "There were some [updates] that failed out of the test suite, so we needed some more time to test them," Wiles said. Oracle is particularly eager to complete testing and release updates for some of the more widely used versions of its database, including versions 8.1.7.4 and 10.1.0.4. But the company first needs to ensure that the new software will not disrupt customers, Wiles said. Oracle users can find more information on the estimated delivery date of Oracle's patches by checking the pre-installation notes Oracle has published for each of its products. These can be found on Oracle's MetaLink online support service by searching for document 360464.1. Security researcher and Oracle critic David Litchfield believes that by waiting so long to update some versions of its products, Oracle is undermining the value of its regular patch release cycle, which is designed to provide customers with regular, predictable software updates. In an interview, Litchfield criticized both the lateness of the updates and their quality. "The whole point of a regular patch cycle is that people can plan ahead and install once," said Litchfield, managing director of Next Generation Security Software Ltd., in Sutton, England. "But if you are having to install it nine times, where's the benefit of that?" Litchfield estimates that two-thirds of Oracle's supported products are now unpatched, leaving many users vulnerable. But Wiles countered that the problem appears worse than it is.
Because updates for some applications, such as Oracle's application server, are dependent on the database fixes, there has been a bottleneck effect with the updates. "Once we get the database stuff cleared, there are going to be a whole bunch of products that are going to be patched." Though some security researchers such as Litchfield are critical of Oracle's delays, most customers prefer that the software vendor deliver a tested and reliable product, said David Kennedy, a senior risk analyst with Cybertrust Inc., in Herndon, Virginia. "I'm sympathetic with Oracle," he said. "They get barbecued for not coming up with patches fast enough." "On the other hand," he said, "they could be just slow and lazy." From isn at c4i.org Wed May 3 02:39:10 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 3 May 2006 01:39:10 -0500 (CDT) Subject: [ISN] Retaliation for Antispam Success? Message-ID: http://www.wired.com/news/technology/internet/0,70798-0.html By Joanna Glasner May 02, 2006 An unusual spam war has erupted on the net, pitting an apparently irate spammer against an Israeli antispam firm that claims it's making junk e-mailers think twice about bugging its customers. Blue Security's controversial method uses reverse spam, if you will, returning massive quantities of opt-out messages to companies it identifies as spammers. Apparently the companies on the receiving end don't like it one bit. In an escalation of hostilities this week, Blue Security customers began receiving thousands of messages demanding that members either drop the company's service or continue to receive an avalanche of unwanted e-mails. In addition, U.S. internet users were unable to access Blue Security's website Tuesday. The company said it is still investigating the cause, which may have been a distributed denial of service attack. "We have devised a method to retrieve your address from their database," one message states.
"So by signing up and remaining a Blue Security user not only are you opening yourself up for this, you are also potentially verifying your e-mail address through them to even more spammers." Blue Security's founder and CEO, Eran Reshef, called the spammer's allegations of a security hole a baseless scare tactic. Bulk e-mailers, he said, want to stifle the spread of Blue Frog, a tool that customers install on their computers that automatically floods spammers with opt-out messages. "The best way to combat this is to continue running the Blue Frog," Reshef said. The spammer's counteroffensive comes as Blue Security, a 2-year-old firm based in Israel, claims to be making dramatic progress in stopping spam. Three weeks ago, Blue Security said, the world's top junk mailer, responsible for about 9 percent of all spam, stopped sending messages to inboxes of its half-million registered users. On Monday, the company said, the second-largest spammer started contacting its affiliates and advising them not to contact Blue Frog users. Blue Security's controversial spam-fighting approach is modeled as a sort of e-mail version of the Federal Communications Commission's national Do Not Call registry. Through its "Do Not Intrude Registry," users send automated messages opting out of future mailings from spammers, a right spelled out in the Can-Spam Act. Not everyone is sold on the concept. Critics of Blue Security's methodology say that by maintaining a list of people who don't want spam, the company makes users vulnerable to the kind of attack that occurred this week. "The bad guys will be able to figure out who's on the list, and they'll be able to play games like this," said John Levine, a board member of the Coalition Against Unsolicited Commercial Email. "It's the obvious counterattack of an annoyed spammer." 
From isn at c4i.org Wed May 3 02:38:57 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 3 May 2006 01:38:57 -0500 (CDT) Subject: [ISN] Aetna Loses Laptop Containing Customer Data Message-ID: http://www.consumeraffairs.com/news04/2006/05/aetna_laptop.html By Martin H. Bosworth ConsumerAffairs.Com May 1, 2006 An employee of health insurance giant Aetna lost a laptop containing data on 38,000 customers, the company said. The information included names, addresses, and Social Security numbers, but no financial information. The individuals were employees of companies who bought group health coverage from Aetna. The companies asked not to be identified. Aetna spokesperson Cynthia Michener declined to verify where the theft took place, or if any of the information had been used. In a subsequent statement, Aetna CEO Ronald Michener claimed the laptop had been secured with "strong password protection," and that the employee responsible "did not follow corporate policies." "We have offered to pay for credit monitoring services for our affected members to help prevent any potential misuse of the information, and we are contacting each affected individual directly with information on how to access this service," Michener said. The Aetna CEO also claimed that the company would be augmenting its data security structure to ensure all their employees followed proper procedure in the future. Michener also said that Aetna was contacting all affected individuals, and would be offering them free credit monitoring for an unspecified period of time, to ensure they were protected from possible fraud or identity theft. The theft or loss of laptops has been the latest trend in data breaches, with over 500,000 individuals potentially affected as a result of laptops being stolen or misplaced in the last six months. Companies affected have included Hewlett-Packard, Verizon, Ameriprise, and Ford. 
The common thread in virtually all of these incidents is an employee or employees downloading confidential data onto laptops, and either leaving them physically vulnerable or failing to encrypt them. Stealing laptops from vehicles in order to resell them has often led to customers' information being exposed. Companies typically offer free credit monitoring to employees or consumers affected by data breaches, but many affected individuals fail to utilize the service. Some don't follow the procedures necessary to sign up for it, while others are suspicious of providing more personal information to companies that have already jeopardized their customers' financial privacy. Copyright © 2003-2005 ConsumerAffairs.Com Inc From isn at c4i.org Thu May 4 04:15:20 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 4 May 2006 03:15:20 -0500 (CDT) Subject: [ISN] Three rules for safer Wi-Fi away from home Message-ID: http://software.newsforge.com/software/06/04/20/2032257.shtml By Joe Barr May 02, 2006 Almost everyone has heard about wardriving, the geek sport in which you drive around and see what wireless access points (WAP) you can find and access. Because of the ink wardriving has received over the years, many home and business users have wised up and added security to their WAPs. But how about the busy traveler, the exec at Marriott, or the slacker at Starbucks? Do they take that same level of care with wireless security while they're on the road and seduced by the easy availability of Wi-Fi hotspots? Probably not, but they should. Here are three simple assumptions you should make before taking your wireless laptop on the road. Memorize these rules, understand what they mean, and learn what to do to protect yourself. When you can do that, you can begin to protect your private, confidential, and corporate data from inquisitive eyes. * Always assume someone is trying to see you enter a user ID or password.
* Always assume that someone is reading every packet you send and receive by Wi-Fi. * Always assume that an "evil twin" is lurking near every Wi-Fi access point. In following the first rule, don't worry about appearing to be rude or paranoid by moving the laptop screen position to block the view of your fingers as you're typing a password or user ID. Do the same thing to prevent those sitting to your right, left, or behind you on the plane, in the airport, or anywhere else from getting an eyeful of corporate secrets. Act as if it is the most normal thing in the world to expect a little privacy, because it is, just as it is when you're entering your PIN at an ATM. Better than the above is not to do any of those things when you are close enough to others that they can see what you're trying to protect, even inadvertently. While we're talking about physical security at the keyboard, password protect your laptop and set the timeout on your screensaver to a low number. Leaving your laptop behind in the hotel room while you go out for dinner or a meeting? Fine. Disconnect it from the network, power it down, and lock it. The Wall of Shame So much for point one -- on to point two. At Defcon each year, a group of attendees sniffs every packet sent and received via the wireless access points, looking for user IDs and passwords. Each time they find one, they unceremoniously add it to The Wall of Shame in public view. Just about the only thing easier than using a Wi-Fi network these days is intercepting the packets on it. Avoid ending up on your own personal wall of shame by using only secure, encrypted connections to access your email, corporate accounts, financial data, and anything else of value. If your business or ISP provides Web mail, use it instead of unencrypted connections to POP or IMAP mail servers. A virtual private network between your laptop and headquarters or your home office is even more secure. 
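A check for the second and third assumptions above, added here as example code and not anything from Joe Barr's article: it parses a constructed scan listing written in the style of iwlist scan output, flags open networks (rule two: assume every packet is read), and flags an SSID that is announced by an access point hardware address (BSSID) missing from a short list the traveller has verified out of band, which is the pattern behind the "evil twin" of rule three. The scan text and the TRUSTED table are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `iwlist scan` output (field names as that
# tool prints them); it is made up for this example, not a real capture.
SCAN_OUTPUT = """\
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"HotelGuest"
                    Encryption key:off
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"HotelGuest"
                    Encryption key:off
          Cell 03 - Address: 0C:0D:0E:0F:10:11
                    ESSID:"CorpNet"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 04 - Address: 12:13:14:15:16:17
                    ESSID:"OldPrinterNet"
                    Encryption key:on
"""

# Access points the traveller has verified out of band (hypothetical values):
# SSID -> set of BSSIDs (access point hardware addresses) known to be genuine.
TRUSTED = {"HotelGuest": {"00:11:22:33:44:55"}}

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")


def parse_scan(text):
    """Turn the scan listing into one dict per access point (cell)."""
    cells, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CELL_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).upper(), "ssid": "",
                   "encrypted": False, "wpa": False}
            cells.append(cur)
        elif cur is None:
            continue
        elif line.startswith("ESSID:"):
            cur["ssid"] = line[len("ESSID:"):].strip('"')
        elif line.startswith("Encryption key:"):
            cur["encrypted"] = line.endswith("on")
        elif "WPA" in line:  # a WPA/WPA2 information element is present
            cur["wpa"] = True
    return cells


def evaluate(cells, trusted=None):
    """Apply rules two and three to parsed cells; returns (level, message) pairs."""
    trusted = trusted or {}
    findings = []
    by_ssid = defaultdict(set)
    for c in cells:
        by_ssid[c["ssid"]].add(c["bssid"])
    for ssid, bssids in sorted(by_ssid.items()):
        # Rule three: one SSID, several BSSIDs. Legitimate multi-AP networks do
        # this too, so on its own it is only a warning; a BSSID that is not on
        # the verified list for an SSID we know is the actual evil-twin signal.
        if len(bssids) > 1:
            findings.append(("warn", f'SSID "{ssid}" is announced by {len(bssids)} access points'))
        unknown = bssids - trusted.get(ssid, set())
        if ssid in trusted and unknown:
            findings.append(("alert", f'SSID "{ssid}" has unverified BSSID(s): {", ".join(sorted(unknown))}'))
    for c in cells:
        # Rule two: assume every packet is read. Open or WEP-only networks need
        # a VPN or encrypted services on top, or no sensitive traffic at all.
        if not c["encrypted"]:
            findings.append(("warn", f'"{c["ssid"]}" ({c["bssid"]}) is open: use a VPN or encrypted services only'))
        elif not c["wpa"]:
            findings.append(("info", f'"{c["ssid"]}" ({c["bssid"]}) shows no WPA element (likely WEP)'))
    return findings


if __name__ == "__main__":
    for level, msg in evaluate(parse_scan(SCAN_OUTPUT), TRUSTED):
        print(f"[{level}] {msg}")
```

Without a trusted list, a duplicated SSID is only reported as a warning, since enterprise networks routinely announce one SSID from many access points.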
The bad guys will still be able to intercept every packet, but if those packets are protected by encryption, you're way ahead of the game. Most script kiddies stand about as much chance of cracking a recent WEP or WPA encryption scheme as they do of winning the Lotto. But there are others who will only be slowed down. The evil twin Finally, what about that intriguingly named evil twin? That's what security pros are calling a phishing scheme where the bad guys spoof a legitimate WAP's service set identifier (SSID), the name that differentiates one access point from another. Evil twins disrupt traffic to the authentic WAP; clients associated with it lose their connection, then automatically re-associate with the device broadcasting the spoofed SSID. You can avoid falling victim to this deception by not automatically attaching to a WAP and by not running your wireless connection in ad hoc mode. Know the SSID of the network you want to attach to, and learn what security options, if any, are available for it. Always use WEP or WPA instead of unprotected connectivity if you have that choice. If you can't, don't access sensitive data over the wireless connection, period. And finally, running a firewall -- the default behavior on most modern Linux distributions -- is a very good idea. Your common sense is your best protection against losing confidential or personal data. Always behave as if the bad guys are really there and really want all of your data. Acting on these assumptions is not a guarantee of wireless security, but following them will make you a lot safer than you would be otherwise. From isn at c4i.org Thu May 4 04:15:36 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 4 May 2006 03:15:36 -0500 (CDT) Subject: [ISN] Apple online store hacked Message-ID: http://networks.silicon.com/webwatch/0,39024667,39158606,00.htm By Dan Ilett 3 May 2006 Apple's Korean online store has been defaced by a hacker.
The attack, carried out by someone working under the name 'Dinam', who claimed in his post to be Turkish, was brought to the attention of silicon.com last Thursday. The defacement was removed from Apple's website shortly after silicon.com alerted the company. Apple has subsequently refused to comment on the matter. Jason Hart, CEO of security company Whitehat UK, told silicon.com: "The defacer has managed to get administrator access to the web server." Although Hart suspected the hacker was after little more than "self-gratification" through vandalising the site, he said Apple should communicate what happened to its customers to end speculation. Hart said: "The worst thing Apple can do is not tell customers what has happened. It's like all the big companies though - they're constantly having to defend themselves as they're being probed all the time." The defacement - which took the form of a dozen lines of code posted to the apple.co.kr homepage - was documented on hackers' forum zone-h.org, which said Dinam attacked a Mac OSX server running Apache. Richard Starnes, president of the Information Systems Security Association UK, said: "Defacements are not that big a deal provided the customer data has not been disclosed or they have suffered an economic impact. "Defacements just tend to be embarrassing. But we know Apple is a good company and takes defacements seriously." From isn at c4i.org Thu May 4 04:15:03 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 4 May 2006 03:15:03 -0500 (CDT) Subject: [ISN] Vietnam hacker to face the long arm of the law Message-ID: http://www.thanhniennews.com/education/?catid=4&newsid=15117 Translated by Thanh Tuan Vietnamnet May 4, 2006 The Ministry of Public Security decided Wednesday to go ahead with the prosecution of hacker Nguyen Thanh Cong for alleged links with a gang forging fake ATM cards. 
The initial investigation reported that Cong had misappropriated hundreds of millions of dong (US$1 is equal to around VND15,950) from ATM machines, although his exact role in the ring has yet to be determined. Cong, who goes by the moniker "DantruongX" in the "Be Yeu" (Lovely Babe) hacker group, was arrested last week for waging a month of Denial of Service (DoS) attacks on a commercial website, causing devastating losses to its owner, Viet Co Ltd. Viet Co normally has 40 technicians to keep the website up, and nearly went broke paying them during the idle month it was under the DoS attacks initiated by Cong, according to local media. A denial of service attack is an attack on a computer system or network that causes a loss of service to users, typically by overloading the victimized system, rendering website access impossible. Cong's arrest came as little surprise to those in the IT community given the devastating losses to Viet Co. He is currently out on bail. From isn at c4i.org Thu May 4 04:16:18 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 4 May 2006 03:16:18 -0500 (CDT) Subject: [ISN] IE 7.0 and Attractive Alternatives Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Thawte http://list.windowsitpro.com/t?ctl=28F05:4FB69 Symantec http://list.windowsitpro.com/t?ctl=28EFF:4FB69 IronPort http://list.windowsitpro.com/t?ctl=28F01:4FB69 ==================== 1. In Focus: IE 7.0 and Attractive Alternatives 2. Security News and Features - Recent Security Vulnerabilities - Oracle Database Vault and Secure Backup Lock Down Access to Data - AttachmateWRQ To Acquire NetIQ - Name That Computer! 3. Security Toolkit - Security Matters Blog - FAQ - Instant Poll - Share Your Security Tips 4.
New and Improved - Put Endpoints to the Security Test ==================== ==== Sponsor: Thawte ==== Learn all you need to know about code signing technology, including the goals and benefits of code signing, how code signing works and the underlying cryptographic and security concepts and building blocks. http://list.windowsitpro.com/t?ctl=28F05:4FB69 ==================== ==== 1. In Focus: IE 7.0 and Attractive Alternatives ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Microsoft recently released Internet Explorer (IE) 7.0 Beta 2 for public download (first URL below). Even with the security and other improvements in IE 7.0, some people still think IE is substandard or that using IE is the equivalent of painting a target on your forehead. Still others have more scathing comments about IE: Industry luminary John Dvorak recently called IE a "dead albatross" in a column published on PC Magazine's Web site (second URL below). http://list.windowsitpro.com/t?ctl=28F11:4FB69 http://list.windowsitpro.com/t?ctl=28F1D:4FB69 Dvorak thinks that trying to integrate the browser tightly with the OS was one of Microsoft's worst moves ever. That argument makes some sense given the number of security vulnerabilities that continue to be discovered in the browser. Dvorak thinks Microsoft should ditch IE and instead invest in Opera Software and make a large donation to Mozilla Foundation to help boost development of their respective browsers. Such a move by Microsoft isn't likely. In fact, Microsoft is driving forward with IE tool proliferation. 
If you have a copy of IE 7.0, head over to Microsoft's "Add-Ons for Internet Explorer" Web site at the URL below, where you'll find at least 63 third-party security-related tools arranged in four categories: Online Protection tools help guard against spyware and malware; Pop-Up Blockers are probably self-explanatory; Privacy tools help protect against exposure of your private information and guard against spyware and malware; and Parental Controls control online activity and help protect your children against a range of risks. Although the site claims to be for IE add-ons, you'll find many standalone tools, such as Microsoft Windows Defender and Lavasoft's Ad-Aware. http://list.windowsitpro.com/t?ctl=28F18:4FB69 If IE 7.0 won't run on your particular platforms, then undoubtedly you know about Firefox ( http://list.windowsitpro.com/t?ctl=28F17:4FB69 ) and Opera ( http://list.windowsitpro.com/t?ctl=28F1C:4FB69 ), and might opt to use those browsers instead. But do you know about Maxthon Browser, Tablane, and Avant Browser? Maxthon Browser, by Maxthon International, is designed on top of the IE engine and introduces a ton of new functionality not available in Microsoft's versions of IE. For example, Maxthon offers tabbed browsing, enhanced pop-up blocking, a quick way to delete private information that might be stored by the browser, enhanced drag-and-drop features, support for extensions and plug-ins, support for skins, support for many languages, and a whole lot more. In short, Maxthon (at the URL below) is what IE should have been years ago. http://list.windowsitpro.com/t?ctl=28F1A:4FB69 Two other browsers that are also based on the IE engine and that you might look into further are Tablane, by Tablane Technology (at the first URL below), and Avant Browser, by Avant Force (at the second URL below). Tablane has some nice features, such as "lanes," which are a way of displaying multiple Web pages in a single view.
Other features include support for Really Simple Syndication (RSS) feeds and a unique function that lets you use multiple search engines at once. http://list.windowsitpro.com/t?ctl=28F1B:4FB69 http://list.windowsitpro.com/t?ctl=28F16:4FB69 Avant Browser claims to be "the fastest browser on Earth" and has many interesting features, some of which are similar to those found in Maxthon, such as enhanced pop-up blocking and privacy controls. However, Avant doesn't use the common tabbed interface--instead it displays many resizable windows inside the browser's single window interface. Look at the screen capture on the browser's home page to see what I mean. Avant Force also says that Avant has "no security holes," which is an extraordinary claim. I'm sure security researchers will eventually put that claim to many tests. So even if you can't use the new IE 7.0 for some reason, several alternatives can enhance the functionality and security of your current installation of IE. Do some research and testing to see if any of the alternatives might fit your needs. ==================== ==== Sponsor: Symantec ==== A multi-tier approach to email security prevents unauthorized access and can stop spam, viruses, and phishing attacks. Learn to implement one today, and protect your network security and business systems! http://list.windowsitpro.com/t?ctl=28EFF:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=28F04:4FB69 Oracle Database Vault and Secure Backup Lock Down Access to Data Oracle's new Database Vault provides more granular control over access privileges in Oracle Database. 
Oracle also announced the availability of its new Secure Backup, which encrypts data written to tape and works with Oracle Database and various file systems on various platforms.
http://list.windowsitpro.com/t?ctl=28F0B:4FB69

AttachmateWRQ To Acquire NetIQ
AttachmateWRQ announced that it will acquire security solutions provider NetIQ for approximately $495 million in cash, which equates to about $12.20 per share of stock. NetIQ, founded in 1995, will no longer be publicly traded. Instead the company will become a business unit of AttachmateWRQ. The transaction is expected to close within 90 days.
http://list.windowsitpro.com/t?ctl=28F0E:4FB69

Name That Computer!
Jeff Fellinge takes a look at how naming conventions and IP standards can help you quickly identify systems and compares the approaches that two everyday Windows tools take to resolve IP addresses to names.
http://list.windowsitpro.com/t?ctl=28F0D:4FB69

====================

==== Resources and Events ====

Learn the essentials about how consolidation and selected technology updates build an infrastructure that can handle change effectively.
http://list.windowsitpro.com/t?ctl=28F00:4FB69

Use virtual server technology to consolidate your production environment using only a fraction of the server hardware in the data center. Live Event: Thursday, May 18
http://list.windowsitpro.com/t?ctl=28EFE:4FB69

Design effective policies to protect your company's assets and data. Don't accidentally damage what you mean to protect! View this on-demand seminar today.
http://list.windowsitpro.com/t?ctl=28F02:4FB69

Learn to differentiate alternative solutions to disaster recovery for your Windows-based applications to determine what works for you and ensure seamless recovery of your key systems--whether a disaster strikes just one server or the whole site. Live event: Thursday, May 11
http://list.windowsitpro.com/t?ctl=28F09:4FB69

Increase administration efficiency, build flexible yet inexpensive file-server environments, and maximize potential through consolidation of your SQL Server environment. Make the most of your resources today!
http://list.windowsitpro.com/t?ctl=28F03:4FB69

====================

==== Featured White Paper ====

Learn how to address challenges such as making email truly available 24x7x365, securing against viruses, comprehensively backing up email data, and more.
http://list.windowsitpro.com/t?ctl=28EFD:4FB69

====================

==== Hot Spot: IronPort ====

Learn the best ways to manage your email security (and fight spam) using a variety of solutions and tips.
http://list.windowsitpro.com/t?ctl=28F01:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Use the Command Line, Luke
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=28F12:4FB69

If Luke Skywalker were a security administrator, his most powerful tools might be command-line tools. If you think you can figure out how to terminate a bunch of processes, some of which spawn new processes when they're terminated, you might want to take the hacking challenge "Star Hacks, Episode V: The Empire Hacks Back" described in this blog article.
http://list.windowsitpro.com/t?ctl=28F0C:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=28F10:4FB69

Q: How can I verify whether a domain controller (DC) is in a certain site?

Find the answer at http://list.windowsitpro.com/t?ctl=28F0F:4FB69

Instant Poll
What are your vacation plans for this summer?
- Taking 1 week
- Taking 2 weeks
- Taking 3 weeks
- Not taking any time off
- Taking my work to the beach

Go to the Windows IT Pro home page and submit your vote
http://list.windowsitpro.com/t?ctl=28F13:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Windows IT Pro Master CD--SAVE 50%!
Subscribe today and get portable, high-speed access to the entire Windows IT Pro article database on CD: a searchable library that includes every Windows IT Pro issue ever published. The newest issue also includes BONUS Windows IT Tips. Order now and save:
http://list.windowsitpro.com/t?ctl=28F06:4FB69

May Exclusive--Save $100 off the Exchange & Outlook Newsletter
For a limited time, order the Exchange & Outlook Administrator newsletter and SAVE up to $100! You'll get 12 helpful issues loaded with solutions you won't find anywhere else and FREE access to the entire Exchange & Outlook online article database. Subscribe now:
http://list.windowsitpro.com/t?ctl=28F08:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Put Endpoints to the Security Test
Senforce Technologies launched Senforce intelligent Network Access Control. iNAC compares the security state of an endpoint device that's attempting to connect to a network to a policy that defines security conditions that must be met to allow network access. IT administrators can create access policies that define which applications and services are permitted and that specify actions to take when endpoints don't comply. Pricing starts at $65 per user and quantity discounts are available.
For more information, visit http://list.windowsitpro.com/t?ctl=28F19:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com.

====================

==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=28F14:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=28F0A:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.


From isn at c4i.org Thu May 4 04:16:31 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:16:31 -0500 (CDT)
Subject: [ISN] Trojan Snags World Of Warcraft Passwords To Cash Out Accounts
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=187002835

By Gregg Keizer
TechWeb.com
May 2, 2006

A new password-stealing Trojan targeting players of the popular online game "World of Warcraft" hopes to make money off secondary sales of gamer goods, a security company warned Tuesday.

MicroWorld, an Indian-based anti-virus and security software maker with offices in the U.S., Germany, and Malaysia, said that the PWS.Win32.WOW.x Trojan horse was spreading fast, and attacking World of Warcraft players.

If the attacker managed to hijack a password, he could transfer in-game goods -- personal items, including weapons -- that the player had accumulated to his own account, then later sell them for real-world cash on "gray market" Web sites. Unlike some rival multiplayer online games, Warcraft's publisher, Blizzard Entertainment, bans the practice of trading virtual items for real cash.

"Win32.WOW is a clear indication that malware writers are targeting anything that involves money," said MicroWorld chief executive Govind Rammurthy in a statement. "Bucks may be smaller compared to a Trojan that steals bank accounts or credit card numbers...[but] cyber criminals are not complaining as long as the target is soft and numbers are high."

The Trojan spreads via traditional vectors, such as e-mail and peer-to-peer file sharing, added Rammurthy, but it has also been watched while it installs in a drive-by download from gaming sites' pop-up ads. The surreptitious installation is accomplished by exploiting various vulnerabilities in Microsoft's Internet Explorer Web browser.

Identity thieves have aimed at Warcraft previously. Just over a year ago, players were warned about a campaign that collected passwords from a bogus log-in site.


From isn at c4i.org Thu May 4 04:16:44 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:16:44 -0500 (CDT)
Subject: [ISN] Cyberattack knocks millions of blogs offline
Message-ID:

http://news.zdnet.com/2100-1009_22-6068344.html

By Joris Evers
CNET News.com
Published on ZDNet News
May 3, 2006

About 10 million LiveJournal and TypePad blogs were offline or barely reachable for several hours Tuesday as the result of a massive denial-of-service attack.

The attack started around 4 p.m.
PDT, targeting the popular blogging services and the corporate Web site of their provider Six Apart, company vice president Anil Dash said in an interview Wednesday. Service was back to normal at midnight, according to Six Apart's Web site.

"Any large service tends to have a pretty constant level of attacks, but this was on a scale that I don't think anybody could have anticipated," Dash said. "I think it is of a scale that would have impacted any large site on the Web."

In a distributed denial-of-service, or DDoS, attack the target is overloaded with requests for information. The requests come from a large number of hosts, typically compromised computers. As a result, legitimate users can no longer access the site.

Six Apart intends to report the attack to the authorities, such as the FBI, but hasn't done so yet, Dash said. "We have not yet had the time to think about the next steps yet," he said.

The San Francisco company has some theories on the origin and motivation of the attack, but Dash declined to speculate. Unlike large online businesses, Six Apart isn't typically the object of large-scale onslaughts, Dash said. If it does face an attack, often the problem is related to the content posted on one of the blogs it hosts, he said.

Six Apart's main hosting facility is in a large data center located at 365 Main in San Francisco. The attack morphed as the blog company tried to respond, making it more challenging to deal with. "They were changing pretty rapidly," Dash said. "We have learned enough that if it does happen again, we know what to do."

Six Apart plans to make amends to its customers, but has not yet decided how. Late last year, when it had some performance issues, it let its users decide how they wanted to be compensated, Dash said. "We will definitely do whatever makes things right for them," he said.


From isn at c4i.org Thu May 4 04:16:56 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:16:56 -0500 (CDT)
Subject: [ISN] Info. assurance a matter of survival
Message-ID:

http://www.gcn.com/online/vol1_no1/40663-1.html

By Patience Wait
GCN Staff
05/03/06

SALT LAKE CITY - Information management, and information assurance in particular, may be more mundane than other software topics but it is part of the foundation of all systems, according to Kelly Miller, chief systems engineer of the National Security Agency.

"I can't say [IA] has been ignored, but it has been under-emphasized," he said.

Miller, speaking to software engineers at the 18th annual Joint Services Systems and Software Technology Conference, adapted a saying of Charles Darwin to make his point. Where Darwin once said the creature that survives is not the smartest or the strongest but the one most adaptable to change, Miller said, "In the Information Age we're faced with, the survivors will be those who have the most assured information."

It takes the same skill set to defend networks as to exploit them, he said. But the emphasis is not equal - it only takes one vulnerability to exploit a system, but to protect a system all the vulnerabilities have to be guarded.

The global network is a "national interest item," he said. The size of the problem is breathtaking, with 20 million e-mails a minute zipping around the globe and 40 million voicemails left each hour. And supervisory control and data acquisition networks, used throughout the chemical and utilities industries, were developed years before the Internet and never designed to include computer security.

The biggest threat is spyware - "the new spam," Miller called it. A recent survey found that 87 percent of business PCs and 88 percent of consumers' computers are infected.

With a dearth of skilled professionals to address the challenge, Miller said a national strategy for IA needs to be created and executed.

"Our operations, organizations, laws and policies have not kept pace with this changing technology," Miller said. "The current defense is not effective...
Not only are we not keeping pace, we're taking a step backwards."


From isn at c4i.org Fri May 5 01:26:23 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 5 May 2006 00:26:23 -0500 (CDT)
Subject: [ISN] Blue Security offloads DoS attack onto blogs
Message-ID:

http://www.channelregister.co.uk/2006/05/04/blue_security_dos_flak/

By John Leyden
4 May 2006

A denial of service attack against Blue Security, distributors of a controversial anti-spam system, has taken the firm's site offline. Mistakes in the firm's response to the attack have been linked to a traffic flood that took numerous blogs offline too.

Blue Security has established a 'Do Not Intrude Registry' (akin to the Do Not Call Registry for telemarketing) with around 450,000 members. Participants download a small tool, called Blue Frog, which systematically floods the websites of spammers with opt-out messages. Depending on your point of view, this initiative can either be viewed as community action or vigilantism.

Earlier this week members of the Blue community received aggressive spam messages from an unknown group in an attempt to intimidate users into dropping out of Blue Security's network. Ordinary punters who had nothing to do with Blue Security also received the same messages proving, if proof were needed, that the belligerent junk mail campaign was a scatter-shot affair.

This campaign of intimidation was followed by a denial of service attack against Blue Security's website on Wednesday. Posts in the North American Network Operators Group mailing list report that during the ongoing attack traffic heading for bluesecurity.com was offloaded to the firm's TypePad-hosted weblog, bluesecurity.blogs.com. This configuration change is blamed for taking the website of blogging outfit Six Apart, which runs TypePad and Live Journal, offline too leaving the information superhighway temporarily bereft of the outpourings of numerous bloggers.

Six Apart, rather gallantly, has been careful not to blame Blue Security but others have criticised the latter firm for redirecting the flood it was receiving. Six Apart restored services to normal early on Thursday morning while Blue Security's website was still unavailable by tapas time on Thursday.

A spokeswoman for Blue Security confirmed that its site was under attack. She added that the firm regretted making configuration changes, since amended, that hit Six Apart's services.


From isn at c4i.org Fri May 5 01:26:38 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 5 May 2006 00:26:38 -0500 (CDT)
Subject: [ISN] Idaho utility hard drives -- and data -- turn up on eBay
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,111148,00.html

By Sharon Fisher
MAY 04, 2006
COMPUTERWORLD

Anybody with five bucks and a little patience may be able to score sensitive corporate or customer data on eBay.

If your organization has engaged in the common practice of disk drive recycling -- selling unneeded disk drives directly or through a service -- company data might wind up for sale on eBay Inc.'s auction site, even if the drives have been wiped first.

Idaho Power Co. discovered that possibility last week as it scrambled to track down company disk drives that had been sold on eBay without having been scrubbed first. The Boise, Idaho-based utility serves approximately 460,000 customers in the southern part of Idaho and in eastern Oregon.

Data on the drives, which had been used in servers, contained proprietary company information such as memos, correspondence with some customers and confidential employee information, the company said.

Idaho Power had recycled approximately 230 SCSI drives -- a year's worth of updates -- through a single salvage vendor, Grant Korth, which then sold 84 of the drives to 12 parties through eBay. The company recovered 146 of the drives from the vendor.
It also got assurances from 10 of the 12 parties that bought them on eBay that the drives would be returned or the data on them would not be saved or distributed. The other two drives are still being tracked down; an Idaho Power spokesman did not know what information was on them.

Nampa, Idaho-based Grant Korth refused to comment.

In the meantime, Idaho Power has launched an independent investigation through Blank Law & Technology PS in Seattle into why its policy on scrubbing drives was not followed. Typically, Idaho Power was to have either physically destroyed the drives or scrubbed them to U.S. Department of Defense standards -- which involves degaussing them or overwriting the data with a minimum of three specified patterns -- and the salvage vendor was to have done the same, the Idaho Power spokesman said.

The company's probe could take several months, depending on what data was on the drives, he said. Similarly, Idaho Power will not know what regulatory penalties might apply until its investigation is completed.

Idaho Power is not alone, said Frances O'Brien, a research vice president for asset management at Gartner Inc. "It happens all the time," she said. Typically, a user either doesn't know to clean the drives or doesn't do it correctly, she said.

According to a Gartner survey, organizations use outside companies to dispose of PCs 29% of the time and to get rid of servers 31% of the time. Other methods included donating hardware, putting it in storage, selling it to employees, returning it to the vendor and selling it to third parties.

Aside from the financial concerns with losing data, organizations that improperly recycle disk drives can run afoul of a number of regulations, depending on their industry: the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley for the banking industry, the Family Educational Rights and Privacy Act for educational institutions and the Fair and Accurate Credit Transactions Act. In addition, several states, including California and New York, have broad-based privacy regulations, said Robert Houghton, president of Redemtech Inc., a Columbus, Ohio-based outsourcer.

The problem is widespread. Gartner estimates that through 2009, consumers and businesses will replace more than 800 million PCs worldwide and dispose of an estimated 512 million.

What's more, a company can get a bad reputation for not taking proper care of personal data, O'Brien said. When companies hire an outsourcer -- which is a practice that Gartner recommends -- it needs to be careful of what the salvage company will do and how they will prove it. "If everyone else is charging $20, and someone says they'll do it for $2, you've got to wonder why," she said.

Simson Garfinkel, a postdoctorate fellow at Harvard University's Center for Research on Computation and Society, researched the issue by buying more than 1,000 hard drives on eBay to see what sort of data could be gleaned from them. He found disk drives that held information from an automated teller machine, a drive from a medical center that held 31,000 credit card numbers, a supermarket credit card processor and a travel agency that had discarded data on travel plans, credit card numbers and ticket numbers. "One of the drives had consumer credit applications on it -- names, work histories, Social Security numbers -- all the information you need to apply for credit."

Even though drives may have been wiped of data, someone with the know-how and patience could still retrieve information, Garfinkel said. Standard tools such as Format and Delete simply remove the reference to the files -- the data is still there. Garfinkel himself has written a number of tools to retrieve information such as e-mail addresses and credit card numbers on wiped disks.

Despite his findings, Garfinkel said companies seem to be doing a better job protecting data, and he pointed to the Fair and Accurate Credit Transactions Act as a possible reason. "The percentage of drives out there that have usable data is going down, so companies are more aware of the issue," he said. Similarly, when Houghton's company has done an audit on clients' supposedly wiped disk drives, 25% to 30% of them still had readable data, he said.

Idaho Power said that in the future, it will destroy drives rather than sell them for salvage -- a policy Garfinkel backs. "The resale value of a hard drive is really minuscule, and it's easy to verify it's been destroyed," he said. "These things are worth $5 to $20 each. I don't think anyone's buying them on the secondary market for extortion, but you never know."


From isn at c4i.org Fri May 5 01:18:42 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 5 May 2006 00:18:42 -0500 (CDT)
Subject: [ISN] Q. What could a boarding pass tell an identity fraudster about you? A. Way too much
Message-ID:

http://www.guardian.co.uk/idcards/story/0,,1766266,00.html

The Guardian
May 3, 2006

This is the story of a piece of paper no bigger than a credit card, thrown away in a dustbin on the Heathrow Express to Paddington station. It was nestling among chewing gum wrappers and baggage tags, cast off by some weary traveller, when I first laid eyes on it just over a month ago. The traveller's name was Mark Broer. I know this because the paper - actually a flimsy piece of card - was a discarded British Airways boarding-pass stub, the small section of the pass displaying your name and seat number. The stub you probably throw away as soon as you leave your flight.
It said Broer had flown from Brussels to London on March 15 at 7.10am on BA flight 389 in seat 03C. It also told me he was a "Gold" standard passenger and gave me his frequent-flyer number.

I picked up the stub, mindful of a conversation I had had with a computer security expert two months earlier, and put it in my pocket. If the expert was right, this stub would enable me to access Broer's personal information, including his passport number, date of birth and nationality. It would provide the building blocks for stealing his identity, ruining his future travel plans - and even allow me to fake his passport.

It would also serve as the perfect tool for demonstrating the chaotic collection, storage and security of personal information gathered as a result of America's near-fanatical desire to collect data on travellers flying to the US - and raise serious questions about the sort of problems we can expect when ID cards are introduced in 2008.

To understand why the piece of paper I found on the Heathrow Express is important, it is necessary to go back not, as you might expect, to 9/11, but to 1996 and the crash of TWA Flight 800 over Long Island Sound, 12 minutes out of New York, with the loss of 230 lives.

Initially, crash investigators suspected a terrorist bomb might have brought down the aircraft. This was later ruled out, but already the Clinton administration had decided it was time to devise a security system that would weed out potential terrorists before they boarded a flight. This was called Capps, the Computer Assisted Passenger Pre-screening System.

It was a prosaic, relatively unambitious idea at first. For example, in highly simplistic terms, if someone bought a one-way ticket, paid in cash and checked in no baggage, they would be flagged up as an individual who had no intention of arriving or of going home. A bomber, perhaps.

After 9/11, the ambitions for such screening grew exponentially and the newly founded Department of Homeland Security began inviting computer companies to develop intelligent systems that could "mine" data on individuals, whizzing round state, private and public databases to establish what kind of person was buying the ticket.

In 2003, one of the pioneers of the system, speaking anonymously, told me that the project, by now called Capps II, was being designed to designate travellers as green, amber or red risks. Green would be an individual with no criminal record - a US citizen, perhaps, who had a steady job and a settled home, was a frequent flyer and so on. Amber would be someone who had not provided enough information to confirm all of this and who might be stopped at US Immigration and asked to provide clearer proof of ID. Red would be someone who might be linked to an ever-growing list of suspected terrorists - or someone whose name matched such a suspect.

"If you are an American who has volunteered lots of details proving that you are who you say you are, that you have a stable home, live in a community, aren't a criminal, [Capps II] will flag you up as green and you will be automatically allowed on to your flight," the pioneer told me. "The problem is that if the system doesn't have a lot of information on you, or you have ordered a halal meal, or have a name similar to a known terrorist, or even if you are a foreigner, you'll most likely be flagged amber and held back to be asked for further details. If you are European and the US government is short of information on you - or, as is likely, has incorrect information on you - you can reckon on delay after delay unless you agree to let them delve into your private details.

"That is inconvenient enough but, as we tested the system, it became clear that information was going to be used to build a complete picture of you from lots of private databases - your credit record, your travel history, your criminal record, whether you had the remotest dubious links with anyone at your college who became a terrorist. I began to feel more and more uncomfortable about it." Eventually, he quit the programme.

All of this was on my mind as I sat down with my computer expert, Adam Laurie, one of the founders of a company called the Bunker Secure Hosting, to examine Broer's boarding-pass stub. Laurie is known in cyber-circles as something of a white knight, a computer wizard who not only advises companies on how to make their systems secure, but also cares about civil rights and privacy. He and his brother Ben are renowned among web designers as the men who developed Apache SSL - the software that makes most of the world's web pages secure - and then gave it away for free.

We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.

Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.)

Laurie was anything but smug. "This is terrible," he said.
"It just shows what happens when governments begin demanding more and more of our personal information and then entrust it to companies simply not geared up for collecting or securing it as it gets shared around more and more people. It doesn't enhance our security; it undermines it."

Just over $100m had been spent on Capps II before it was scrapped in July 2004. Campaigners in the US had objected to it on grounds of privacy, and airlines such as JetBlue and American faced boycotts when it emerged that they were involved in trials - handing over passenger information - with the Department of Homeland Security's Transportation Security Administration. Even worse, JetBlue admitted it had given the private records of 5 million passengers to a commercial company for analysis - and some of this was posted on the internet.

But the problems did not end with the demise of Capps II. Earlier that month, after 18 months of acrimonious negotiation, the EU caved in to American demands that European airlines, too, should hand over passenger information to the United States Bureau of Customs and Border Protection, BCBP, before their aircraft would be allowed to land on US soil.

The BCBP wanted up to 60 pieces of information routinely gathered by booking agencies and stored as a Passenger Name Record, PNR. This included not only your flight details, name, address and so on, but also your travel itinerary, where you were staying, with whom you travelled, whether you booked a hire car in the US, whether you booked a smoking room in your hotel, even if you ordered a halal or kosher meal. And the US authorities wanted to keep it all for 50 years.

At first, the European Commission argued that surrendering such information would be in breach of European data protection law. Eventually, however, in the face of huge fines for airlines and cancelled landing slots, it agreed that 34 items from PNRs could be handed over and kept by the US for three and a half years.

Capps II was superseded by a new system called Secure Flight in August 2004. Later, in October last year, the BCBP demanded that airlines travelling to, or through, the US should forward "advance passenger information", including passport number and date of birth, before passengers would be allowed to travel. It called this the advance passenger information system, or APIS. This is the information that Laurie and I had accessed through the BA website.

"The problem here is that a commercial organisation is being given the task of collecting data on behalf of a foreign government, for which it gets no financial reward, and which offers no business benefit in return," says Laurie. "Naturally, in such a case, they will seek to minimise their costs, which they do by handing the problem off to the passengers themselves. This has the neat side-effect of also handing off liability for data errors.

"You can imagine the case where a businessman's trip gets delayed because his passport details were incorrectly entered and he was mistaken for a terrorist. Since BA didn't enter the data - frequent flyers are asked to do it themselves - they can't be held responsible and can't be sued for his lost business."

By the time I found the ticket stub and went to Laurie, he had already reported his suspicions about a potential security lapse to BA (on January 20) by email. He received no response, so followed up with a telephone call asking for the airline's security officer. He was told there wasn't one, so he explained the lapse to an employee. Nothing was done and he still has not been contacted.

Three months ago, after further objections in the US, but before our investigation, Secure Flight was suspended after costing the US taxpayer $144m. At the time, Kip Hawley, transportation security administrator, said: "While the Secure Flight regulation is being developed, this is the time to ensure that the Secure Flight security, operational and privacy foundation is solid."

The TSA said it would continue its passenger pre-screening programme in yet another guise after it had been audited and added that it had plans to introduce more security, privacy and redress for errors - confirming critics' suspicions that no such systems were yet in place. To the consternation of privacy activists in Europe, the TSA also spelled out plans for its desire for various US government departments to share information, including yours and mine.

Dr Gus Hosein, a visiting fellow specialising in privacy and terrorism at the London School of Economics, is concerned about where the whole project will go next. "They want to extend the advance passenger information system [APIS] to include data on where passengers are going and where they are staying because of concerns over plagues," he says. "For example, if bird flu breaks out, they want to know where all the foreign travellers are. The airlines hate this. It is a security nightmare. Soon the US will demand biometric information [fingerprints, retina scans etc] and they will share that around.

"But what the BA lapse shows is that companies cannot be trusted to gather this information without it getting out to criminals who would abuse it. The potential for identity theft is huge, but the number of agencies among which it will be shared is just growing and growing."

And that is where concern comes in over the UK's proposed ID cards, which may one day be needed to travel to the US. According to the Home Office, the identity cards bill currently going through Parliament allows for up to 40 pieces of personal information to be held on the proposed ID card, with digital biometric details of all of your fingerprints, both your irises and your face, all of which can be transmitted to electronic readers. The cards will contain a microchip the size of a grain of sand linked to a tiny embedded antenna that transmits all the information when contacted by an electronic reader.

This readable system, known as Radio Frequency Identification, or RFID, has recently been installed in new British passports. The Home Office says the information can be transmitted across a distance of only a couple of centimetres because the chips have no power of their own - they simply bounce back a response to a weak signal sent from passport readers at immigration points.

However, the suspicion is that the distance over which the signal can be read relates only to the weakness of the signal sent out by the readers. What if the readers sent out much stronger signals? Potentially, then, criminals with powerful readers could suck out your information as you passed by. The Government denies that this scenario is viable, but, in January, Dutch security specialists Riscure successfully read and de-encrypted information from its country's new biometric passports from a distance of about 30ft in just two hours.

"The Home Office says British passport information is encrypted, but it's a pretty basic form of encryption," says Hosein. "Everyone expects the ID cards to be equally insecure. If the government insists they won't be cracked, read or copied, they're kidding themselves and us."

BA has now closed its security loophole after being contacted by the Guardian in March, but that particular lapse is beside the point. Because of the pressure being applied to airlines by the US, breaches will happen again elsewhere as our personal data whizzes around the globe, often without our knowledge or consent. Meanwhile, accountability remains lamentable. Several calls to the US Transportation Security Administration were not returned.

Perhaps the last word should go to Mark Broer, the man whose boarding pass stub started off this virtual paper chase. He is aged 41 and is a successful executive with a pharmaceutical recruitment company. When I told him what we had done with his boarding pass stub, he was appalled.
"I travel regularly and, because I go to the US, I submitted my personal information and passport number - it is required if you are a frequent flyer and want to check yourself in," he says. "Experienced travellers today know that they have to give up information for ease of travel and to fight terrorism. It is an exchange of information in return for convenience. But as far as I'm concerned, having that information leaked out to people who could steal my identity wasn't part of the deal." From isn at c4i.org Fri May 5 01:26:07 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 5 May 2006 00:26:07 -0500 (CDT) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-18 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2006-04-27 - 2006-05-04 This week: 90 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Secunia Survey Secunia would like to invite you to participate in an electronic survey evolving the usefulness of our mailing lists. To value your effort Secunia will offer you free access to the Secunia Security Manager for three months as well as have a price draw for an iPod nano. We hope that you will give us a few minutes of your time, as your response will help us provide you with better services in the future. The questionnaire contains 19 questions and it takes approximately 5 minutes to answer the questionnaire. 
https://ca.secunia.com/survey/?survey_url=kei933wBid2

The survey is being conducted in accordance with the general Secunia Security Policy and your answers will of course be kept strictly confidential.

Best regards,

Niels Henrik Rasmussen
CEO Secunia

========================================================================
2) This Week in Brief:

A vulnerability has been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Additional information and a solution are available in the referenced Secunia advisory.

Reference:
http://secunia.com/SA19880

--

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA19762] Internet Explorer "object" Tag Memory Corruption Vulnerability
2. [SA19802] Firefox "contentWindow.focus()" Deleted Object Reference Vulnerability
3. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information
4. [SA19631] Firefox Multiple Vulnerabilities
5. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
6. [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
7. [SA19900] X.Org X11 Render Extension Buffer Overflow Vulnerability
8. [SA19868] Linux Kernel CIFS chroot Directory Traversal Vulnerability
9. [SA19860] Oracle Database "DBMS_EXPORT_EXTENSION" Package SQL Injection
10. [SA19861] Invision Power Board "from_contact" SQL Injection Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA19942] BankTown BtCxCtl20Com ActiveX Control Buffer Overflow
[SA19934] Argosoft FTP Server "RNTO" Command Buffer Overflow
[SA19889] CyberBuild Multiple Vulnerabilities
[SA19875] Kerio MailServer Attachment Filter Bypass Vulnerability
[SA19965] Gene6 FTP Server MKD/XMKD Denial of Service Vulnerability
[SA19917] Golden FTP Server Pro NLST/APPE Command Denial of Service
[SA19864] Magic ISO Maker ISO File Extraction Directory Traversal

UNIX/Linux:
[SA19962] Debian update for ethereal
[SA19958] Red Hat update for ethereal
[SA19950] Ubuntu update for thunderbird
[SA19941] Debian update for mozilla-thunderbird
[SA19902] Gentoo update for mozilla
[SA19963] Debian update for clamav
[SA19960] Red Hat update for squirrelmail
[SA19959] Red Hat update for dia
[SA19949] Ubuntu update for libtiff4
[SA19936] Mandriva update for libtiff
[SA19926] Linux Kernel SCTP Netfilter Denial of Service Vulnerability
[SA19920] Rsync "xattrs.diff" Patch Integer Overflow Vulnerability
[SA19919] Gentoo update for mplayer
[SA19914] Gentoo update for phpwebsite
[SA19912] Gentoo update for clamav
[SA19897] SUSE Updates for Multiple Packages
[SA19880] ClamAV Freshclam HTTP Header Buffer Overflow Vulnerability
[SA19874] Mandriva update for clamav
[SA19872] Debian update for asterisk
[SA19951] Ubuntu update for xserver-xorg
[SA19943] Mandriva update for xorg-x11
[SA19921] SUSE update for xorg-x11-server
[SA19916] OpenBSD update for x.org
[SA19915] Gentoo update for xorg-x11
[SA19900] X.Org X11 Render Extension Buffer Overflow Vulnerability
[SA19955] Ubuntu update for kernel
[SA19906] NeoMail "sessionid" Cross-Site Scripting Vulnerability
[SA19885] DirectAdmin "domain" Cross-Site Scripting Vulnerability
[SA19879] CPS "pos" Cross-Site Scripting Vulnerability
[SA19966] Hostapd EAPoL Frame Handling Denial of Service
[SA19910] Quagga RIPd RIPv1 Request Handling Security Issue
[SA19928] ejabberd Insecure Temporary File Creation Vulnerability
[SA19903] TrueCrypt External Command Execution Vulnerability
[SA19898] Debian update for resmgr
[SA19887] Resource Manager resmgrd USB Device Granting Security Issue
[SA19869] Linux Kernel SMBFS chroot Directory Traversal Vulnerability
[SA19868] Linux Kernel CIFS chroot Directory Traversal Vulnerability

Other:
[SA19894] Fujitsu NetShelter/FW DNS Handling Denial of Service
[SA19881] Cisco Unity Express Expired Password Change Vulnerability
[SA19953] CA Resource Initialization Manager Privilege Escalation

Cross Platform:
[SA19952] Albinator File Inclusion and Cross-Site Scripting Vulnerabilities
[SA19944] phpBB phpbb-Auction Module "phpbb_root_path" File Inclusion
[SA19923] FtrainSoft Fast Click "path" File Inclusion Vulnerability
[SA19918] DMCounter "rootdir" File Inclusion Vulnerability
[SA19911] Aardvark Topsites PHP "CONFIG[path]" File Inclusion Vulnerability
[SA19907] Artmedic Event "page" File Inclusion Vulnerability
[SA19905] phpBB Advanced GuestBook "phpbb_root_path" File Inclusion
[SA19893] OpenPHPNuke master.php File Inclusion Vulnerability
[SA19892] phpBB Knowledge Base Mod File Inclusion Vulnerability
[SA19891] WEBInsta Limbo sql.php File Inclusion Vulnerability
[SA19886] X7 Chat "help_file" Directory Traversal Vulnerability
[SA19884] phpBB TopList "phpbb_root_path" File Inclusion Vulnerability
[SA19866] phpwcms Multiple Vulnerabilities
[SA19948] Invision Gallery "album" SQL Injection Vulnerability
[SA19933] CMScout Multiple Script Insertion Vulnerabilities
[SA19930] Russcom.Loginphp Script Insertion and Open Mail Relay
[SA19927] PHP Multiple Unspecified Vulnerabilities
[SA19925] PHP Linkliste "linkliste.php" Script Insertion Vulnerability
[SA19924] 321soft Php-Gallery Multiple Vulnerabilities
[SA19922] CGI:IRC client.c Buffer Overflow Vulnerability
[SA19908] 4images "sessionid" SQL Injection Vulnerability
[SA19904] PHP Newsfeed SQL Injection Vulnerabilities
[SA19899] Advanced Poll "User-Agent" SQL Injection Vulnerability
[SA19896] HB-NS Multiple Vulnerabilities
[SA19895] Ruperts News Script "username" SQL Injection
[SA19888] AZNEWS "ID" Parameter SQL Injection Vulnerability
[SA19883] TextFileBB BBcode Script Insertion Vulnerability
[SA19882] PHP Pro Publish SQL Injection Vulnerabilities
[SA19876] MaxTrade "categori" SQL Injection Vulnerability
[SA19870] Trac Wiki Macro Script Insertion Vulnerability
[SA19867] Leadhound SQL Injection and Cross-Site Scripting Vulnerabilities
[SA19940] VHCS "server_day_stats.php" Cross-Site Scripting Vulnerabilities
[SA19937] JSBoard "table" Cross-Site Scripting Vulnerability
[SA19935] MyNews Cross-Site Scripting Vulnerabilities
[SA19932] SF-Users "register.php" Script Insertion Vulnerability
[SA19913] phpkb Knowledge Base "searchkeyword" Cross-Site Scripting
[SA19909] Thyme "searchfor" Cross-Site Scripting Vulnerability
[SA19901] Invision Power Board Topic Deletion SQL Injection
[SA19878] Pinnacle Cart "setbackurl" Cross-Site Scripting Vulnerability
[SA19877] OrbitHYIP Multiple Cross-Site Scripting Vulnerabilities
[SA19871] SunShop Shopping Cart Cross-Site Scripting Vulnerabilities
[SA19865] MyBB Multiple SQL Injection Vulnerabilities
[SA19929] MySQL Information Disclosure and Buffer Overflow Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:

--
[SA19942] BankTown BtCxCtl20Com ActiveX Control Buffer Overflow
Critical: Highly critical; Where: From remote; Impact: System access; Released: 2006-05-03
Park Gyu Tae has discovered a vulnerability in BankTown BtCxCtl20Com ActiveX Control, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19942/
--
[SA19934] Argosoft FTP Server "RNTO" Command Buffer Overflow
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-03
Infigo Information Security has discovered a vulnerability in Argosoft FTP Server, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19934/
--
[SA19889] CyberBuild Multiple Vulnerabilities
Critical: Moderately critical; Where: From remote; Impact: Cross Site Scripting, Manipulation of data; Released: 2006-05-03
r0t has reported some vulnerabilities in CyberBuild, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19889/
--
[SA19875] Kerio MailServer Attachment Filter Bypass Vulnerability
Critical: Moderately critical; Where: From remote; Impact: Security Bypass; Released: 2006-05-02
A vulnerability has been reported in Kerio MailServer, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19875/
--
[SA19965] Gene6 FTP Server MKD/XMKD Denial of Service Vulnerability
Critical: Less critical; Where: From remote; Impact: DoS; Released: 2006-05-04
Alexey Biznya has discovered a vulnerability in Gene6 FTP Server, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19965/
--
[SA19917] Golden FTP Server Pro NLST/APPE Command Denial of Service
Critical: Less critical; Where: From remote; Impact: DoS; Released: 2006-05-03
A vulnerability has been discovered in Golden FTP Server Pro, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19917/
--
[SA19864] Magic ISO Maker ISO File Extraction Directory Traversal
Critical: Less critical; Where: From remote; Impact: System access; Released: 2006-04-28
Sowhat has discovered a vulnerability in Magic ISO Maker, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19864/

UNIX/Linux:

--
[SA19962] Debian update for ethereal
Critical: Highly critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-04
Debian has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19962/
--
[SA19958] Red Hat update for ethereal
Critical: Highly critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-04
Red Hat has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19958/
--
[SA19950] Ubuntu update for thunderbird
Critical: Highly critical; Where: From remote; Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS, System access; Released: 2006-05-03
Ubuntu has issued an update for thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, disclose sensitive information, and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/19950/
--
[SA19941] Debian update for mozilla-thunderbird
Critical: Highly critical; Where: From remote; Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, DoS, System access; Released: 2006-05-04
Debian has issued an update for mozilla-thunderbird. This fixes some vulnerabilities and a weakness, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and phishing attacks, potentially disclose sensitive information, cause a DoS (Denial of Service), and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/19941/
--
[SA19902] Gentoo update for mozilla
Critical: Highly critical; Where: From remote; Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access; Released: 2006-05-01
Gentoo has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, cause a DoS (Denial of Service), disclose sensitive information, and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/19902/
--
[SA19963] Debian update for clamav
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-04
Debian has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19963/
--
[SA19960] Red Hat update for squirrelmail
Critical: Moderately critical; Where: From remote; Impact: Cross Site Scripting, Manipulation of data; Released: 2006-05-04
Red Hat has issued an update for squirrelmail. This fixes some vulnerabilities, which can be exploited by malicious users to manipulate certain information, and by malicious people to conduct cross-site scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/19960/
--
[SA19959] Red Hat update for dia
Critical: Moderately critical; Where: From remote; Impact: System access; Released: 2006-05-04
Red Hat has issued an update for dia. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19959/
--
[SA19949] Ubuntu update for libtiff4
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-04
Ubuntu has issued an update for libtiff4. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19949/
--
[SA19936] Mandriva update for libtiff
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-04
Mandriva has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/19936/
--
[SA19926] Linux Kernel SCTP Netfilter Denial of Service Vulnerability
Critical: Moderately critical; Where: From remote; Impact: DoS; Released: 2006-05-04
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19926/
--
[SA19920] Rsync "xattrs.diff" Patch Integer Overflow Vulnerability
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-02
A vulnerability has been reported in rsync, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19920/
--
[SA19919] Gentoo update for mplayer
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-02
Gentoo has issued an update for mplayer. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/19919/
--
[SA19914] Gentoo update for phpwebsite
Critical: Moderately critical; Where: From remote; Impact: Exposure of sensitive information, System access; Released: 2006-05-03
Gentoo has issued an update for phpwebsite. This fixes a vulnerability, which can be exploited by malicious people to disclose sensitive information and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19914/
--
[SA19912] Gentoo update for clamav
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-03
Gentoo has issued an update for clamav. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19912/
--
[SA19897] SUSE Updates for Multiple Packages
Critical: Moderately critical; Where: From remote; Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, DoS, System access; Released: 2006-05-01
SUSE has issued updates for multiple packages. These fix some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to disclose sensitive information, conduct cross-site scripting attacks, execute arbitrary SQL code, cause a DoS (Denial of Service), and to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19897/
--
[SA19880] ClamAV Freshclam HTTP Header Buffer Overflow Vulnerability
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-01
A vulnerability has been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19880/
--
[SA19874] Mandriva update for clamav
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-02
Mandriva has issued an update for clamav. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19874/
--
[SA19872] Debian update for asterisk
Critical: Moderately critical; Where: From remote; Impact: Exposure of sensitive information, DoS, System access; Released: 2006-05-01
Debian has issued an update for asterisk. This fixes some vulnerabilities, which can be exploited by malicious users to disclose sensitive information, and by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19872/
--
[SA19951] Ubuntu update for xserver-xorg
Critical: Moderately critical; Where: From local network; Impact: DoS, System access; Released: 2006-05-04
Ubuntu has issued an update for xserver-xorg. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19951/
--
[SA19943] Mandriva update for xorg-x11
Critical: Moderately critical; Where: From local network; Impact: DoS, System access; Released: 2006-05-03
Mandriva has issued an update for xorg-x11. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19943/
--
[SA19921] SUSE update for xorg-x11-server
Critical: Moderately critical; Where: From local network; Impact: DoS, System access; Released: 2006-05-03
SUSE has issued an update for xorg-x11-server. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19921/
--
[SA19916] OpenBSD update for x.org
Critical: Moderately critical; Where: From local network; Impact: DoS, System access; Released: 2006-05-03
OpenBSD has issued an update for xorg-x11. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19916/
--
[SA19915] Gentoo update for xorg-x11
Critical: Moderately critical; Where: From local network; Impact: DoS, System access; Released: 2006-05-03
Gentoo has issued an update for xorg-x11. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19915/
--
[SA19900] X.Org X11 Render Extension Buffer Overflow Vulnerability
Critical: Moderately critical; Where: From local network; Impact: DoS, System access; Released: 2006-05-03
A vulnerability has been reported in X11, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19900/
--
[SA19955] Ubuntu update for kernel
Critical: Less critical; Where: From remote; Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS; Released: 2006-05-04
Ubuntu has issued an update for the kernel. This fixes some vulnerabilities and weaknesses, which can be exploited by malicious, local users to disclose potentially sensitive information, bypass certain security restrictions and cause a DoS (Denial of Service), or by malicious people to disclose certain system information and potentially bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19955/
--
[SA19906] NeoMail "sessionid" Cross-Site Scripting Vulnerability
Critical: Less critical; Where: From remote; Impact: Cross Site Scripting; Released: 2006-05-01
O.u.t.l.a.w has discovered a vulnerability in NeoMail, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19906/
--
[SA19885] DirectAdmin "domain" Cross-Site Scripting Vulnerability
Critical: Less critical; Where: From remote; Impact: Cross Site Scripting; Released: 2006-05-01
O.U.T.L.A.W has reported a vulnerability in DirectAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19885/
--
[SA19879] CPS "pos" Cross-Site Scripting Vulnerability
Critical: Less critical; Where: From remote; Impact: Cross Site Scripting; Released: 2006-05-01
r0t has reported a vulnerability in CPS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19879/
--
[SA19966] Hostapd EAPoL Frame Handling Denial of Service
Critical: Less critical; Where: From local network; Impact: DoS; Released: 2006-05-04
Matteo Rosi has reported a vulnerability in Hostapd, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19966/
--
[SA19910] Quagga RIPd RIPv1 Request Handling Security Issue
Critical: Less critical; Where: From local network; Impact: Security Bypass, Exposure of system information; Released: 2006-05-03
Konstantin V. Gavrilenko has reported two security issues in Quagga, which can be exploited by malicious people to bypass certain security restrictions and to disclose system information.
Full Advisory: http://secunia.com/advisories/19910/
--
[SA19928] ejabberd Insecure Temporary File Creation Vulnerability
Critical: Less critical; Where: Local system; Impact: Privilege escalation; Released: 2006-05-03
Julien L. has discovered a vulnerability in ejabberd, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/19928/
--
[SA19903] TrueCrypt External Command Execution Vulnerability
Critical: Less critical; Where: Local system; Impact: Privilege escalation; Released: 2006-05-01
Julien Tinnes has reported a vulnerability in TrueCrypt, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/19903/
--
[SA19898] Debian update for resmgr
Critical: Less critical; Where: Local system; Impact: Security Bypass; Released: 2006-05-01
Debian has issued an update for resmgr. This fixes a security issue, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19898/
--
[SA19887] Resource Manager resmgrd USB Device Granting Security Issue
Critical: Less critical; Where: Local system; Impact: Security Bypass; Released: 2006-05-01
A security issue has been reported in Resource Manager, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19887/
--
[SA19869] Linux Kernel SMBFS chroot Directory Traversal Vulnerability
Critical: Less critical; Where: Local system; Impact: Security Bypass; Released: 2006-04-28
Marcel Holtmann has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19869/
--
[SA19868] Linux Kernel CIFS chroot Directory Traversal Vulnerability
Critical: Less critical; Where: Local system; Impact: Security Bypass; Released: 2006-04-28
Marcel Holtmann has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19868/

Other:

--
[SA19894] Fujitsu NetShelter/FW DNS Handling Denial of Service
Critical: Moderately critical; Where: From remote; Impact: DoS; Released: 2006-05-02
A vulnerability has been reported in Fujitsu NetShelter/FW, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19894/
--
[SA19881] Cisco Unity Express Expired Password Change Vulnerability
Critical: Less critical; Where: From local network; Impact: Security Bypass, Manipulation of data; Released: 2006-05-02
A vulnerability has been reported in Cisco Unity Express (CUE), which can be exploited by malicious users to manipulate certain information.
Full Advisory: http://secunia.com/advisories/19881/
--
[SA19953] CA Resource Initialization Manager Privilege Escalation
Critical: Less critical; Where: Local system; Impact: Privilege escalation; Released: 2006-05-04
A vulnerability has been reported in CA Resource Initialization Manager (CAIRIM), which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/19953/

Cross Platform:

--
[SA19952] Albinator File Inclusion and Cross-Site Scripting Vulnerabilities
Critical: Highly critical; Where: From remote; Impact: Cross Site Scripting, System access; Released: 2006-05-04
Pridels Sec Crew has reported some vulnerabilities in Albinator, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19952/
--
[SA19944] phpBB phpbb-Auction Module "phpbb_root_path" File Inclusion
Critical: Highly critical; Where: From remote; Impact: System access; Released: 2006-05-03
VietMafia has discovered a vulnerability in the phpbb-Auction module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19944/
--
[SA19923] FtrainSoft Fast Click "path" File Inclusion Vulnerability
Critical: Highly critical; Where: From remote; Impact: System access; Released: 2006-05-03
R at 1D3N has discovered a vulnerability in FtrainSoft Fast Click, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19923/
--
[SA19918] DMCounter "rootdir" File Inclusion Vulnerability
Critical: Highly critical; Where: From remote; Impact: System access; Released: 2006-05-02
beford has discovered a vulnerability in DMCounter, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19918/
--
[SA19911] Aardvark Topsites PHP "CONFIG[path]" File Inclusion Vulnerability
Critical: Highly critical; Where: From remote; Impact: System access; Released: 2006-05-01
cijfer has discovered a vulnerability in Aardvark Topsites PHP, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19911/
--
[SA19907] Artmedic Event "page" File Inclusion Vulnerability
Critical: Highly critical; Where: From remote; Impact: System access; Released: 2006-05-01
A vulnerability has been reported in Artmedic Event, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19907/
--
[SA19905] phpBB Advanced GuestBook "phpbb_root_path" File Inclusion
Critical: Highly critical; Where: From remote; Impact: System access; Released: 2006-05-02
[Oo] has discovered a vulnerability in the Advanced Guestbook module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19905/
--
[SA19893] OpenPHPNuke master.php File Inclusion Vulnerability
Critical: Highly critical; Where: From remote; Impact: System access; Released: 2006-05-01
[Oo] has reported a vulnerability in OpenPHPNuke, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19893/
--
[SA19892] phpBB Knowledge Base Mod File Inclusion Vulnerability
Critical: Highly critical; Where: From remote; Impact: System access; Released: 2006-05-01
[Oo] has discovered a vulnerability in the Knowledge Base Mod for phpBB, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19892/
--
[SA19891] WEBInsta Limbo sql.php File Inclusion Vulnerability
Critical: Highly critical; Where: From remote; Impact: System access; Released: 2006-05-01
[Oo] has discovered a vulnerability in Limbo, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19891/
--
[SA19886] X7 Chat "help_file" Directory Traversal Vulnerability
Critical: Highly critical; Where: From remote; Impact: Exposure of system information, Exposure of sensitive information, System access; Released: 2006-05-02
rgod has discovered a vulnerability in X7 Chat, which can be exploited by malicious people to disclose sensitive information and by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19886/
--
[SA19884] phpBB TopList "phpbb_root_path" File Inclusion Vulnerability
Critical: Highly critical; Where: From remote; Impact: System access; Released: 2006-05-02
[Oo] has discovered a vulnerability in the TopList module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19884/
--
[SA19866] phpwcms Multiple Vulnerabilities
Critical: Highly critical; Where: From remote; Impact: Security Bypass, System access; Released: 2006-05-01
bugreporter has reported some vulnerabilities in phpwcms, which can be exploited by malicious people to bypass certain security restrictions or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19866/
--
[SA19948] Invision Gallery "album" SQL Injection Vulnerability
Critical: Moderately critical; Where: From remote; Impact: Manipulation of data; Released: 2006-05-04
Devil-00 has reported a vulnerability in Invision Gallery, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19948/
--
[SA19933] CMScout Multiple Script Insertion Vulnerabilities
Critical: Moderately critical; Where: From remote; Impact: Cross Site Scripting; Released: 2006-05-04
Nomenumbra has discovered some vulnerabilities in CMScout, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19933/
--
[SA19930] Russcom.Loginphp Script Insertion and Open Mail Relay
Critical: Moderately critical; Where: From remote; Impact: Security Bypass, Cross Site Scripting; Released: 2006-05-03
Nomenumbra has discovered two vulnerabilities in Russcom.Loginphp, which can be exploited by malicious people to use it as an open mail relay and conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19930/
--
[SA19927] PHP Multiple Unspecified Vulnerabilities
Critical: Moderately critical; Where: From remote; Impact: Unknown; Released: 2006-05-04
Some unspecified vulnerabilities with unknown impacts have been reported in PHP.
Full Advisory: http://secunia.com/advisories/19927/
--
[SA19925] PHP Linkliste "linkliste.php" Script Insertion Vulnerability
Critical: Moderately critical; Where: From remote; Impact: Cross Site Scripting; Released: 2006-05-03
d4igoro has discovered a vulnerability in PHP Linkliste, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19925/
--
[SA19924] 321soft Php-Gallery Multiple Vulnerabilities
Critical: Moderately critical; Where: From remote; Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information; Released: 2006-05-03
d4igoro has discovered some vulnerabilities in 321soft Php-Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/19924/ -- [SA19922] CGI:IRC client.c Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-05-02 A vulnerability has been reported in CGI:IRC, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19922/ -- [SA19908] 4images "sessionid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-02 CrAzY CrAcKeR has discovered a vulnerability in 4images, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19908/ -- [SA19904] PHP Newsfeed SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-01 Aliaksandr Hartsuyeu has reported some vulnerabilities in PHP Newsfeed, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19904/ -- [SA19899] Advanced Poll "User-Agent" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-02 Aliaksandr Hartsuyeu has reported a vulnerability in Advanced Poll, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19899/ -- [SA19896] HB-NS Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-05-01 Aliaksandr Hartsuyeu has reported some vulnerabilities in HB-NS, which can be exploited by malicious people to conduct script insertion or SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/19896/ -- [SA19895] Ruperts News Script "username" SQL Injection Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2006-05-01 Aliaksandr Hartsuyeu has reported a vulnerability in Ruperts News Script, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19895/ -- [SA19888] AZNEWS "ID" Parameter SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-01 Aliaksandr Hartsuyeu has reported a vulnerability in AZNEWS, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19888/ -- [SA19883] TextFileBB BBcode Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-01 r0xes.ratm has discovered a vulnerability in TextFileBB, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/19883/ -- [SA19882] PHP Pro Publish SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-01 Aliaksandr Hartsuyeu has discovered some vulnerabilities in PHP Pro Publish, which can be exploited by malicious people to conduct SQL injection attacks and by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19882/ -- [SA19876] MaxTrade "categori" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-01 r0t has reported a vulnerability in MaxTrade, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/19876/ -- [SA19870] Trac Wiki Macro Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-04-28 A vulnerability has been reported Trac. which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/19870/ -- [SA19867] Leadhound SQL Injection and Cross-Site Scripting Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-04-28 r0t has reported some vulnerabilities in Leadhound, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19867/ -- [SA19940] VHCS "server_day_stats.php" Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-03 O.U.T.L.A.W has reported some vulnerabilities in VHCS, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19940/ -- [SA19937] JSBoard "table" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-03 Alexander Klink has reported a vulnerability in JSBoard, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19937/ -- [SA19935] MyNews Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-03 DreamLord has reported two vulnerabilities in MyNews, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/19935/ -- [SA19932] SF-Users "register.php" Script Insertion Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-03 Nomenumbra has discovered a vulnerability in SF-Users, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/19932/ -- [SA19913] phpkb Knowledge Base "searchkeyword" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-03 d4igoro has reported a vulnerability in phpkb Knowledge Base, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19913/ -- [SA19909] Thyme "searchfor" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-02 O.U.T.L.A.W has discovered a vulnerability in Thyme, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19909/ -- [SA19901] Invision Power Board Topic Deletion SQL Injection Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2006-05-02 Devil-00 has reported a vulnerability in Invision Power Board, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19901/ -- [SA19878] Pinnacle Cart "setbackurl" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-02 r0t has reported a vulnerability in Pinnacle Cart, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/19878/ -- [SA19877] OrbitHYIP Multiple Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-01 r0t has reported some vulnerabilities in OrbitHYIP, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19877/ -- [SA19871] SunShop Shopping Cart Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-01 r0t has reported some vulnerabilities in SunShop Shopping Cart, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19871/ -- [SA19865] MyBB Multiple SQL Injection Vulnerabilities Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2006-04-28 o.y.6 has discovered some vulnerabilities in MyBB, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19865/ -- [SA19929] MySQL Information Disclosure and Buffer Overflow Vulnerabilities Critical: Less critical Where: From local network Impact: Exposure of sensitive information, System access Released: 2006-05-03 Stefano Di Paola has reported some vulnerabilities in MySQL, which can be exploited by malicious users to disclose potentially sensitive information and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19929/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45


From isn at c4i.org Fri May 5 01:26:57 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 5 May 2006 00:26:57 -0500 (CDT)
Subject: [ISN] Avian Flu: Can IT Handle a Pandemic?
Message-ID:

http://www.eweek.com/article2/0,1895,1957612,00.asp

By Larry Dignan
May 4, 2006

VeriCenter Chief Technology Officer Dave Colesante is a rare bird. Unlike many IT executives, Colesante has actually thought about a potential avian influenza virus, or bird flu, pandemic and reckons his company, which provides technology services, is relatively prepared if the virus becomes transmitted through human contact.

After all, Colesante's 225-person support staff is used to managing VeriCenter's seven data centers from home. And that's a good thing if a bird flu pandemic hits, because the federal government would encourage "social distancing" to prevent further illness. According to the Department of Health and Human Services, a severe bird flu pandemic would make 30 percent of the population, or 90 million people, ill and result in 2 million deaths. Companies would have absentee rates of about 40 percent.

"You would have to set up to remotely manage IT," said Colesante in Houston. "You'd have to leverage connectivity."

The big question: How many companies are prepared for a bird flu pandemic? An AMR Research study released May 2 found that 68 percent of companies with more than $1 billion in revenue aren't ready for a pandemic. An earlier study by Deloitte & Touche concluded that two-thirds of companies aren't prepared for a pandemic.

Among the issues: How do you manage a work force at home? What workers would be on site in data centers to swap servers and manage power? Can companies rely on Internet access in employees' homes?
Those questions are likely to pick up for technology workers and others involved with business continuity. Through April 27, the World Health Organization tracked 205 cases of bird flu that led to 113 deaths. On April 28, a mild form of bird flu was found at a live-bird market in New Jersey. Meanwhile, public awareness, not to mention your boss', could be stoked by "Fatal Contact: Bird Flu in America," an ABC movie airing May 9.

"This is just now becoming a hot button issue," said Henry Fieglein, chief innovation officer of thin-client company Wyse Technology, in Austin, Texas. Fieglein, who was the global director of infrastructure and security architecture at Deutsche Bank, led a task force to prepare the bank for a pandemic. According to Fieglein, the bank is exploring thin-client technology that would extend into workers' homes to securely re-create on-site technology such as telephony and trading applications. Deutsche Bank said in a statement that its business continuity plan can "cover a wide range of contingencies, including pandemics," but officials declined further comment.

While preparations are fluid, there is one bright side: We have time. "An avian flu pandemic is not coming tomorrow, and the disease is probably a ways off," said Alex Tabb, principal at The Tabb Group, a New York-based consultancy to financial services firms. "But that doesn't mean you don't plan now."

M. Lewis Temares, CIO and dean of the engineering school at the University of Miami, said it can't hurt to bring bird flu preparations to the forefront. "Companies aren't paying attention to this at all," said Temares. "It's like Y2K - no one worried about it until right before Y2K. Most don't have a plan."

Companies remain mum about bird flu preparations, but they note the risks. For the fiscal year ended April 24, bird flu was mentioned in annual and quarterly reports 388 times, according to regulatory filings with the Securities and Exchange Commission.

Where's the Return?
Tabb said the biggest reason companies are quiet about their planning is that they are just getting started. In addition, it's hard to generate a return for something that may never happen. Given the uncertainty, Tabb said executives need technologies that will deliver a return even if a pandemic doesn't occur.

"The main thing to determine is what you have lying around today that can be reused in the case of a pandemic," said Tabb. "Being pragmatic is important if you are going to have your staff working from home."

The lack of a short-term return on bird flu planning means many companies are viewing a pandemic scenario as an extension to current business continuity plans. "We have our hurricane playbook as far as contingency planning goes, and we'd probably amend that for bird flu," said George Chizmar, vice president of IT at Apple Vacations.

Colesante said VeriCenter's plan is to make sure its most valuable technology tools are ready in case bird flu breaks out. Fieglein advised that companies schedule work-at-home days to test infrastructure. Among the technology tools that will be necessary in a pandemic:

* VPN: "The VPN is the most important technology to create a redundant tunnel so workers can tunnel from various locations securely," said Colesante. The challenge: It has to be tested so it can handle a crush of at-home workers, he said.

* Desktop support: Some workers will use their home PCs. Companies will need to keep desktop applications standardized and maintain security. The challenge: Security could be an issue. "It's easy to say employees will work from their house, but less secure if they don't have the same level of software protection they have at work," Colesante said.

* Identity management: Steve Ross, global leader of Deloitte's business continuity management practice, said a pandemic would force companies to cross-train workers on technologies. Perhaps an auditor has to fill in to manage a database.
The challenge: A company will need technologies to track and provision worker roles and access permissions quickly, most likely from afar.

* Citrix MetaFrame: One way around standardizing applications would be to allow workers to tunnel into applications through software from Citrix, Tabb said. The challenge: Bandwidth constraints could hamper performance.

* Thin clients: Fieglein said Wyse has discussed streaming software that would deliver applications remotely to PCs. Deutsche Bank is already a Wyse hardware customer. The challenge: Companies would need to build the centralized architecture to support thin-client use in the home.

Ross said those technologies only go so far because some productivity will be lost. "People are used to working together, and if you separate them, it may not go as well," he said. "Teleworking is a major issue, and there are problems with social distance."

Wild Card: Cable and DSL Access

Of course, all this planning isn't going to help companies if so-called last mile access to workers' homes falters. Tabb said companies with workers at home will rely on cable and DSL providers for connectivity. "If a massive number of people have to work from home, that last mile is going to get clogged quickly," Tabb said. "There will be congestion if industry has to move significant data back and forth."

VeriCenter's Colesante said his workers also have wireless cards that connect to cellular networks to use in case of DSL or cable outages.

The rub with all that telecommuting: Someone has to pick up the tab. "You need a continuity policy that dictates how a company approaches broadband," Tabb said. "Should the company reimburse broadband for those that aren't connected?"

Add that to the long list of bird flu planning yet to be done. "No one wants to tempt fate and say we have all of this covered," said Ross, in New York. "Especially when they haven't really started to consider the implications."
From isn at c4i.org Fri May 5 01:27:11 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 5 May 2006 00:27:11 -0500 (CDT)
Subject: [ISN] Rumsfeld urged to reverse DOD's clearance processing halt
Message-ID:

http://www.fcw.com/article94283-05-04-06-Web

By David Hubler
May 4, 2006

The Professional Services Council and six other organizations want Secretary of Defense Donald Rumsfeld to immediately reverse the Defense Security Service's decision to cease the processing of industry applications for new clearances and for periodic reviews of existing clearances.

In a letter to Rumsfeld, released Thursday, the seven organizations call on him to "immediately restart the industry clearance granting process and ensure it continues for the remainder of the current fiscal year."

The DSS announced April 28 that it was halting the security clearance process due to a funding shortage and the overwhelming number of requests. The announcement caught many contractors and lawmakers on Capitol Hill by surprise.

The other organizations that signed the letter are the Aerospace Industries Association, Armed Forces Communications and Electronics Association, Contract Services Association, National Defense Industrial Association, Information Technology Association of America, and Intelligence and National Security Alliance.


From isn at c4i.org Fri May 5 01:27:48 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 5 May 2006 00:27:48 -0500 (CDT)
Subject: [ISN] A million little pixels
Message-ID:

http://www.pitch.com/Issues/2006-05-04/news/feature_full.html

By David Martin
May 4, 2006

Today's seminar on raising venture capital will be presented by a man wearing a long-sleeved checkered shirt, blue jeans and black tennis shoes.

"This is dressed up for me," John Flowers announces at the outset of his PowerPoint demonstration. "Usually, I'm dressed in sandals and shorts and a T-shirt that says something offensive."
Flowers is the 35-year-old founder and CEO of an Overland Park technology company called Kozoru. He is standing at the front of a room at the Kauffman Foundation Conference Center. His audience is a group of two dozen young entrepreneurs, guys and gals in their twenties willing to sacrifice a Friday evening for the opportunity to learn the ways of parting investors from their money.

In spite of his casual appearance (or maybe because of it), Flowers is well-qualified to make the presentation. The Silicon Valley veteran says he's raised $70 million in his career. He has even been backed by the government: Kozoru received $500,000 from a Kansas state agency that spends lottery and race-track proceeds on economic development.

Flowers assures the entrepreneurs that his lesson will be something special. "Every time I do a presentation, I start from scratch," he says. His head shot pops up on a projector screen behind him. "Let's talk about me," he says.

Flowers' story begins with his doing "skunk works," or secret projects, at Microsoft in the early 1990s. "There was a time when Microsoft was actually cool," Flowers says.

In addition to working for Bill Gates, Flowers says he was a computer hacker. He talks about having attended Def Con, a 1994 hacker convention. Six companies that sell computer software meant to keep out hackers offered $10,000 to anyone who could crack their security systems in a Capture the Flag contest, he says. Flowers claims that he scored five of the six "flags" and then went for drinks with friends.

Flowers used his hacker background to start a network security company. Hiverworld, which became nCircle, today employs 300 people. Forty-foot brass lions stand sentry in the company's San Francisco office.

One of the young entrepreneurs, Mark Pydynowski, stops Flowers. "Why did you leave nCircle?" he asks. Clad in a dark suit, Pydynowski seems curious to know why someone would walk away from a flourishing company.
Flowers says he's the type of person who needs to move on and do something new after a while. He says there were "no hard feelings" when he left nCircle.

Flowers moves on to his current project, Kozoru. He created the company to develop a search engine that understands natural language. Instead of typing keywords, users would enter questions to find their answers. Getting computers to understand linguistics has been called the holy grail of search technology. Ask Jeeves built a brand name on the idea, but the technology itself didn't really work.

Flowers came up with what he thought was a unique approach, and a hell of a back story. He claims that he decided to start the company after studying Buddhism at a temple in Thailand.

Flowers moved to Johnson County in 2003 and started Kozoru a year later. He raised a total of $3 million and recruited a team of computer experts from the Bay Area and Austin, Texas. The company planned to launch its service in the summer of 2005. But the deadline came and went without a product debut. The problems, it turned out, were more difficult to solve than Flowers had imagined.

Also, the appeal of a question-and-answer search remains in doubt. At one point, the Kozoru team brought in a focus group. Test subjects sat in front of computers and were instructed to enter questions into the Kozoru search bar.

"Nobody asked it a question," Flowers says in an interview. "Every single person typed in keywords. It's the funniest thing. You put a search bar in front of someone, it's like someone has trained you to think like Google rather than you thinking like you."

Kozoru is now concentrating on a search engine for instant-messaging and mobile devices. The technology is supposed to be available to the public sometime next month. A successful launch would quiet doubters.

On more than one occasion, Flowers has compared Kozoru with the Manhattan Project. He's undoubtedly intelligent and knowledgeable.
But like A Million Little Pieces author James Frey, a talented writer who embellished the facts of his addiction to drugs and alcohol, Flowers is not all that he says he is. The daring of his hacking exploits is disputed. He lied to the state of Kansas about his education. And Pydynowski was right to wonder if there was more to the nCircle story. In fact, a fellow programmer accused Flowers of stealing his work.

A "serial entrepreneur" in denim, Flowers has dazzled the local business community. But his relocation here looks as much like the arrival of a Silicon Valley washout as it does the coming of a hero.

Flowers is sitting in a chair at the Kozoru office. A small hoop hangs from his left earlobe. His beard is full today, but his facial hair goes through frequent revisions. A bottle of Fiji water, his brand of choice, is within reach. His mien is calm and friendly, like that of a patient teacher.

Flowers reminisces about his days of studying English literature and philosophy in college. He was attracted to the liberal arts, he says, because he didn't want to be near the nerds in computer labs. "I'm socially awkward, but they were way more awkward than I was," he says.

A man of diverse interests (he edits video and writes novels and film scripts in his spare time), Flowers built Kozoru in his image. Eleven people work at the company, which leases space in a bland office park near Metcalf and Shawnee Mission Parkway in Overland Park. Most members of the Kozoru team are in their thirties and strike a hip pose. Flowers met the communications manager, Justin Gardner, through the Kansas City Screenwriters club. Network Administrator Chris Downs plays in a death-metal band and wrote and directed a horror film, Shunned.

Downs left Kozoru earlier this year to work at Kansas City design agency VML. Downs says he thought that quitting a start-up would allow him more time to work on his outside projects.
He immediately regretted the decision and returned after three and a half weeks.

"We're happy you're back," Flowers tells Downs, who is headed outdoors for a smoke break. "You don't want to work there anyway. Bureaucracy."

"First day I was there, this is what happened," Downs says. "I walked in and sat down at my desk, and I went, 'Holy shit, what have I done?'"

The Kozoru work schedule is flexible but demanding. Flowers asks his crew to be present or available via video chat from 10 a.m. to 4 p.m. An approaching deadline typically means late nights and seven-day workweeks. "I'm pretty tough," Flowers says of his management style.

Early spring felt like final-exam week for Flowers and his staff. Last month, Kozoru invited a group of industry types to use a trial of the new cell-phone and instant-messaging search engine.

Originally, Flowers talked about Kozoru taking on search giants such as Google. The plan was to build a search engine that responded to questions with authoritative answers. In Flowers' example, the question "Who is Gordon Downie?" would return a pithy reply describing Downie as the lead singer of the Tragically Hip, a Canadian rock band. Kozoru sought to deliver needles where so many keyword searches produce haystacks.

Search technology has always frustrated Flowers. He says he can remember being 9 years old and asking his Tandy TRS-80, "Why is the sky blue?" The computer simply beeped at him. Flowers says he began talking with friends in the late '90s about how cool it would be to build a better search engine.

If he was going to improve search, Flowers decided that he needed to use mathematics. Math, after all, is something that computers do very well.

"Our approach is to take a mathematical or statistical approach to language," he explains. "You don't care what the words are. You don't care what the words mean. You just map them to numbers and then figure out how close they are and how far they are and put them in a big graph.
And then you just keep doing that and doing that until you get this nice set of patterns."

Flowers says Kozoru has found something valuable. Experts may disagree. The idea is nothing new, says Marti Hearst, an assistant professor in the School of Information Management and Systems at the University of California-Berkeley. "This is a very standardized approach in the field," Hearst says. "In fact, this is what everyone in the field does now. It's like saying about FedEx that they use airplanes to deliver packages."

However unique its approach, the Kozoru team ran into problems. For one thing, not all questions are as simple as "Who is Gordon Downie?" Ask an Irishman "Who is the Great Emancipator?" and he's apt to say radical Catholic lawyer Daniel O'Connell, not Abraham Lincoln. A question like "Does God exist?" introduces even more variables.

"The big realization for us along the way was that we built this system that's really powerful, and it's right a lot, but there's a subjectivity to questions that you can't produce mathematically," Flowers says. "It's like trying to understand emotion; you just can't do it."

So the holy grail of natural-language search remains elusive, much like Flowers himself.

Flowers says he was born in Topeka in 1970. He tells the Pitch that he was adopted and his father (now deceased) was in the military. His grandmother bought him his first computer. "I grew up really poor, so it was a big deal," he says. "It was a $600 computer."

Flowers does not volunteer much information about his childhood. One event that he has mentioned on his blog and in other settings is his arrest at age 13. Flowers tells the Pitch that the FBI kicked down his door one day. "I had committed wire fraud, which is making free long-distance phone calls." Flowers says he made the illegal calls to connect to bulletin-board systems, which were precursors to the World Wide Web.
"I thought it was ridiculous that I had to pay long-distance charges to connect to another computer, so I figured a way to get around it."

Flowers says he spent several months in a juvenile-detention center in San Diego run by the FBI. He says his confinement coincided with the popularity of the 1983 geek classic WarGames. Adult counselors, he says, worried about his ability to start Armageddon with the push of a few buttons.

Flowers says he survived detention by befriending a big, tough guy named Andre. "I think he blew up a building; it was awful," Flowers recalls of his protector. Flowers showed Andre how to make free calls from a cellblock pay phone. In gratitude, Flowers says, Andre "kind of bodyguarded me."

Juvenile records are sealed, so no public documents exist to support or refute Flowers' story. But the FBI does not run detention centers. Juveniles convicted of federal crimes do their time at facilities run by state or local governments. "It sounds kind of fishy," Sandra Hijar, a spokeswoman for the Western Regional Office of the Federal Bureau of Prisons, tells the Pitch after hearing Flowers' tale of incarceration at age 13. "I have never heard of a juvenile FBI facility."

True or false, Flowers' story bears similarities to the plight of John Draper, a famous figure in computer circles. Draper discovered in the 1960s that a toy whistle found in certain cereal boxes could be used to manipulate long-distance calling switches. The subject of a 1971 Esquire story, in which he was identified only as "Captain Crunch," Draper taught future Apple founders Steven Jobs and Steve Wozniak his secrets. He was later tracked down by the FBI and spent time in prison.

After his release, Flowers says he left home when he was not quite 16 and moved in with a friend who had an apartment. He got a job delivering pizza and tried to stay in school, he says.
Often unsure of dates and places ("Temporality eludes me for some reason," he says), Flowers guesses that he lived in Texas at the time he left home. He says he moved to Massachusetts and then Berkeley.

Flowers' teenage years would provide still another amazing technology-related story: He claims to have come up with an idea for making movie times available by phone. Flowers wrote a version of the story on his blog two years ago: In the early 1990s, Flowers was staring at a poster for the movie Three Days of the Condor when lightning struck: a computer program that generated lists of theaters and show times from zip codes. Flowers submitted the idea to a contest run by the telephone industry. "Six days later," he wrote, "someone wrote a check for what we called 444-FILM and I purchased a brand new, 1990 Porsche Carrera 911 4X4 with the profit ..."

In an interview, Flowers does not say that his application became Moviefone, the company behind 777-FILM. Rather, he notes that he came up with the idea the year before Moviefone launched. Editing the story he told on his blog, Flowers tells the Pitch that he wrote the program in 1988, not the early 1990s, perhaps remembering that Moviefone launched in 1989. AOL bought Moviefone in 1999 for $388 million, but Flowers claims no bitterness. "I was 17, and somebody wrote me a check for $80,000 because of a computer thing that I did," he says.

Like the arrest, the 444-FILM story is unverifiable. Flowers says confidentiality agreements prevent him from revealing the identity of the person who wrote the $80,000 check. But Russ Leatherman, a Moviefone founder (as well as the famous voice of 777-FILM), tells the Pitch through a spokesman that he's never heard of Flowers.

Doubt surrounds another story that Flowers likes to tell: his contest-winning performances at Def Con. The annual Las Vegas hacker convention called Def Con was founded by Jeff Moss in 1993.
When a Pitch reporter recounted the story Flowers told at the Kauffman Foundation, Moss quickly answered: "Utter bullshit." The convention didn't include a Capture the Flag contest until the fourth Def Con in 1996, Moss says -- not 1994 or 1995, years in which Flowers has claimed to have won the prize. Moss recalls that another individual won the first two Capture the Flag contests. "It was this guy called A.J. Reznor, who won it in a pretty famous way," Moss says. "This guy won it with no monitor, attacking the machine with a keyboard only. He memorized the entire attack and did it."

When asked about the discrepancy last week, a Kozoru spokesman said Flowers may have misspoken at the Kauffman Foundation and that the issue is one of semantics. In fact, Moss does acknowledge that Flowers may have a Capture the Flag victory to his credit. The problem, Moss says, is that Flowers has continually claimed he won on years when he didn't, and he fails to mention that he was part of a hacker team.

Flowers did present a paper at Def Con 8. A video of his speech, available on the Internet, shows an overweight and grungy-haired Flowers talking in a hotel conference room about network security. At one point in the hourlong presentation, he pops open a bottle of beer. At another point, he holds up a white paper by Network Associates, a leading security company now known as McAfee. Flowers expresses his contempt for corporate network security by flinging the document into the crowd. "Fuck that," he says.

Flowers, who is 6 feet 1 inch tall, is standing next to his blue 1994 Mazda RX-7 in the parking lot outside the Kozoru office. He is wearing a "Cult of Chuck Palahniuk" T-shirt under a light jacket. Palahniuk, the author of Fight Club, is one of Flowers' heroes, along with Steve Jobs and the late physicist Richard P. Feynman. Like the T-shirt, the car speaks to Flowers' identity. A decal of his beloved Apple Computers is stuck to the rear window.
Below the Apple sticker is a word in kanji, a Japanese writing system based on Chinese characters. The word, Flowers explains, translates to elite, a term hackers use to identify themselves.

The workday is over. Flowers leaves to meet his 3-year-old son, Case. He calls the boy "my own little organic learning engine." Flowers is learning what it means to be a divorced father. Flowers and Case's mother, Gretchen, separated last year after 12 years of marriage. The divorce was finalized last month.

The couple married in Arlington, Texas. They lived in Kansas City for a time in the mid-'90s, when Flowers helped UtiliCorp (now Aquila) install an e-mail system. He moved to the Bay Area in 1996 for a job at Farcast, a now-defunct Internet company.

Flowers founded Hiverworld, the network security company, in 1998. He left in 2003. Five years, he says, is about twice as long as he can spend doing anything. "I left and decided, 'That's it. I'm done with technology. I'm going to write a screenplay. I'm going to write a book. I'm going to find a million things that aren't technology.'"

Whatever his artistic yearnings, Flowers did not leave the company in a blaze of glory. A year after founding the company in 1998, Flowers was accused of lifting the work of security expert Fyodor Vaskovich. Several employees left the company after the incident, which contributed to the decision to rename the business nCircle. Restricted in what he can say by a confidentiality agreement, Vaskovich tells the Pitch that his copyright dispute with Hiverworld was "settled amicably" in 2001. "Since their reincarnation with new management, nCircle has become an important partner and a pleasure to work with," he writes in an e-mail.

Flowers calls the copyright claim "complete and utter bullshit" and says it has been settled. He adds: "I was accused of stealing something, but you know what? People get accused of stealing stuff all the time. The resolution was, there was no resolution.
It never went anywhere. There was no trial. There was no case -- nothing. Never went anywhere. It was just an accusation by someone who was mad at me when they quit. I have kind of a strong personality, and some people don't respond well to that." Flowers says he stayed on for three years after the accusation was made. He also notes that he was able to convince a few nCircle veterans to join his new venture.

After leaving the Bay Area, Flowers says he and his wife were traveling around the country when they found a house they liked in Mission, Kansas. They hit the road again a few months after Gretchen gave birth to Case at Menorah Medical Center. "One of us had a rucksack, the other one had the kid, and we just took off."

What follows is another remarkable John Flowers story. The young family went first to Boston and then visited several countries in Europe. "It was total Zen travel," Flowers says. "We would just wake up [and say], 'What do you want to do today?'" Flowers wanted to see Hong Kong, but during a layover in Bangkok, he became captivated by Thailand. John, Gretchen and their toddler son moved about the country, staying in bungalows, before arriving in a place called Chiang Rai. There, Flowers knocked on the door of a temple and announced that he wanted to study Buddhism. A person who answered the door spoke some English and told him that his request would be difficult to meet. Flowers asked to see the teacher in charge. With the man who answered the door serving as interpreter, Flowers spoke with the teacher. "I said something that apparently impressed him," he says.

Flowers received an invitation to spend a month in the temple. Gretchen and Case returned to the States. Flowers says the teacher gave him the arduous task of grinding pepper with a mortar and pestle. His eyes watered, and his skin blistered. "I did that for hours every day," Flowers says. "It was brutal."
Using broken Thai, Flowers was eventually able to communicate with the teacher, who, he says, was "a fairly well-known Buddhist monk." When he was not grinding pepper or taking walks with the monk, Flowers meditated. He discovered that he wasn't very good at meditating. "Sort of on the dirt floor, staring at the white wall, that's when I decided, 'You know what, I think I have another company in me.'" He says he was back in the United States for only 30 days before convincing investors to fund Kozoru.

As for the Thailand story, Flowers agreed last week to show his passport after a Pitch reporter asked for evidence of the journey. But as of press time, he had produced nothing.

Mike Peck met John Flowers in the spring of 2004. Peck was serving as the fund manager at the Kansas Technology Enterprise Corporation (KTEC). A state economic-development agency, KTEC has the authority to make direct investments in promising Kansas tech companies. With his stories of raising seven figures in investments and his journey in Thailand, Flowers left quite an impression on Peck.

Peck is no rube. He received an MBA from Northwestern University and worked at C-Tribe, a failed San Francisco dot-com of the late '90s. He spent time with Flowers as KTEC considered investing in Kozoru. Peck sat in as Flowers made a presentation to venture capitalists on the West Coast. Eventually, KTEC invested $500,000 -- double the size of any of the agency's previous investments. Additionally, KTEC has awarded $372,000 in tax credits to private investors in Kozoru. "From the first meeting with John Flowers, it was pretty apparent that he was an exceptional individual and had an exceptional vision," Peck told the Pitch in 2004. Peck said Kozoru was a "perfect storm" of an outstanding board, management and idea. Now a partner in the private-equity fund Open Prairie Equity Partners, Peck subleases office space from Kozoru.
Today, Peck calls the KTEC investment in Kozoru the right opportunity at the right time.

KTEC has $6.8 million invested in Kansas companies and funds, according to its most recent annual report. Tracking the performance of the investments is difficult. Of the 15 companies KTEC helped in 1998, 10 had either closed or had failed to grow beyond nonfamily employees, according to a 2003 state audit. KTEC President Tracy Taylor tells the Pitch that his staff does due diligence when looking at possible investments. "[It's] good governance and good partnering rather than just giving somebody money," he says.

On paper, Kozoru looked like the kind of company that Kansas -- with only two Fortune 500 companies -- should recruit. In addition to Flowers, Kozoru had two prominent Bay Area board members: David Warthen and Ridgely Evers. Warthen was a co-founder of Ask Jeeves. Evers conceived QuickBooks accounting software.

Though associated with recognizable products, Warthen and Evers were not exactly ascendant figures at the time they joined the Kozoru board. Ask Jeeves had raised $42 million in its initial public offering in 1999. But the company failed to deliver on the promise of a question-based search. Ask Jeeves acquired new technology in 2001, and the site now looks and feels very much like Google. Warthen left Ask Jeeves and stayed mostly out of the news until 2004. That year, Warthen married Cristina Schultz -- who, federal prosecutors claim, paid her way through Stanford Law School by working as a high-priced call girl under the name "Brazil." Schultz made headlines in the Bay Area when the federal government seized $61,000 from her that prosecutors say she earned as a prostitute. Warthen later stepped in to claim that the money was his, not proceeds from unlawful activity. Warthen gave the money to Schultz to hold prior to their marriage, his attorney, Doug Schwartz, says.
"Of course, they were going to use it for vacations, weddings and/or a honeymoon, to be precise," Schwartz tells the Pitch. The case is still being fought in federal court. Warthen declined to comment to the Pitch about the incident. But he spoke highly of Flowers, who he said is always full of ideas. "He has not only a very strong technical knowledge, but he is a very creative thinker," he said. Evers became president of Hiverworld in 2000. He left the business at around the same time that Flowers did. Evers says he took a vacation and "did something approaching nothing [in the technology field] for a while." He joined the Kozoru board largely because of his belief in Flowers. "One of the things that I like about John is that he is interested in ? maybe only interested in ? solving big problems," Evers tells the Pitch. "What he was setting out to solve with Kozoru was nothing less than the unfulfilled promise of search. That's really what it comes down to. That's a big challenge. I like that." KTEC officials appear to have done little but talk to Flowers believers like Evers. A section of Kozoru's application for KTEC funding is subject to open-records laws. In the description of the management team, Flowers claims to hold bachelor's and master's degrees from Berkeley and a master's degree from the University of Texas in Austin. The degrees do not exist. Kathleen Maclay, spokeswoman at Berkeley, says the university has no record of a John S. Flowers attending the school in the past 25 years. Officials at Texas also could not find record of a student named John Flowers who was born in 1970. In response, Flowers replied: "That's bizarre. I don't know what to tell you. That's pretty strange. Maybe I should give them [Berkeley] a call and figure out what's going on." "When we started, we sort of naively thought we were going to create an Ask Jeeves that works," Flowers says. Turns out, nobody really cared if they could. "That ship has sailed," Flowers says. 
"I think people, either they don't want it or they were burned by it or they believed and then they lost faith because it didn't work the way they thought it would." The Kozoru team regrouped and decided to create a search engine that catered to mobile devices and instant-messaging software. Flowers describes a scenario in which a cellular-phone user finds the right restaurant with Kozoru's help. "Imagine being able to say, 'I want Chinese in San Francisco that's cheap, that's good for me to bring a date to and is run by the Mafia,' and getting that kind of answer, which is way outside of 411 or even what the Web is doing for you right now," he says. A few weeks ago, Kozoru gave a group of people in the information-technology business access to the system. Flowers says the early feedback has been "extremely positive." Even if a launch is successful, Kozoru is unlikely to become the area's next Sprint. Flowers itches to sell the company. Flowers spent time last fall talking to officials at Google, Apple and Yahoo. On his blog, loneronin.net, he wrote with unusual candor about his experiences as a possible acquisition target. Flowers described a visit that he and members of his team made to Google headquarters in Mountain View, California. "Everything we saw and heard and felt seemed like we were getting along great with everyone there," he wrote on December 1. "Everything, that is, until three weeks ago when ? without warning ? they stopped responding to e-mails or returning our phone calls." In a December 19 post, Flowers moaned that Google had "banned" Kozoru from using its system after a demonstration in which Kozoru had improved on Google search results. The posts shook a corner of the blogosphere that keeps watch on new computer technology. "If I were Google, I wouldn't return this guy's calls either," technology writer Nicholas Carr wrote on his blog, Rough Type. "A crank is a crank." 
Carr also made fun of Flowers for glossing himself as a "Futurist, Strategist, Technologist, Visionary & Polymath" on his blog. The description was later removed. Another blogger, Scott Reynolds, called Flowers "Mr. Ego" in the comment thread on Carr's blog. Reynolds faulted Flowers for creating his own page on Wikipedia, the user-edited online encyclopedia.

Showing a measure of sportsmanship, Flowers participated in the comment thread, saying he agreed with a lot of what Carr had said, "except for the part about me being a crank." Addressing Reynolds' comments, Flowers said he edited but did not create the Wikipedia page. Logs showed that the original author lived in Missouri. "My guess is someone I know wrote it. I do -- after all -- have actual friends," Flowers responded. Whoever originally authored his Wikipedia page, Flowers certainly approved of its existence. "If I ever get an entry in the Wikipedia system, I will consider myself successful," he wrote on his blog seven months prior to the page's creation.

As for Google's nonresponsiveness, Flowers tells the Pitch he learned later that a company rep he was expecting to hear from took a five-week vacation in Fiji.

Unbowed by the banned-by-Google experience, Flowers continued to negotiate in public. In January, his blog listed the 11 reasons that Apple should buy Kozoru. A few days later, Flowers shared the comment of someone named Mark who said Flowers had "hung his dick over the fence." Flowers wrote that he was "pretty much joking" when he had entreated Apple to purchase Kozoru.

During Flowers' speech at the Kauffman Foundation Conference Center, the phrase "The Spooky Art" appears on a PowerPoint slide. Flowers uses the term to describe the process of raising venture capital. The term has a familiar ring: The Spooky Art is the title of a 2003 Norman Mailer book about writing. Flowers, however, does not credit the Pulitzer Prize-winning author.
A whiff of plagiarism notwithstanding, Flowers proves to be an engaging and informative speaker. Gone are the nervous laughs and incessant throat clearings that tarnished his performance at Def Con in 2000. "Your idea is not what is going to get you funded," Flowers explains in an effort to get the entrepreneurs to think about the importance of attitude and technique.

Flowers seems to delight in debunking conventional wisdom. At one point, he tells the entrepreneurs to forget about writing a business plan. "Every time I say this, people throw tomatoes at me," he says. Flowers dispenses practical advice, too, much of it surely of value. He encourages the entrepreneurs to incorporate early and file a lot of patents, which he compares to arrows in a quiver. He even recommends what fonts to use in PowerPoint presentations -- Trebuchet, Georgia and, in a pinch, Monaco. Flowers says his ideas are based on "15 years of pain and suffering."

A little imagination also went into the presentation. Flowers tells the audience that he served for a time as "entrepreneur in residence" at Industry Ventures, a San Francisco venture capital outfit. But Hans Swildens, a principal at Industry Ventures, says Flowers is mistaken. "We funded his last company, but he never worked here," Swildens tells the Pitch. Flowers says later that he misspoke. Instead, he says he was a "technical adviser" who looked at some deals.

Toward the end of the talk, Flowers produces a list of reality-challenged statements that every successful tech entrepreneur needs. Valuable fibs include "We have clients" and "Microsoft won't be a threat." Flowers justifies the deceit on the grounds that venture capitalists expect to be told a few whoppers. Besides, the moneymen have their untruths, too. Flowers begins this section of the presentation by saying, "Here's a collection of lies you need to tell them."
From isn at c4i.org Tue May 9 03:18:51 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:18:51 -0500 (CDT)
Subject: [ISN] Antispam firm says it was victim of sophisticated attack
Message-ID:

http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=111208

By Jaikumar Vijayan
May 05, 2006
Computerworld

The CEO of an antispam firm whose service was knocked off-line by a spammer earlier this week claimed that his company was the victim of a sophisticated attack carried out, in part, with the help of someone at a top-tier Internet service provider (ISP). But some security experts expressed doubts about the company's claims and said they appear to be an attempt to deflect attention from the criticism it has received for the way in which it handled the attacks.

Eran Reshef, CEO of Blue Security Inc., an Israeli antispam firm, said his company was attacked by a major spammer named PharmaMaster who used a combination of methods to knock out the company's Web site and the servers hosting its services. Blue Security, which has its U.S. headquarters in Menlo Park, Calif., operates an antispam service designed to deter junk-mailers by spamming them back. Blue Security's Do Not Intrude program allows individuals to register their e-mail addresses with the company and essentially flood spammers who send them e-mail with automated opt-out requests.

The attacks that crippled Blue Security were preceded by PharmaMaster sending out threatening e-mails to subscribers of the Do Not Intrude Registry, warning them of even more spam if they did not withdraw their subscriptions. PharmaMaster then appears to have gotten someone at a major ISP to block Blue Security's IP address on the Internet's backbone routers, most probably via a process called black-holing, Reshef claimed. With black-holing, an ISP essentially removes the advertised path to a particular Web site or IP address -- making it completely inaccessible to the outside world.
According to Reshef, PharmaMaster informed Blue Security that he had gotten an ISP to agree to black-hole the company before the attacks started. "Immediately, we started seeing our IP address getting blacklisted by other ISPs," Reshef said. As a result, traffic to the company's main Web site dropped from the usual 100 hits per minute to about two per minute in less than an hour -- and nothing at all from outside of Israel.

At almost the same time, massive distributed denial-of-service (DDoS) attacks were launched against the dedicated servers that provide Blue Security's antispam service. The servers, located at five separate hosting provider sites, were bombarded with up to 2GB of traffic per second, rendering them inaccessible.

In what Reshef said was a bid to tell subscribers what was happening, Blue Security pointed the company's corporate Web server URL to its blog, which is hosted by Six Apart Ltd. in San Francisco. PharmaMaster then launched a DDoS attack against the server hosting Blue Security's blog. That caused thousands of other blogs hosted by Six Apart to be knocked off-line. The DDoS attacks against the company's dedicated servers meanwhile resulted in service disruptions to five hosting providers as well as major Domain Name System service provider Tucows Inc., he said.

Pointing the company's main URL to the Blue Security blog site on Six Apart when it was under attack may not have been the best idea, Reshef said. But at the time, the company had little idea that the attacker would launch a separate DoS attack on the blog site as well.

But Todd Underwood, chief operations and security officer at Renesys Inc., a Manchester, N.H.-based Internet monitoring company, said that based on traffic analysis, Blue Security's main Web site appears to have been under a DDoS attack for at least two days before it redirected its URL to the blog. "I do think if you are under attack, it is your duty not to redirect it against someone else," Underwood said.
"It is not a fair or an ethical decision," he said, adding that it is hard to imagine that Blue Security didn't know it was being hit with a DDoS attack when it pointed its URL to the blog site. Underwood also said that it was unlikely that a spammer would have been able to get an individual at a major ISP to install a "no route" to Blue Security, as Reshef claimed. "These are not the kind of networks where people can sneak in and make routing configuration changes" without logging that change or discussing it with others, he said. "The suggestion that some Russian spammer could bribe someone to install a no-route" is hard to believe, he said. John Levine, chairman of the Internet Anti-Spam Research Group, said that other antispam efforts have been similarly targeted as well. But they did not involve an ISP. And neither did those who were attacked respond like Blue Security did, he said. "If you know you are under a DoS attack, pointing your DNS at other parties is irresponsible," he said. From isn at c4i.org Tue May 9 03:18:04 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 9 May 2006 02:18:04 -0500 (CDT) Subject: [ISN] Crafts website hacked by terrorists Message-ID: http://www.boston.com/news/local/massachusetts/articles/2006/05/07/crafts_website_hacked_by_terrorists/ By Michael Levenson Globe Staff May 7, 2006 A plumber who loves glass etching, Andrew Roberge had crafts to sell. His son, Mike, knew Web design. Carriage House Glass is the marriage of their talents, an online catalog of sandblasted vases and goblets that ''caters to those who love beautiful and unique gifts," the site proclaims. But the website, which they started four years ago, offered more than just beautiful baubles, specialists in terrorism say. The site contained hidden files filled with the radical writings of a top aide to Osama bin Laden, including ''The International Islamic Resistance Call," Abu Musab al-Suri's 1,600-page manifesto advocating jihad. 
The website was hacked a year ago by followers of Suri, a Syrian-born Al Qaeda leader, who turned the Roberges' labor of love into an online reading room for aspiring mujahadeen, the specialists said.

The revelation came as a shock to the Roberges, who said they had no idea that Islamic extremists had intruded on their website. "We got hacked! Unbelievable!" exclaimed Mike Roberge, when told last week of the hidden content on his site. His startled father added, "Believe me, I wouldn't let this [expletive] get on my site. I don't need that. I don't need none of that. I'm a firm believer in minding my own business." The father and son from Lawrence vowed to delete the postings and replace them with images of eagles and American flags, "something wicked patriotic," Mike Roberge said.

A link to the hidden files on the website was circulated on bulletin boards frequented by Muslim extremists for a year, said Jarret Brachman, director of research at the Combating Terrorism Center at the US Military Academy in West Point, N.Y. Regular visitors to www.carriagehouseglass.com could never see the hidden material, specialists said. Only visitors who knew the address of the pages inside could access the cache of downloadable Arabic writings, and see the flash animation featuring the Kaaba, the black stone cube that Muslims face when they pray in Mecca.

Brachman and other researchers had been aware of the files, but said the intrusion onto the site was not unusual in the burgeoning world of online Islamic extremism. "This is a very tangential, very peripheral site that only those who are actively following this sort of literature would be accessing," Brachman said. "It doesn't cause me alarm: these guys are pests in terms of this stuff," he said. "This is standard procedure for these guys to post this kind of material."

FBI spokeswoman Gail A. Marcinkiewicz declined to comment on whether the agency knew of the website or was monitoring it.
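The hidden pages described above were never linked from the shop's own pages, so ordinary visitors and the owners alike had no reason to notice them. Two routine checks catch exactly that pattern: comparing the web root against a hash manifest taken while the site was known-good, and listing files that no page on the site references. The script below is an added example written for this newsletter, not code from the Globe article, from the Roberges' site or from any product; the toy site it builds in a temporary directory, its file names and its link patterns are all constructed for the demonstration.

```python
"""Find planted content in a web root: files new since a baseline manifest,
and files that no page on the site links to ("orphans").

Added example: the toy site below is constructed in a temporary directory;
nothing here is taken from the article or from the site it describes.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Link targets in href="..." or src="..." attributes (deliberately simple pattern)
LINK_RE = re.compile(r'(?:href|src)\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed between two manifests."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def referenced_files(root: Path) -> set:
    """Every local file that some HTML page under root links to or embeds."""
    refs = set()
    for page in root.rglob("*.htm*"):
        for target in LINK_RE.findall(page.read_text(errors="replace")):
            if re.match(r"^[a-z][a-z0-9+.-]*:", target, re.I) or target.startswith("#"):
                continue  # external URL, mailto:, or in-page anchor
            target = target.split("#", 1)[0].split("?", 1)[0]
            resolved = (page.parent / target).resolve()
            try:
                refs.add(resolved.relative_to(root.resolve()).as_posix())
            except ValueError:
                continue  # link points outside the web root
    return refs


def orphan_files(root: Path, entry_points=("index.html",)) -> list:
    """Files on disk that no page links to, ignoring the site's entry page(s).
    Planted pages are reachable only by someone who already knows the address,
    which is exactly what this list surfaces."""
    present = set(build_manifest(root))
    return sorted(present - referenced_files(root) - set(entry_points))


def demo() -> dict:
    """Build a toy shop site, baseline it, plant hidden pages, then run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "img").mkdir()
        (root / "index.html").write_text('<a href="catalog.html">Catalog</a>')
        (root / "catalog.html").write_text(
            '<img src="img/vase.jpg"> <a href="index.html">Home</a>')
        (root / "img" / "vase.jpg").write_bytes(b"\xff\xd8 constructed image stub")
        baseline = build_manifest(root)  # taken while the site is known-good

        # Intrusion as the article describes it: a page tree that the shop's
        # own pages never link to, so ordinary visitors never see it.
        hidden = root / "img" / "_cache"
        (hidden / "docs").mkdir(parents=True)
        (hidden / "lib.html").write_text('<a href="docs/book.pdf">download</a>')
        (hidden / "docs" / "book.pdf").write_bytes(b"%PDF constructed stub")

        return {"diff": diff_manifest(baseline, build_manifest(root)),
                "orphans": orphan_files(root)}
```

Running `demo()` reports both planted files as added since the baseline, while the orphan list names only the planted index page: the PDF is linked from that hidden page, so it is not an orphan. The two checks therefore complement each other, which is why a baseline should be taken and stored off the web server as soon as a site goes live and the comparison run on a schedule.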
She said the FBI would investigate a website only if it directly advocated violence. Specialists said Suri's writings advocate violence, but Marcinkiewicz said, "unless . . . there's something very urgent in that paper, it's not that we wouldn't take a look at it, it's just that we have to prioritize. There's no quick and easy answer here." "Without knowing what it's saying, it may go to the bottom of the pile of all the 101 things we have to do over here," she added.

Piggybacking on Carriage House Glass, which is password-protected, allowed extremists to avoid using a credit card or other traceable data needed to start a new website, said Rita Katz, director of the Search for International Terrorist Entities in New York. "Of course, it's a disturbing phenomenon, but we know that Al Qaeda and the jihadist online community is quite sophisticated, and they use our own techniques against us," Katz said. "It's disturbing because it could happen to anyone."

As more terrorist training grounds shut down globally, more extremists are going online, said Steven R. Corman, an Arizona State University professor who has studied the shift.

Michael Levenson can be reached at mlevenson (at) globe.com.

© Copyright 2006 The New York Times Company

From isn at c4i.org Tue May 9 03:18:20 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:18:20 -0500 (CDT)
Subject: [ISN] Gone in 60 seconds -- the high-tech version
Message-ID:

http://news.com.com/Gone+in+60+seconds--the+high-tech+version/2100-7349_3-6069287.html

By Robert Vamosi
Special to CNET News.com
May 6, 2006

Let's say you just bought a Mercedes S550--a state-of-the-art, high-tech vehicle with an antitheft keyless ignition system. After you pull into a Starbucks to celebrate with a grande latte and a scone, a man in a T-shirt and jeans with a laptop sits next to you and starts up a friendly conversation: "Is that the S550? How do you like it so far?"
Eager to share, you converse for a few minutes, then the man thanks you and is gone. A moment later, you look up to discover your new Mercedes is gone as well.

Now, decrypting one 40-bit code sequence can not only disengage the security system and unlock the doors, it can also start the car--making the hack tempting for thieves. The owner of the code is now the true owner of the car. And while high-end, high-tech auto thefts like this are more common in Europe today, they will soon start happening in America. The sad thing is that manufacturers of keyless devices don't seem to care.

Wireless or contactless devices in cars are not new. Remote keyless entry systems--those black fobs we all have dangling next to our car keys--have been around for years. While the owner is still a few feet away from a car, the fobs can disengage the auto alarm and unlock the doors; they can even activate the car's panic alarm in an emergency.

First introduced in the 1980s, modern remote keyless entry systems use a circuit board, a coded radio-frequency identification (RFID) technology chip, a battery and a small antenna. The last two are designed so that the fob can broadcast to a car while it's still several feet away. The RFID chip in the key fob contains a select set of codes designed to work with a given car. These codes are rolling 40-bit strings: With each use, the code changes slightly, creating about 1 trillion possible combinations in total. When you push the unlock button, the keyfob sends a 40-bit code, along with an instruction to unlock the car doors. If the synced-up receiver gets the 40-bit code it is expecting, the vehicle performs the instruction. If not, the car does not respond.

A second antitheft use of RFID is for remote vehicle immobilizers. These tiny chips, embedded inside the plastic head of the ignition keys, are used with more than 150 million vehicles today. Improper use prevents the car's fuel pump from operating correctly.
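The rolling-code scheme sketched above for remote keyless entry is easier to reason about with a working model of both ends. The simulation below is an added example written for this newsletter, not code from the CNET article or from any fob or car maker. It assumes codes are derived by HMAC-SHA256 truncated to 40 bits (a stand-in for the vendors' proprietary derivation), and the look-ahead window of 16 presses is invented for the demonstration; the pairing key is generated at random.

```python
"""Rolling-code remote keyless entry, simulated.

Added example, not code from the article or from any fob or car maker. The
fob and receiver share a pairing key and a press counter; every press sends
the 40-bit code for the next counter value, and the receiver accepts a code
only if it belongs to a counter ahead of the last one it accepted and within
a small look-ahead window. Assumptions: HMAC-SHA256 truncated to 40 bits
stands in for the vendors' derivation, and LOOKAHEAD is an invented value.
"""
import hashlib
import hmac
import os

CODE_BITS = 40            # the article's rolling 40-bit strings
CODE_BYTES = CODE_BITS // 8
LOOKAHEAD = 16            # assumed resync window for presses made out of range


def code_space() -> int:
    """Number of distinct 40-bit codes (the article's 'about 1 trillion')."""
    return 2 ** CODE_BITS


def derive_code(key: bytes, counter: int) -> bytes:
    """Code for one counter value; keyed, so it cannot be predicted without the key."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return mac[:CODE_BYTES]


class Fob:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self, command: str) -> tuple:
        """Advance the counter and transmit (code, command), whether or not a car hears it."""
        self.counter += 1
        return derive_code(self.key, self.counter), command


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.log = []     # accepts and rejects, the record a defender wants kept

    def receive(self, message: tuple) -> bool:
        code, command = message
        # Only counters strictly ahead of the last accepted one are candidates,
        # so a captured code cannot be replayed; only a bounded window is
        # tried, so the work per received message stays fixed.
        for candidate in range(self.last_counter + 1, self.last_counter + LOOKAHEAD + 1):
            if hmac.compare_digest(derive_code(self.key, candidate), code):
                self.last_counter = candidate
                self.log.append(("accept", command, candidate))
                return True
        self.log.append(("reject", command, None))
        return False


def demo() -> dict:
    """Walk through the cases a receiver must get right."""
    key = os.urandom(16)                        # constructed pairing secret
    fob, car = Fob(key), Receiver(key)

    first = fob.press("unlock")
    genuine = car.receive(first)                # fresh code: accepted
    replay = car.receive(first)                 # same code again: rejected

    for _ in range(5):                          # presses while out of range
        fob.press("lock")
    resync = car.receive(fob.press("unlock"))   # within LOOKAHEAD: accepted

    for _ in range(LOOKAHEAD + 5):              # far more presses than the window
        fob.press("lock")
    too_far = car.receive(fob.press("unlock"))  # beyond the window: rejected

    return {"genuine": genuine, "replay": replay, "resync": resync,
            "too_far": too_far, "last_counter": car.last_counter}
```

The four cases in `demo()` are the ones that matter in practice: a fresh code is accepted, the identical code is refused because its counter is no longer ahead of the receiver, a handful of presses made out of range are absorbed by the window, and a fob that has drifted far beyond the window is refused until the pair is resynchronised. The window is the trade-off: a wider one tolerates more stray presses but lets a captured code stay usable for longer.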
Unless the driver has the correct key chip installed, the car will run out of fuel a few blocks from the attempted theft. (That's why valet keys don't have the chips installed; valets need to drive the car only short distances.) One estimate suggests that since their introduction in the late 1990s, vehicle immobilizers have resulted in a 90 percent decrease in auto thefts nationwide. But can this system be defeated? Yes.

Keyless ignition systems allow you the convenience of starting your car with the touch of a button, without removing the chip from your pocket or purse or backpack. Like vehicle immobilizers, keyless ignition systems work only in the presence of the proper chip. Unlike remote keyless entry systems, they are passive, don't require a battery and have much shorter ranges (usually six feet or less). And instead of sending a signal, they rely on a signal being emitted from the car itself. Given that the car is more or less broadcasting its code and looking for a response, it seems possible that a thief could try different codes and see what the responses are.

Last fall, the authors of a study from Johns Hopkins University and the security company RSA carried out an experiment using a laptop equipped with a microreader. They were able to capture and decrypt the code sequence, then disengage the alarm and unlock and start a 2005 Ford Escape SUV without the key. They even provided an online video of their "car theft." But if you think that such a hack might occur only in a pristine academic environment, with the right equipment, you're wrong.

Real-world examples

Meet Radko Soucek, a 32-year-old car thief from the Czech Republic. He's alleged to have stolen several expensive cars in and around Prague using a laptop and a reader. Soucek is not new to auto theft--he has been stealing cars since he was 11 years old. But he recently turned high-tech when he realized how easily it could be done.
Ironically, what led to his downfall was his own laptop, which held evidence of all his past encryption attempts. With a database of successful encryption strings already stored on his hard drive, he had the ability to crack cars he'd never seen before in a relatively short amount of time.

And Soucek isn't an isolated example. Recently, soccer player David Beckham had not one, but two, antitheft-engineered BMW S5 SUVs stolen. The most recent theft occurred in Madrid, Spain. Police believe an auto theft gang using software instead of hardware pinched both of Beckham's BMWs.

How a keyless car gets stolen isn't exactly a state secret--much of the required knowledge is Basic Encryption 101.

The authors of the Johns Hopkins/RSA study needed only to capture two challenge-and-response pairs from their intended target before cracking the encryption. In an example from the paper, they wanted to see if they could swipe the passive code off the keyless ignition device itself. To do so, the authors simulated a car's ignition system (the RFID reader) on a laptop. By sitting close to someone with a keyless ignition device in his pocket, the authors were able to perform several scans in less than one second without the victim knowing. They then began decrypting the sampled challenge-response pairs. Using brute-force attack techniques, the researchers had the laptop try different combinations of symbols until they found combinations that matched. Once they had the matching codes, they could then predict the sequence and were soon able to gain entrance to the target car and start it.

In the case of Beckham, police think the criminals waited until he left his car, then proceeded to use a brute-force attack until the car was disarmed, unlocked and stolen.
Hear no evil, speak no evil

The authors of the Johns Hopkins/RSA study suggest that the RFID industry move away from the relatively simple 40-bit encryption technology now in use and adopt a more established encryption standard, such as the 128-bit Advanced Encryption Standard (AES). The longer the encryption code, the harder it is to crack.

The authors concede that this change would require a higher power consumption and therefore might be harder to implement; and it wouldn't be backward-compatible with all the 40-bit ignition systems already available.

The authors also suggest that car owners wrap their keyless ignition fobs in tin foil when not in use to prevent active scanning attacks, and that automobile manufacturers place a protective cylinder around the ignition slot. This latter step would limit the RFID broadcast range and make it harder for someone outside the car to eavesdrop on the code sequence.

Unfortunately, the companies making RFID systems for cars don't think there's a problem. The 17th annual CardTechSecureTech conference took place this past week in San Francisco, and CNET News.com had an opportunity to talk with a handful of RFID vendors. None wanted to be quoted, nor would any talk about 128-bit AES encryption replacing the current 40-bit code anytime soon. Few were familiar with the Johns Hopkins/RSA study we cited, and even fewer knew about keyless ignition cars being stolen in Europe.

Even Consumer Reports acknowledges that keyless ignition systems might not be secure enough for prime time, yet the RFID industry adamantly continues to whistle its happy little tune. Until changes are made in the keyless systems, any car we buy will definitely have an ignition key that can't be copied by a laptop.

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.
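The article describes the fob/receiver exchange only in outline: a 40-bit code that changes with every press, and a receiver that acts only on the code it is expecting. The simulation below is an added example, not code from the article or from any vehicle vendor; it models that exchange with an HMAC-SHA256 keyed PRF standing in for the unnamed proprietary cipher, a constructed demo key, and an assumed resynchronisation window of 16 presses, and shows why a captured code cannot simply be replayed while the code length still bounds how much guessing the scheme can resist.

```python
"""Rolling-code fob and receiver, constructed to illustrate the article's description."""
import hashlib
import hmac

CODE_BITS = 40        # the article's 40-bit code: 2**40 is about 1.1 trillion values
ACCEPT_WINDOW = 16    # assumption: how many presses ahead the receiver will resynchronise

# Constructed demo secret; a real fob's key is programmed at manufacture and never sent.
DEMO_KEY = b"constructed-demo-key-not-a-real-fob-secret"


def rolling_code(key, counter, bits=CODE_BITS):
    """Code for one button press: keyed PRF of the press counter, truncated to `bits`.

    HMAC-SHA256 is a stand-in; the article names no algorithm. Without the key an
    observer cannot derive the next code from the ones already seen, so the only
    generic attack is guessing, with success probability 2**-bits per attempt.
    """
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    truncated = int.from_bytes(mac, "big") >> (len(mac) * 8 - bits)
    return truncated.to_bytes((bits + 7) // 8, "big")


class Fob:
    """Key fob: shared secret plus a press counter that only moves forward."""

    def __init__(self, key, counter=0):
        self.key = key
        self.counter = counter

    def press(self, command):
        message = (command, rolling_code(self.key, self.counter))
        self.counter += 1  # each use yields a different code
        return message


class Receiver:
    """Car-side receiver: accepts the next expected code or one slightly ahead."""

    def __init__(self, key, counter=0, window=ACCEPT_WINDOW):
        self.key = key
        self.counter = counter
        self.window = window

    def receive(self, message):
        """Return (accepted, reason). A code at or before the last accepted
        counter is rejected, so replaying a sniffed code does nothing."""
        command, code = message
        for offset in range(self.window):
            candidate = self.counter + offset
            expected = rolling_code(self.key, candidate)
            if hmac.compare_digest(expected, code):
                self.counter = candidate + 1  # never accept this or earlier codes again
                return True, f"{command}: accepted (resynced by {offset})"
        return False, f"{command}: rejected (no match within window of {self.window})"


if __name__ == "__main__":
    fob, car = Fob(DEMO_KEY), Receiver(DEMO_KEY)
    unlock = fob.press("unlock")
    print(car.receive(unlock))   # accepted
    print(car.receive(unlock))   # same code again: rejected as a replay
```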
From isn at c4i.org Tue May 9 03:18:37 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:18:37 -0500 (CDT)
Subject: [ISN] SCADA on thin ice - Industrial control systems pose little-noticed security threat
Message-ID:

http://www.fcw.com/article94273-05-08-06-Print

By Michael Arnone
May 8, 2006

The electronic control systems that act as the nervous system for all critical infrastructures are insecure and pose disastrous risks to national security, cybersecurity experts warn.

Supervisory control and data acquisition (SCADA) and process control systems are two common types of industrial control systems that oversee the operations of everything from nuclear power plants to traffic lights. Their need for a combination of physical security and cybersecurity has largely been ignored, said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, an independent research group funded by the Homeland Security Department. Control systems security is one of six areas of critical vulnerabilities Borg included in a new cybersecurity checklist released in April by the research group.

The private-sector owners of critical infrastructure refuse to release data and deny that their aging, inherently insecure systems pose any security risk, said Dragos Ruiu, an information technology security consultant to the U.S. government who runs several hacker conferences. Control systems security has been a hot topic in the past year at those conferences.

"It's one of those issues that is so big, you just don't want to see it because any solutions will be expensive, awkward and prohibitive," Ruiu added.

Average hackers can break into the systems, said Robert Graham, chief scientist at Internet Security Systems (ISS). He, Borg and other experts fear that major cyberattacks on control systems could have socioeconomic effects as severe and far-reaching as Hurricane Katrina or even the 1986 Chernobyl nuclear disaster in Ukraine.
Most experts agree that measuring the risk from cyberattacks on critical infrastructure is difficult. Attacks are rare because control systems are still complex and individualized enough to make cracking them difficult, although a hacker who knows a particular system well can break into it easily, said Jason Larson, senior cybersecurity researcher at the Idaho National Laboratory, which leads federal efforts into critical infrastructure cybersecurity.

Even if a facility has not been attacked, that doesn't mean it's secure or the threat isn't real, said Michael Assante, senior manager of critical infrastructure protection at the laboratory. "The idea that the technology is obscure and not well-understood by a potential aggressor is dangerous thinking," he wrote in an e-mail message.

Government and industry have known for years that critical infrastructures offer ripe targets for attack. In 2002, the FBI's National Infrastructure Protection Center found that al Qaeda members had sought information on control systems for water supply and wastewater management facilities.

Open-heart surgery

Control systems are built to run around the clock for decades without interruption or human intervention. A single critical infrastructure facility can have thousands of SCADA devices spread over hundreds of miles.

Because of the systems' structure and management, standard IT security practices don't work for them, experts say. "It's more like open-heart surgery," said William Rush, a physicist at the Gas Technology Institute, a nonprofit research organization for the natural gas industry.

The systems have proprietary operating systems and applications that run on 20- to 30-year-old hardware built before security became a major IT issue, leaving them riddled with vulnerabilities.
According to conventional wisdom, critical infrastructure owners can't upgrade or patch systems because any jitter or delay caused by IT security features could lead to catastrophic breakdowns costing millions of dollars. Any mistakes in IT implementation could affect the processes the systems control, leading to product alterations, chemical interactions, explosions or worse.

The situation got even more complicated in late 2001 when infrastructure owners started connecting their control systems to Internet-enabled corporate networks to maximize the use of their sophisticated equipment, said Eric Byres, research leader at the Internet Engineering Lab at the British Columbia Institute of Technology, a leading industrial cybersecurity research facility.

That introduced new vulnerabilities on top of existing ones and created complex connections that opened new backdoors, Byres said. The result is a smorgasbord for would-be attackers. "It's open season," he said.

'The stories here are terrifying'

Utility owners say they realize cyberattacks pose a risk but don't see it as a huge problem, Rush said. The federal government says industry is responsible for protecting critical infrastructure and has told both industry and vendors to get moving. Vendors, however, are waiting for sufficient demand for security products to make them, while industry is waiting for an ample supply of products to buy them. "It's a chicken-and-egg situation," Rush said.

All parties are waiting for government standards to guide and certify their efforts. But Rush and other experts who are passionate about improving security fume at the delays. "Everyone's waiting for a major catastrophe to happen before they do anything," Graham said. "There will never be a big move until the government or [malicious] hackers force it."

Until then, tailored attacks by an individual or a massive worm attack could bring down critical infrastructure. "The stories here are terrifying," Borg said.
In January 2003, the Slammer worm infected the safety monitoring system at the Davis-Besse nuclear power plant in Oak Harbor, Ohio, and replicated so fast that it disabled the system for nearly five hours. The worm knocked out the plant's central command system for six hours. A report from the North American Electric Reliability Council found that power wasn't disrupted, but the failure stopped commands to other power utilities.

At the Black Hat Federal conference in Arlington, Va., in January, Graham presented a dozen horror stories of control system insecurity.

For example, during negotiations to provide penetration testing to a critical infrastructure facility, the facility's operators confidently told an ISS team they didn't need help because their control system was already secure. The ISS team promptly found an unsecured wireless access point connected to the facility's business network, which in turn linked to the control system, Graham said. Using a 10-year-old exploit for Sun Microsystems' Solaris operating system, the team took over the control system as the operators watched. When the team was within a few keystrokes of breaking something sensitive, the facility's operators begged them to stop. Needless to say, he said, ISS got the job.

Solutions grow into maturity

The control systems security situation isn't all bad, said John Sebes, chief technology officer and general manager of the public sector at Solidcore, which develops software that monitors changes to servers and prevents unauthorized code from running on them. The vulnerabilities are real and serious, but facilities now have their pick of mature security products to harden their systems, he said.

With work and patience, critical infrastructure sectors have found they can use IT security best practices and install commercial IT security products without crashing control systems, he said.
"Industry as a whole has been moving away from the Chicken Little syndrome," said Keith Stouffer, a mechanical engineer in the Intelligence Systems Division of the National Institute of Standards and Technology's Mechanical Engineering Laboratory. "The problem is addressable. Let's start addressing it."

Industry better get a move on as attackers ramp up attacks, Graham said. ISS is predicting an increased frequency of minor attacks on control systems during the next three years. "We see it's inevitable," Graham said. "We have seen it in every other industry, and these guys are next."

From isn at c4i.org Tue May 9 03:19:04 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:19:04 -0500 (CDT)
Subject: [ISN] Malaysia welcomes the world in fight against cyber-terrorism
Message-ID:

http://thestar.com.my/news/story.asp?file=/2006/5/7/nation/14173729

BY JOHAN FERNANDEZ
May 7, 2006

IMPACT is its name, and making an impact in the battle against cyber-terrorism is its mission.

Unveiled in Austin, Texas, the Malaysian initiative seeks to bring together governments and the international private sector to deal with increasing threats in cyberspace.

Known as the "International multilateral partnership against cyber-terrorism" or "IMPACT" it will serve as a pioneer platform to allow governments of the world to exchange notes and ideas, as well as to facilitate the sharing of skills and best practices, with the ultimate objective of combating these constantly evolving threats.

Prime Minister Datuk Seri Abdullah Ahmad Badawi who made this announcement at the closing ceremony of the 15th World Congress on IT (WCIT 2006) here on Friday said that IMPACT was not just a Malaysian concern.

"IMPACT is conceived as a partnership - between governments, as well as between governments of the world and the international private sector.
"Given that some of the best skills and technologies in cyber-security reside in the private sector, it is only natural that all governments need to work closely with businesses to effectively combat cyber-terrorism," he said.

He said the potential to wreak havoc and cause disruption to people, firms, governments and entire global systems have increased as the world became more globalised and dependent on information and communications technology (ICT).

"Today, governments across the world must be prepared to deal with threats in cyberspace.

"Even if one were to exclude the risks to life and limb, the economic loss caused by the disruption of a cyber-attack can be truly severe - for example, a nationwide blackout, collapse of trading systems or perhaps the crippling of a central bank cheque clearing system," he said.

He said the threats posed by cyber-terrorism were something that modern societies and their governments could no longer ignore.

"No country can manage this problem in isolation and to effectively overcome this global threat and it is imperative that countries throughout the world work in concert to wipe out this danger."

IMPACT has got off to a good start with some leading names lending their support.

"America's Symantec Corporation, Japan's Trend Micro, and Russia's Kaspersky Lab have already agreed to be key partners and to serve on IMPACT's international advisory board to be established soon," he said.

The Prime Minister said he was encouraged that the private sector, globally, has given its strong support and expected more of such world-class companies following suit.

For a start, IMPACT would focus its activities in three key areas - security certification, research and development; as well as establishing a global emergency response centre.

IMPACT will be sited in Cyberjaya, at the heart of "MSC Malaysia," with access to world-class ICT infrastructure.
"I am confident that IMPACT, with the co-operation of governments and the global private sector, will be able to find effective solutions to the global threat of cyber-terrorism," Abdullah said.

"I would like to invite all governments and the global private sector to partner with us in this worthy cause," he added.

On the WCIT, the Prime Minister said Malaysia was honoured and excited about hosting the next congress in 2008.

"Apart from expanding our partnerships with global technology leaders, we see our hosting of WCIT 2008 as an opportunity to stimulate further discussion on technology and technology-related policy development," Abdullah said.

He also thanked former US secretary of state Colin Powell, who was one of the keynote speakers on Friday, for his kind words about Malaysia.

From isn at c4i.org Tue May 9 03:19:16 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:19:16 -0500 (CDT)
Subject: [ISN] Wells Fargo computer missing
Message-ID:

http://www.twincities.com/mld/pioneerpress/14513672.htm

BY SHERYL JEAN
Pioneer Press
May. 06, 2006

Wells Fargo & Co., the largest bank in Minnesota and the nation's fifth largest, said Friday that a computer containing sensitive data for some of its mortgage customers is missing and might have been stolen.

It's not known whether the computer contained Minnesota customers' information.

The computer, which was being transported by an unidentified global shipping company between Wells Fargo locations, had names, addresses, Social Security numbers and mortgage loan account numbers of some Wells Fargo mortgage customers and potential customers. It did not contain other types of customer account numbers.

Wells Fargo spokeswoman Peggy Gunn wouldn't estimate the number of individuals who could be affected, citing an ongoing law enforcement investigation. She added, "The event affects a relatively small percentage of Wells Fargo's customers."
San Francisco-based Wells Fargo said it had no indication that the customer information has been accessed or misused.

Gunn said the computer has two layers of security, but she declined to elaborate. She also declined to describe the type of computer or how and when it disappeared.

Wells Fargo will notify by mail individuals whose information was stored on the computer by May 30. The bank is offering those affected a free one-year credit monitoring service.

Wells Fargo has reported two other computer security breaches, in 2003 and 2004. The bank has had no indication that the information was accessed or misused in either case, Gunn said.

Also Friday, Union Pacific Corp., the nation's largest railroad, said it's investigating the theft of a computer containing the names and Social Security numbers of 30,000 current and retired employees. The computer was stolen April 29 from a human resources employee.

Nationally, more than 160 security breaches have occurred in the past 15 months, affecting more than 55 million accounts, according to Privacy Rights Clearinghouse, a nonprofit privacy advocacy group based in San Diego. Those breaches included more than 40 cases of stolen or missing computers or laptops.

"The general population is waking up to the fact that personal data is not well secured," said Beth Givens, director of the Privacy Rights Clearinghouse.

New federal and state laws require companies to notify customers when personal information is lost or stolen, which makes them vulnerable to identity theft.

Online: Privacy Rights Clearinghouse, www.privacyrights.org

From isn at c4i.org Tue May 9 03:19:30 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:19:30 -0500 (CDT)
Subject: [ISN] Universities given security guidelines for foreign students
Message-ID:

http://www.abc.net.au/pm/content/2006/s1632039.htm

This is a transcript from PM. The program is broadcast around Australia at 5:10pm on Radio National and 6:10pm on ABC Local Radio.
Reporter: Sabra Lane
5 May, 2006

MARK COLVIN: The fight against terrorism is shifting to Australian university campuses and research institutions. The Departments of Defence and Foreign Affairs want academics to report foreign students enrolled in particular subjects. The Government also wants to broaden export controls, forcing lecturers to apply for licences if they're going to share their knowledge abroad. Sabra Lane reports.

SABRA LANE: It's not so much a crackdown on students recruiting for extremist causes, rather an attempt to detect spies in our midst and stop them from getting their hands on research at conferences. Last month, the Departments of Defence and Foreign Affairs sent the document called "Export Controls, Your Responsibilities" to universities and research institutions. It says universities must inform the Government if suspicious parties are trying to get their hands on material or research that could be used in weapons of mass destruction programs. President of the National Tertiary Education Union Carolyn Allport acknowledges the need for national security measures, but says academics weren't consulted.

(to Carolyn Allport) Are your members comfortable with dobbing in students?

CAROLYN ALLPORT: I don't think they will be. I certainly don't think they will be. So I think they're going to be very concerned about this paper. We recognise it's an important strategic objective of the Government, but at the same time, universities aren't there to be the secret police.

SABRA LANE: Former senior intelligence analyst David Wright-Neville, who now heads up the Global Terrorism Research Unit at Monash University, says it's off the mark.

DAVID WRIGHT-NEVILLE: I think it's a little clumsy in the sorts of obligations it places on academics. Academics certainly are aware of the sorts of risks that we confront in the contemporary environment. I don't think they need to be reminded of that.
It's unreasonable to expect that academics can identify terrorist activities. Trained intelligence officers with many years of experience often find it very difficult to identify terrorists, so how an academic with experience in fairly esoteric areas sometimes, can do the jobs of people who are trained to do it, is really beyond me.

SABRA LANE: With universities expanding offshore, the document says the likelihood countries will exploit Australian expertise for WMD programs is increasing. While short on details, it also reveals export control laws are under review, with the Government keen to include "intangible technology transfer". Carolyn Allport explains.

CAROLYN ALLPORT: Research, papers produced by academics in universities, or working papers, you know, seminar papers, seminars themselves, conferences, this is what's listed in the paper. They also suggest that people who are making requests from certain designated countries to come to a conference here are also seen to be risky. If there was a conference on, I don't know, some sort of chemical conference here, for example, and someone from Iran or North Korea or China made a request to come to that conference, I'm assuming from what I read here that the Government automatically sees these people as potential terrorists.

SABRA LANE: A 2004 report to the United States Congress on economic and industrial espionage found some foreigners deliberately sought jobs at universities and research houses to acquire secrets for their home countries. An intelligence analyst who declined to be interviewed by PM says the guidelines are needed as America's enemies are targeting allies like Australia and Canada. Countries he claims have underestimated espionage. David Wright-Neville disagrees.
DAVID WRIGHT-NEVILLE: It suggests that we're still in the stage of sort of knee jerk panic reactions, and I really think we need to have a Bex and have a good lie down for a while, that really none of this sort of stuff is going to address the long-term threat posed by terrorism and in fact I think it runs the risk of being counter-productive.

MARK COLVIN: David Wright-Neville ending that report by Sabra Lane.

From isn at c4i.org Tue May 9 03:21:59 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:21:59 -0500 (CDT)
Subject: [ISN] Petrol firm suspends chip-and-pin
Message-ID:

http://news.bbc.co.uk/1/hi/england/4980190.stm

BBC News
6 May 2006

Petrol giant Shell has suspended chip-and-pin payments in 600 UK petrol stations after more than £1m was siphoned out of customers' accounts.

Eight people, including one from Guildford, Surrey, and another from Portsmouth, Hants, have been arrested in connection with the fraud inquiry.

The Association of Payment Clearing Services (Apacs) said the fraud related to just one petrol chain.

Shell said it hoped to reintroduce chip-and-pin as soon as possible.

Plastic crime

The fraud is being investigated by the Metropolitan Police cheque and plastic crime unit.

"These Pin pads are supposed to be tamper resistant, they are supposed to shut down, so that has obviously failed," said Apacs spokeswoman Sandra Quinn.

She said Apacs was confident the problem was specific to Shell and not a systemic issue.

A Shell spokeswoman said: "Shell's chip-and-pin solution is fully accredited and complies with all relevant industry standards.

"We have temporarily suspended chip-and-pin availability in our UK company-owned service stations.

"This is a precautionary measure to protect the security of our customers' transactions.

"You can still pay for your fuel, goods or services with your card by swipe and signature.
"We will reintroduce chip-and-pin as soon as it is possible, following consultation with the terminal manufacturer, card companies and the relevant authorities."

Shell has nearly 1,000 outlets in the UK, 400 of which are run by franchisees who will continue to use chip-and-pin.

From isn at c4i.org Tue May 9 03:23:19 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:23:19 -0500 (CDT)
Subject: [ISN] Hacker Sentenced in Spam Case
Message-ID:

http://www.latimes.com/technology/la-fi-spam9may09,1,7522827.story?coll=la-headlines-technology

By Charles Piller
Times Staff Writer
May 9, 2006

A Downey man was sentenced to nearly five years in federal prison Monday for using malicious software to seize control of 400,000 computers and then selling access to the "zombie" machines to spammers and hackers.

Prosecutors said the 57-month sentence for Jeanson James Ancheta, 21, was the longest ever handed down for spreading computer viruses. The case also marked the first federal prosecution for using such hacking methods for financial gain.

Ancheta pleaded guilty in January to selling access to so-called botnet software that can remotely control computers to deliver spam and orchestrate distributed denial-of-service attacks against websites. Such attacks send overwhelming streams of requests to the sites, causing them to shut down. Ancheta advertised his botnets online under the heading "botz4sale."

"Your worst enemy is your own intellectual arrogance that somehow the world cannot touch you on this," U.S. District Judge R. Gary Klausner said at the sentencing hearing.

Ancheta also admitted to directing armies of infected computers to download adware - malicious software that causes advertising messages to appear on the user's screen and can harm affected computers. He collected $107,000 in commissions from the advertising companies.
Ancheta used an elaborate subterfuge to hide his actions from the victims and from the companies whose messages were displayed on their computers, said Assistant U.S. Atty. James M. Aquilina.

Ancheta also was ordered to pay $15,000 in restitution to the Naval Air Warfare Center in China Lake and the Defense Information Systems agency, whose computers were compromised by the botnet attacks.

"Every conviction raises the barrier to entry for these guys," said Scott Weiss, CEO of IronPort Systems in San Bruno, Calif., which produces anti-spam software. But, he predicted, such crimes would remain common.

"Most of these bot networks are not being run from suburban L.A.," Weiss said. "They hire guys in places like Ukraine where the long arm of the law doesn't reach as easily."

From isn at c4i.org Wed May 10 02:09:04 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 10 May 2006 01:09:04 -0500 (CDT)
Subject: [ISN] Museum unscrambles secret agency's past
Message-ID:

http://www.theregister.co.uk/2006/05/09/inside_nsa/

By Wendy Grossman
9th May 2006

Inside the NSA

A few of us got through the metal detectors before the National Security Agency (NSA) realised we were in the wrong place. We had arrived, expunged of all electronic devices from mobile phones to cameras, at the Visitors' Centre, a security outpost for visiting security personnel, instead of the National Cryptologic Museum 370 metres away by eagle. Oops.

There was a time when the very existence of the National Security Agency was completely secret. Many of the sort of people who are interested in it (such as this crowd from the annual Computers, Freedom, and Privacy conference) are, therefore, somewhat surprised by the idea that it has a cryptologic museum. Approximately 50,000 people a year find their way to Fort Meade, where the museum and NSA's headquarters are located.

The curators will tell you openly that the museum's creation in an abandoned hotel in 1993 was a public relations exercise.
The Cold War had ended, and although cryptology has been used in American wars all the way back to George Washington, between wars the effort was generally closed down. So the NSA had to answer: why should the nation keep funding it?

You would think that if anyone was likely to say "we shouldn't" it would be this group of gearheads and privacy wonks. Jostling with the NSA tour for pride of place on the programme was a panel on wiretapping featuring James Bamford, author of The Puzzle Palace, the 1982 exposé of the NSA. The NSA hasn't really forgiven him yet; mentioning his name at the museum draws a waspish response. David Kahn, whose 1967 book The Codebreakers drew a government suit when it was published, however, is now a scholar working there.

The curators seem refreshingly open, at least in the sense that they voice opinions they disassociate from the NSA. Still, the last 40 years of increasingly controversial activity is omitted. For national security reasons, of course. No one argues about wiretapping in World War II or even Korea; it's today's warrantless wiretapping that's controversial. So there is no mention of Bush, the class action suit brought on behalf of AT&T customers, or the revelations by AT&T employee Mark Klein that the NSA has been cheerfully and illegally wiretapping US citizens' domestic phone calls. It's a sign of how far the American government monolith has depressed people's free spirits that even this group does not bring up the subject.

When this museum opened it was also the height of the crypto wars, and cryptography was the hottest topic at this conference. Two government efforts made it so. One: continuing to promote the International Traffic in Arms regulations, which restricted the export of strong cryptography, slowing its adoption to protect, for example, ecommerce transactions.
Two: backing a government standard known as the Clipper Chip, which would have included encryption in devices such as telephones and modems, but at the price of storing an escrowed key with the government. ITAR was ultimately defeated by the demands of ecommerce; Clipper Chip by the cracking work of Matt Blaze. The museum has a display of secure telephones, but mentions neither the Clipper Chip nor the ITAR battles.

As sanitised as the NSA's secret history arguably is for this display, this is a much better museum than the private Spy Museum in downtown DC, which we visited a day later. The Spy Museum is all flash and celebrities, using the worst of today's multimedia jazz to distract and entertain while failing to provide anything of substance outside the book section of its gift shop.

The NSA museum, by contrast, is filled with detail and history, even if it is the NSA's greatest hits: Enigma machines, the Bombe; the "CodeTalker" Navajos from World War II, SIGSALY, its first secure voice telephone system, and other such safely past triumphs. Many of the machines in question are the originals, though the SIGSALY, like the great seal the KGB used to spy on the US Embassy in Moscow, is a mock-up. A logical decision, since the original weighed 55 tons, was made up of 40 racks of equipment, and took 13 people to operate for a single call between the Pentagon and the machine's London home, the basement of Selfridge's (it didn't fit in Churchill's office, so they ran a wire).

The Spy Museum also, being private, does not allow photography. The NSA museum, despite its owner's secrecy, is public, so except for the rarest 16th century books, you can photograph anything you like and admission is free. Everything in the museum is unclassified.

"We hope," the curator said, "that the successes of the past will help people understand the role cryptology has played in protecting national security throughout history and that they will be able to extrapolate to the present day."
In other words, they hope we will believe that they are doing just as great, important stuff right now even if they can't tell us about it. The museum, he added, also provides NSA staff with a way of explaining their jobs to their friends and family.

Vietnam is probably the best example of the museum's dual nature. The curator freely admitted it was a losing battle, citing a story told on a recent trip to the country by Daniel Ellsberg (time has gone by; people who used to face off angrily on opposite sides can be nostalgic together now) listing the number of nations the Vietnamese have fended off. Even so, he says, the NSA's work enabled them to predict the biggest offensives. Like Tom Lehrer in Folk Song Army: "They may have won all the battles - but we had all the good songs!"

Where the NSA's intelligence efforts failed them is in the gift shop, where the choice of T-shirts had narrowed to Small and XXL.

From isn at c4i.org Wed May 10 02:09:17 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 10 May 2006 01:09:17 -0500 (CDT)
Subject: [ISN] Nevada's cyber-security chief charged with embezzlement
Message-ID:

http://www.lasvegassun.com/sunbin/stories/nevada/2006/may/06/050610367.html

ASSOCIATED PRESS
May 06, 2006

CARSON CITY, Nev. (AP) - Randy Potts, chief of security for Nevada's Department of Information Technology, has been charged with theft, embezzlement and falsifying records.

The Nevada Attorney General's Office began an investigation after Potts filed claims seeking $1,757 in reimbursement for expenses incurred while attending a homeland security conference last year in Denver.

According to the criminal complaint issued Thursday, Potts obtained permission to attend the four-day conference that began last Nov. 29 after submitting a flier about it to department Director Terry Savage. But the conference actually was held in April 2005, the complaint alleges.
Potts is accused of falsifying information in his request to attend the conference and of altering the date on the flier submitted to Savage. Potts has been on administrative leave since the formal investigation began in March.

Potts has worked for the department for about three years, and has done an excellent job improving cyber-security for state agencies, Savage said. Savage said he would talk with the attorney general's office to determine what course of action he would take concerning Potts' job future. "I hope to resolve that issue next week," Savage told the Nevada Appeal.

When questioned about the expenses, Potts submitted a two-page memo citing meetings with Colorado's chief information security officer and the Colorado Information Management Commission. But the memo did not mention anything about the homeland security meeting he used to justify the trip in the first place, Savage said.

The money approved to pay for the trip came from a federal homeland security grant designated for use only on homeland security awareness training.

From isn at c4i.org Wed May 10 02:09:32 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 10 May 2006 01:09:32 -0500 (CDT)
Subject: [ISN] UK could learn from Sarbox mistakes
Message-ID:

http://www.accountancyage.com/accountancyage/analysis/2155644/uk-learn-sarbox-mistakes

Paul Grant
Accountancy Age
04 May 2006

The worst seems to be over for US companies forced to comply with the burdensome Sarbanes-Oxley Act, with further evidence emerging that auditing costs related to section 404 of the rules are dropping.

The general opinion now is that, as well as identifying efficiencies during the second year under the new laws, the higher costs first time around were also attributable to many mistakes made by companies trying to implement the new rules.

UK companies could do well to learn from this, according to Dawn Cresswell, part of UHY Hacker Young's Sarbox advisory team.
From 15 July, UK companies with a listing in the US will also have to face the same tough rules on internal controls. But as Cresswell said: 'UK companies have the advantage of being able to see what mistakes have been made in the US and making sure they don't make the same ones.

'US companies found they had misallocated a lot of their time and money in trying to achieve the first year of Sarbox compliance. They have now learnt from these mistakes and the dramatic reduction in costs in the second year reflects a more considered approach.'

This view is backed by a recent report from consultants CRA International. Using data from Big Four clients, it found that audit costs for section 404 compliance among a sample of Fortune 1000 companies had dropped 44% on the previous year to an average of $4.8m (£2.7m).

From isn at c4i.org Wed May 10 02:09:44 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 10 May 2006 01:09:44 -0500 (CDT)
Subject: [ISN] Utility may face investigation for sale of unscrubbed drives
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000333

Sharon Fisher
May 09, 2006

State and federal regulatory agencies have not yet determined whether Idaho Power faces any penalties after a salvage operator offered unscrubbed hard disk drives for sale on eBay Inc.'s auction Web site.

The utility had sold 230 disks to a salvage operator, who sold 84 on eBay. Most of the drives have been returned to Idaho Power. The incident was disclosed earlier this month.

The Federal Trade Commission would not confirm or deny whether the incident is under investigation. "In theory, there are different statutes that might come into play, but whether it was a basis for action would depend on the underlying circumstances," said Alain Sheer, an attorney in the division of privacy and identity protection in the bureau of consumer protection for the FTC, in Washington.
The Idaho Public Utilities Commission, which governs Idaho Power, would only investigate the incident if it has a direct financial impact on rate payers, a spokesman said. "If they were to file a rate case and include costs of this mishap, we'd probably deny those costs," he said. "The only way we would be involved is if a rate payer filed a complaint that he was harmed."

Meanwhile, a computer security expert who bought 10 unscrubbed Idaho Power drives over eBay, said he disclosed the problem only after the utility failed to respond to his inquiries for a month.

Karl Hart, director of information technology at the University of Cincinnati's college of nursing and a security consultant, bought ten SCSI drives, in two lots of five, from eBay for $40 per lot. "That batch came from Idaho Power completely full of data, not cleaned up at all."

Data on the drives included diagrams of the electric supplier's power grid, confidential data stored by the Idaho Power legal department about lawsuits, contracts, property transactions, and complaint letters, and personal employee data, including Social Security numbers, birth dates, and payroll information, Hart said. "There were hundreds of thousands of files on these drives," he said.

Hart said he disclosed his purchase of the unscrubbed drives publicly after first unsuccessfully trying to notify the utility about the problem. A short time later, Hart said he was contacted by Blank Law & Technology PS in Seattle, a law firm hired by the utility to investigate the situation. The firm thanked him for bringing the problem to Idaho Power's attention. Hart has since returned the drives to the utility for disposal. The university received a refund for the purchase, he said. The law firm declined comment.

The Boise, Idaho-based utility, which supplies electricity to some 460,000 customers in southern Idaho and eastern Oregon, had hired Grant Korth of Nampa, Idaho, to recycle the 230 drives, the company said.
Hart said that Idaho Power should have required its outsourcing firm to certify that the drives had been cleaned. He also noted that the issue extends beyond Idaho Power -- even to his own organization.

Hart noted that he bought 25 used computers from the University of Cincinnati a year ago to test its drives for a presentation to be made by his consulting firm, Cincinnati-based Cybercon. Hart found that the computers' unscrubbed drives held university public safety and criminal records data. The university is now putting in place policies to prevent similar problems, Hart said. "Even working at the university, it took a while to bring it to their attention," he said.

From isn at c4i.org Wed May 10 02:08:48 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 10 May 2006 01:08:48 -0500 (CDT)
Subject: [ISN] UK hackers condemn McKinnon trial
Message-ID:

http://news.bbc.co.uk/1/hi/technology/4984132.stm

BBC News
8 May 2006

The UK's hacking community has strongly criticised how fellow hacker Gary McKinnon has been treated.

Accused of hacking into US military computer networks, Mr McKinnon this week is expected to find out if he is to be extradited for trial in the US.

British hackers say he is being made an example of to serve political ends rather than improve computer security. The punishment he faces, up to 70 years in jail, was also too harsh a sentence for the crimes he has confessed to.

No defence

The US government alleges that between February 2001 and March 2002, Mr McKinnon repeatedly hacked into dozens of computers used by the US Army, Navy, Air Force, and Department of Defense.

While Mr McKinnon has admitted that he spent years wandering round military computer networks, he denies that his hacking was ever motivated by anything other than curiosity.

Despite this, the US government is attempting to extradite him to stand trial for what one American prosecutor called "the biggest military computer hack of all time".
If extradited, tried and found guilty he could face decades in jail and millions of dollars in fines.

But hackers, gathered at the regular London meetings of the UK's hacking community, have decried the treatment meted out to their fellow technophile.

Mark, one of the regular attendees of the meeting, said there was little doubt that Mr McKinnon was being made a scapegoat because some of his hacking took place after 9/11 in America.

What needed to be addressed by the US military, he said, was the freedom Mr McKinnon had to wander around supposedly secure computer networks.

"Hackers are not just skilled," said Mark, "they are lucky people and they are persistent people. It's a combination of all three.

"He was not caught for nearly two years," said Mark. "The big error was that they did not detect it in two years."

Even then the only reason Mr McKinnon, aka Solo, was caught was because of mistakes he made.

"It got so routine and blase that he got sloppy," said Mark. "If he had done it for two weeks they would never have caught him."

Public example

Mark also questioned why he was only indicted by the US government in 2005 despite being arrested by the UK's National Hi-Tech Crime Unit in 2002.

Mark, and another attendee Rat, suggested that Mr McKinnon was being treated harshly to send a message to the rest of the hacking community to clean up its act.

"But," they said, "the idea of clamping down on some unlucky guy and threatening him with 70 years in jail will not make the blindest bit of difference."

"All [hackers] think they will not get caught," said Mark.

Rat said that almost every message received by the blogs set up to document Mr McKinnon's treatment and the progress of the court case had been supportive.

Dr K, another UK hacker interviewed by the BBC News website, questioned why Mr McKinnon had to be extradited to be tried for the crimes for which he has already confessed.
"We have laws in this country to deal with this kind of trans-national data crime," he said, "Gary McKinnon should be tried here under UK law.

"Gary McKinnon should not be extradited - he's just a hacker - not a terrorist - and the UK should resist any attempts to hype up his activities by the US government in order to pillory and crucify him in public in America," he added.

From isn at c4i.org Wed May 10 02:10:15 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 10 May 2006 01:10:15 -0500 (CDT)
Subject: [ISN] Windows, Exchange flaws patched
Message-ID:

http://news.com.com/Windows%2C+Exchange+flaws+patched/2100-7350_3-6070350.html

By Dawn Kawamoto
Staff Writer, CNET News.com
Published: May 9, 2006

Microsoft on Tuesday released three security updates, two of which address critical flaws in its Exchange e-mail server and third-party software in Windows.

Critical vulnerabilities in Microsoft Exchange Calendar and Adobe's Macromedia Flash Player in Windows can lead to a remote execution of code on a user's system, according to Microsoft's security bulletins.

The software giant also issued a "moderate" update for flaws in Windows, according to its bulletin. A malicious attacker could launch a denial-of-service attack by sending a specially crafted network message through the system to exploit the flaw.

The critical Microsoft Exchange flaws affect Microsoft Exchange Server 2000 with Post-Service Pack (SP) 3, Microsoft Exchange 2000 Enterprise Server, and Microsoft Exchange Server 2003 with SP 1 or SP 2.

"An attacker could exploit the vulnerability by constructing a specially crafted message that could potentially allow remote code execution when an Exchange Server processes an e-mail with certain...properties," according to Microsoft's bulletin.

Security firm Symantec said the Microsoft Exchange flaw is the most serious of the three.
"Because the majority of Exchange servers are configured to receive e-mails from anonymous users, this vulnerability has the potential to manifest itself in the form of a worm if machines are not properly patched," Oliver Friedrichs, Symantec Security Response director, said in a statement.

Microsoft also issued a Windows update for what it described as critical flaws in Adobe's Macromedia Flash Player 5 and 6. An attacker could exploit these vulnerabilities in the Flash Player by constructing a malicious Flash animation file. Users visiting a Web site containing the specially crafted file may find their computer system taken over.

The Flash Player flaws affect Windows XP Home Edition, with SP 1 or SP 2; XP Professional; Windows 98 with Gold service pack or SP1; Windows 98 SE with Gold service pack; and Windows ME with Gold service pack.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Wed May 10 02:10:29 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 10 May 2006 01:10:29 -0500 (CDT)
Subject: [ISN] Call for Papers hack.lu 2006
Message-ID:

Forwarded from: info

As several potential speakers for the hack.lu 2006 conference have asked for more time to submit their paper, the conference committee has decided to extend the deadline to the 15th of June. As a bonus, the registration is now open, be sure to register early to benefit from the early bird rates !

The details for the Call for Papers are as follows:

Call for Papers hack.lu 2006

The purpose of the hack.lu convention is to give an open and free playground where people can discuss the implication of new technologies in society. hack.lu is a balanced mix convention where technical and non-technical people can meet each other and share freely all kinds of information. The convention will be held in the Grand-Duchy of Luxembourg in October 2006 (19-21.10.2006).
Scope

Topics of interest include, but are not limited to:

* Software Engineering
* Honeypots/Honeynets
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Electronic Voting
* Free Software and Security
* Assessment of Computer, Electronic Devices and Information Systems
* Standards for Information Security
* Legal and Social Aspect of Information Security
* Software Engineering and Security
* Malware and malicious software
* New security vulnerabilities in Computer Science
* Network security!

Deadlines

As requested by some people, we extended the date for abstract submission to the 1st July and full paper to the 1st August in order to be equitable with all the people taking part in the CfP.

Abstract submission : 1 May 2006 (extended to 15th June)
Full paper submission : 15 June 2006 (extended to 15th July)
Notification date : around end of July beginning of August

Submission guideline

Authors should submit a paper in English up to 5.000 words, using a non-proprietary and open electronic format. The program committee will review all papers and the author of each paper will be notified of the result, by electronic means. Abstract is up to 400 words.

Submissions must be sent to : hack2006-paper(AT)hack.lu

Submissions should also include the following:

1. Presenter, and geographical location (country of origin/passport) and contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4. Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant or an important tutorial.
6. Optionally, any samples of prepared material or outlines ready.

The information will be used only for the sole purpose of the hack.lu convention including the information on the public website. If you want to remain anonymous, you have the right to use a nickname.
Program Committee

http://2006.hack.lu/index.php/ProgramCommittee

Publication and rights

Authors keep the full rights on their publication/papers but give an unrestricted right to redistribute their papers for the hack.lu convention and its related electronic/paper publication.

Sponsoring

If you want to support the initiative and gain visibility by sponsoring, please contact us by writing an e-mail to supportus(AT)hack.lu

Web site and wiki

http://www.hack.lu/ - Edition 2005 : http://2005.hack.lu/

From isn at c4i.org Wed May 10 02:10:02 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 10 May 2006 01:10:02 -0500 (CDT)
Subject: [ISN] I'm the Blue Security Spammer
Message-ID:

http://www.wired.com/news/technology/security/0,70831-0.html

By Joanna Glasner
May 05, 2006

An anonymous spammer took credit on Friday for taking part in a campaign by hundreds of junk e-mailers to disable the websites of antispam firm Blue Security and affiliated internet companies.

In a message to Wired News, a writer claiming to be "one of the spammers behind (the) Blue Security scandal," said junk e-mailers have organized to collect all e-mail addresses of Blue Security's users. The writer claimed that spammers have collected e-mails of 70 to 90 percent of Blue Security's half-million registered users and sent messages to their inboxes.

"Blue Security is indeed hurting our business, but not by taking down our websites," the purported spammer wrote. "Instead, they create a daily nuisance to our server administrators."

Officials at Blue Security, based in Herzlia, Israel, could not be reached Friday to comment on the letter's authenticity. A representative of Blue Security's public relations firm, Affect Strategies in New York, said she and co-workers who use its software have not received similar messages.
Earlier this week, Blue Security's CEO, Eran Reshef, said a Russian spammer operating under the name PharmaMaster orchestrated a string of attacks this week that disabled its site and sent threatening messages to its users. The spammer, Blue Security said, also took credit for launching denial of service attacks against five hosting providers and SixApart, one of the internet's largest blog networks, where the antispam firm had posted content.

Blue Security appears to have drawn spammers' ire for its method of eliminating junk e-mail, which involves sending automated opt-out requests on behalf of its registered users to companies whose products are advertised by spammers, among other things. The company claims its methods comply with the U.S. CAN-SPAM Act, an antispam law that allows recipients of unwanted e-mail to opt out of e-mail lists. Only one opt-out request is allowed per spam received. But Blue Security effectively has been able to put the squeeze on spammers by coordinating legal opt-out requests from thousands of customers at once.

In the message to Wired News, the self-described Russian spammer said "attacks" sent by computers running Blue Frog, the tool installed on users' computers to send automated opt-out requests, are easy to handle, but time consuming.

"The point of it is to get Blue Frog software to stop turning its subscribers' computers into zombies that attack our servers," the spammer wrote. "If you want to be removed from our mailing list, please opt out first."

John Levine, a board member of the Coalition Against Unsolicited Commercial Email, said that while it's not clear the letter's author is who they claim to be, a spammer could realistically gather Blue Security's users' e-mail addresses.

"The problem with any antispam list is you can reverse engineer it," Levine said. "People can find out who's on the list."

Blue Security's website was operating normally on Friday, after being inaccessible most of the week.
Reshef said on Thursday the attack appeared to involve a breach of the internet's backbone that blocked incoming traffic to the site. However Todd Underwood, chief operations and security officer at internet routing analysis firm Renesys, said the site's inaccessibility seemed to result from a traditional denial of service attack, in which an attacker floods a target with incoming packets of data. In response to DoS attacks, ISPs commonly block all incoming traffic to a site, but they usually notify its operators first, he said.

From isn at c4i.org Thu May 11 05:22:03 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 11 May 2006 04:22:03 -0500 (CDT)
Subject: [ISN] Spot a Bug, Go to Jail
Message-ID:

http://www.wired.com/news/columns/circuitcourt/0,70857-0.html

By Jennifer Granick
May 10, 2006

A new federal prosecution again raises the issue of whether computer security experts must fear prison time for investigating and reporting vulnerabilities.

On April 28, 2006, Eric McCarty was arraigned in U.S. District Court in Los Angeles. McCarty is a professional computer security consultant who noticed that there was a problem with the way the University of Southern California had constructed its web page for online applications. A database programming error allowed outsiders to obtain applicants' personal information, including Social Security numbers.

For proof, the man copied seven applicants' personal records and anonymously sent them to a reporter for SecurityFocus. The journalist notified the school, the school fixed the problem, and the reporter wrote an article about it.

The incident might have ended there, but didn't. The school went through its server logs and easily traced the activity back to McCarty, who had made no attempt to hide his tracks. The FBI interviewed McCarty, who explained everything to the agents. Then the U.S. Attorney's Office in Los Angeles charged the security expert with violating 18 U.S.C. 1030, the federal computer crime law.
Will they ever learn?

In 2002, the U.S. Attorney in Texas charged Stefan Puffer with violating section 1030 after Puffer demonstrated to the Harris County District Court clerk that the court's wireless network was readily accessible to attackers. The prosecution claimed that Puffer, a security consultant, unlawfully accessed the system. Puffer argued that he was trying to help the county. A jury acquitted Puffer in about 15 minutes.

In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure.

Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.

The McCarty prosecution, brought by the same office that so egregiously mishandled the McDanel incident, is in the same vein. As with Puffer and McDanel, the government will have to prove not only that McCarty accessed the school system without authorization, but also that he had some kind of criminal intent. Likely, they will point to the fact that McCarty copied some applicant records.

"It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant attorney for the Department of Justice's cybercrime and intellectual property crimes section, told the SecurityFocus reporter.
"He went beyond that and gained additional information regarding the personal records of the applicant."

But if he wanted to reveal USC's security gaffe, it's not clear what else he could have done. He had to get a sampling of the exposed records to prove that his claims were true. SecurityFocus reported that USC administrators initially claimed that only two database records were exposed, and only acknowledged that the entire database was threatened after additional records were shown to them.

In any event, McCarty had arguably already done enough to get himself prosecuted by this Justice Department. The federal statute and copycat state laws prohibit accessing computers or a computer system without authorization, or in excess of authorization, and thereby obtaining information or causing damage.

What does it mean to access a networked computer? Any communication with that computer -- even if it's simply one system asking another "are you there?" -- transmits data to the other machine. The cases say that e-mail, web surfing and port scanning all access computers. One court has even held that when I send an e-mail, not only am I accessing your e-mail server and your computer, but I'm also "accessing" every computer in between that helps transmit my message.

That means the law frequently rests on the definition of "authorization." Many cases suggest that if the owner doesn't want you to use the system, for whatever reason, your use is unauthorized. In one case I took on appeal, the trial court had held that searching for airline fares on a publicly available, unprotected website was unauthorized access because the airline had asked the searcher to stop.

One Western District of Washington case, Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., says that when a company employee knows he is going to leave his position to go work for a competitor, but continues to use his computer account and copy information there for the purposes of aiding his new bosses, his access is unauthorized.

A federal court in Maryland went the other way in a case with similar facts: In International Association of Machinists and Aerospace Workers v. Werner-Matsuda, a union employee who accessed her computer account for the purposes of helping a rival union recruit members did not violate the law. The statute proscribes unauthorized access, not authorized access for unwanted purposes, said the court.

What this means for McCarty is that there are ample legal reasons for the prosecution to drop the charges against him. Yet, there are also ample legal reasons why a security professional, upon finding a database flaw, might worry that the find would bring criminal charges rather than thanks.

This situation must change. People need to be able to exercise a little bit of self-help before plugging their data into web forms, and security professionals who happen upon vulnerabilities shouldn't have to choose between leaving the system wide open to attack and prosecution.

One solution might be to focus more heavily on whether the user has criminal intent when accessing the system. Another might be to criminalize specific activities on the computer, but not access to a public system itself. A third might be to define unlawful access as the circumvention of some kind of security measure.

As we have more cases like McCarty's, McDanel's and Puffer's, perhaps security professionals will pressure state legislatures and Congress to improve the computer crime laws.

-=-

Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic.

© Copyright 2006, Lycos, Inc.
From isn at c4i.org Thu May 11 05:22:18 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 11 May 2006 04:22:18 -0500 (CDT)
Subject: [ISN] Voting glitch said to be 'dangerous'
Message-ID:

http://www.insidebayarea.com/search/ci_3804675

By Ian Hoffman
STAFF WRITER
05/10/2006

Elections officials in several states are scrambling to understand and limit the risk from a "dangerous" security hole found in Diebold Election Systems Inc.'s ATM-like touch-screen voting machines.

The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide.

Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways.

"This one is worse than any of the others I've seen. It's more fundamental," said Douglas Jones, a University of Iowa computer scientist and veteran voting-system examiner for the state of Iowa.

"In the other ones, we've been arguing about the security of the locks on the front door," Jones said. "Now we find that there's no back door. This is the kind of thing where if the states don't get out in front of the hackers, there's a real threat."

The Argus is withholding some details of the vulnerability at the request of several elections officials and scientists, partly because exploiting it is so simple and the tools for doing so are widely available.

A Finnish computer expert working with Black Box Voting, a nonprofit organization critical of electronic voting, found the security hole in March after Emery County, Utah, was forced by state officials to accept Diebold touch screens, and a local elections official allowed the expert to examine the machines.
Black Box Voting was to issue two reports today on the security hole, one of limited distribution that explains the vulnerability fully and one for public release that withholds key technical details.

The computer expert, Harri Hursti, quietly sent word of the vulnerability in March to several computer scientists who advise various states on voting systems. At least two of those scientists verified some or all of Hursti's findings. Several notified their states and requested meetings with Diebold to understand the problem.

The National Association of State Elections Directors, the non-governmental group that issues national-level approvals for voting systems, learned of the vulnerability Tuesday and was weighing its response. States are scheduled to hold primary elections in May, June and July.

"Our voting systems board is looking at this issue," said NASED chairman Kevin Kennedy, a Wisconsin elections official. "The states are talking among themselves and looking at plans to mitigate this."

Pennsylvania, California and Iowa are issuing emergency notices to local elections officials, generally telling them to "sequester" their Diebold touch screens and reprogram them with "trusted" software issued by the state capital. Elections officials are to keep the machines sealed with tamper-resistant tape until Election Day.

In California, three counties - San Joaquin, Butte and Kern - plan to rely exclusively on Diebold touch screens in their polling places for the June primary. Nine other counties, including Alameda, Los Angeles and San Diego, will use Diebold touch screens for early voting or for limited, handicapped-accessible voting in their polling places.
California elections officials told those counties Friday that the risk from the vulnerability was "low" and that any vote tampering would be revealed to voters on the paper read-out that prints when they cast their ballots, as well as to elections officials when they recount those printouts for 1 percent of their precincts after the election.

"I think the likelihood of this happening is low," assistant Secretary of State for elections Susan Lapsley said. "It assumes access and control for a lengthy period of time."

But scientists say that is not necessarily true. Preparations could be made days or weeks beforehand, and the loading of the software could take only a minute once the machines are delivered to the polling places. In some cases, machines are delivered several days before an election to schools, churches, homes and other polling places.

Scientists said Diebold appeared to have opened the hole by making it as easy as possible to upgrade the software inside its machines. The result, said Iowa's Jones, is a violation of federal voting system rules.

"All of us who have heard the technical details of this are really shocked. It defies reason that anyone who works with security would tolerate this design," he said.

© 2000-2006 ANG Newspapers

From isn at c4i.org Thu May 11 05:22:34 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 11 May 2006 04:22:34 -0500 (CDT) Subject: [ISN] Laws won't stop cybercriminals, say experts Message-ID: http://www.infoworld.com/article/06/05/10/78183_HNlegalsol_1.html By Grant Gross IDG News Service May 10, 2006

Terrorists and organized criminals are using computer vulnerabilities to line their pockets, but many cybersecurity ideas coming out of the U.S. Congress may not help much, some experts said Wednesday.
Legislation that would require companies with data breaches to notify affected customers will create new expenses for companies, much the way the Sarbanes-Oxley Act did, said Bruce Kobayashi, a law professor at George Mason University. Congress passed Sarbanes-Oxley, or SOX, in 2002, and the law requires public companies to report their internal processes for ensuring the accuracy of financial reports. "I think Congress has to ... slow down," said Kobayashi, speaking at a data security conference sponsored by conservative think tank the Progress & Freedom Foundation (PFF). "Otherwise, we're going to get some SOX-type legislation in which firms spend a lot of money sending out notifications." Since a rash of data breaches in early 2005, Congress has introduced more than 10 bills related to data breach notification. Four bills are awaiting action on either the Senate or the House of Representatives floor, but the bills differ in their approach, and each would have to pass through the other chamber to become law. Congress is scheduled to adjourn for the year in early October. The working model for a data breach bill seems to be the SOX law, which has cost U.S. businesses hundreds of millions of dollars, Kobayashi said. "The model is a sledgehammer," he said. "What economists hope is Congress steps back and looks at the costs and benefits before they do something like that." But others speaking at the PFF conference said cybersecurity problems are more serious than most people realize. The U.S. Federal Bureau of Investigation gets frequent reports of hackers attempting to extort companies by threatening to release customer data, and the U.S. Department of State has warned of terrorist organizations training hackers, said Alan Paller, director of research for the SANS Institute. "You get shot trying to rob jewelry stores," Paller said. "[Hacking] is a much better way to raise money to buy the bombs." 
Some consumer groups and businesses have called for a national data breach notification law. Businesses such as data broker ChoicePoint Inc., which in February 2005 announced a breach affecting about 150,000 people, have called for a national breach notification law instead of complying with a "patchwork" of nearly 30 such state laws. Kobayashi called for Congress to pass a law allowing companies to comply with one state law, much the way U.S. corporations register in Delaware because of its corporate tax law. "We have seen innovation at the states," he said. "I don't have any answers, but I'm sure that neither does Congress." Instead of waiting for Congress to act, businesses should demand more secure IT products, said Ken Silva, chief security officer for security vendor VeriSign Inc. He encouraged technology buyers to join organizations that advocate for more secure products. "We can't wait for Congress to solve this problem because it's not going to solve the problem," Silva said. "The fact of the matter is extortion is already illegal. Passing a law to make electronic extortion even more illegal looks good on television, but it doesn't really solve the problem." From isn at c4i.org Thu May 11 05:23:08 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 11 May 2006 04:23:08 -0500 (CDT) Subject: [ISN] Court: Alleged hacker can be extradited Message-ID: http://seattlepi.nwsource.com/national/1103AP_Britain_US_Hacker.html By DAVID STRINGER ASSOCIATED PRESS WRITER May 10, 2006 LONDON -- A British court recommended Wednesday that a man be extradited to the United States to face charges in the largest attack on U.S. government computer networks - including Army, Air Force, Navy and NASA systems. Gary McKinnon, 40, of London has been indicted in New Jersey and Virginia for allegedly hacking into U.S. government computers between February 2001 and March 2002. He was arrested in 2002 and has fought his extradition by claiming he could face prosecution under U.S. 
anti-terror laws. "My intention was never to disrupt security. The fact that I logged on and there were no passwords means that there was no security," McKinnon said, outside the hearing at London's Bow Street Magistrates Court. "I was looking for UFOs." Court records in Virginia said McKinnon caused $900,000 in damage to computers, including those of private companies, in 14 states. In New Jersey, he is accused of hacking into a network of 300 computers at the Earle Naval Weapons Station in Colts Neck, N.J., and stealing 950 passwords. The break-in - which occurred immediately after the Sept. 11, 2001, terrorist attacks - shut down the whole system for a week, Judge Nicholas Evans said. The station is responsible for replenishing the Atlantic fleet's munitions and supplies. Though McKinnon was able to view sensitive details about naval munitions and shipbuilding on the secure U.S. systems, he did not access classified information, an investigation found. British Home Secretary John Reid will make the final decision on extradition. If he approves it, McKinnon will appeal to the High Court, his lawyer Karen Todner said. Edward Lawson, another attorney for McKinnon, told an earlier hearing that his client feared prosecution by a U.S. military commission under powers introduced after the Sept. 11 attacks. But the judge said there was no "real, as opposed to fanciful, risk" of McKinnon being prosecuted under anti-terror laws, asking the suspect to accept an assurance provided by the U.S. Department of Justice. He told McKinnon that in choosing to target the United States he had "run the risk of being prosecuted in that country." Officials in New Jersey and Virginia would have to decide where McKinnon should stand trial. If convicted of the charges in New Jersey, McKinnon faces a maximum sentence of five years in federal prison and a $250,000 fine. 
From isn at c4i.org Thu May 11 05:23:28 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 11 May 2006 04:23:28 -0500 (CDT) Subject: [ISN] The Complete, Unquestionable, And Total Failure of Information Security. Message-ID: http://www.securityabsurdity.com/failure.php by Noam Eppel Vivica Information Security Inc. May 8th, 2006

Boiling Frog Syndrome

They say if you drop a frog in a pot of boiling water, it will, of course, frantically try to scramble out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite complacently. As you turn up the heat, the frog will sink into a tranquil stupor and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death.

The security industry is much like that frog: completely and uncontrollably in disarray - yet we tolerate it since we are used to it. It is time to admit what many security professionals already know: we as security professionals are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries, and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect.

The ramifications of our failure are immense. The success of the Internet and the global economy relies on trust and security. Billions of dollars of ecommerce opportunities are being lost due to inadequate security. A recent survey of U.S. adults revealed that three times as many respondents believed they were more likely to be victimized in an online attack than in a physical crime. A recent Gartner survey indicated that 14% of those who had banked online had stopped because of security concerns, and 30% had altered their usage. People are simply losing trust in the Internet.
The security community is not just failing in one specific way; it is failing across multiple categories. It is being out-innovated. It is losing the digital battle over cyberspace.

Failing? Says Who?

Today we have fourth- and fifth-generation firewalls, behavior-based anti-malware software, host and network intrusion detection systems, intrusion prevention systems, one-time password tokens, automatic vulnerability scanners, personal firewalls, etc., all working to keep us secure. Is this keeping us secure?

According to USA Today, 2005 was the worst year ever for security breaches of computer systems. The US Treasury Department's Office of Technical Assistance estimates cybercrime proceeds in 2004 were $105 billion, greater than those of illegal drug sales. According to the recently released 2005 FBI/CSI Computer Crime and Security Survey, nearly nine out of 10 U.S. businesses suffered from a computer virus, spyware or other online attack in 2004 or 2005 despite widespread use of security software. According to the FBI, every day 27,000 people have their identities stolen. And companies like IBM are putting out warning calls about more targeted, more sophisticated and more damaging attacks in 2006.

Something is seriously wrong. One only has to open a newspaper and view current headlines documenting the almost constant loss of personal and financial data due to carelessness and hacking. It isn't just careless individuals that are leaking confidential information - it is large, multinational corporations with smart, capable I.T. departments with dedicated security professionals and huge security budgets.

[...]
From isn at c4i.org Fri May 12 04:10:38 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 12 May 2006 03:10:38 -0500 (CDT) Subject: [ISN] Hackers slam McKinnon extradition ruling Message-ID: http://www.theregister.co.uk/2006/05/11/mckinnon_extradition_bevan_interview/ By John Leyden 11th May 2006

The prosecution of alleged Pentagon uber-hacker Gary McKinnon shows that the US is failing to take even basic precautions to protect its military systems, according to a reformed computer hacker accused of similar crimes 10 years ago.

Mathew Bevan, whose hacker handle is Kuji, was accused of breaking into US military computer systems but escaped without punishment when a 1997 case at Woolwich Crown Court was dropped after a long-running legal battle. After the case, Bevan became an ethical hacker and security consultant with Tiger Computer Security, and later on a freelance basis with his firm the Kuji Media Corporation.

"The internet was just starting out and in its infancy at the time of my alleged crimes. The prosecution against McKinnon, and what he says he was able to do, show that US military security has not changed. The authorities have not woken up," Bevan told El Reg.

Earlier on Wednesday, a judge gave the go-ahead to the extradition of McKinnon (AKA Solo). If Home Secretary John Reid confirms the decision, which may become the subject of appeal, McKinnon faces the possibility of trial by a military tribunal and the prospect of decades in jail.

McKinnon is accused of causing damage to US military and NASA systems during intrusions that he allegedly conducted in search of evidence that the US government was suppressing alien technology salvaged from wrecked UFOs. Bevan, like McKinnon, has an interest in free energy and evidence of UFOs.

"You might say Gary was following in my footsteps and doing the same thing, albeit using different techniques. McKinnon has admitted hacking into systems in interviews.
He's unfortunate because what he's done is a few years too late and in a different political climate," Bevan said.

Bevan said the military systems McKinnon is accused of hacking were an open resource that were likely used by numerous hackers, some with hostile intent. "McKinnon was just snooping and what he did was not motivated by personal gain. There is no reason for his extradition. He ought to be tried in the UK. The US has labeled him as a cyberterrorist and the 'biggest military hacker ever', but this just looks like an attempt to drum up publicity for the case," he added.

Daniel Cuthbert, a London-based security consultant tried over allegations that he illegally accessed the Tsunami appeal website, and subsequently convicted on what many in the security industry reckon was questionable grounds, also feels McKinnon has been harshly treated.

"I do feel he is being made an example of. He screwed up and shouldn't have been in the systems at all, but at the same time the punishment he is facing just doesn't match the crime. For the amount of years he is looking at, it would have been better in the eyes of the law to be a rapist or some other type of violent criminal," Cuthbert told El Reg.

"It's another example of the CPS [Crown Prosecution Service] and legal system not being able to cope with the movement of technology. They are still 10 years behind and using the CMA [Computer Misuse Act] as the backbone for all technology related cases," he added.

From isn at c4i.org Fri May 12 04:10:50 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 12 May 2006 03:10:50 -0500 (CDT) Subject: [ISN] China now global hub for spyware Message-ID: http://www.techworld.com/security/news/index.cfm?newsID=5983 By John E. Dunn Techworld 11 May 2006

China has overtaken the US as the major distributor of spy and malware, the latest trend report from Webroot has claimed.
The company used its "Phileas" malware tracking system to reckon China's proportion of global spyware as being 42 percent for the first quarter of 2006, with the US a distant second at 17 percent. This reverses the figures for Q4 of 2005, where the US was ahead.

If accurate, the figures are a strong indication that 2006 will be the year that China, as long predicted, overtakes the US as the world's number one malware producer. Last month, Sophos rated China as now only a fraction behind the US in the bellwether spam production league.

The Netherlands, France and Spain come next with a combined total of 12.5 percent of malware, but no one country comes close to the two main offenders.

Other statistics include the news that the cumulative figure for malware-distribution sites has risen from 400,000 in 2005 to 427,000 in the first quarter of this year. The report notes that phishing attacks have made a comeback, after a period of relative stability, something the company attributes to the easier availability of Trojan source code on the Internet.

Keyloggers are also advancing, with new techniques such as kernel-level driver designs and rootkits to the fore. More and more of these programs are setting out to disrupt anti-malware software as part of their attempt to avoid detection. The average piece of malware now comes in ten different variants.

Explanations for China's increasing prominence in malware vary. Some have said that the country is favoured as a relay point for attacks that originate elsewhere thanks to its lax controls and legislation. So the statistics don't necessarily mean that China is the world's largest producer of malware, only its new distribution hub.

Webroot points to legislation as being the deciding factor. "One reason for China's hosting growth could be due to impending anti-spyware legislation in the United States driving spyware writers to less monitored and regulated countries," the report says.
From isn at c4i.org Fri May 12 04:11:43 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 12 May 2006 03:11:43 -0500 (CDT) Subject: [ISN] Ship security system draws FBI's attention Message-ID: http://www.chron.com/disp/story.mpl/business/3858026.html By BILL HENSEL JR. Copyright 2006 Houston Chronicle May 11, 2006 A ship security concept being marketed out of Houston would be a welcome tool for authorities if terrorists tried to hit the Port of Houston, the FBI said Thursday. While the agency doesn't endorse commercial products, Special Agent Jim Walsh said, a remote-control security system like that developed by VIP Systems could be useful. "I do think this is a unique system," Walsh said of the satellite-driven vessel security program being offered by VIP Systems and its partners. The system, unveiled in 2004, was reviewed Thursday at a maritime security gathering at the Port of Houston Authority headquarters. Among the features of the VIP system is one that would allow authorities to see, via satellite, inside a vessel like an oil tanker at sea and remotely shut down its engines if it were commandeered. The FBI, which would respond jointly with the Coast Guard, would rather deal with such a vessel out at sea than in port, Walsh said. One major fear of port officials throughout the world is that an oil tanker could be commandeered and used as a weapon of mass destruction, said Alex Genin, chief executive and president of VIP Systems. SkyPort International, a secure broadband satellite communications provider that is working with VIP on the system, has a contract with one company that had a vessel commandeered by pirates on the open seas in Asia. VIP is talking with several foreign governments about using its security system, Genin said, but vessel owners or insurance companies likely would have to be the ones to fund implementation. The system also features biometrics to identify ship crew members. 
SkyPort also is working with a Florida company that has developed a system to scan vessels and containers before they enter or leave ports. That company, SeaAway, wants to test its system at the Port of Houston, according to Bernadette Kroecker, chief executive and managing director. From isn at c4i.org Fri May 12 04:11:56 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 12 May 2006 03:11:56 -0500 (CDT) Subject: [ISN] Hacker gets private data on students at Ohio University Message-ID: http://www.ohio.com/mld/beaconjournal/14554413.htm Associated Press May. 11, 2006 ATHENS, Ohio - Private information for all students enrolled at Ohio University since fall 2001 was stolen in the third electronic security breach discovered in three weeks, the school reported Thursday. It was the first time Social Security numbers and other private information for current students was compromised in the data thefts. The FBI found and alerted the school to the first breach last month, and two more have been discovered in the university's own review of all its systems. More breaches could be found as 20 employees working seven-day weeks continue the review, which could take another 10 days to finish, said Bill Sams, head of information technology. "We're going through every system from top to bottom," he said. Names, birth dates, Social Security numbers and medical information for 60,000 people were accessed in records at the school's Hudson Health Center, the university discovered last Thursday. The student clinic has records on all Athens campus students dating back to 2001, plus faculty, workers and regional campus students who sought treatment there. As it did with the previous thefts, the university sent e-mails Thursday to the affected people and will follow up with letters. The alerts couldn't be sent to students earlier because names in the database couldn't be accessed while the school backed it up to preserve evidence and rebuilt it with proper security, Sams said. 
The university reported two data thefts within three days of each other in late April. Someone gained unauthorized access to records on more than 300,000 people and organizations in the alumni relations department, including 137,000 Social Security numbers, and to a server at the school's business incubator that contained e-mails and patent and intellectual property files. After those thefts, the university set up a Web site and hot line, (740) 566-7448 or (800) 901-2303, with tips on how to prevent fraudulent use of personal information. The school also has hired a security consultant. "Given the breadth and the number of these we are operating under the assumption that we've got to make major changes very quickly," Sams said. Ohio University also has called other schools that had breaches, including Miami University in Oxford in southwest Ohio. Miami reported in September that someone had accidentally posted a grade report that included student names and Social Security numbers on a site accessible by the Internet. 
ON THE NET Ohio University data theft: http://www.ohiou.edu/datatheft

From isn at c4i.org Fri May 12 04:11:14 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 12 May 2006 03:11:14 -0500 (CDT) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-19 Message-ID:

========================================================================
The Secunia Weekly Advisory Summary 2006-05-04 - 2006-05-11
This week: 91 advisories
========================================================================

Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff spends hours every day to ensure you have the best and most reliable source of vulnerability information. Every single vulnerability report is validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database: http://secunia.com/

========================================================================
2) This Week in Brief:

Microsoft has released their monthly security bulletins for May, which fix several vulnerabilities. Additional details can be found in the referenced Secunia advisories listed below.
All users of Microsoft products are advised to visit Windows Update and apply available patches.

Reference: http://secunia.com/SA20000 http://secunia.com/SA20029 http://secunia.com/SA20045

--

A vulnerability has been reported in various Sophos Anti-Virus products, which can be exploited by malicious people to compromise a vulnerable system. Successful exploitation allows execution of arbitrary code. The vendor has issued updated versions; please refer to the referenced Secunia advisory below.

Reference: http://secunia.com/SA20028

--

VIRUS ALERTS: Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA19762] Internet Explorer "object" Tag Memory Corruption Vulnerability
2. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information
3. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
4. [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
5. [SA19802] Firefox "contentWindow.focus()" Deleted Object Reference Vulnerability
6. [SA20029] Microsoft Exchange Server Calendar Vulnerability
7. [SA19969] AWStats "migrate" Shell Command Injection Vulnerability
8. [SA19926] Linux Kernel SCTP Netfilter Denial of Service Vulnerability
9. [SA19927] PHP Multiple Unspecified Vulnerabilities
10.
[SA20045] Microsoft Windows Flash Player Code Execution Vulnerabilities ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA20045] Microsoft Windows Flash Player Code Execution Vulnerabilities [SA20029] Microsoft Exchange Server Calendar Vulnerability [SA19975] Anti-Trojan unacev2.dll Buffer Overflow Vulnerability [SA19970] XM Easy Personal FTP Server USER Command Vulnerabilities [SA19968] Cryptomathic Cenroll ActiveX Control "createPKCS10()" Buffer Overflow [SA20048] Novell Client DPRPCW32.DLL Buffer Overflow Vulnerability [SA20043] EImagePro SQL Injection Vulnerabilities [SA20039] MaxxSchedule SQL Injection and Cross-Site Scripting [SA20035] IdealBB Multiple Vulnerabilities [SA20033] FileCOPA FTP Server USER Command Denial of Service [SA20030] MultiCalendars "calsids" Parameter SQL Injection Vulnerability [SA20017] EDirectoryPro "keyword" Parameter SQL Injection [SA20004] VP-ASP Shopping Cart "cid" SQL Injection Vulnerability [SA19978] acFTP USER Command Denial of Service Vulnerability [SA19977] PowerArchiver unacev2.dll Buffer Overflow Vulnerability [SA20000] Microsoft Windows MSDTC Heap Overflow Vulnerabilities [SA20061] Microsoft Windows "itss.dll" Heap Corruption Vulnerability [SA20036] Ocean12 Calendar Manager Pro Multiple Vulnerabilities [SA20006] EPublisherPro "title" Cross-Site Scripting Vulnerability [SA19981] Ublog "text" Script Insertion Vulnerability [SA20001] Intel PROset/Wireless Software Insecure Shared Section UNIX/Linux: [SA20051] Gentoo update for mozilla-thunderbird [SA20019] Gentoo update for mozilla-firefox [SA20015] Debian update for mozilla [SA20013] Gentoo update for nagios [SA19998] Ubuntu update for nagios [SA19991] Nagios Content-Length Handling Buffer Overflow Vulnerability [SA19969] AWStats "migrate" Shell Command Injection Vulnerability [SA20065] Gentoo update for quake [SA20064] Gentoo update for ruby [SA20055] Gentoo update for pdnsd [SA20042] Avaya 
S87X0/S8500/S8300 Tar PAX Extended Headers Buffer Overflow [SA20024] Red Hat update for ruby [SA20023] Red Hat update for libtiff [SA20021] Debian update for tiff [SA20014] SUSE update for cyrus-sasl-digestmd5 [SA20012] pstotext Filename Shell Command Injection Vulnerability [SA20011] Gentoo update for rsync [SA19994] ISPConfig "go_info[server][classes_root]" File Inclusion [SA19990] Linux Kernel SCTP Denial of Service Vulnerabilities [SA19987] vpopmail Cleartext Password Authentication Bypass [SA19985] Debian update for cgiirc [SA20022] Avahi Denial of Service and Buffer Overflow Vulnerabilities [SA19983] Sun Solaris update for Xorg X Server [SA20052] Gentoo update for php [SA20050] Sun Solaris libike Denial of Service Vulnerability [SA20046] Slackware update for apache [SA19979] SUSE updates for php4 / php5 [SA20002] Ubuntu update for mysql [SA20056] UnixWare update for Ghostscript Other: [SA20058] 3Com TippingPoint SMS Server Information Disclosure [SA20044] Cisco PIX/ASA/FWSM WebSense URL Filtering Bypass Cross Platform: [SA19993] Jetbox CMS "relative_script_path" File Inclusion Vulnerability [SA20041] ACal "path" File Inclusion Vulnerability [SA20040] EQdkp "eqdkp_root_path" File Inclusion Vulnerability [SA20031] StatIt "statitpath" Parameter File Inclusion Vulnerability [SA20028] Sophos Anti-Virus Cabinet File Processing Memory Corruption [SA20027] phpRaid "phpbb_root_path" File Inclusion Vulnerability [SA20003] Claroline File Inclusion Vulnerabilities [SA19980] Dokeos "includePath" Parameter File Inclusion Vulnerability [SA19976] Fast Click SQL Lite "path" File Inclusion Vulnerability [SA20054] Dreamweaver Server Behavior SQL Injection Vulnerability [SA20047] openEngine "template" Parameter Local File Inclusion Vulnerability [SA20037] IA-Calendar Cross-Site Scripting and SQL Injection Vulnerabilities [SA20034] SaphpLesson SQL Injection Vulnerabilities [SA20032] IBM Websphere Application Server Multiple Vulnerabilities [SA20025] IBM Websphere Application 
Server Welcome Page Security Bypass [SA20020] PassMasterFlexPlus "Hack Log" Script Insertion Vulnerability [SA20018] OpenFAQ "q" Parameter Script Insertion Vulnerability [SA20016] Flexcustomer Login SQL Injection Vulnerability [SA20007] X7 Chat "avatar" Parameter Script Insertion Vulnerability [SA20005] Online Universal Payment System "read" Parameter Two Vulnerabilities [SA19999] Creative Community Portal SQL Injection Vulnerabilities [SA19997] Drupal "project.module" Script Insertion Vulnerability [SA19996] 2005-Comments-Script Multiple Vulnerabilities [SA19992] PHP-Fusion Multiple Vulnerabilities [SA19989] evoTopsites Multiple SQL Injection Vulnerabilities [SA19984] Quake3 Engine "remapShader" Buffer Overflow and Directory Traversal [SA19982] Cute Guestbook Multiple Script Insertion Vulnerabilities [SA19972] Newsadmin "nid" SQL Injection Vulnerability [SA19971] Big Webmaster Guestbook Script Multiple Script Insertion Vulnerabilities [SA20057] xpoll Authentication Bypass Security Issue [SA20053] Jadu CMS "register.php" Cross-Site Scripting Vulnerabilities [SA20038] EasyEvent "curr_year" Cross-Site Scripting Vulnerability [SA20026] CuteNews "search.php" Cross-Site Scripting Vulnerabilities [SA20008] PHP Arena paCheckbook Multiple SQL Injection Vulnerabilities [SA19995] Dynamic Galerie "pfad" Cross-Site Scripting and Information Disclosure [SA19986] PunBB "redirect_url" Cross-Site Scripting Vulnerability [SA19973] Invision Community Blog Module "selectedbids" SQL Injection [SA19988] Netscape "View Image" Local Resource Linking Weakness [SA19974] WebCalendar User Account Enumeration Weakness ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA20045] Microsoft Windows Flash Player Code Execution Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-09 Two vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious 
people to compromise a user's system. Full Advisory: http://secunia.com/advisories/20045/ -- [SA20029] Microsoft Exchange Server Calendar Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-09 A vulnerability has been reported in Microsoft Exchange Server, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20029/ -- [SA19975] Anti-Trojan unacev2.dll Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-08 Secunia Research has discovered a vulnerability in Anti-Trojan, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19975/ -- [SA19970] XM Easy Personal FTP Server USER Command Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-05-05 Two vulnerabilities have been discovered in XM Easy Personal FTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19970/ -- [SA19968] Cryptomathic Cenroll ActiveX Control "createPKCS10()" Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-05 Dennis Rand has reported a vulnerability in Cryptomathic Cenroll ActiveX Control, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19968/ -- [SA20048] Novell Client DPRPCW32.DLL Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: Unknown Released: 2006-05-10 A vulnerability with an unknown impact has been reported in Novell Client. 
Full Advisory: http://secunia.com/advisories/20048/

-- [SA20043] EImagePro SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-09

Dj_Eyes has reported some vulnerabilities in EImagePro, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20043/

-- [SA20039] MaxxSchedule SQL Injection and Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-08

Dj_Eyes has reported two vulnerabilities in MaxxSchedule, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20039/

-- [SA20035] IdealBB Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access
Released: 2006-05-09

CodeScan Labs have reported multiple vulnerabilities in IdealBB, which can be exploited by malicious users to compromise a vulnerable system or by malicious people to disclose certain sensitive information, conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20035/

-- [SA20033] FileCOPA FTP Server USER Command Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-08

Bigeazer has discovered a vulnerability in FileCOPA, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20033/

-- [SA20030] MultiCalendars "calsids" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-09

Dj_Eyes has reported a vulnerability in MultiCalendars, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20030/

-- [SA20017] EDirectoryPro "keyword" Parameter SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-09

Dj_Eyes has reported a vulnerability in EDirectoryPro, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20017/

-- [SA20004] VP-ASP Shopping Cart "cid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-08

tracewar has reported a vulnerability in VP-ASP Shopping Cart, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20004/

-- [SA19978] acFTP USER Command Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-05

Preddy has discovered a vulnerability in acFTP, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19978/

-- [SA19977] PowerArchiver unacev2.dll Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-08

Secunia Research has discovered a vulnerability in PowerArchiver, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19977/

-- [SA20000] Microsoft Windows MSDTC Heap Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-05-09

Two vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20000/

-- [SA20061] Microsoft Windows "itss.dll" Heap Corruption Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-05-10

Rubén Santamarta has discovered a vulnerability in Microsoft Windows, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20061/

-- [SA20036] Ocean12 Calendar Manager Pro Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-08

Dj_Eyes has reported some vulnerabilities in Ocean12 Calendar Manager Pro, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20036/

-- [SA20006] EPublisherPro "title" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-09

Dj_Eyes has reported a vulnerability in EPublisherPro, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20006/

-- [SA19981] Ublog "text" Script Insertion Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-05

omnipresent has discovered a vulnerability in Ublog, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19981/

-- [SA20001] Intel PROset/Wireless Software Insecure Shared Section
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-05-09

Rubén Santamarta has discovered a vulnerability in Intel PROset/Wireless Software, which can be exploited by malicious, local users to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20001/

UNIX/Linux:

-- [SA20051] Gentoo update for mozilla-thunderbird
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, DoS, System access
Released: 2006-05-09

Gentoo has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20051/

-- [SA20019] Gentoo update for mozilla-firefox
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-08

Gentoo has issued an update for mozilla-firefox. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20019/

-- [SA20015] Debian update for mozilla
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-09

Debian has issued an update for mozilla. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20015/

-- [SA20013] Gentoo update for nagios
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-08

Gentoo has issued an update for nagios. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20013/

-- [SA19998] Ubuntu update for nagios
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-08

Ubuntu has issued an update for nagios.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19998/

-- [SA19991] Nagios Content-Length Handling Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-08

A vulnerability has been reported in Nagios, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19991/

-- [SA19969] AWStats "migrate" Shell Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-05

OS Reviews has reported a vulnerability in AWStats, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19969/

-- [SA20065] Gentoo update for quake
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-10

Gentoo has issued updates for multiple packages based on the Quake 3 engine. These fix a vulnerability, which can be exploited by malicious people to potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20065/

-- [SA20064] Gentoo update for ruby
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-10

Gentoo has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20064/

-- [SA20055] Gentoo update for pdnsd
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-10

Gentoo has issued an update for pdnsd. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20055/

-- [SA20042] Avaya S87X0/S8500/S8300 Tar PAX Extended Headers Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-10

Avaya has acknowledged a vulnerability in Avaya S87X0/S8500/S8300 Media Servers, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20042/

-- [SA20024] Red Hat update for ruby
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-09

Red Hat has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20024/

-- [SA20023] Red Hat update for libtiff
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-09

Red Hat has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20023/

-- [SA20021] Debian update for tiff
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-09

Debian has issued an update for tiff. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20021/

-- [SA20014] SUSE update for cyrus-sasl-digestmd5
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-08

SUSE has issued an update for cyrus-sasl-digestmd5. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20014/

-- [SA20012] pstotext Filename Shell Command Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-08

Brian May has reported a vulnerability in pstotext, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20012/

-- [SA20011] Gentoo update for rsync
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-08

Gentoo has issued an update for rsync. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20011/

-- [SA19994] ISPConfig "go_info[server][classes_root]" File Inclusion
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-09

ReZEN has reported a vulnerability in ISPConfig, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19994/

-- [SA19990] Linux Kernel SCTP Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-09

Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19990/

-- [SA19987] vpopmail Cleartext Password Authentication Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-08

A security issue has been reported in vpopmail, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19987/

-- [SA19985] Debian update for cgiirc
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-08

Debian has issued an update for cgiirc.
This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19985/

-- [SA20022] Avahi Denial of Service and Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-05-08

Two vulnerabilities have been reported in Avahi, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20022/

-- [SA19983] Sun Solaris update for Xorg X Server
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-05-05

Sun has issued an update for Xorg X server. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19983/

-- [SA20052] Gentoo update for php
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access
Released: 2006-05-09

Gentoo has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to gain knowledge of potentially sensitive information, to conduct cross-site scripting attacks, and to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20052/

-- [SA20050] Sun Solaris libike Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-05-09

A vulnerability has been reported in Solaris, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20050/

-- [SA20046] Slackware update for apache
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-10

Slackware has issued an update for apache. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20046/

-- [SA19979] SUSE updates for php4 / php5
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information
Released: 2006-05-05

SUSE has issued updates for php4 / php5. These fix some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to bypass certain security restrictions, to gain knowledge of potentially sensitive information, and to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19979/

-- [SA20002] Ubuntu update for mysql
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-05-08

Ubuntu has issued an update for mysql. This fixes two vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20002/

-- [SA20056] UnixWare update for Ghostscript
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-10

SCO has issued an update for Ghostscript. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/20056/

Other:

-- [SA20058] 3Com TippingPoint SMS Server Information Disclosure
Critical: Less critical
Where: From local network
Impact: Exposure of system information
Released: 2006-05-10

A vulnerability has been reported in 3Com TippingPoint SMS Server, which can be exploited by malicious people to disclose certain system information.
Full Advisory: http://secunia.com/advisories/20058/

-- [SA20044] Cisco PIX/ASA/FWSM WebSense URL Filtering Bypass
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2006-05-09

George D. Gal has reported a vulnerability in Cisco PIX/ASA/FWSM, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20044/

Cross Platform:

-- [SA19993] Jetbox CMS "relative_script_path" File Inclusion Vulnerability
Critical: Highly critical
Where:
Impact: System access
Released: 2006-05-08

beford has discovered a vulnerability in Jetbox CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19993/

-- [SA20041] ACal "path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-08

PiNGuX has discovered a vulnerability in ACal, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20041/

-- [SA20040] EQdkp "eqdkp_root_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-08

OLiBekaS has discovered a vulnerability in EQdkp, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20040/

-- [SA20031] StatIt "statitpath" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-08

IGNOR3 has discovered a vulnerability in StatIt, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20031/

-- [SA20028] Sophos Anti-Virus Cabinet File Processing Memory Corruption
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-09

A vulnerability has been reported in various Sophos Anti-Virus products, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20028/

-- [SA20027] phpRaid "phpbb_root_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-09

botan has discovered a vulnerability in phpRaid, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20027/

-- [SA20003] Claroline File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-08

Some vulnerabilities have been discovered in Claroline, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20003/

-- [SA19980] Dokeos "includePath" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-08

beford has discovered a vulnerability in Dokeos, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19980/

-- [SA19976] Fast Click SQL Lite "path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-05

R at 1D3N has discovered a vulnerability in Fast Click SQL Lite, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19976/

-- [SA20054] Dreamweaver Server Behavior SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-10

A vulnerability has been reported in Dreamweaver, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20054/

-- [SA20047] openEngine "template" Parameter Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-05-09

ck has discovered a vulnerability in openEngine, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20047/

-- [SA20037] IA-Calendar Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-09

Dj_Eyes has reported some vulnerabilities in IA-Calendar, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20037/

-- [SA20034] SaphpLesson SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of system information
Released: 2006-05-08

Devil-00 has reported some vulnerabilities in SaphpLesson, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20034/

-- [SA20032] IBM Websphere Application Server Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, Exposure of sensitive information
Released: 2006-05-09

Some vulnerabilities have been reported in IBM WebSphere Application Server, where some have unknown impacts and others may disclose sensitive information or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20032/

-- [SA20025] IBM Websphere Application Server Welcome Page Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-08

A security issue has been reported in IBM Websphere Application Server, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20025/

-- [SA20020] PassMasterFlexPlus "Hack Log" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08

Nomenumbra has discovered a vulnerability in PassMasterFlexPlus, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20020/

-- [SA20018] OpenFAQ "q" Parameter Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08

Kamil 'K3' Sienicki has discovered a vulnerability in OpenFAQ, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20018/

-- [SA20016] Flexcustomer Login SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-08

Nomenumbra has discovered a vulnerability in Flexcustomer, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20016/

-- [SA20007] X7 Chat "avatar" Parameter Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08

Nomenumbra has discovered a vulnerability in X7 Chat, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20007/

-- [SA20005] Online Universal Payment System "read" Parameter Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information
Released: 2006-05-08

Preddy has reported two vulnerabilities in Online Universal Payment System Script, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20005/

-- [SA19999] Creative Community Portal SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-08

r0t has reported some vulnerabilities in Creative Community Portal, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19999/

-- [SA19997] Drupal "project.module" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08

A vulnerability has been reported in Drupal, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19997/

-- [SA19996] 2005-Comments-Script Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08

Some vulnerabilities have been discovered in 2005-Comments-Script, which can be exploited by malicious people to conduct cross-site scripting attacks and script insertion attacks.
Full Advisory: http://secunia.com/advisories/19996/

-- [SA19992] PHP-Fusion Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-09

rgod has reported some vulnerabilities in PHP-Fusion, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19992/

-- [SA19989] evoTopsites Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-08

Hamid Ebadi has reported some vulnerabilities in evoTopsites and evoTopsites Pro, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19989/

-- [SA19984] Quake3 Engine "remapShader" Buffer Overflow and Directory Traversal
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-05

Two vulnerabilities have been reported in the Quake3 Engine, which can be exploited by malicious people to access arbitrary files on a vulnerable system and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19984/

-- [SA19982] Cute Guestbook Multiple Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-05

Some vulnerabilities have been discovered in Cute Guestbook, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19982/

-- [SA19972] Newsadmin "nid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-05

Aliaksandr Hartsuyeu has discovered a vulnerability in Newsadmin, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19972/

-- [SA19971] Big Webmaster Guestbook Script Multiple Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-05

Javor Ninov has discovered some vulnerabilities in Big Webmaster Guestbook Script, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19971/

-- [SA20057] xpoll Authentication Bypass Security Issue
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-09

alp_eren has discovered a security issue in xpoll, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20057/

-- [SA20053] Jadu CMS "register.php" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-10

Some vulnerabilities have been reported in Jadu CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20053/

-- [SA20038] EasyEvent "curr_year" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08

Dj_Eyes has reported a vulnerability in easyEvent, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20038/

-- [SA20026] CuteNews "search.php" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08

k4p0 has discovered some vulnerabilities in CuteNews, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20026/

-- [SA20008] PHP Arena paCheckbook Multiple SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-08

aLMaSTeR has reported some vulnerabilities in PHP Arena paCheckbook, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20008/

-- [SA19995] Dynamic Galerie "pfad" Cross-Site Scripting and Information Disclosure
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information
Released: 2006-05-08

d4igoro has discovered some vulnerabilities in Dynamic Galerie, which can be exploited by malicious people to disclose certain sensitive information and to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19995/

-- [SA19986] PunBB "redirect_url" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-05

o.y.6 has discovered a vulnerability in PunBB, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19986/

-- [SA19973] Invision Community Blog Module "selectedbids" SQL Injection
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-05

o.y.6 has reported a vulnerability in the Invision Community Blog module for Invision Power Board, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19973/

-- [SA19988] Netscape "View Image" Local Resource Linking Weakness
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-08

A weakness has been discovered in Netscape, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19988/

-- [SA19974] WebCalendar User Account Enumeration Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2006-05-05

David Maciejak has discovered a weakness in WebCalendar, which can be exploited by malicious people to identify valid user accounts.
Full Advisory: http://secunia.com/advisories/19974/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri May 12 04:11:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 12 May 2006 03:11:29 -0500 (CDT)
Subject: [ISN] Execs tell regulators Sarbanes-Oxley costs exceed benefits
Message-ID:

http://www.networkworld.com/news/2006/051106-sox-costs.html

By Ann Bednarz
NetworkWorld.com
05/11/06

Two years of compliance with the Sarbanes-Oxley Act (SOX) have shored up corporate accounting practices - but with lopsided costs compared to benefits gained.

That's the general consensus of a wide range of business executives and auditors who gathered Wednesday in Washington, D.C., for an all-day roundtable hosted by the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board (PCAOB).

The SEC and PCAOB arranged the roundtable to solicit feedback about Section 404 of the legislation, which requires companies to attest to the effectiveness of internal controls put in place to protect financial reporting systems and processes.
"The Sarbanes-Oxley Act was a critical step in addressing an unprecedented string of corporate scandals that were rooted in very serious governance, accounting and audit failures," said SEC Chairman Christopher Cox in his opening remarks. Section 404 has the potential to improve the accuracy and reliability of financial reporting - but only if it's implemented properly, Cox said. "In practice it hasn't always worked out that way," he acknowledged.

Likewise Bill Gradison, acting chairman of the PCAOB, said that guidance the SEC issued last year and PCAOB's latest auditing standard may not be enough to clarify the rules that govern the reporting and auditing of internal controls. "Based on the information we already have, it would seem that some further changes may be in order," Gradison said.

Over the course of five panel discussions, participants shared their experiences with the internal control reporting requirements.

Philip Ameen, vice president and comptroller at General Electric, detailed the benefits of two years of Section 404 compliance: "One, we're certainly more focused on controls, both in our underlying operations and in operations that we're assessing for acquisition. Two, we are more sophisticated in those assessments and we're more targeted in analyzing and assessing the controls that are important to our reporting processes. And thirdly, we have a common vocabulary for talking about the controls," he said. "Overall, on balance, I think the management team, the board of directors and people down in trenches doing the testing are favorably impressed with progress that has been made in the second year of 404."

That said, GE didn't experience much relief in terms of the scope and cost of compliance in the second year. It tested 38,000 significant controls in 2005, down slightly from 40,000 the year earlier. In 2004, GE spent about $33 million on Section 404 compliance, and costs ran about the same in 2005, Ameen said.
While GE's tally didn't decline, research suggests other companies are seeing compliance costs drop in their second year. Colleen Cunningham, president and CEO of Financial Executives International, said companies with two years of compliance under their belts reported that costs dropped an average of 16%. That said, 85% of respondents to FEI's latest survey believe the costs of SOX compliance still outweigh the benefits.

From isn at c4i.org Fri May 12 04:12:08 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 12 May 2006 03:12:08 -0500 (CDT)
Subject: [ISN] Teenage 'e-mail bomber' heads back to court
Message-ID:

http://news.zdnet.com/2100-1009_22-6071227.html

By David Meyer
ZDNet (UK)
May 11, 2006

A teenager faces a retrial over charges that he breached British antihacking laws when he sent millions of messages to a former employer.

David Lennon, who is now 18 and can therefore be named for the first time, is alleged to have used an e-mail-bombing program called Avalanche to send approximately 5 million messages to his former employer, Domestic & General Group, in early 2004. The flood crashed the company's e-mail server.

The case against him, brought under the Computer Misuse Act, was dismissed in November by District Judge Kenneth Grant at Wimbledon Magistrates Court in London. At the time, Grant said that Section 3 of the act, which concerns unauthorized modification of data, had not been breached, as e-mails sent to a server configured to receive e-mails could not be classified as unauthorized.

But on Thursday, judges at the Royal Courts of Justice in London sent the case back to the Magistrates Court, saying Grant "was not right to state there was no case to answer." Justice Jack said the judge should consider what answer Lennon might have expected if he had asked Domestic & General about the messages before starting the mail bombing.
The U.K.'s Crown Prosecution Service, which had appealed against the original judgment, said it was pleased by Thursday's ruling.

"We have sought to clarify a point of law, to update the interpretation of that law to cope with contemporary high-tech crime. As technology develops at an ever-increasing pace the law may sometimes need to be interpreted in new ways," it said in a statement.

"The police and CPS are determined to ensure that those who use the Internet for crime are not beyond the reach of the law, and to make the Internet a safe place for both businesses and domestic users," it said.

The case highlighted flaws in the 16-year-old Computer Misuse Act, passed in the days before Internet crime became a significant problem. Critics have complained that it does not specifically outlaw denial-of-service attacks, for example.

Security expert Peter Sommer, who has called for the law to be updated, was a defense witness in Lennon's trial last year. He said on Thursday that "the defense (had been) asking the court to take a fairly narrow and literal view of the CMA."

"My own view is that they could have made a decision either way. The fact that the Court of Appeal has reversed it is not a colossal surprise," he told ZDNet UK.

David Meyer of ZDNet UK reported from London.

From isn at c4i.org Fri May 12 04:12:18 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 12 May 2006 03:12:18 -0500 (CDT)
Subject: [ISN] Homeland recruits non-profit for cybersecurity software licensing
Message-ID:

http://www.washingtontechnology.com/news/1_1/daily_news/28526-1.html

By Alice Lipowicz
Staff Writer
05/10/06

The Homeland Security Department is enlisting the help of a non-profit organization to obtain cybersecurity tools for operating systems, servers and databases used by the federal government.
The DHS Office of Procurement Operations said it is awarding a sole-source contract to the Hershey, Pa.-based Center for Internet Security to "provide software licenses for security configuration benchmarks and scoring tools capability," according to a presolicitation announcement [1]. The contract, which is of an unspecified amount, will last for a year.

The center is chaired by Franklin Reeder, a former White House director of administration and a former chief of information policy in the U.S. Office of Management and Budget. Its president is Clint Kreitner, former president of a multihospital region of Adventist Health Systems.

[1] http://www.fbo.gov/spg/DHS/OCPO/DHS-OCPO/HSHQDC%2D06%2DR%2D00033/SynopsisP.html

From isn at c4i.org Tue May 16 05:11:05 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:11:05 -0500 (CDT)
Subject: [ISN] Credit card security rules to get update
Message-ID:

http://news.com.com/Credit+card+security+rules+to+get+update/2100-1029_3-6072594.html

By Joris Evers
Staff Writer, CNET News.com
May 15, 2006

SAN FRANCISCO--Proposed new security rules for credit card-accepting businesses will put more scrutiny on software, but let them off the hook on encryption.

The update to the Payment Card Industry (PCI) Data Security Standard, due this summer, responds to evolving attacks as well as to challenges some businesses have with the encryption of consumer data, Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International, said here Monday.

The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities, Maxwell said in a presentation at a security conference hosted by vulnerability management specialist Qualys. Currently, merchants are required to validate only that there are no security holes in their network. "There is an increase in application level attacks," Maxwell said.
While security stands to benefit from a broader vulnerability scan, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.

"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.

In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more acceptable compensating and mitigating controls," he said.

While PCI is good in principle, relaxing encryption requirements is not, said Paul Simmonds, a representative of the Jericho Forum, a group of companies that promote open security technologies. "It basically means that if you hack the system, you get the data," he said. "I can't think of a good alternative for encryption."

The challenge with encryption is that older payment systems were not built to support the scrambling technology, said Qualys CEO Philippe Courtot. "Encryption is the ultimate measure of security, but the current applications have not been designed with encryption in mind," Courtot said.

The PCI security standard was developed by MasterCard and Visa and went into effect last year. It aims to reduce the risk of an attack by mandating the proper use of firewalls, message encryption, computer access controls and antivirus software. It also requires frequent security audits and network monitoring, and forbids the use of default passwords. Retailers that don't comply may face penalties, including fines.

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.
From isn at c4i.org Tue May 16 05:11:23 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:11:23 -0500 (CDT)
Subject: [ISN] The War Driver Returns
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000422

David Ramel
May 15, 2006
Computerworld

I am back on the prowl. Stealthily I slide through the night, searching for unprotected wireless networks. I find one! And then I find hundreds more.

Who cares?

War driving is so 2004. Wireless security has matured and moved on. When's the last time you heard of a wireless hack? If it happens, it sure doesn't get any publicity anymore. But the news is chock-full of stolen laptops and other data breaches - take a look at our Data Security Breaches page.

Why sit out in a parking lot for hours "sniffing" wireless traffic when you can just walk in and grab the finance guy's laptop? Or surf your county's Web site for all kinds of personal data? Also, increased awareness about the much-stronger WPA2 encryption spec and other precautions have cut down on all the fun - er, I mean, made us all safer.

For sure, there are plenty of targets out there. Two years ago, I went war driving on my route to work and found more than 100 wireless networks. This year, I found more than 400. Back then, about 70% weren't encrypted; this year it was around 55%. So even though a higher percentage of networks are encrypted, there are now many more total unencrypted networks.

Is there really a wireless security problem?

So, why the lack of hacks? Is wireless security still a problem?

"I think the problem is relatively small and dropping," said Gartner Inc. analyst John Pescatore. He said a big part of the problem a couple of years ago was that companies weren't supporting wireless networking but users were doing it anyway, setting up rogue access points with no central security management or strategy. Now, Pescatore said, companies are supporting wireless and following security precautions.
For example, he said businesses are more aware that they need something "stronger than password authentication," so he is seeing more companies rely upon secondary authentication.

Fellow Gartner analyst Ken Dulaney agrees. "This has become less of an issue," he said, for two primary reasons. First, "WPA2 has given us very good security, and the devices themselves are better protected than in past years." He said there are now multiple levels of security implemented and extending to the desktop itself - such as PC firewalls - instead of a reliance on perimeter security only. "People are beginning to realize that protecting the environment is not working," he said.

Farpoint Group analyst and Computerworld columnist Craig Mathias said in an e-mail response that the wireless security threat should be divided into curious, casual hackers and professional data thieves. As for the casual hacker, he said, "I think the war-driving days are over; there's no real sport left in that, and simple WPA or WPA2 security are quite effective here."

Mathias said the bigger threat is the professional data thieves, and they don't typically attack wirelessly. "Rather, they use physical theft, social engineering and exploiting known weaknesses to get what they want. The best way to counter this is to stop thinking about wireless security and start thinking about network security. This means end-to-end VPN-based encryption, encrypting sensitive data anywhere it is stored, and using strong two-factor authentication on every sensitive resource."

Any wireless hacks out there?

So, aren't there any big wireless hacks out there?

"I don't know of any [recent] significant wireless breaches," said consultant Jack Gold, of J. Gold Associates, via e-mail. He said most companies have gotten pretty good at security. "Not only have they turned on the security on the AP, but they also generally run some sort of firewall and isolate each location from the rest of the network," he said.
"So any 'wireless hackers' would generally have to break through the wireless security, [and] then also have to break through the firewalls to get beyond the local network. Not impossible, but this is a hard thing to do, and do you really want to be sitting in a car outside a shopping center trying to hack in for a long period of time? Probably not."

Dulaney also didn't know of any such wireless breaches.

Pescatore didn't know of any documented cases, but he has his suspicions. "I have to believe that in some cases there have been targeted wireless sniffing attacks or man-in-the-middle attacks," he said. He suspects this because he knows of breaches where the thief left no electronic trail, like there usually is in a wired intrusion. He said the attackers could have been unusually proficient and covered their tracks, but the victim companies kept good network and firewall logs that contained no evidence at all. "That's when you realize, somebody sniffing wirelessly doesn't leave a trail," he said.

The computer trade press certainly believes a big wireless security threat still exists. The "Top 10 Tips for Wireless Security" story is a staple, regurgitated again and again in different forms, much like the "How to Lose 10 Pounds in a Week" or "Is He The Right One?" articles in other magazines. In fact, Computerworld just trotted out another one last week.

I e-mailed the columnist to ask if it was really a big problem and if he knew of any examples of wireless data theft. He seemed shocked at my ignorance. He said my query could almost be material for another column (look for one soon; these people aren't paid chicken feed!).

"Attackers love ignorance, and this is a great case of it," he said. "I am not insulting you. I am just saying that it is these misperceptions that give people a false sense of security and hackers a ... dream."
I thanked him for his reply and asked him to help me overcome my ignorance by answering my original questions as to how exactly a wireless hacker would go about stealing data from even an unsecured network at a private home or company and if he knew of any specific instances of such theft, beyond hearsay reports.

He didn't provide any specific techniques but said anyone with basic computer and networking knowledge could do it. He said he knew of wireless breaches but couldn't talk about them.

I asked several other people and no one knew exactly how to access even an unprotected wireless network and steal stuff. Even the Web wasn't much help - just a lot of vague references.

As near as I can tell, you would have to practically beg somebody to steal from you: don't encrypt, don't change default SSID, don't change default password, turn on sharing for your PC and turn off the firewall, make sure your bank account number and password are readily available, etc. I guess there are people doing all that, but I wonder what they have to steal and who's putting much effort into finding them.

If even one default is changed, it appears you would have to resort to sniffers or frame generators or traffic injectors or something equally labor- and time-intensive.

So maybe there are master hackers out there with arcane methods of compromising wireless networks and installing bots, spyware, Trojans and what-have-you, and they cover their tracks and no one knows about them. Yeah, right.

Please drop me a line if you know of any wireless breaches. Or if you know exactly how one would steal data from a home or company with a wireless network -- what tools you would use and how you would use them. Or if you have any thoughts on the subject at all. I would love to hear from you. Use the "Send Us Feedback" link below or send e-mail to david_ramel at computerworld.com.
From isn at c4i.org Tue May 16 05:11:34 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:11:34 -0500 (CDT)
Subject: [ISN] Botnet implicated in click fraud scam
Message-ID:

http://www.theregister.co.uk/2006/05/15/google_adword_scam/

By John Leyden
15th May 2006

Botnets are being used for Google Adword click fraud, according to security watchers.

The SANS Institute has uncovered evidence that networks of compromised PCs are being used to click on banner ads, generating revenue for unscrupulous publishers. Pay-per-click schemes such as Google Adsense have programs to detect fraudulent clicks and suspend publishers implicated in click fraud. In an effort to disguise bogus visits, these publishers have begun hiring botnets to slip under the radar of fraud detection programs.

The "bottom line is that the advertiser pays in exchange for a bot visiting him", the SANS Institute reports [1]. Generating traffic from a small number of machines (numbered in the hundreds) makes the traffic generated from compromised machines look innocuous. In return for helping click fraud scammers keep a low profile, botnet owners rake in a percentage from the scam.

The ruse came to light after security experts in the SANS Institute's Internet Storm Centre investigated malicious software on a hacker's website. Control panels on the site, designed to facilitate the control of compromised machines infected with malware, were left open. This allowed security experts to analyse the actions of the botnet operator behind the site.

"The botnet was 115 bots in size at the early time of the day I was looking at it and most were under 15 clicks each," a handler at SANS Institute reports in a diary entry [2] filed last weekend. The institute has reported the site and its findings to Google.
[1] http://isc.sans.org/diary.php?storyid=1334
[2] http://isc.sans.org/diary.php?storyid=1334

From isn at c4i.org Tue May 16 05:10:53 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:10:53 -0500 (CDT)
Subject: [ISN] GE security exec shares tips for reducing security risks
Message-ID:

http://www.networkworld.com/news/2006/051506-ge-security.html

By Bob Brown
NetworkWorld.com
05/15/06

When it comes to putting data and identity thieves in their place, Peter Costa says there's no room for being Mr. Nice Guy.

"Have a public hanging - they have to know you'll go after them," says Costa, who heads up enterprise security at GE Consumer Finance - Americas. Companies need to be "fanatical about prosecution," he says.

Costa outlined his views (which he stressed are not all necessarily those of GE as well) for dealing with data and identity theft during a presentation at last week's CIO Forum (more from the conference [1]). The unique annual conference brings together IT suppliers and potential buyers on a cruise ship sailing out of New York City.

GE will actually call the parole board when a thief's hearing is coming up to discourage the person's release, Costa says. Before prosecution, GE will wrap up a case as tightly as it can to ensure that law enforcement takes identity and data theft seriously. "You've got to make it easy, you've got to make a point," he says.

Costa maintains that there hasn't been an explosion of data theft of late, but rather, we're just hearing about it now as a result of laws that require companies to fess up when their data systems have been breached. Nevertheless, data and identity theft are huge problems that companies need to address by assessing risks and reducing them, he says.
The first thing companies need to recognize, Costa says, is that theft or loss takes place in two primary ways: via intentional schemes, such as phishing or even dumpster diving, and unintentional means, such as a tape falling off a truck or a laptop being left behind at an airport. Data is at high risk in the former example, while it is at low risk of being compromised in the latter, he says. "You have to have two different strategies to attack these two types of problems," Costa says.

Assessing the risk

For starters, companies should figure out which information they hold is most important to them. Examples might be an employee's Social Security number, direct deposit account numbers and passwords. Information relating to partners and customers also needs to be examined.

"Now comes the hard part. You have to say: Where does it exist?" Costa says. "You'll be amazed when you start peeling the onion back. You need to understand where the physical borders are, where the electronic borders are and where all that data is going back and forth."

The next step is looking at high-level risks, which Costa lists as forced entries, such as hacking; interception of transmissions, including "snail mail" and faxes; and the insider threat. On the insider threat, he suggests companies should take a very hard look at their human resources groups, where low-level people can have access to lots of sensitive employee data. "We're far too trusting of insiders," Costa says.

Companies also need to examine how they think people might steal data. Underestimated are techniques such as people just walking into supposedly secure areas of a building on the tails of others, Costa says. Companies tend to spend more energy protecting themselves against new or sensational risks (He relates this to people fearing sharks more than pigs even though the farm animals kill more people yearly. "There's no 'Jaws' about pigs.
There's no 'Snout.'")

Process management tools can help companies get organized in addressing much of this, but companies also need to bring in a wide cross-section of people, from IT to HR to business process owners, Costa says.

Reducing the risk

The most important step is getting rid of sensitive data that you don't need at your company. "I'm shocked and amazed at how many organizations still use Social Security numbers for employee numbers," Costa says. "It means you're putting your Social Security number everywhere."

Companies should also consolidate high-risk vendors, such as marketing or mail firms, and institute a layered but uncomplicated security system that includes access controls through identity management, Costa says.

Encryption is key, too. "Encryption is important here not [just] because it lets you protect the data, but [also because] it allows you to say, 'We lost the backup tape but it's encrypted so there's no damage' - even though some states will still require you to make an announcement about it," he says.

The best thing to come out of all the attention brought to this issue of late is that companies are addressing problems more quickly, which greatly lessens the threat of damage, Costa says.

[1] http://www.networkworld.com/news/2006/051206-cio-forum-biometrics-grid-voip.html

From isn at c4i.org Tue May 16 05:11:46 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:11:46 -0500 (CDT)
Subject: [ISN] Hi-tech taskforce nets first cyber criminal
Message-ID:

http://english.vietnamnet.vn/tech/2006/05/570395/

14/05/2006

VietNamNet - The first hacker to be arrested in Vietnam was taken into custody last week, sending a clear message to cyber criminals. As the nation railroads in IT networks and other solutions, hackers are being told to buck up and obey the law by ending their destructive and illegal attacks on networks and individual machines.
The hi-tech crime investigators from the Ministry of Public Security worked with the Bach Khoa Information Securities Centre (BKIS) to trace a distributed denial of service attack back to Nguyen Thanh Cong in Dak Lak province. The attack was launched against e-commerce company Viet Co on March 12. The subsequent investigation also showed Cong had issued himself a fraudulent credit card number for online purchases.

Distributed denial of service, or DDoS, uses multiple compromised systems to target a single system, causing a denial of service attack or DoS. In a distributed attack, damage is not limited to the end target system, and cripples all systems controlled by the hacker in the distributed attack.

Cong is believed to have written a trojan that masqueraded as a benign application. Unlike viruses, trojans do not replicate themselves but can be just as destructive. As the historical name suggests, a trojan is a shell programme that introduces viruses onto host machines. As the programme spreads, the hacker is able to establish a botnet of any quantity of computers infected with the trojan. Multiple bots can then join on a single channel to flame a targeted network, launching huge numbers of DoS attacks against a target server, causing it to shut down.

A hi-tech crime investigator said Cong had pleaded guilty and was out on bail, pending investigation by the People's Supreme Procuracy and impending trial.

"This arrest will send a message to hackers that their illegal computer operations must come to an end and that this investigation department will ensure network security in Vietnam," he said.

This is the first public move by hi-tech crime investigators in Vietnam, despite the establishment of the unit more than a year ago.

"Hackers and criminals now know that there is a unit investigating them inside Vietnam, and they must be cautious, instead of acting as freely as before," the official added.
Local hackers have lauded Cong's DDoS attack, and claim his arrest as a victory. They claim the publicity of the attack gives their work credence, as the attack destroyed a commercial server that did not cater for "study purposes", a common, if misguided, allegation among Vietnamese hackers.

"We are scaring the hi-tech crime investigation unit now," a hacker in Ho Chi Minh City said in response to the arrest.

Nguyen Tu Quang, director of the investigation unit, said there have been many instances of attacks on domestic e-commerce websites, and in some instances hackers have used their security breaches for extortion.

"Botnets are a real risk to network security in Vietnam, and hackers are using a large number of trojan infected computers to launch DDoS attacks, spread spam and steal financial information. Most people are not aware of the risks and often overlook computer security," said Quang.

Meanwhile, the Vietnam Computer Emergency Response Team Coordination Centre is set to start operations this year, after training personnel. The centre will focus on protecting financial and banking, government networks and e-commerce sites which are vulnerable to online and system attacks.

From isn at c4i.org Tue May 16 05:11:58 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:11:58 -0500 (CDT)
Subject: [ISN] DoD Offers Free Anti-Spyware for Personal Use
Message-ID:

http://www.news.navy.mil/search/display.asp?story_id=23639

By Journalist 2nd Class (SW/AW) Jennifer Goulart, Naval Network Warfare Command Public Affairs
5/13/2006

NORFOLK, Va. (NNS) -- The Defense Information Systems Agency (DISA) has licensed free anti-spyware software for all government employees and armed forces personnel for use on personal computer systems.

According to the Federal Trade Commission's Web site at www.ftc.gov, Spyware is software that monitors or controls the use of your computer. It could send pop-up ads, redirect browsers to certain Web sites, or even record your keystrokes.
A pop-up ad could even try to trick someone into typing in bank account information, leading to identity theft.

Users may also be able to get the software through their respective Automated Data Processing offices.

"ADP can burn the software to a CD for the user to take home," said Information Systems Technician 1st Class (SW) Eric Rucker, an information security officer for Navy Computer Defense Operations Command (NCDOC). "Once the software is downloaded at home, it will automatically update periodically. With the amount of people that use e-mail and zip drives to bring work home and back, the risk of bringing spyware to work is much greater, and that could create weakness that may exploit DoD computers."

Steve Saunders, a Network Security Analyst for the NCDOC, said that spyware infection throughout 2005 has become one of the pre-eminent security threats to computer systems. He said that spyware is even able to masquerade as security software while actually doing damage.

Saunders said caution should be exercised when visiting Web sites if pop-ups start appearing, or if a user's computer starts showing constant or required requests to install browser components and other applications.

"Any offer for free software, or 'upgrades' by big names is another thing to watch out for," Saunders said. "The best thing to do is to go to a company's registered Web site to get the legitimate downloads available."

"Professional analysts have found that survival time of a brand new computer, just connected to the Internet, is 18 minutes," added Saunders. "Out of 6 trillion IP addresses out there, that is like a blink of an eye."

To download the free anti-spyware software, go to the DISA Web site at https://iase.disa.mil/sdep, or the Navy's Information Assurance Web site at https://infosec.navy.mil. At the INFOSEC site, click on the COMPUSEC tools tab and scroll down to the anti-spyware link, second from the top.
The software can then be saved to a local hard drive for writing on a CD-ROM or other portable media for home use. Users must be on a ".mil" workstation to download the software.

For more information about spyware and other computer security threats, go to https://infosec.navy.mil, or call the NCDOC 24/7 hotline at 1-888-NAVCDOC.

NCDOC is part of NETWARCOM, the Navy's type commander for Information Operations, FORCEnet, networks and Space. Based in Norfolk, Va., the command is the central operational authority responsible for providing ready Information Warfare forces, which are fully trained, properly manned, interoperable, well maintained and supported within the Navy.

For related news, visit the Naval Network Warfare Command Navy NewsStand page at www.news.navy.mil/local/nnwc/.

From isn at c4i.org Tue May 16 05:12:12 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:12:12 -0500 (CDT)
Subject: [ISN] Security is about people
Message-ID:

http://www.smh.com.au/news/technology/security-is-about-people/2006/05/15/1147545264723.html

By PATRICK GRAY
May 16, 2006

Australia's foremost private IT security organisation says throwing money at technology problems will not fix them.

AusCERT is bringing the world's most influential data security experts to meet executives at a conference on the Gold Coast to find better solutions. Representatives from Qantas, government, banking and an energy company are to attend.

The open forum to take place next Monday - the first day of AusCERT's annual conference - aims to educate senior executives on their responsibilities and personal liabilities concerning information security, says AusCERT program manager Mark McPherson.

"We're trying to provide a forum for a different style of audience, it's an experiment," Mr McPherson says.
So-called techno-philosopher Richard Thieme - one time seminarian, now IT visionary, speaker and author - will speak on the role of propaganda, public relations, illusion, misdirection and ridicule in the world of information security. Bread and butter issues, such as teaching students to write secure software, will also be covered. AusCERT consultant Richard Forno says security is not just a technology issue, "it's a cultural issue". "We're in the habit of throwing technology and money at a problem instead of looking at the people and why we do things a certain way," he says. Mr Forno, who also works for Washington DC-based consultancy KRVW, will deliver a two-day seminar on secure software design. He will also deliver a presentation on the incident-response capability he built for the US House of Representatives in the mid-1990s before incident handling strategies were in vogue. He says that a lack of accountability is a grave concern for security conscious corporations. "The industry focuses on the technology, because frankly it's easier," he says. "There's little accountability. We've got HIPAA (the health records and standards act) and Sarbanes-Oxley (which covers the financial and accounting sectors) but there's no incentive to do more than meet the minimum criteria." Steve Manzuik, of eEye Digital Security, intends to rattle the skeletons he says are in Microsoft's closet. Mr Manzuik says the rate of technological change transforming the security industry has slowed. "People are starting to realise that signature-based stuff is a waste of time," he says. "When it comes to having to deal with new threats I don't think it's slowing down but as protection technologies go things are becoming a little more focused." Generic protection mechanisms built into operating systems are a good start but the "people factor" can never be underestimated, he says. "No matter how well we do with fixing operating systems it will always come down to how aware people are." 
Copyright © 2006. The Sydney Morning Herald. From isn at c4i.org Wed May 17 01:45:21 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 17 May 2006 00:45:21 -0500 (CDT) Subject: [ISN] Ways Google is shaking the security world Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000540 Sarah D. Scalet May 16, 2006 CSO Ask Google anything--what's happening to GE's stock price, how to get to 881 Seventh Ave. in New York, where Mission Impossible 3 is showing, whatever happened to Brian W. after he moved away in the ninth grade--and you'll get an answer. That's the power of this $6 billion search engine sensation, which is so good at what it does that the company name became a verb. That kind of power keeps Google on the front page of the news--and sometimes under unfavorable scrutiny, as demonstrated by Google's recent clashes with the U.S. Department of Justice and also with critics displeased by the search giant's stance on Chinese government censorship. CSOs and CISOs have a different reason to think carefully about Google and the implications of having so much information online, instantly accessible by almost anyone. Although these issues relate to all search engine companies, Google gets most of the attention--not only because of its huge share of the Web search market but because of its unabashed ambitions to catalog everything from images and libraries to Earth, the moon and Mars. "We always get enamored of a new technology, and it takes us a while to understand the price of that technology," says Robert Garigue, vice president of information integrity and chief security executive of Bell Canada Enterprises in Montreal. For security pros, the price is that Google can be used to dig up network vulnerabilities and locations of sensitive facilities, to enable fraud and cause other sorts of mayhem against the enterprise. 
Here, CSO examines the ways Google is shaking the security world, and what companies can do about them. 1. Google Hacking (strictly defined) What it is: Using search engines to find systems vulnerabilities. Hackers can use carefully crafted searches to find things like open ports, overly revealing error messages or even (egads) password files on a target organization's computer systems. Any search engine can do this; blame the popularity of the somewhat imprecise phrase "Google hacking" on Johnny Long. The author of the well-read book Google Hacking for Penetration Testers, Long hosts a virtual swap meet where members exchange and rate intricately written Google searches. How it works: The way Google works is by "crawling" the Web, indexing everything it finds, caching the index information and using it to create the answers when someone runs a Web search. Unfortunately, sometimes organizations set up their systems in a way that allows Google to index and save a lot more information than they intended. To look for open ports on CSO's Web servers, for instance, a hacker could search Google.com for INURL:WWW.CSOONLINE.COM:1, then INURL:WWW.CSOONLINE.COM:2, and so on, to see if Google has indexed port 1, port 2 and others. The researcher also might search for phrases such as "Apache test page" or "error message", which can reveal configuration details that are like hacker cheat sheets. Carefully crafted Google searches sometimes can even unearth links to sloppily installed surveillance cameras or webcams that are not meant to be public. Why it matters: Suppose someone is scanning all your ports. Normally, this activity would show up in system logs and possibly set off an intrusion detection system. But search engines like Google have Web crawlers that are supposed to regularly read and index everything on your Web servers. (If they didn't, let's face it--no one would ever visit your website.) 
By searching those indices instead of the systems themselves, "you can do penetration testing without actually touching the victims' sites," points out consultant Nish Bhalla, founder of Security Compass. What to do: Beat hackers at their own game: Hold your own Google hacking party (pizzas optional). Make Google and other search engines part of your company's routine penetration testing process. Bhalla recommends having techies focus on two things: which ports are open, and which error messages are available. When you find a problem, your first instinct may be to chase Google off those parts of your property. There is a way to do this--sort of--by using a commonly agreed-upon protocol called a "robots.txt" file. This file, which is placed in the root directory of a website, contains instructions about files or folders that should not be indexed by search engines. (For a notoriously long example, view the White House's file at www.whitehouse.gov/robots.txt.) Many companies that run search engines heed the instructions in this file. Notice we said "many"? Some search engines ignore robots.txt requests and simply index everything anyway. What's more, the robots.txt file tips off hackers about which public parts of your Web servers you'd prefer to keep quiet. Meanwhile, the information that your pen testers found through Google is already out there. Sure, you can contact search engines individually and ask them, pretty please, to remove the information from their caches. (Visit www.google.com/webmasters for instructions.) But you're better off making the information useless. "The persistence of these caches is impossible to manage, so you have to assume that if it's there, it's going to be there forever," says Ed Amoroso, CISO of AT&T. His solution? Simple. "Let's say you found a file with a bunch of passwords. Change those passwords." Then, fix the underlying problem. Eliminate or hide information that shouldn't be publicly available. 
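The article's caveat is that robots.txt is itself public, so every path it names is also an announcement of what the site owner would rather keep quiet. The following script is an added example, not code from the CSO article or any project, that a site owner can run against their own robots.txt to see exactly which paths it discloses and which of them look sensitive; the sample file, the sensitive-word list and the function names are all constructed for the demonstration.

```python
"""Audit a robots.txt for the paths it discloses.

Added example (not part of the CSO article). Crawlers that honour
robots.txt stay away from the listed paths, but the file is readable
by anyone, so each 'Disallow' line also tells a reader where to look.
The right fix for a sensitive path is authentication or removal,
not a robots.txt entry.
"""
import re

# Constructed sample robots.txt for the demonstration (not a real site).
SAMPLE_ROBOTS = """\
# constructed example
User-agent: *
Disallow: /cgi-bin/
Disallow: /tmp/
Disallow: /admin/
Disallow: /backup/passwords.xls

User-agent: Googlebot
Disallow: /internal/phone-list.html
Allow: /
"""

# Constructed list of words that suggest a disclosed path names something
# that should be protected rather than merely hidden from crawlers.
SENSITIVE_HINTS = ("admin", "backup", "passw", "internal", "private", "phone")


def parse_robots(text):
    """Return {user_agent: [disallowed paths]} in file order.

    A record is one or more consecutive User-agent lines followed by
    rules; a blank line, or a User-agent line after a rule, starts a new
    record. Comments are stripped, directive names are matched
    case-insensitively, and an empty 'Disallow:' (nothing disallowed)
    is ignored.
    """
    rules = {}
    agents = []            # agents the current record applies to
    prev_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            agents, prev_was_agent = [], False
            continue
        m = re.match(r"([A-Za-z-]+)\s*:\s*(.*)", line)
        if not m:
            continue
        field, value = m.group(1).lower(), m.group(2).strip()
        if field == "user-agent":
            if not prev_was_agent:
                agents = []
            agents.append(value)
            rules.setdefault(value, [])
            prev_was_agent = True
            continue
        prev_was_agent = False
        if field == "disallow" and value:
            for agent in agents:
                rules[agent].append(value)
    return rules


def disclosed_paths(text):
    """Every distinct path the file names, whichever agent it targets."""
    seen = []
    for paths in parse_robots(text).values():
        for path in paths:
            if path not in seen:
                seen.append(path)
    return seen


def flag_sensitive(paths, hints=SENSITIVE_HINTS):
    """Paths whose name suggests the entry advertises something sensitive."""
    return [p for p in paths if any(h in p.lower() for h in hints)]


if __name__ == "__main__":
    for agent, paths in parse_robots(SAMPLE_ROBOTS).items():
        print(f"User-agent {agent!r} is told to avoid: {paths}")
    flagged = flag_sensitive(disclosed_paths(SAMPLE_ROBOTS))
    print("Entries that advertise sensitive locations:", flagged)
```

Run it against your own site's robots.txt and treat each flagged entry as a resource to lock down or remove, since listing it there only keeps well-behaved crawlers away.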
Long term, you'll have to do the heavy lifting too, by closing unnecessary ports or fixing poorly written applications. Shock waves: 4 (highest). It's up to you to make sure your company isn't accidentally publishing instructions on how to hack its systems. 2. Google Hacking (loosely defined) What it is: Using search engines to find intellectual property. It's Google intel: The researcher uses targeted Web searches to find bits and pieces of information that, when put together, form a picture of an organization's strategy. Unlike, say, launching a SQL injection attack, doing competitive intelligence using public sources is quite legal (and may in fact be good business). How it works: The researcher scours the Web for information that might include research presented at academic conferences, comments made in chat rooms, résumés or job openings. "Companies leave bread crumb trails all over the place on the Web," says Leonard Fuld, founder of Fuld & Co. and author of the forthcoming book The Secret Language of Competitive Intelligence. One common tactic is using search queries that reveal only specific file types, such as Microsoft Excel spreadsheets (filetype:xls), Microsoft Word documents (filetype:doc) or Adobe PDFs (filetype:pdf). This kind of search filters out a lot of noise. Say you want information about General Motors. Searching for "GENERAL MOTORS" "FINANCIAL ANALYSIS" one day in February yielded 56,400 results. Searching for "GENERAL MOTORS" "FINANCIAL ANALYSIS" FILETYPE:XLS brought up only 34 documents. One of those documents was a spreadsheet from a recruiting agency that contains the current jobs and work history (though not the names) of executives at numerous companies (including GM) who may be on the job market. Another common approach is searching for phrases that may indicate information that wasn't intended to be public. For this, keywords such as "personal", "confidential" or "not for distribution" are invaluable. 
These targeted searches don't always hit pay dirt, but they can be fascinating. For instance, on that same day in February, the top hit on a search for "GENERAL MOTORS" "NOT FOR DISTRIBUTION" was a PDF from a credit-rating company with poorly redacted information that could be easily viewed by pasting the text into another document. (Oops!) A final tactic is to target the organization's site itself for information, such as phone lists, that could be useful for social engineering scams. Researchers might use the site search function and look for the phrase "phone list" or "contact list". (An actual search might be SITE:CSOONLINE.COM "PHONE LIST", and if you run that particular search, you'll find stories CSO has published about why your company's phone directory is better kept under wraps.) Why it matters: "If it's on Google, it's all legal," says Ira Winkler, information security consultant and author of Spies Among Us. Competitive intelligence of this sort is illegal espionage only when it involves a trade secret--and if something is public enough to appear in Google, can you really argue that it was protected like a trade secret? What to do: That Google hacking party we mentioned earlier should involve a few site searches for sensitive files, such as financial records and documents labeled "not for distribution." Beyond your own borders, it's a good idea to know what people are saying about your organization, even if there's little you can do about it. "Using search engines to figure out what your public-facing view looks like has become a de facto element in any corporate security program," Amoroso says. Brand protection companies such as MarkMonitor and Cyveillance will work the beat for you, if you'd prefer. Creating (and enforcing) good policies about employee blogging or the use of message boards and chat rooms can also limit your exposure. Shock waves: 3 (significant). This kind of competitive intelligence has been going on forever, and it is damaging. 
The Web means more information gets out, and it's easier to find. 3. Google Earth What it is: A software download that provides highly navigable satellite and aerial photography of the entire globe. (The same images are also available through Google Maps at http://maps.google.com.) The scope and resolution of the photos are eye-popping enough that Google Earth drew ire even as a beta product in 2005. Some people feel threatened that a photo of, say, their backyard is only a few clicks away, and others fear that terrorists will use the images of landmarks or pieces of the critical infrastructure to plot attacks. How it works: After the user installs the software (the basic version is free at http://earth.google.com), she can zoom to any spot on the planet, often with enough detail to see driveways, if not cars. The virtual globe can be overlaid with information on roads, train tracks, coffee shops, hotels and more. Enterprising researchers are also overlaying Google Maps with everything from locations of murders to public rest rooms that have baby-changing tables. Images are up to three years old and come from commercial and public sources, with widely varying resolution. Why it matters: The privacy implications of having this information so readily available are certainly worth discussing as a society, but the security risks to U.S.-based companies are low. Much of the information was already available anyway. For instance, Microsoft stitched together images from the U.S. Geological Survey a decade ago with its Terraserver project. It just doesn't work as smoothly. Not only have these types of images long been available online, but they can also be easily purchased from government and private sources, says John Pike, director of the military think tank Globalsecurity.org. There are only a couple of legal restrictions. First, the images must be at least 24 hours old. Second, the U.S. 
military has what Pike calls "shutter control": the ability to tell commercial satellite companies not to release imagery that might compromise U.S. military operations. To the best of Pike's knowledge, the U.S. military has never invoked this power, nor have the regulations governing satellite imagery changed during the Bush administration's war on terrorism. "If Rummy's not worried about it," Pike says, referring to Secretary of State Donald Rumsfeld, "it's hard for me to see how anyone can lose much sleep over it." What to do: If your organization's security plan is based on no one being able to obtain aerial or satellite photography of a facility, then it probably ain't much of a plan. "Anybody who has the capacity to constitute a threat that rises much above graffiti is going to have it in their power to get imagery of a facility," Pike says. "If security managers have something that they don't want to be seen, they need to put a roof on it." Beyond that, be prepared for cocktail party banter about the risks and rewards of Google Earth and Google Maps. At the U.S. Food and Drug Administration, for instance, CISO Kevin Stine finds Google Earth personally fascinating, and he likes to muse about its potential for use in, say, disaster planning. "From a CISO perspective, I think we need to be aware of these kinds of tools," he says. But for his security group, the only impact he thinks Google Earth might eventually have, if it begins to encompass more business applications, is a drain on bandwidth. In other words, it's a concern about as big as your lawn chairs seen from space. Shock waves: 1 (minimal). Security by obscurity is so 20th century. Google Earth just illustrates why. 4. Click Fraud What it is: The act of manipulating pay-per-click advertising. Perpetrators inflate the number of people who have legitimately clicked an online ad, either to make money for themselves or to bleed a competitor's advertising budget. 
How it works: With pay-per-click advertising, an advertiser pays each time someone clicks an ad hosted on a website. Google, Yahoo and other search engine companies make their money by selling advertisers the right to have their text-only ads appear when someone searches for a particular keyword. There are two ways to manipulate pay-per-click advertising: competitor click fraud and network click fraud. First, the competitor variety: Let's suppose a company that sells life insurance wants to advertise on Google. The company might bid for and win rights to the phrase "life insurance". Then, when someone runs a Google search for that exact phrase, the company's ad appears next to the search results as a sponsored link. (How close to the top of the list depends on both the price per click and the superpowered algorithms that constitute Google's secret sauce.) Each time someone clicks the sponsored link, Life Insurance Co. pays the agreed-upon price to Google -- say $5. With competitor click fraud, an unscrupulous competitor tries to run up Life Insurance Co.'s advertising bill by clicking the link. A lot. Network click fraud, on the other hand, cashes in on the fact that Google isn't the only company that hosts Google advertising. Suppose someone has a blog about insurance. She can sign up as a Google advertising affiliate and have ads for insurance run on her site. If Life Insurance Co. is paying Google $5 per click, Ms. Insurance Blogger might pocket $1 for each click her site generates. Network click fraud is when an affiliate generates fraudulent traffic in order to boost its revenue. Google insists it is trying to keep the problem in check. Shuman Ghosmajumder, product manager for trust and safety at Google, says the company monitors for all kinds of what it dubs "invalid clicks," and that it routinely issues refunds to advertisers and closes down fraudulent affiliates. In 2005, Google even won a lawsuit against an affiliate it charged with click fraud. 
But some advertisers say that Google isn't doing enough to prevent and monitor for fraud because it profits from the fraud. Google faces a class-action lawsuit led by AIT, a Web-hosting company, and is in the midst of reaching a $90 million settlement with Lane's Gifts & Collectibles, a mail-order store. (At press time, the proposed settlement was before a judge.) Why it matters: Click fraud is following a trajectory that will be familiar to any CSO, and it's a telling example of how sophisticated and profitable electronic crime has become. First, the good guys started looking at server logs to find IP addresses in patterns that indicated fraud. The bad guys responded by creating automated bots that simulated different IP addresses and had varying time stamps. Then, the good guys improved their click-fraud detection tools, with a cottage industry sprouting up that specializes in helping online advertisers monitor for fraud. Cue up "click farms," where the bad guys hire people in other countries to do the clicking in a way that looks more realistic. "It's a cat-and-mouse game," says Chris Sherman, executive editor of SearchEngine-Watch.com. What to do: The first step is to put tracking measures in place. In a recent survey done by the Search Engine Marketing Professional Organization (Sempo), a trade group, 42 percent of respondents said they had been victims of click fraud, but nearly one-third of respondents said they weren't actively tracking fraud. "The way you monitor it is you look for something that doesn't make sense," explains Kevin Lee, chair of the group's research committee. "If you spent $100 every day last week, and then this week you spent $130 every day and didn't get any more conversions, or whatever your success metrics are," then you might have a problem, he says. "Usually the engines will catch the obvious fraud, and they won't even bill you for it," Lee continues. 
But if you have a larger problem, you may need to gather information about why you believe some of the clicks are fraudulent and ask the company hosting the ads for a refund. Ghosmajumder says Google devotes significant resources to a team of investigators who proactively monitor for fraud and also do research about possible fraud reported by advertisers. Google also has engineers working on technical means to identify invalid clicks. According to the Sempo survey, 78 percent of advertisers that have been victims of click fraud have received credit from a paid search provider, and 40 percent of the time it was based on their request. The question, of course, is whether to bother making a request. Who better than the CSO to help the advertising department figure out whether it would cost more for the company to tamp down on the problem or simply to pay for the fraud? Shock waves: 2 (moderate). For companies using pay-per-click, this is one to watch. Click fraud has the potential to dramatically reduce the effectiveness of online advertising. But with more than 90 percent of Google's revenue coming from advertising, the company has a serious incentive to keep the problem in check so that advertisers don't lose faith in the pay-per-click model. 5. Google Desktop What it is: A free tool offered by Google that allows users to quickly search the contents of their hard drives. (Similar tools are offered by MSN, Yahoo and others.) The latest version can also be used to share files between computers. How it works: After the user downloads the tool, it works in the background to index everything on his hard drive, much like Google indexes the Web. All fixed drives are indexed by default, but the user can specify folders to exclude or extra drives to add. The software can be set to return results on text files, spreadsheets, PDFs, Web history, e-mail and more. 
Once the indexing is done, when the user runs a Google search, items from his own computer appear at the top of the results. Alternately, he can use the tool by itself by opening it on his desktop; he doesn't even need to be connected to the Web. A new version also has a controversial feature that allows a user to share files between computers. With this setting enabled, Google indexes the files on one computer, pulls them up on its servers, then pushes them down onto another computer (which is similarly configured with the software). Then, a search done on one computer returns results from both. Why it matters: It's easy to see why people get all prickly about this one. Once the tool is installed and files are indexed, a snoop needs only a coffee break, rather than a lunch hour, to search someone's hard drive for files about, say, Bob Jones's salary. To make matters worse, freewheeling users may not pay attention or understand how to make sure that sensitive documents aren't indexed. To its credit, Google has tried to improve the standard configuration of the tool. An early version automatically returned results with password-protected files and secure HTTP pages; now, those types of files aren't indexed unless the user changes a setting. "People screamed about that, and Google changed it very quickly," SearchEngineWatch.com's Sherman says. Even so, setting up appropriate exclusions can get complicated. Some companies--as well as many individuals who are concerned about their personal privacy--are also leery of making so much information available to Google. The new Search Across Computers feature only heightens these concerns. With this feature, Google says, copies of users' personal files can sit on Google's servers for up to 30 days. Google downplays this time frame. 
Says Matthew Glotzbach, product manager for Google Enterprise, "If both of your computers are on and syncing, [the files are on Google's servers] only a matter of minutes"--the time it takes for Google to pull up the information and push it back down onto the second computer. But having the information saved on Google's servers at all is troubling, given that search engine companies are routinely subpoenaed by prosecutors. (Google's privacy policy states: "We may also share information with third parties in limited circumstances, including when complying with legal process, preventing fraud or imminent harm, and ensuring the security of our network and services.") In one especially charged case, Google fought a subpoena from the U.S. Department of Justice, which wanted search results to help analyze its enforcement of the Children's Online Privacy Protection Act. A judge reduced the amount of information Google must turn over, and the ensuing debate raised awareness about the amount (and nature) of information that Google has in its stores. The fact that the software is relatively untested raises additional questions. Last November, an Israeli researcher reported that he had found a vulnerability in Microsoft Internet Explorer that allowed him to illicitly access information in Google Desktop. Google fixed the problem, but legitimate concerns linger. "Anytime you install software from a third party directly on a hard drive of a particular machine, you're potentially opening up holes in the security of that machine," says Matt Brown, a Forrester senior analyst. What to do: It's time to catch up--something that Brown says is especially important given the fact that Sarbanes-Oxley requires companies to keep tabs on where and how long their information is retained. Consider whether your users actually need desktop search for their jobs. If they do, you'll want to have a hand in how it's configured and used. 
(Bonus points go to the CSO who makes sure that users understand the privacy implications of all these tools, beyond just telling them to read the privacy policy.) At the FDA, Stine is in the early stages of looking at the tool. "There have been some requests [for desktop search] here and there, but there hasn't been a user outcry," he says. If (or when) there comes a point when a lot of users have a legitimate need for desktop search, Stine says he'll look carefully at how the technology identifies, indexes and presents information. "We'd have to ensure that we still maintain complete control--at least as complete as possible--over the information," he says. Fortunately, he'd have plenty of options. Several companies have enterprise desktop search tools that help CISOs keep tabs on the information. Google Desktop 3 for Enterprise, currently in beta, allows administrators to completely disable features such as the Search Across Computers feature. Google says it is working to make future versions of this tool easier to manage. "I don't think we anticipated such a concerned or negative response," Glotzbach says. "We've taken to heart the feedback on the Search Across Computers feature, especially in the enterprise context, and we're actively working on making it even easier for the companies to use" in a secure manner, he says. X1 Technologies, which has partnered with Yahoo, offers a competing enterprise search tool that Brown says is more manageable from an IT perspective. "Part of the problem with these technologies is they get announced and people immediately start downloading," Brown says. "It takes companies a little while to catch on to what's happening." Shock waves: 4 (highest). Desktop search is an untested technology with a wide potential for misuse. If your users don't need it, don't let them use it; if they do need it, consider enterprise tools that can be centrally managed and controlled. 
Future Shocks Google has shaken us, by holding up a mirror and forcing us to look at what we've put online. "Google provides a lot of capability that can do you harm as well as providing you search capabilities," Winkler says. "What makes it its strength makes it its danger." The future will make search technology only more dangerous. Bell Canada's Garigue points out that search technology is still in its very infancy, barely scratching the surface of what he calls the shallow Web. "The shallow Web is everything that's public on Web servers," he says. "The deep Web is what's hidden inside databases." From the Library of Congress to Lexis-Nexis' legal and news archives, to Medline's medical databases, the great bulk of information that people access online is still available only to subscribers, not to Google. "Google is the first generation of tools," Garigue says. As those tools get more sophisticated, the shock waves will only grow stronger. This story is reprinted from CSO Online.com, an online resource for information executives. Story Copyright CXO Media Inc., 2006. From isn at c4i.org Wed May 17 01:44:37 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 17 May 2006 00:44:37 -0500 (CDT) Subject: [ISN] The four domains of data security Message-ID: http://www.computerweekly.com/Articles/2006/05/16/215898/The+four+domains+of+data+security.htm By Avinash W Kadam 16 May 2006 Security professionals are expected to be proficient with a range of security techniques, but which qualifications do you need to progress your career? Knowing which qualifications you need to progress your career is a dilemma faced by every information security professional. With a myriad of certificates to choose from which one will help you prove that you can do your job better? Which one will be valued by employers? A security professional has to be proficient with a range of security techniques. 
These include operating system security, network security, application security, penetration testing and incident management techniques. Many suppliers offer certificates that are restricted to specific products. These are appropriate when IT security professionals need to be familiar with specific infrastructure or systems. But you should also consider acquiring certificates that are product independent. The Sans Institute, for example, offers some excellent certificates under the name "global information assurance certification". Information security management is a fast growing discipline, and security professionals are expected to have good exposure to various security management approaches. Many organisations are planning to have their information security management system certified to the ISO 27001 standard. Such organisations look for information security officers with security management qualifications such as the CISSP (certified information systems security professional), offered by the International Information Systems Security Certification Consortium (ISC)2. Organisations also look for business continuity management certification, and the Disaster Recovery Institute offers the CBCP (certified business continuity professional) certificate. Information security governance is another focus area for organisations. This ensures that the efforts and direction of information security programmes are in line with the business goals of the organisation. To this end, it is worth considering the CISM (certified information security manager) certificate from the Information Systems Audit and Control Association (Isaca). Security auditing is another qualification much sought-after by employers. Possessing a good understanding of security audit principles is a prerequisite to ensure that systems comply with audit requirements. Isaca offers the CISA (certified information systems auditor) for security auditors. 
The different types of certificates complement each other, and IT professionals need to have adequate knowledge of each of the domains if they are to perform a full security role. An IT manager may be required to perform many security-related functions, so acquiring certificates in security management and security governance will definitely be valuable. A security audit certificate will prepare the IT manager to face security audits with more confidence. Certified knowledge of security techniques will improve confidence in technical matters. An information security auditor may start their career with the CISA qualification, but to gain deeper insight, they will have to acquire sufficient experience in security techniques, security management and security governance. Getting the certificate should be a by-product of gaining knowledge and experience. Preparing for the certification examination makes one focus on improving understanding of the subject. All the examinations have objective-type questions that test a candidate on basic understanding of the subject. Since the certificates are independent of any products, testing is for conceptual clarity. So does this mean that information security professionals need to get all the certificates? The fact is that security professionals have to perform all these roles in their career. They will be using various security techniques, be responsible for security management and security governance, and may even be performing security audits. An information security professional needs to acquire adequate knowledge, understanding and experience in each of these areas. Getting this knowledge certified is the best way to convey your expertise to the employer and gain credibility in the workplace. -=- CV: AVINASH W KADAM Avinash W Kadam holds a CISA, CISM, CISSP, CBCP and GSEC. 
He has been president of the Mumbai Chapter of the Information Systems Audit and Control Association, lead instructor at (ISC)2, mentor for the Sans Institute and is director of MIEL e-Security.

© 2006 Reed Business Information Limited. All Rights Reserved.

From isn at c4i.org Wed May 17 01:44:51 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 17 May 2006 00:44:51 -0500 (CDT)
Subject: [ISN] New charges expected in defense data theft ring
Message-ID:

http://www.washtimes.com/national/20060515-110139-9264r.htm

By Bill Gertz
THE WASHINGTON TIMES
May 16, 2006

Federal prosecutors are expected to add new charges against several people in Los Angeles linked to a covert program to provide China with Navy defense technology and at least one will be charged with espionage, U.S. government officials said. Defense contractor Chi Mak and his wife, Rebecca Laiwah Chiu, along with brother Tai Mak were arrested last year and charged with failing to register as Chinese government agents after a yearlong counterespionage probe. Documents obtained after the Oct. 28 arrests provided investigators with new clues about the technology theft ring that included proprietary corporate information and embargoed defense technology related to Navy warships, officials said. Investigators think the spy ring passed the sensitive data to Beijing. The charges, which will be made public as early as this week, will include a new indictment against Chi Mak, Tai Mak, Mrs. Chiu and a fourth Mak relative. All four will be charged with conspiracy to export defense articles and attempted unlawful export of defense articles. Additionally, Chi Mak, an electrical engineer with the Los Angeles defense contractor Power Paragon, will be indicted on charges of unlawful export of defense articles and gathering defense information, an espionage charge, the officials said. Chi Mak is thought to have supplied China with sensitive information about the electrical systems of U.S.
warships and submarines, including details of the Virginia-class submarine, and information on a new electromagnetic catapult to launch jets from aircraft carriers. A spokesman for the U.S. attorney in Los Angeles declined to comment, but Assistant U.S. Attorney Gregory Staples said in court last week that the government is expected to seek a new indictment in the case. He did not specify the new charges. Senior Justice Department officials have approved the new charges, which prosecutors will announce in Los Angeles, said the officials, who spoke on the condition of anonymity. Chi, Tai and Rebecca Mak have pleaded not guilty to the original charges in the case. "We presented evidence throughout this case that undermines the government's conclusion that these individuals were involved in espionage," Ronald Kaye, Chi Mak's attorney, said in an interview. An attorney for Mrs. Chiu, Stanley Greenberg, said he is confident that his client will be found not guilty. An attorney for Tai Mak could not be reached for comment. U.S. officials described Tai Mak, an engineer with Phoenix Television, as an intelligence courier for the Chinese military who was carrying an encrypted computer disk holding defense technology data when he was arrested. Tai Mak also will be charged with aiding and abetting and possession of property to aid a foreign government. He and his wife were arrested at Los Angeles International Airport as they were about to fly to Hong Kong. Tai Mak was carrying an encrypted disk that FBI officials said contained data on a new technology for destroyers known as quiet electric drive. Earlier charges that Chi Mak, Tai Mak and Rebecca Mak failed to register as Chinese government agents will be kept in the new indictment. Chi and Tai Mak were born in Guangzhou, China. The new charges were based on thousands of pages of documents found at the home of Chi Mak, officials said. 
Copyright 2006 The Washington Times

From isn at c4i.org Wed May 17 01:45:34 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 17 May 2006 00:45:34 -0500 (CDT)
Subject: [ISN] Symantec CEO advocates fair play and Macs
Message-ID:

http://news.com.com/2100-7355_3-6072540.html

By Tom Krazit
Staff Writer, CNET News.com
May 15, 2006

CORONADO, Calif.--It doesn't appear that Symantec CEO John Thompson's next computer will run Windows. "We think more people ought to buy them," Thompson said of Apple's Macintosh computers, in response to a question from the audience at the Future in Review conference on Monday. The "target-rich" environment created by Windows vulnerabilities means that virus writers and hackers have set their sights on Windows PCs, he said. However, Thompson noted that if more and more people did go out and buy Macs, virus writers might change their tactics. And many attacks are increasingly of the phishing or identity theft variety, which targets computer users independently of their operating system, he said. "We shouldn't assume that any one technology at any layer is sufficient to protect our notion of a connected world," Thompson said. Computer users and network operators need to take many steps to ensure their data will be protected, regardless of which products they use, he said. All of Symantec's computers are standardized on Microsoft's Windows operating system, a company representative said. Security problems haven't gotten as much attention from the U.S. government as Thompson had hoped, although things have improved compared with four years ago, he said. Still, computer "security has fallen off the (government's) radar screen with budget issues and the war in Iraq," he said. However, Microsoft's move into the security software market has clearly gotten Thompson's attention. "We are concerned (whether) they will play fairly.
If they do something that is unfair, then that will be something that is difficult to compete against, but we'll have other venues for making our point," he said.

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Wed May 17 01:45:49 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 17 May 2006 00:45:49 -0500 (CDT)
Subject: [ISN] FBI special agent recounts outsourcing horror story
Message-ID:

http://www.networkworld.com/news/2006/051606-fbi-outsourcing-horror.html

By Bob Brown
NetworkWorld.com
05/16/06

The CAD/CAM company thought it was protecting itself, having employees of the Indian outsourcing company that was debugging its source code sign non-disclosure agreements. But when a disgruntled outsourcing employee swiped a copy of the code a few years back and tried to sell it to the CAD/CAM vendor's competitors, the vendor found out that the NDAs were of little use when it came to prosecuting the alleged thief in India. "They weren't worth the paper they were written on," says Nenette Day, an FBI special agent out of Boston who did double duty as both the case agent and undercover agent investigating this crime against software maker SolidWorks. "The employees would have had to sign the agreement with the Indian company, not the American one." Day, who has worked in computer crime for 8 years and calls herself "a geek with a gun," told attendees at last week's CIO Forum that their companies need to do serious research about the laws of any country to which they outsource work. CIO Forum is a unique conference during which IT vendors and 300 potential customers unite on a cruise ship out of New York City. (Other discussions at the event focused on topics such as identity theft and biometrics and grid computing.) A handful of FBI agents were on board to consult with IT pros about cybercrime threats, a topic that FBI agents say companies are often reluctant to talk about.
As for protecting yourself when outsourcing to other countries, Day advises IT executives to assume that you have no legal rights. "It should not start with your understanding of American law," she says. In India, for example, there is no theft of trade secret law, Day says. India does have an IT act, she says, but it is mainly focused on copyright violations. Day says that despite the fact that "there was not a shred of evidence that we did not have" against the alleged SolidWorks thief, prosecutors in India have failed to convict the suspect and he continues to work. The FBI initially tried to lure the suspected thief out of India to simplify prosecution, but he was too smart for that, Day says. Indian police nabbed the suspect in 2002 when he allegedly tried to sell the code to Day while she was undercover (she says he initially tried to sell the code for about $250,000, not realizing it was probably worth $300 million). Fortunately, she says, the original source code was recovered and copies were not believed to have been sold. In the wake of that case, Indian software developers have formed a lobby to push for stronger intellectual property protection laws, concerned that companies won't outsource to India if they aren't better protected, Day says. Outsourcing firms, like the one SolidWorks worked with, have also tightened their own security policies considerably in recent years, she says. Another thing to consider when outsourcing to other countries is not just whether there are laws to protect intellectual property, but whether the laws are enforced. "No criminal law exists if the police will not enforce it," she says, noting that the FBI received an unprecedented amount of cooperation from its counterpart in India on the SolidWorks case (after threatening to expose India's laissez-faire attitude toward the case). Questions companies should ask when outsourcing to other nations, Day says, include the following:

* Can my company risk loss of this data?
* What are my liabilities if I do lose it?
* What are your notification requirements if you lose customer data? (She notes that if your data is encrypted, you might not have to report it missing.)
* Will the company you are outsourcing to go the distance if you need its help to chase down a criminal?
* How long could a prolonged legal battle in a foreign country cost? ("You could lose all your outsourcing savings there," Day says.)

"This is all risk analysis," she says. "We're not saying don't outsource. We're saying learn the risk points and add that to your analysis when choosing the country or company wherever you're outsourcing."

Mobile computing worries

Mobile computing is the other area of networking that has Day very concerned on the cybercrime front. This involves both stolen and lost mobile systems. "Laptops. I don't even know how to get on this soapbox and scream loud enough," says Day, citing third-party market research about tens of thousands of cell phones and portable computers being left in Chicago taxis during a six-month period last year. "Universities, companies, government. Where could I not go and not tell you a story about the laptop that went missing and did not have the information encrypted." Day points out that even the FBI encrypted its laptops when she joined 8 years ago. "And we are behind the curve in every way electronically, except that," she quips. It's "mind boggling" that information is being kept in the clear on portable devices and that companies aren't being held responsible, Day says. Though she says that companies are starting to pay the price, as a credit card processing company recently settled a compromised data case for big bucks. Cases so far have mainly been civil ones, though she says criminal charges won't be far behind given the emergence of new data protection laws.
Day also discussed the dangers of cell phones, which she described as potential monitoring devices, given that so many have cameras and audio recording capacity on them. They can also threaten security by being tapped, through techniques such as someone asking to borrow your phone and downloading a tracking program, she says. The FBI requires members to shed all electronic devices during certain of its top-secret meetings. "We understand how easy these things are to compromise," Day says. "You might want to consider in your own company a no electronics area." This includes devices such as iPods, which can be used to swipe info via "pod slurping," a technique that involves simply sticking an iPod into a USB port on a computer. "They don't even need access to the keyboard," she says. Day urges IT pros to contact the FBI if their intellectual property is stolen, noting that even if criminal charges are brought against someone, civil charges can also be made.

All contents copyright 1995-2006 Network World, Inc.

From isn at c4i.org Wed May 17 01:46:04 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 17 May 2006 00:46:04 -0500 (CDT)
Subject: [ISN] Under Attack, Spam Fighter Folds
Message-ID:

http://www.wired.com/news/technology/0,70913-0.html

By Ryan Singel
May 16, 2006

A startup whose aggressive antispam measures drew a blistering counterattack from spammers two weeks ago that brought down the company's servers along with a wide swath of the internet is shuttering its program that targets junk e-mailers. In an interview with Wired News, Blue Security CEO Eran Reshef said the Israel-based company was closing its service Wednesday since he did not want to be responsible for an ever-escalating war that could bring down internet service providers and websites around the world and subject its users to denial-of-service attacks from a well-organized group in control of a massive army of computer drones.
"Our community would very much like us to continue on the fight against spam, and our community has grown over the last week," Reshef said. "But at the end of the day if we continue doing so, within a few days, major websites will go down. I don't feel that this is something I can be responsible for. I cannot go ahead and rip up the internet to make Blue Security work. This is not the decision a commercial entity can make." The abrupt decision ends a high-profile standoff between spammers and a tiny startup whose unorthodox methods had seemingly stymied some of the most prolific purveyors of junk e-mail in the world, if only temporarily. For a few intense days, the fight showed with shocking clarity the lengths to which some spammers will go to protect their businesses, and the devastating arsenals at their command. The lesson to be learned, Reshef said, is that large ISPs and governments need to recognize that spammers are connected to criminal syndicates and that they, not a small startup, are the only ones who can shut down these networks. Blue Security's 500,000 users had been successful in convincing six of the top 10 spam operations in the world to use its open-source mailing-list scrubber, which Reshef said proved that Blue Security's technology and approach was effective. But other spammers responded differently. Starting May 2, a spammer known as PharmaMaster used a massive network of zombie computers to flood Blue Security's database servers with fake traffic and hijacked a little-known Cisco Systems router feature known as "blackhole filtering" to block anyone outside Israel from accessing Blue Security's homepage. The spammer also unleashed a torrent of spam targeted to a subset of Blue Security users, which the spammer had likely gotten by scrubbing an e-mail list and then comparing the old list with the new list. Any addresses removed from the old list could be identified as Blue Security users. 
The distributed-denial-of-service attack brought down the databases, and the collateral damage included hundreds of thousands of websites and mail servers hosted by Tucows, according to Elliot Noss, president and CEO of Tucows, the internet's largest domain registrar. "Just in terms of pure scale, it's pretty safe to call it massive," Noss said. "I think that really the most interesting observation was how distributed it was. We sampled IP addresses and over 70 percent were unique." Blogging software provider Movable Type's hosted service, TypePad, also fell victim to PharmaMaster's bot network, after Blue Security realized that no one could reach its homepage and posted a message to its users on its old blog. Thirty minutes later, PharmaMaster started an attack that brought down thousands of blogs. Blue Security's Blue Frog antispam tool worked by having customers install a small piece of software in their browsers that they used to report spam. After aggregating the reports, Blue Security would try to contact the spammers, the websites of companies being advertised and their ISPs to try to convince the spammers to clean their lists of e-mail accounts on the company's Do Not Intrude list. If that did not work, Blue Security would write a custom script that spam recipients could use to send an opt-out request to the advertised website. In practice, that meant that hundreds of thousands of Blue Frog users could attempt to opt out at once. In addition, the software would fill in online order forms with the opt-out request if there was no other way to communicate with a spammer-advertised website. This tactic, which Blue Security says is legal under the Can-Spam Act, was controversial with spammers and some antispammers alike. Spammers complained in internet forums that the opt-out requests were simply a denial-of-service attack. Anne P. 
Mitchell, president and CEO of the Institute for Spam and Internet Public Policy, is also a vocal critic of Blue Security's tactics who thinks the company was breaking computer crime laws by having its members fill in order forms with opt-out requests. "Do you think Blue Frog cares if they are knowingly causing customers to break the law of their own home country?" Mitchell asked. "They don't care because they are sitting in Israel." But Peter Swire, a law professor and former head privacy official for the Clinton administration, looked into the company's operations, found them legitimate and innovative, and signed onto the company's advisory board earlier this year. "I get one spam e-mail and my computer sends one opt-out request," Swire said. "That is exactly what Can-Spam gives me the right to do." Swire says he understands why Reshef has decided to shutter the service, because these levels of attacks are too much for a small company to withstand. But he says the company showed that this tactic can work. "If little Blue Security can affect 25 percent of spam, then this approach shows great promise if the big boys get involved," Swire said. "If there is a concerted effort by the big ISPs or by the government, the Can-Spam Act provably is the basis for reducing spam." Eric Benhamou, chairman and CEO of Benhamou Global Ventures and one of Blue Security's lead investors, said he knew going in that Blue Security's task was difficult. Benhamou is not writing off Blue Security, whose technology he says has other uses, but he supports the company's decision to shut down in order to avoid more collateral damage. "We knew it would get really serious when the adversary was wounded," he said. "There were no surprises on my part. When I first did my due diligence, Eran and Amir (Hirsch) told me clearly that they knew how to build the technology to accomplish this but weren't sure of the overall business proposition. 
I said that's fine, because I want to explore something that hasn't been done before and before there were only clever filters. This was totally innovative."

From isn at c4i.org Wed May 17 01:46:16 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 17 May 2006 00:46:16 -0500 (CDT)
Subject: [ISN] Power plant security info leaked onto Net
Message-ID:

http://search.japantimes.co.jp/cgi-bin/nn20060515a3.html

The Japan Times
May 15, 2006

NAGOYA (Kyodo) Security data on a thermal power plant has been leaked onto the Internet from a virus-infected personal computer, the company in charge of the plant's security said Sunday. The information was passed onto the Internet through a file-sharing program called Share. The data includes the locations of various facilities in Chubu Electric Power Co.'s thermal power plant in Owase, Mie Prefecture, including the control room, instrument panel room and boilers, officials of the security company, a Chubu affiliate, said. Also leaked were manuals on how to deal with unconfirmed reports of intruders in the plant, as well as a list of the names and home addresses of the security firm's employees and other personal data on guards, they said. The data made its way to the Net from a computer belonging to a 40-year-old employee of the security firm, the officials said. He compiled the data on his PC around 2000. He started to use Share in March, the officials said. Chubu Power, based in Nagoya, operates five nuclear power reactors in Shizuoka Prefecture.

From isn at c4i.org Thu May 18 05:02:07 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 18 May 2006 04:02:07 -0500 (CDT)
Subject: [ISN] Auditors: DHS should spur use of critical infrastructure data
Message-ID:

http://www.gcn.com/online/vol1_no1/40809-1.html

By Wilson P. Dizard III
GCN Staff
05/17/06

The Homeland Security Department should work to increase use of sensitive information it receives from private companies about vulnerable assets like utilities, private IT networks, energy production and distribution facilities, and transportation assets, the Government Accountability Office said in a report unveiled today. The report [1], titled "DHS Should Take Steps to Encourage More Widespread Use of its Program to Protect and Share Critical Infrastructure Information," describes how the department has been carrying out the Critical Infrastructure Information Act. That law was a response to the frequently repeated fact that more than 85 percent of the essential facilities that terrorists could target are in private hands. The law sought to encourage private companies to submit information about the critical infrastructure assets to DHS by creating special shields against the public release of the data. In particular, the law bars release of the information under the federal Freedom of Information Act. Once the information is gathered and protected, the department is responsible for sharing it with appropriate agencies so they can help protect the assets from terrorist attacks. GAO reported that the department has set up a program office to establish requirements for gathering, protecting, sharing and using the infrastructure information. As of January 2006, the program office had received 260 submissions of critical infrastructure information from various sectors. The office has publicized the program to government agencies and private companies, and trained about 750 potential users in DHS and other federal, state and local agencies to handle the specially protected information.
However, according to the report, DHS must overcome challenges in defining government needs for the information, deciding how it will be used, protecting the information and controlling access to it as well as convincing the private companies that they will gain by submitting the information. "If DHS were able to surmount these challenges, it and other government users may begin to overcome the lack of trust that critical infrastructure owners have in the government's ability to use and protect their sensitive information," the report said. The auditing agency added that DHS officials concurred with the report findings in oral comments.

[1] http://www.gao.gov/new.items/d06383.pdf

From isn at c4i.org Thu May 18 05:02:19 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 18 May 2006 04:02:19 -0500 (CDT)
Subject: [ISN] GAO: IRS procedural flaws leave taxpayer materials vulnerable
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=34101

By Jenny Mandel
jmandel @ govexec.com
May 17, 2006

Taxpayer receipts and other sensitive materials were left open and vulnerable to loss or theft, and it was common to find problems with financial and security procedures at Internal Revenue Service facilities visited by auditors during an annual review. As part of a fiscal 2005 audit, Government Accountability Office employees visited a sampling of service centers, taxpayer assistance centers, field offices, financial institutions serving as agents of the government and a finance center, to evaluate how they followed financial and internal controls designed to ensure the appropriate handling of materials. In a report (GAO-06-543R) [1] released last week, GAO described a litany of security problems. At a taxpayer assistance center, auditors repeatedly entered secure areas without challenge by walking from public into controlled areas through an unmarked, unlocked door.
At assistance centers newly reconfigured to incorporate security features, reviewers found the same open access and were told that unauthorized people occasionally appeared in secure areas. At service centers where tax returns were opened and processed, reviewers found that procedures for candling envelopes -- passing them over a light source or using other methods to ensure the contents had been removed -- were not routinely followed before the envelopes were marked to be destroyed. At a bank that processed tax remittances, procedures calling for the immediate deposit of large checks were not routinely followed. In one case, reviewers found six checks totaling $1.25 million that had not been processed before a shift change, and new shift leaders were not aware of their existence. GAO also found that references were not verified when individuals under age 18 were hired to handle taxpayer receipts and information. Underage employees routinely had access to taxpayer information beyond what they were cleared to handle, and those who were no longer in school, but without a work history, were not required to submit a standard character assessment form. The report recommended that the IRS improve its procedural guidelines, enhance periodic facility reviews, enforce existing rules and monitor adherence to regulations. In response to a report draft, IRS officials accepted all but one of GAO's recommendations, which they said the agency had already met. "The issues you presented in your report will help us to take the necessary steps to strengthen our controls over property and equipment, safeguarding tax receipts, and improving financial management," Commissioner Mark Everson wrote. He noted that the IRS had acted on and closed 33 outstanding recommendations during fiscal 2005, and developed corrective action plans for others. 
[1] http://www.gao.gov/cgi-bin/getrpt?GAO-06-543R

From isn at c4i.org Thu May 18 05:02:31 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 18 May 2006 04:02:31 -0500 (CDT)
Subject: [ISN] The Ultimate Net Monitoring Tool
Message-ID:

http://www.wired.com/news/technology/0,70914-0.html

By Robert Poe
May 17, 2006

The equipment that technician Mark Klein learned was installed in the National Security Agency's "secret room" inside AT&T's San Francisco switching office isn't some sinister Big Brother box designed solely to help governments eavesdrop on citizens' internet communications. Rather, it's a powerful commercial network-analysis product with all sorts of valuable uses for network operators. It just happens to be capable of doing things that make it one of the best internet spy tools around. "Anything that comes through (an internet protocol network), we can record," says Steve Bannerman, marketing vice president of Narus, a Mountain View, California, company. "We can reconstruct all of their e-mails along with attachments, see what web pages they clicked on, we can reconstruct their (voice over internet protocol) calls." Narus' product, the Semantic Traffic Analyzer, is a software application that runs on standard IBM or Dell servers using the Linux operating system. It's renowned within certain circles for its ability to inspect traffic in real time on high-bandwidth pipes, identifying packets of interest as they race by at up to 10 Gbps. Internet companies can install the analyzers at every entrance and exit point of their networks, at their "cores" or centers, or both. The analyzers communicate with centralized "logic servers" running specialized applications. The combination can keep track of, analyze and record nearly every form of internet communication, whether e-mail, instant message, video streams or VOIP phone calls that cross the network.
Brasil Telecom and several other Brazilian phone companies are using Narus products to charge each other for VOIP calls they send over one another's IP networks. Internet companies in China and the Middle East use them to block VOIP calls altogether. But even before the product's alleged role in the NSA's operations emerged, its potential as a surveillance tool was not lost on corporate America. In December, VeriSign, also of Mountain View, chose Narus' product as the backbone of its lawful-intercept-outsourcing service, which helps network operators comply with court-authorized surveillance orders from law enforcement agencies. A special Narus lawful-intercept application does this spying with ease, sorting through torrents of IP traffic to pick out specific messages based on a targeted e-mail address, IP address or, in the case of VOIP, phone number. "We needed their fast packet-detection and inspection capability," says VeriSign Vice President Raj Puri. "They do it with specialized software that can isolate packets for a specific target." Narus has little control over how its products are used after they're sold. For example, although its lawful-intercept application has a sophisticated system for making sure the surveillance complies with the terms of a warrant, it's up to the operator whether to type those terms into the system, says Bannerman. That legal eavesdropping application was launched in February 2005, well after whistle-blower Klein allegedly learned that AT&T was installing Narus boxes in secure, NSA-controlled rooms in switching centers around the country. But that doesn't mean the government couldn't write its own code to do the dirty work. Narus even offers software-development kits to customers. "Our product is designed to comply (with) all of the laws in all of the countries we ship to," says Bannerman. "Many of our customers have built their own applications. We have no idea what they do." 
From isn at c4i.org Thu May 18 05:01:53 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 18 May 2006 04:01:53 -0500 (CDT)
Subject: [ISN] Gossip lands Education hacker in jail
Message-ID:

http://www.fcw.com/article94547-05-17-06-Web

By Michael Arnone
May 17, 2006

An Education Department auditor who hacked his boss' computer and told his co-workers about it will spend five months in jail, Justice Department officials said. Kenneth Kwak, formerly an information technology systems auditor at Education's Office of the Inspector General, pleaded guilty in March to one count of intentionally gaining unauthorized access to a government computer and extracting information from it, Justice spokesman Drew Wade said. Kwak admitted he installed software on his supervisor's computer that gave him access to his boss' e-mail messages and Internet activity, Wade said. Kwak then shared the information with his co-workers. He was prosecuted under the U.S. Attorney's Office's new zero-tolerance policy for breaking into federal computer systems, Justice officials said. Once Kwak has served his time, he will spend another five months confined to his home with his movements electronically monitored, Justice officials said. U.S. District Judge Royce Lamberth ordered Kwak to pay $40,000 in restitution to the federal government and spend three years under supervised release, including the five months at home, Wade said. The Computer Crime Investigation Division of Education's Office of the IG conducted the investigation, Justice officials said. Attorneys from the Computer Crime and Intellectual Property Section of Justice's Criminal Division prosecuted the case. "This unfortunate incident demonstrates that accountability applies to everyone," said John Higgins Jr., Education's IG. "We will continue to work with department and law enforcement officials to ensure the integrity of the department's computer systems."
From isn at c4i.org Thu May 18 05:02:45 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 18 May 2006 04:02:45 -0500 (CDT)
Subject: [ISN] WBAB radio signal hijacked
Message-ID:

http://www.newsday.com/news/local/longisland/ny-libab0518,0,569247.story?coll=ny-li-bigpix

BY BART JONES
Newsday Staff Writer
May 18, 2006

A popular morning program on WBAB radio was "hijacked" Wednesday, station officials said, by someone who broke in on its broadcast -- apparently by using an illegal transmitter -- and played an offensive song that repeated a racial epithet several times.

Station managers, already immersed in controversy over the Roger and JP morning show's airing last week of a "Wetback Steakhouse" fake commercial, said they were angered by the two-minute takeover and contacted the Federal Communications Commission to investigate.

"I'd like to find out who did it," program director John Olsen said. "I'm not happy about it."

A similar incident occurred with WBAB's sister station WBLI about two weeks ago with the same song, he said. The stations share a studio on Sunrise Highway in Babylon.

Wednesday, the pirate broke into WBAB's broadcast about 7:15 a.m., interrupting "Hey You" by Pink Floyd and playing part of a country music-style song that in addition to using the "n word" suggests killing blacks. It also refers to blacks getting welfare checks and includes an offensive reference to Martin Luther King Jr.

The show's stunned hosts, John Parise and Roger Luce, and the station's technicians were unable to block the pirate transmission, Olsen said. After the intruder's song ended, several seconds of empty air space followed until regular broadcasting resumed with the end of the Pink Floyd song.

Parise and Luce explained to listeners that the transmission had been taken over and stressed they had no part in playing the song.

Olsen said the station's engineers were investigating what happened Wednesday, but he had one possible explanation.

He said that from its studio in Babylon, WBAB sends a high-frequency microwave signal to its transmitting tower about six miles away in Dix Hills near the Long Island Expressway.

"Somebody using an illegal transmitter and small antenna we believe overtook our signal between the studio and the transmitter and that's how they got in," he said. He added that the pirate would have to be near the signal but not necessarily at the transmission tower.

"You have to be technologically pretty proficient in order to know how to do it," he said. "The equipment is probably readily available and if you know how to put the equipment together ... then it's something that's possible."

He added that the station was taking steps Wednesday to ensure its broadcast isn't hijacked again.

One listener said his jaw dropped Wednesday when he heard the song come on, and he pulled over in his car to listen.

"At first I thought these guys were looking for a whole bunch of trouble," said Frank Carpenter of Bohemia. But "clearly they were a victim here."

One communications security expert, Johannes Ullrich of the SANS Institute in Jacksonville, Fla., said pirate invasions of radio or television stations were rare, although he has heard of some cases such as the Falun Gong religious group hijacking a Chinese television station for about 15 minutes.

WBAB, which bills itself as "Long Island's No. 1 Rock Station," reaches all of the Island and operates with two frequencies: 102.3 covers from the Queens border to around the Riverhead area, while 95.3 covers the rest of the East End.

Last week, Parise and Luce apologized for the "Wetback Steakhouse" spot, and the station pulled it off the air.

Copyright 2006 Newsday Inc.
From isn at c4i.org Fri May 19 03:15:14 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 19 May 2006 02:15:14 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-20
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2006-05-11 - 2006-05-18

                       This week: 54 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Steve Wiseman has reported a vulnerability in RealVNC, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error within the handling of VNC password authentication requests. This can be exploited to bypass authentication and allows access to the remote system without requiring knowledge of the VNC password.

Additional details are available in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA20107

--

Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system.

All users of QuickTime are advised to check for available updates.

Reference:
http://secunia.com/SA20069

--

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA20069] QuickTime Multiple Code Execution Vulnerabilities
2.  [SA20107] RealVNC Password Authentication Bypass Vulnerability
3.  [SA19762] Internet Explorer "object" Tag Memory Corruption Vulnerability
4.  [SA20077] Mac OS X Security Update Fixes Multiple Vulnerabilities
5.  [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information
6.  [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
7.  [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
8.  [SA20083] Linux Kernel "lease_init()" Denial of Service Vulnerability
9.  [SA20082] Symantec Firewall Products Internal IP Addresses Disclosure
10. [SA20084] AliPAGER "ubild" Cross-Site Scripting and SQL Injection

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA20136] FreeFTPd SFTP Key Exchange Algorithm String Buffer Overflow
[SA20114] FortressSSH SSH_MSG_KEXINIT Logging Buffer Overflow
[SA20107] RealVNC Password Authentication Bypass Vulnerability
[SA20146] LiveData ICCP Server Buffer Overflow Vulnerability
[SA20112] Azboard Multiple SQL Injection Vulnerabilities
[SA20102] DUbanner Insecure File Upload Vulnerability
[SA20086] FileZilla Unspecified Buffer Overflow Vulnerability
[SA20132] Sun Java JRE Large Temporary File Creation Vulnerability

UNIX/Linux:
[SA20123] Nagios Content-Length Integer Overflow Vulnerability
[SA20117] SUSE Updates for Multiple Packages
[SA20094] Empire Server "client_cmd()" Denial of Service Vulnerability
[SA20139] Novell eDirectory iMonitor Unspecified Buffer Overflow Vulnerability
[SA20124] Debian update for phpldapadmin
[SA20137] Ubuntu update for Quagga
[SA20127] Sun N1 System Manager Password Disclosure Vulnerability
[SA20108] Debian update for webcalendar
[SA20116] Quagga bgpd Denial of Service Vulnerability

Other:
[SA20109] AdderLink IP Unspecified VNC Vulnerability
[SA20085] ClamXav freshclam suid Permissions Security Issue

Cross Platform:
[SA20135] DeluxeBB Multiple File Extensions File Upload Vulnerability
[SA20128] NewsPortal Cross-Site Scripting and File Inclusion
[SA20121] Squirrelcart "cart_isp_root" File Inclusion Vulnerability
[SA20120] Quezza "quezza_root_path" File Inclusion Vulnerability
[SA20119] TR Newsportal "file_newsportal" Parameter File Inclusion Vulnerability
[SA20115] Php Blue Dragon CMS "vsDragonRootPath" File Inclusion
[SA20103] ezUserManager "ezUserManager_Path" File Inclusion Vulnerability
[SA20099] Genecys Buffer Overflow and Denial of Service
[SA20098] Outgun Multiple Vulnerabilities
[SA20097] Raydium Multiple Vulnerabilities
[SA20092] phpBB foing Module "phpbb_root_path" File Inclusion
[SA20090] Unclassified NewsBoard "ABBC[Config][smileset]" Local File Inclusion
[SA20087] PopPhoto "cfg[popphoto_base_path]" File Inclusion Vulnerability
[SA20133] RadLance Gold "popup.php" Local File Inclusion Vulnerability
[SA20131] Sphider Multiple Vulnerabilities
[SA20129] PHP-Fusion "srch_where" SQL Injection Vulnerability
[SA20125] Caucho Resin Two Disclosure of Sensitive Information Vulnerabilities
[SA20106] Hitachi EUR Unspecified SQL Injection Vulnerability
[SA20104] DeluxeBB "name" SQL Injection Vulnerability
[SA20096] GNUnet Empty UDP Datagram Denial of Service Vulnerability
[SA20089] e107 "e107_cookie" Parameter SQL Injection Vulnerability
[SA20088] phpCOIN E-Mail Address Disclosure of Arbitrary Messages
[SA20084] AliPAGER "ubild" Cross-Site Scripting and SQL Injection
[SA20144] Sun Java System Directory Server Authentication Bypass
[SA20141] phpRemoteView Multiple Cross-Site Scripting Vulnerabilities
[SA20130] BEA WebLogic Server/Express Multiple Security Issues
[SA20118] Directory Listing Script "dir" Cross-Site Scripting Vulnerability
[SA20113] phpMyAdmin "theme" and "db" Cross-Site Scripting Vulnerabilities
[SA20111] phpODP "browse" Cross-Site Scripting Vulnerability
[SA20110] Jax Guestbook "guestbook.admin.php" Cross-Site Scripting
[SA20105] Confixx Pro "login" Parameter Cross-Site Scripting Vulnerability
[SA20101] FlexChat "username" Parameter Cross-Site Scripting
[SA20095] GPhotos Cross-Site Scripting and Disclosure of Arbitrary Directories
[SA20091] OZJournals "vname" Parameter Cross-Site Scripting
[SA20093] phpBB "Upload Avatar from a URL" Remote HTTP Request Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:

--
[SA20136] FreeFTPd SFTP Key Exchange Algorithm String Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-17

A vulnerability has been reported in FreeFTPd, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20136/

--
[SA20114] FortressSSH SSH_MSG_KEXINIT Logging Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-16

Gerry Eisenhaur has discovered a vulnerability in FortressSSH, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20114/

--
[SA20107] RealVNC Password Authentication Bypass Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-05-15

Steve Wiseman has reported a vulnerability in RealVNC, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20107/

--
[SA20146] LiveData ICCP Server Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-05-17

A vulnerability has been reported in LiveData ICCP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20146/

--
[SA20112] Azboard Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-16

x90c has reported some vulnerabilities, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20112/

--
[SA20102] DUbanner Insecure File Upload Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-16

Dj ReMix has discovered a vulnerability in DUbanner, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20102/

--
[SA20086] FileZilla Unspecified Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-15

A vulnerability has been reported in FileZilla, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20086/

--
[SA20132] Sun Java JRE Large Temporary File Creation Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-05-16

Marc Schoenefeld has discovered a vulnerability in Sun Java JRE (Java Runtime Environment), which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20132/

UNIX/Linux:

--
[SA20123] Nagios Content-Length Integer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-16

A vulnerability has been reported in Nagios, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20123/

--
[SA20117] SUSE Updates for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, DoS, System access
Released:    2006-05-15

SUSE has issued an update for multiple packages. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to cause files to be extracted to arbitrary locations on a user's system, bypass certain security restrictions, conduct cross-site scripting attacks, cause a DoS (Denial of Service), or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20117/

--
[SA20094] Empire Server "client_cmd()" Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-05-15

Luigi Auriemma has reported a vulnerability in Empire Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20094/

--
[SA20139] Novell eDirectory iMonitor Unspecified Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2006-05-18

A vulnerability has been reported in Novell eDirectory, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20139/

--
[SA20124] Debian update for phpldapadmin

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-16

Debian has issued an update for phpldapadmin. This fixes some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20124/

--
[SA20137] Ubuntu update for Quagga

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Exposure of system information, DoS
Released:    2006-05-16

Ubuntu has issued an update for Quagga. This fixes two security issues and a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to bypass certain security restrictions, and to disclose system information.

Full Advisory:
http://secunia.com/advisories/20137/

--
[SA20127] Sun N1 System Manager Password Disclosure Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-05-18

A vulnerability has been reported in Sun N1 System Manager, which can be exploited by malicious, local users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20127/

--
[SA20108] Debian update for webcalendar

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2006-05-15

Debian has issued an update for webcalendar. This fixes a weakness, which can be exploited by malicious people to identify valid user accounts.

Full Advisory:
http://secunia.com/advisories/20108/

--
[SA20116] Quagga bgpd Denial of Service Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-05-15

Fredrik Widell has reported a vulnerability in Quagga, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20116/

Other:

--
[SA20109] AdderLink IP Unspecified VNC Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Unknown
Released:    2006-05-16

A vulnerability with unknown impact has been reported in AdderLink IP.

Full Advisory:
http://secunia.com/advisories/20109/

--
[SA20085] ClamXav freshclam suid Permissions Security Issue

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-05-15

Kevin Finisterre has reported a security issue in ClamXav, which can be exploited by malicious, local users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20085/

Cross Platform:

--
[SA20135] DeluxeBB Multiple File Extensions File Upload Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-17

rgod has discovered a vulnerability in DeluxeBB, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20135/

--
[SA20128] NewsPortal Cross-Site Scripting and File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-05-17

Some vulnerabilities have been reported in NewsPortal, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20128/

--
[SA20121] Squirrelcart "cart_isp_root" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-16

OLiBekaS has reported a vulnerability in Squirrelcart, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20121/

--
[SA20120] Quezza "quezza_root_path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-17

Mustafa Can Bjorn has reported a vulnerability in Quezza, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20120/

--
[SA20119] TR Newsportal "file_newsportal" Parameter File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-16

Kacper has discovered a vulnerability in TR Newsportal, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20119/

--
[SA20115] Php Blue Dragon CMS "vsDragonRootPath" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-15

Kacper has discovered a vulnerability in Php Blue Dragon CMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20115/

--
[SA20103] ezUserManager "ezUserManager_Path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-16

OLiBekaS has discovered a vulnerability in ezUserManager, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20103/

--
[SA20099] Genecys Buffer Overflow and Denial of Service

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-15

Luigi Auriemma has reported two vulnerabilities in Genecys, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20099/

--
[SA20098] Outgun Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-15

Luigi Auriemma has reported some vulnerabilities in Outgun, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20098/

--
[SA20097] Raydium Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-15

Luigi Auriemma has reported some vulnerabilities in Raydium, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20097/

--
[SA20092] phpBB foing Module "phpbb_root_path" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-15

Kurdish Security has discovered some vulnerabilities in the foing module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20092/

--
[SA20090] Unclassified NewsBoard "ABBC[Config][smileset]" Local File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2006-05-12

rgod has reported a vulnerability in Unclassified NewsBoard, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20090/

--
[SA20087] PopPhoto "cfg[popphoto_base_path]" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-15

VietMafia has reported a vulnerability in PopPhoto, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20087/

--
[SA20133] RadLance Gold "popup.php" Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-05-16

Mr.CrackerZ has reported a vulnerability in RadLance Gold, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20133/

--
[SA20131] Sphider Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-05-17

Some vulnerabilities have been discovered in Sphider, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20131/

--
[SA20129] PHP-Fusion "srch_where" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-17

rgod has discovered a vulnerability in PHP-Fusion, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20129/

--
[SA20125] Caucho Resin Two Disclosure of Sensitive Information Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-05-17

Two vulnerabilities have been reported in Caucho Resin, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20125/

--
[SA20106] Hitachi EUR Unspecified SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-17

A vulnerability has been reported in EUR, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20106/

--
[SA20104] DeluxeBB "name" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-16

KingOfSka has discovered a vulnerability in DeluxeBB, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20104/

--
[SA20096] GNUnet Empty UDP Datagram Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-05-15

Luigi Auriemma has reported a vulnerability in GNUnet, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20096/

--
[SA20089] e107 "e107_cookie" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-15

socsam has discovered a vulnerability in e107, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20089/

--
[SA20088] phpCOIN E-Mail Address Disclosure of Arbitrary Messages

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-05-12

A vulnerability has been reported in phpCOIN, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20088/

--
[SA20084] AliPAGER "ubild" Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-05-11

Hamid Ebadi has discovered a vulnerability in AliPAGER, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20084/

--
[SA20144] Sun Java System Directory Server Authentication Bypass

Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-05-17

A security issue has been reported in Sun Java System Directory Server, which can be exploited by malicious people to gain unauthorised access.

Full Advisory:
http://secunia.com/advisories/20144/

--
[SA20141] phpRemoteView Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-17

Soot has discovered some vulnerabilities in phpRemoteView, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20141/

--
[SA20130] BEA WebLogic Server/Express Multiple Security Issues

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information
Released:    2006-05-16

Multiple security issues and a vulnerability have been reported in WebLogic Server / Express, which can be exploited by malicious people to disclose system and sensitive information, and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20130/

--
[SA20118] Directory Listing Script "dir" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-15

Kiki has discovered a vulnerability in Directory Listing Script, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20118/

--
[SA20113] phpMyAdmin "theme" and "db" Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-15

Two vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20113/

--
[SA20111] phpODP "browse" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-15

Kiki has discovered a vulnerability in phpODP, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20111/

--
[SA20110] Jax Guestbook "guestbook.admin.php" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-15

Kiki has discovered a vulnerability in Jax Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20110/

--
[SA20105] Confixx Pro "login" Parameter Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-16

LoK-Crew has reported a vulnerability in Confixx Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20105/

--
[SA20101] FlexChat "username" Parameter Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-15

r0t has discovered a vulnerability in FlexChat, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20101/

--
[SA20095] GPhotos Cross-Site Scripting and Disclosure of Arbitrary Directories

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-05-15

Moroccan Security has discovered some vulnerabilities and a weakness in GPhotos, which can be exploited by malicious people to disclose system information and conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20095/

--
[SA20091] OZJournals "vname" Parameter Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-12

Kiki has discovered a vulnerability in OZJournals, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20091/

--
[SA20093] phpBB "Upload Avatar from a URL" Remote HTTP Request Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-05-16

rgod has discovered a weakness in phpBB, which can be exploited by malicious people to use it for making HTTP requests to other sites.

Full Advisory:
http://secunia.com/advisories/20093/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web     : http://secunia.com/
E-mail  : support at secunia.com
Tel     : +45 70 20 51 44
Fax     : +45 70 20 51 45

From isn at c4i.org Fri May 19 03:15:27 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 19 May 2006 02:15:27 -0500 (CDT)
Subject: [ISN] ACSAC 22 (Miami Beach, FL) - June 4 submission deadline
Message-ID:

Forwarded from: ACSAC Distribution Manager

Dear colleague.

Apologies if you receive multiple copies of this announcement.

PDF versions at
http://www.acsac.org/2006/cfp_2006.pdf
http://www.acsac.org/2006/cfp_2006-a4.pdf

---------------------------
Call For Participation
---------------------------

Submission deadline approaching!

22nd Annual Computer Security Applications Conference
December 11-15, 2006
Miami Beach, Florida
http://www.acsac.org

                     Submission       Acceptance
                     Deadline         Notification
Technical Track      June 4, 2006     Aug. 13, 2006
Panels               June 4, 2006     Aug. 13, 2006
Tutorials            June 4, 2006     Jul. 20, 2006
Workshop             June 4, 2006     Jul. 20, 2006
Case Studies         June 4, 2006     Aug. 15, 2006
Works in Progress    Sep. 8, 2006     Oct. 1, 2006

See http://www.acsac.org/cfp for detailed submission information!

Please submit blinded papers, at most 10 pages in length at 11pt.

---------------------------------------------------------------------------

ACSAC is presented by a group of professionals who are working to facilitate information sharing among colleagues. We're an all-volunteer not-for-profit organization.
Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.

You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at http://www.acsac.org/list.

We have moved to a new web host and are trying to remove duplicates from our mailing lists. If you receive duplicate messages, or simply want to be removed from our list, please reply with the word REMOVE in the subject.

From isn at c4i.org Fri May 19 03:15:40 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 19 May 2006 02:15:40 -0500 (CDT)
Subject: [ISN] Not for sale: Military clampdown on stolen computer drives turns market cold
Message-ID:

http://www.signonsandiego.com/news/military/20060508-1009-afghan-us-stolenintelligence.html

By Jason Straziuso
ASSOCIATED PRESS
May 8, 2006

BAGRAM, Afghanistan - Computer storage devices containing sensitive military information stolen from the U.S. base here and widely available in shops last month are now hard to come by.

The U.S. military has increased security measures to prevent Afghan workers from slipping the small portable flash drives into their pockets in order to sell them to shops near the main American base in Afghanistan, a U.S. spokesman and shopkeepers said Monday.

One shopkeeper said Afghan workers on the Bagram base are now scrutinized carefully on their way out. "They even look in their shoes," said the 40-year-old shopkeeper, who would only give his first name, Amruddin.

In April, dozens of used flash drives were available in markets here. Drives viewed by The Associated Press had the Social Security numbers of hundreds of soldiers, including four generals, and lists of troops who completed nuclear, chemical and biological warfare training. The Los Angeles Times, which broke the story, reported that some drives had classified military secrets, including maps, charts and intelligence reports concerning the Taliban and al-Qaeda.
Soon after those stories, the military went from shop to shop and bought all the drives they could find, concentrating on the used devices, which would be more likely to contain military information. Most shopkeepers said Tuesday they no longer had any used drives for sale. Lt. Col. Paul Fitzpatrick, a military spokesman, said the majority of the drives the military bought were unused or had unclassified information on them. He said the investigation into the thefts was ongoing. The military now has measures in place to better protect the storage devices, particularly the ones with classified information on them, Fitzpatrick said. He would not provide specifics. "Could there still be stuff out there? Yes, there could be," he said, noting there were 2,000 Afghan employees on the U.S. base. "But we will continue to monitor the situation. Gray and black market business is common in this country". Shopkeepers said they still received goods from inside the U.S. base, but not at the rate they once did. One shopkeeper, who gave his name as Mohammed Agha, showed the AP three used drives Monday that he said came from the base, though that was impossible to verify. One of the drives had no information on it, and the other two were password protected. Agha said that last month he had dozens of used drives. Agha did, however, show the AP a brand new Toshiba laptop computer he said came from the base. It had most of its original packaging, and scrawled in black marker on the outside of the computer box was: "Mouse keeps freezing." He would not let the AP review the hard drive. Also available at Agha's shop was a used iPod he said came from the base and telephone calling cards from AT&T that said "military exchange" on them. Amruddin said shopkeepers "did a very good business" when the American soldiers came through to buy their goods last month. He said he hasn't had a used flash drive to sell since. 
"A few people still bring small things from the base, but not like before," he said. From isn at c4i.org Fri May 19 03:14:56 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 19 May 2006 02:14:56 -0500 (CDT) Subject: [ISN] Zimbabwe to introduce legislation on cyber crime Message-ID: http://english.peopledaily.com.cn/200605/18/eng20060518_266621.html Xinhua May 18, 2006 The Zimbabwean government plans to come up with legislation to curb cyber crime in the country in view of its increasing threat to world economies, Transport and Communication Minister Christopher Mushowe said on Wednesday. He said this in a speech read on his behalf during the commemorations to mark World Telecommunications Day under the theme of "Promoting Global Cybersecurity". "Given the threats that are posed to global economies by cyber crime, there is need to come up with measures to combat this crime, " he said. Most countries, including Zimbabwe, had laws and regulations outdated for protecting networked information, he said. On the contrary, he said, perpetrators were always updating their technologies making it difficult for the laws to catch up. "Most of the existing statutes do not have sufficiently deterrent penalties on cyber crime," he said, adding that the government would work with stakeholders including Parliament, in formulating consensus on the way forward in combating cyber crime. Cyber crime takes various forms, including Spam, which disrupts networks, cuts productivity and spreads viruses. It also involves distribution of offensive material like racist propaganda, electronic money laundering, electronic vandalism, terrorism, extortion, hacking and illegal interception of telecommunications, which violates individual privacy. 
The minister said Zimbabwe would soon come up with measures to curb this crime, including raising awareness through the country's education system, cooperating with other countries in the exchange of technical information and communication network security. Other measures included building capacity of cyber space users and joining forces with the private sector in combating the crime through Public Private Partnerships (PPP). Zimbabwe's telecommunications regulatory body, Potraz said cyber security could be strengthened through development of a national framework that involves public and private sectors. It said lack of adequate security hindered the use of information and communication technologies that rely on the protection and confidentiality of sensitive data. "Unless these security and trust issues are addressed, the benefits of the information society to citizens, business and governments cannot be fully realized," said Potraz. From isn at c4i.org Fri May 19 03:15:54 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 19 May 2006 02:15:54 -0500 (CDT) Subject: [ISN] Blue Security Kicked While It's Down Message-ID: http://blog.washingtonpost.com/securityfix/2006/05/blue_security_surrenders_but_s.html By Brian Krebs May 17, 2006 Hours after anti-spam company Blue Security pulled the plug on its spam-fighting Blue Frog software and service, the spammers whose attack caused the company to wave the white flag have escalated their assault, knocking Blue Security's farewell message and thousands more Web sites offline. Just before midnight ET, Blue Security posted a notice on its home page that it was bowing out of the anti-spam business due to concerted attacks against its Web site that took millions of other sites and blogs with it. Within minutes of that online posting, bluesecurity.com went down and remains inaccessible at the time of this writing. 
According to information obtained by Security Fix, the reason is that the attackers were hellbent on taking down Blue Security's site again, but had trouble because the company had signed up with Prolexic, which specializes in protecting Web sites from "distributed denial-of-service" (DDoS) attacks. These massive assaults harness the power of thousands of hacked PCs to swamp sites with so much bogus traffic that they can no longer accommodate legitimate visitors. Prolexic built its business catering to the sites most frequently targeted by DDoS extortion attacks -- chiefly, online gambling and betting houses. But the company also serves thousands of other businesses, including banks, insurance companies and online payment processors. For the past nine hours, however, most of Prolexic's customers have been knocked offline by an attack that flanked its defenses. Turns out the attackers decided not to attack Prolexic, but rather UltraDNS, its main provider of domain name system (DNS) services. (DNS is what helps direct Internet traffic to its destination by translating human-readable domain names like "www.example.com" into numeric Internet addresses that are easier for computers to understand.) UltraDNS is the authoritative DNS provider for all Web sites ending in ".org" and ".uk," and also markets its "DNS Shield" service designed to help sites defend against another, increasingly common type of DDoS -- one that targets weaknesses inherent in the DNS system. (Incidentally, UltraDNS was recently acquired by Neustar, which in turn is responsible for handling all ".biz" domain registrations, and for overseeing the nation's authoritative directory of telephone numbers.) In this case, at least, it does not appear that the DNS Shield service worked as advertised. Earlier today, I spoke with Prolexic founder Barrett G. Lyon, who told me the attack on UltraDNS had knocked about 80 percent of his company's clients offline, or roughly 2,000 or so Web businesses. 
Most of those businesses also remain offline as of this writing.

According to Lyon, the unknown attackers hit a key portion of UltraDNS's network with a flood of spoofed DNS requests at a rate of around 4 to 5 gigabits per second, which is enough traffic to make just about any Web site on the Internet fall over (many Internet routers can handle only a few hundred megabits of traffic before they start to fail).

But this was no normal DDoS attack -- it was a kind of DDoS on the DNS system that security experts say has become alarmingly more common over the past six to eight months. Known as DNS amplification attacks or "reflected DNS attacks," these kinds of DDoS assaults increase the traffic hurled at a victim by orders of magnitude.

In a nutshell, the attackers find a whole bunch of poorly configured DNS servers and use them to create and send spoofed DNS requests from systems they control to the DNS servers they want to cripple. Because the DNS requests appear to be coming from other trusted DNS servers, the target servers have trouble distinguishing regular, legitimate DNS lookups from ones sent by the attackers. Sustained for long enough, the attack eventually overloads the victim's DNS servers with queries and knocks them out of commission.

To put the raw power of DNS amplification into perspective, consider the attack that knocked Akamai offline in the summer of 2004. For anyone unfamiliar with this company, Akamai sells a rather pricey service that lets deep-pocketed companies like FedEx, Microsoft and Xerox mirror their Web site content at thousands of different online servers, making DDoS attacks against their sites extremely difficult. Akamai was for a long time considered the gold standard until one day in June 2004, when a DDoS attack knocked the company's services offline for about an hour.
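The post describes amplification loosely; the mechanism is that the attacker's small queries carry the victim's spoofed source address, so the open resolvers' much larger answers land on the victim. From a resolver operator's side that leaves two things worth looking for in query logs: repeated large answers to small (typically ANY) queries for one address, and recursion being granted to addresses outside the networks the server is meant to serve. The following Python is an added example written for this post; it is not code from Security Fix, UltraDNS or Prolexic, and the log format, field names, addresses and byte counts are constructed.

```python
"""Spot DNS reflection/amplification indicators in resolver query logs.

Added example for the Security Fix post above; it is not code from the post,
UltraDNS or Prolexic. The log format, field names, addresses and byte counts
are constructed for illustration (real resolvers log differently).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: client, qname, qtype, "rd"/"-" (recursion desired),
# query bytes, response bytes. In a reflection attack the "client" address is
# the spoofed victim, so repeated large answers to one address are the tell.
SAMPLE_LOG = """\
198.51.100.7 example.org ANY rd 64 3120
198.51.100.7 example.org ANY rd 64 3120
198.51.100.7 example.org ANY rd 64 3120
198.51.100.7 example.org TXT rd 60 2900
203.0.113.9 www.example.org A rd 48 64
203.0.113.9 mail.example.org MX rd 52 120
192.0.2.44 example.org ANY rd 64 3120
"""

# Constructed: the networks this resolver is supposed to recurse for.
ALLOWED_RECURSION = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class ClientStats:
    queries: int = 0
    any_queries: int = 0
    query_bytes: int = 0
    response_bytes: int = 0


def parse_log(text):
    """Turn the sample lines into (client, qname, qtype, rd, qlen, rlen) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype, rd, qlen, rlen = line.split()
        records.append((client, qname, qtype, rd == "rd", int(qlen), int(rlen)))
    return records


def summarize(records):
    """Aggregate query counts and byte volumes per (apparent) client address."""
    stats = defaultdict(ClientStats)
    for client, _qname, qtype, _rd, qlen, rlen in records:
        s = stats[client]
        s.queries += 1
        s.query_bytes += qlen
        s.response_bytes += rlen
        if qtype == "ANY":
            s.any_queries += 1
    return stats


def flag_amplification(stats, ratio_threshold=20.0, min_queries=3):
    """Return {client: amplification ratio} for addresses receiving a stream of
    large answers to small, mostly ANY, queries: likely reflection victims."""
    flagged = {}
    for client, s in stats.items():
        ratio = s.response_bytes / s.query_bytes
        mostly_any = s.any_queries / s.queries >= 0.5
        if s.queries >= min_queries and ratio >= ratio_threshold and mostly_any:
            flagged[client] = round(ratio, 1)
    return flagged


def open_recursion_clients(records, allowed=ALLOWED_RECURSION):
    """Addresses outside our own networks that asked for recursion: evidence
    that the server is an open resolver usable as a reflector."""
    outside = set()
    for client, _qname, _qtype, rd, _qlen, _rlen in records:
        addr = ipaddress.ip_address(client)
        if rd and not any(addr in net for net in allowed):
            outside.add(client)
    return sorted(outside)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("reflection targets:", flag_amplification(summarize(records)))
    print("off-net recursion from:", open_recursion_clients(records))
```

On the constructed sample the 198.51.100.7 address is flagged with a byte ratio near 49 (it is the spoofed victim, not the attacker, so blocking it is the wrong response); the defensive moves are to stop recursing for off-net clients, to refuse or minimise answers to ANY, and to rate-limit identical responses per destination, which is what the response rate limiting features of modern authoritative servers do.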
Akamai never talked publicly about the specifics of the attack, but several sources close to the investigation told me later that the outage was the result of a carefully coordinated DNS amplification attack -- one that was stopped when the attackers decided they had made their point (which was no doubt to demonstrate to would-be buyers of their DDoS services that they could knock just about anyone off the face of the Web.) So where am I going with all of this? Well, UltraDNS marketed its DNS Shield as a protection against exactly these same types of amplification attacks. Only in this case it doesn't appear to have worked -- though, to be fair I haven't heard UltraDNS's side of the story since they have yet to return my calls. No doubt they are busy putting out fires. At any rate, score another one for the spammers, I suppose. -=- Update, 7:46 p.m. ET: I heard back from Neustar. Their spokesperson, Elizabeth Penniman, declined to discuss anything about today's attacks, saying only that "we have a handle on the situation and continue to work with service providers to ensure the best possible level of service to our customers." From isn at c4i.org Fri May 19 03:16:05 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 19 May 2006 02:16:05 -0500 (CDT) Subject: [ISN] Cyber crooks dip into Frost accounts Message-ID: http://www.mysanantonio.com/business/stories/MYSA051906.01E.frosttheft.216bbd06.html William Pack Express-News Business Writer 05/19/2006 Hackers dipped into the accounts of about 100 Frost Bank customers after they took Visa debit card information from the database of an unnamed national retailer and went on a spending spree, Frost officials said Thursday. The information system breach compromised credit card accounts with banks across the nation, Frost Bank officials said, although Frost was apparently the only one to acknowledge that it was advising affected customers of the incident. The bank restored funds to accounts that sustained losses. 
"We want our customers to know they have no liability," said Senior Vice President Sharion Scott. Frost, which is contacting affected customers by letter or phone, did not divulge the amount lost. A statement from Visa USA said a domestic merchant had notified the company that a data security breach may have compromised Visa card account information. Visa said it alerted affected financial institutions. The credit-card company did not reveal the number of affected institutions, the retailer involved or the time of the thefts. In a letter to affected customers, Frost said Visa had advised bank officials that Visa, MasterCard, and other debit and credit card numbers from banks across the country could have been compromised. Officials at Bank of America, Citigroup and Wachovia said they did not have enough information to comment Thursday. The incident is lumped in with the burgeoning wave of identity theft that financial institutions are combating. A 2004 Justice Department study said about three of every 100 U.S. households had been recent victims of identity theft. But in this case, no names, Social Security numbers or other personal identification were taken, Scott said. Visa told the bank that personal identification numbers of credit card customers and account numbers were stolen when a national retailer's database was breached. The cyber intruders gained access to about 9,300 Frost debit card accounts but used less than 1 percent of them, Scott said. She emphasized that the break-in affected another company's data system, not Frost Bank's. 
From isn at c4i.org Fri May 19 03:16:21 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 19 May 2006 02:16:21 -0500 (CDT) Subject: [ISN] OMB official: Too soon to judge computer security law Message-ID: http://www.govexec.com/story_page.cfm?articleid=34111 By David Perera dperera @ govexec.com May 18, 2006 The Federal Information Security Management Act isn't old enough for its most effective provisions to prompt great cybersecurity improvements, an Office of Management and Budget official said Thursday. The act, known as FISMA, took effect in 2002. It called for agencies, over a period of as long as two years, to identify and categorize their information technology systems according to the level of risk that a compromise would pose. The second phase is implementing security controls based on those risks, a process that's been going on for only 18 to 24 months, said Glenn Schlarman, OMB branch chief for information policy and technology. He spoke Thursday on a breakfast panel sponsored by Government Executive. The controls phase "is new, and that has never been done anywhere by anyone," Schlarman said. The federal government has "some very strong pockets of security, and some really weak pockets of security," he added. FISMA lately has been criticized as a paper-based exercise divorced from the real needs of cybersecurity. The law "measures the wrong things, and it measures the wrong things the wrong way," said Bruce Brody, also a panelist at the breakfast. He is a former federal cybersecurity chief and recently became a vice president at INPUT, a Reston, Va.-based government market analysis firm. The federal government is making little headway in tackling cybersecurity problems, said Alan Paller, the third breakfast panelist and director of research at the SANS Institute, a nonprofit cybersecurity research organization. "In order to make progress, you actually [have] to reduce the problem a little bit, [but] the problem is being made harder," he said. 
A chief information security officer in the audience, who asked not to be identified, said FISMA can be effective, depending on how it is implemented. The official cited the process of certification and accreditation of IT systems, saying, "if you want to do C&A the [Defense Department] way, you will not succeed." The process requires agencies to account for all their systems, implement risk-based technical controls and formally authorize systems' continued operation. Although the certification and accreditation process predates FISMA by decades, it is a key measurement that Congress uses in its annual score card assessing compliance with the law. But the process heavily contributes to the ineffectiveness of FISMA, Brody and Paller contended. Nobody reads the accompanying reports, Paller said, and the money spent on paying contractors to prepare those reports would be better used on real-time monitoring. The Defense Department follows a particularly burdensome and paper-filled certification and accreditation process, the federal official said. But, "if you're doing this right, you're doing this smart; you're not doing this as a paper exercise," the official said. Continuous testing and monitoring of IT systems is part of FISMA compliance, Schlarman said. "If it isn't being done that way, then we have an implementation issue." The law has called attention to the serious problem of cybersecurity, Brody said. But "there are some evolutionary possibilities that could take FISMA and the regulatory environment to another level," he said. "Benjamin Franklin said the definition of insanity is doing the same thing over and over and expecting different results." 
From isn at c4i.org Fri May 19 03:16:34 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 19 May 2006 02:16:34 -0500 (CDT) Subject: [ISN] WBAB offers $10K reward for radio hijacker Message-ID: http://www.newsday.com/news/local/longisland/ny-liwbab0519,0,5192460.story?coll=ny-editorials-headlines By BART JONES Newsday Staff Writer May 19, 2006 WBAB radio executives asked the Federal Communications Commission Thursday to investigate who hijacked their radio signal and broadcast racial slurs, and offered a $10,000 reward for information leading to an arrest. The station said it was immediately implementing steps to prevent another hijacking after it lost control of its broadcast Monday at 7:10 a.m. for a couple of minutes and the hacker transmitted a country and western-style song attacking blacks. "This was not a child's prank. This was a federal offense," station programmer John Olsen said at a news conference. "Clearly someone has a bone to pick with WBAB." The station at 102.3 FM on the radio dial was rocked by controversy last week after the hosts of the popular Roger and JP morning show, Roger Luce and John Parise, played a fake commercial that contained ethnic slurs targeting the Latino community. At the news conference Thursday, Luce and Parise urged anyone with information on the hacker to come forward. Parise suggested checking Long Island and New York City radio message boards. "The technical types tend to be the ones that chime in on those message boards," he said. John Shea, the station's general manager, said the hacker used an illegal transmitter and a small antenna to intercept the high frequency microwave signal the station sends between its studios in Babylon and its transmitting tower 6 miles away in Dix Hills. Luce said that when a Pink Floyd song was replaced suddenly by static Monday morning, he initially thought it might have been the weather playing havoc. 
Then, when the country and western-style song came on, he thought a Rhode Island station might have been overlapping with WBAB. When he heard the song's lyrics, he said he knew they'd been hijacked. He and Parise tried to turn off the transmitter, but couldn't because the hacker had taken over the signal, Shea said. The station regained control when the hacker cut out. "I've been in this business 26 years," Shea said, "and it's the first time I've seen it." From isn at c4i.org Mon May 22 04:40:39 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 22 May 2006 03:40:39 -0500 (CDT) Subject: [ISN] Inside Windows IT Security UPDATE Message-ID: ======================= This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows IT Security UPDATE. Symantec http://list.windowsitpro.com/t?ctl=2B1FD:4FB69 St. Bernard Software http://list.windowsitpro.com/t?ctl=2B1F9:4FB69 Websense http://list.windowsitpro.com/t?ctl=2B1FF:4FB69 ======================= What's in the June 2006 Issue of Windows IT Security - Feature: Reaping the Benefits of WPA and PEAP - Access Denied - Toolbox: Nmap 4.0 Does Windows ======================= ==== Sponsor: Symantec ==== A multi-tier approach to email security prevents unauthorized access and can stop spam, viruses, and phishing attacks. Learn to implement one today, and protect your network security and business systems! http://list.windowsitpro.com/t?ctl=2B1FD:4FB69 ======================= What's in the June 2006 Issue of Windows IT Security Focus: The Benefits of WPA and PEAP Learn how to secure your WLAN with WPA and PEAP, how to craft an effective password policy, how to use free tools to audit your Web applications, how to use Nmap 4.0 to scan for rogue applications, and more. 
The following article is available at no charge to nonsubscribers for a limited time: Reaping the Benefits of WPA and PEAP Learn about the benefits and configuration steps for securing your wireless networks by using WPA or WPA2 technology. --John Howie http://list.windowsitpro.com/t?ctl=2B201:4FB69 Nonsubscribers now have access to the Access Denied and Toolbox columns: Access Denied --Randy Franklin Smith Preventing Users with Administrator Authority from Installing Software Although no measure is completely effective, here are some methods you can use to make it harder for users to load unauthorized applications on their computers. http://list.windowsitpro.com/t?ctl=2B207:4FB69 Defending Against Rootkits Prevention is the best medicine against rootkits, which are deployed the same way as other malware but are harder to detect once they're on your computer. http://list.windowsitpro.com/t?ctl=2B205:4FB69 Auditing Folder Permission Changes Here's how to configure Windows to record alterations of folder permissions in the Security log. http://list.windowsitpro.com/t?ctl=2B206:4FB69 Toolbox: Nmap 4.0 Does Windows This essential open-source network port scanner can help you quickly identify applications running on your network and easily test firewalls and IDSs. --Jeff Fellinge http://list.windowsitpro.com/t?ctl=2B200:4FB69 Subscribers have access to the entire contents of the June 2006 issue. For a list of the other articles available in this issue, go to http://list.windowsitpro.com/t?ctl=2B202:4FB69 Windows IT Security is a monthly, paid, print newsletter loaded with news and tips to help you manage, optimize, and secure your Web-enabled enterprise. In addition to receiving the monthly print newsletter, subscribers can access all the newsletter content, including the most recent issue, at the Windows IT Security Web site. http://list.windowsitpro.com/t?ctl=2B20D:4FB69 Subscribe today and access all the issues online! 
http://list.windowsitpro.com/t?ctl=2B203:4FB69 ======================= ==== Sponsor: St. Bernard Software ==== Examine the threats of allowing unwanted or offensive content into your network and learn about the technologies and methodologies to defend against inappropriate content, spyware, IM, and P2P. http://list.windowsitpro.com/t?ctl=2B1F9:4FB69 ======================= ==== Events & Resources ==== (from Windows IT Pro and its partners) Use virtual lab automation solutions to address special challenges in pre- production and staging environments, such as virtual server file library management, provisioning, configuration, and remote access concerns. Live Event: Thursday, May 18 http://list.windowsitpro.com/t?ctl=2B1FA:4FB69 Mark Joseph Edwards discusses emerging spyware threats, including rootkits and keyloggers, and spyware distribution methods. Live Event: Tuesday, May 30 http://list.windowsitpro.com/t?ctl=2B1FB:4FB69 Maximize your VoIP environment by integrating FoIP technology to increase ROI and streamline processes. http://list.windowsitpro.com/t?ctl=2B204:4FB69 Learn the advantages of running SQL Server 2005 and its BI subsystems on the x64 platform; the performance benefits the x64 architecture provides for Analysis Services, Integration Services, and Reporting Services; and how to migrate to the new 64-bit x64 platform. http://list.windowsitpro.com/t?ctl=2B1FC:4FB69 ==== Featured White Paper ==== Determining effective permissions on Windows can be incredibly challenging. In this must-have white paper, you'll learn why it's essential to determine effective permissions; how to determine who has access to critical information in Windows; how to resolve overlapping permissions for network access, shared hierarchies, and local machine rights; and how entitlement reporting can overcome the challenges with an automated solution. 
http://list.windowsitpro.com/t?ctl=2B1FE:4FB69 ======================= ==== Hot Release ==== Combat phishing and pharming with complete protection against complex internet threats by filtering at multiple points on the gateway, network, and endpoints. http://list.windowsitpro.com/t?ctl=2B1FF:4FB69 ==== Announcements ==== (brought to you by Windows IT Pro) Windows IT Pro Master CD--SAVE 50%! Subscribe today and get portable, high-speed access to the entire Windows IT Pro article database on CD. This searchable library includes every Windows IT Pro issue ever published. The newest issue also includes BONUS Windows IT Tips. Order now and save: http://list.windowsitpro.com/t?ctl=2B208:4FB69 May Exclusive--Get $100 off the Windows IT Security Newsletter For a limited time, order the Windows IT Security newsletter and SAVE up to $100! In addition to 12 helpful issues loaded with solutions you won't find anywhere else, you'll get FREE access to the entire Windows IT Security online article database. Subscribe now: http://list.windowsitpro.com/t?ctl=2B209:4FB69 ======================= ==== Contact Us ==== About the newsletter -- letters at windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=2B20E:4FB69 About product news -- products at windowsitpro.com About your subscription -- securityupdate at windowsitpro.com About sponsoring UPDATE -- salesopps at windowsitpro.com ======================= Make sure your copy of Inside Windows IT Security UPDATE doesn't get mistakenly blocked by antispam software! Be sure to add Inside_WindowsITSecurity_Update at list.windowsitpro.com to your list of allowed senders and contacts. This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and internal users. Subscribe today! 
http://list.windowsitpro.com/t?ctl=2B20B:4FB69 View the Windows IT Pro Privacy policy at http://list.windowsitpro.com/t?ctl=2B20C:4FB69 Windows IT Pro is a division of Penton Media Inc. 221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department Copyright 2006, Penton Media, Inc. All Rights Reserved. From isn at c4i.org Mon May 22 04:39:49 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 22 May 2006 03:39:49 -0500 (CDT) Subject: [ISN] WBAB offers $10K reward for radio hijacker Message-ID: Forwarded from: security curmudgeon : http://www.newsday.com/news/local/longisland/ny-liwbab0519,0,5192460.story?coll=ny-editorials-headlines : : By BART JONES : Newsday Staff Writer : May 19, 2006 : : WBAB radio executives asked the Federal Communications Commission : Thursday to investigate who hijacked their radio signal and broadcast : racial slurs, and offered a $10,000 reward for information leading to an : arrest. http://www.newsday.com/news/local/longisland/ny-libab134740236may13,0,2053575.story WBAB jocks apologize for racist bit BY BART JONES Newsday Staff Writer May 13, 2006 Under threat of suspension or firing, two WBAB radio hosts Friday apologized profusely for a fake commercial they aired called "Wetback Steakhouse," said they would undergo cultural sensitivity training and channel more of the charitable donations they raise to Latino groups. John Parise and Roger Luce of the Roger and JP morning show also said the station would invite Latinos onto its public affairs programs to discuss issues affecting their community. The minute-long "ad," which aired several times last week, featured a narrator imitating a Spanish accent inviting "landscapers" and "dishwashers" to the "Wetback Steakhouse" in Farmingville to enjoy dishes such as "the lawnmower - beef with rice and beans." [..] 
From isn at c4i.org Mon May 22 04:40:05 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 22 May 2006 03:40:05 -0500 (CDT)
Subject: [ISN] Linux Advisory Watch - May 19th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  May 19th, 2006                            Volume 7, Number 21n     |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas      ben at linuxsecurity.com  |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, advisories were released for Mozilla Firefox, webcalendar, phpLDAPadmin, and awstats.

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

---

Packet Sniffers

One of the most common ways intruders gain access to more systems on your network is by employing a packet sniffer on an already compromised host. This "sniffer" just listens on the Ethernet port for things like passwd and login and su in the packet stream and then logs the traffic after that. This way, attackers gain passwords for systems they are not even attempting to break into. Clear-text passwords are very vulnerable to this attack.

Example: Host A has been compromised.
Attacker installs a sniffer. Sniffer picks up admin logging into Host B from Host C. It gets the admin's personal password as they log in to B. Then, the admin does a su to fix a problem. They now have the root password for Host B. Later the admin lets someone telnet from his account to Host Z on another site. Now the attacker has a password/login on Host Z.

In this day and age, the attacker doesn't even need to compromise a system to do this: they could also bring a laptop or pc into a building and tap into your net.

Using ssh or other encrypted password methods thwarts this attack. Things like APOP for POP accounts also prevent this attack. (Normal POP logins are very vulnerable to this, as is anything that sends clear-text passwords over the network.)

From the Linux Security HowTo by Dave Wreski:
http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/

---

EnGarde Secure Linux v3.0.6 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.6 (Version 3.0, Release 6). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and a couple of new packages available for installation. The following reported bugs from bugs.engardelinux.org are fixed in this release:

Read Article:
http://www.linuxsecurity.com/content/view/122648/65/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
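The Packet Sniffers section above makes the point that anything sending clear-text passwords is exposed to a sniffer on the same segment, and that ssh, APOP and the like are the fix. The defender's first step is finding out where clear-text logins still happen on the network. The following Python is an added example, not code from the Linux Security HOWTO or linuxsecurity.com: it audits a constructed set of captured application-layer messages, reports each clear-text login by protocol and endpoints (deliberately without recording the credential itself), and names the encrypted replacement. The record format, addresses and payloads are all constructed; a real run would be fed by a capture tool.

```python
"""Audit captured traffic for clear-text logins (the exposure the HOWTO describes).

Added example, not from the Linux Security HOWTO. The record format below is
constructed: one line per captured application-layer message with
src, dst, destination port and the first bytes of payload.
"""

# Protocols that carry the login in the clear, keyed by their usual port,
# and what to migrate each one to.
CLEARTEXT_PORTS = {23: "telnet", 21: "ftp", 110: "pop3", 143: "imap", 513: "rlogin"}
ENCRYPTED_ALTERNATIVE = {
    "telnet": "ssh",
    "rlogin": "ssh",
    "ftp": "sftp or scp",
    "pop3": "pop3s or APOP",
    "imap": "imaps",
}

# Payload fragments that mark the moment a password crosses the wire.
CREDENTIAL_MARKERS = ("PASS ", "Password:", "password:")

# Constructed sample capture: "src dst dport payload". The telnet session
# mirrors the HOWTO's scenario (login, then su); the ssh and pop3s lines
# show encrypted sessions the audit must leave alone.
SAMPLE_CAPTURE = """\
10.0.0.5 10.0.0.8 110 USER alice
10.0.0.5 10.0.0.8 110 PASS hunter2
10.0.0.5 10.0.0.9 23 login: alice
10.0.0.5 10.0.0.9 23 Password: s3cret
10.0.0.5 10.0.0.9 23 su -
10.0.0.5 10.0.0.9 23 Password: r00tpw
10.0.0.5 10.0.0.10 22 SSH-2.0-OpenSSH_4.3
10.0.0.6 10.0.0.8 995 (tls handshake)
"""


def parse_capture(text):
    """Split the constructed records into (src, dst, dport, payload) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, payload = line.split(" ", 3)
        records.append((src, dst, int(dport), payload))
    return records


def find_cleartext_logins(records):
    """Return one (src, dst, protocol, replacement) finding per clear-text
    session that carried a password. The credential is never copied out:
    the report is for fixing the service, not for harvesting logins."""
    findings = []
    seen = set()
    for src, dst, dport, payload in records:
        proto = CLEARTEXT_PORTS.get(dport)
        if proto is None:
            continue  # not a known clear-text login protocol
        if not any(marker in payload for marker in CREDENTIAL_MARKERS):
            continue  # chatter on the port, but no password in this message
        key = (src, dst, proto)
        if key in seen:
            continue  # the telnet su prompt is the same session; report once
        seen.add(key)
        findings.append((src, dst, proto, ENCRYPTED_ALTERNATIVE[proto]))
    return findings


def services_to_migrate(findings):
    """Servers still accepting clear-text logins, so the fix list is per host."""
    return sorted({(dst, proto) for _src, dst, proto, _fix in findings})


if __name__ == "__main__":
    found = find_cleartext_logins(parse_capture(SAMPLE_CAPTURE))
    for src, dst, proto, fix in found:
        print(f"{src} -> {dst}: {proto} login in the clear; move to {fix}")
    print("servers to migrate:", services_to_migrate(found))
```

The port table is a heuristic: a service on a non-standard port will be missed, so on a real network the audit should be paired with an inventory of listening services, and the capture itself must be handled as sensitive data since it contains exactly what a sniffer would take.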
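The permissions note above names the mistake (file and directory modes far more liberal than the service needs) but leaves the checking to the reader. As an added example, not code from the linuxsecurity.com article, the Python below walks a directory tree and reports the patterns that account for most of those mistakes: world-writable files, world-writable directories without the sticky bit, and setuid or setgid executables. It builds a small constructed tree in a temporary directory so it runs anywhere; in use you would point audit_tree() at a real path such as a web root or /etc.

```python
"""Find overly liberal file and directory permissions under a path.

Added example (not from the linuxsecurity.com article). Builds a small
constructed tree in a temporary directory so it runs anywhere; point
audit_tree() at a real path for actual use.
"""
import os
import stat
import tempfile


def classify(st):
    """Return the list of permission problems for one stat result."""
    mode = st.st_mode
    problems = []
    if stat.S_ISDIR(mode):
        # World-writable directory without the sticky bit: any user can
        # rename or delete other users' files in it (compare /tmp, 1777).
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            problems.append("world-writable-dir-no-sticky")
    elif stat.S_ISREG(mode):
        if mode & stat.S_IWOTH:
            problems.append("world-writable-file")
        # setuid/setgid are not wrong by themselves, but each one needs a
        # reason to exist, so the audit lists them for review.
        if mode & stat.S_ISUID:
            problems.append("setuid")
        if mode & stat.S_ISGID:
            problems.append("setgid")
    return problems


def audit_tree(root):
    """Map path (relative to root) -> problems for every offending inode."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is meaningless; audit its target
            problems = classify(st)
            if problems:
                findings[os.path.relpath(path, root)] = problems
    return findings


def build_sample_tree():
    """Constructed tree reproducing common mistakes; returns its root."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)      # mistake: no sticky bit
    os.mkdir(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)         # fine: sticky, like /tmp
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php $db_pass = 'constructed'; ?>\n")
    os.chmod(os.path.join(root, "config.php"), 0o666)   # mistake: world-writable
    with open(os.path.join(root, "helper"), "w") as f:
        f.write("#!/bin/sh\necho hi\n")
    os.chmod(os.path.join(root, "helper"), 0o4755)      # setuid: needs review
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html></html>\n")
    os.chmod(os.path.join(root, "index.html"), 0o644)   # fine
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, problems in sorted(audit_tree(sample_root).items()):
        print(f"{path}: {', '.join(problems)}")
```

On the constructed tree the report names uploads, config.php and helper and stays silent on tmp and index.html, which is the distinction the article is after: world-writability is only acceptable where the sticky bit and the service's design call for it.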
http://www.linuxsecurity.com/content/view/119415/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian |
+---------------------------------+

* Debian: New Mozilla Firefox packages fix arbitrary code execution
11th, May, 2006
Updated package.
http://www.linuxsecurity.com/content/view/122741

* Debian: New webcalendar packages fix information leak
15th, May, 2006
Updated package.
http://www.linuxsecurity.com/content/view/122766

* Debian: New phpLDAPadmin packages fix cross-site scripting
15th, May, 2006
Several cross-site scripting vulnerabilities have been discovered in phpLDAPadmin, a web-based interface for administering LDAP servers, that allow remote attackers to inject arbitrary web script or HTML.
http://www.linuxsecurity.com/content/view/122768

* Debian: New awstats packages fix arbitrary command execution
18th, May, 2006
Updated package.
http://www.linuxsecurity.com/content/view/122799

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon May 22 04:40:55 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 22 May 2006 03:40:55 -0500 (CDT)
Subject: [ISN] Commerce signs up for security training
Message-ID:

http://www.gcn.com/online/vol1_no1/40834-1.html

By Patience Wait
GCN Staff
05/19/06

The Commerce Department has awarded a task order to the International Information Systems Security Certification Consortium, or (ISC)2, to provide an expanded information security education program for the department's information security employees.
The consortium will provide on-site, classroom-based courses for its Certified Information Systems Security Professional, Systems Security Certified Professional, and Certification and Accreditation Professional credentials. Commerce will provide vouchers valid for one year that its employees may use in (ISC)2 classes.

Nancy DeFrancesco, the chief information security officer for Commerce, said that she hopes this education and training program will develop into a center of excellence within the security line of business established by the Office of Management and Budget.

For the past two years, IT security professionals in the department had been using the Office of Personnel Management's online learning center. But DeFrancesco said she wanted a broader course offering than that run by OPM, and she wanted to give employees different ways to access materials.

"Our component [agencies] were interested in instructor-led training, and, of course, people learn in different ways," she said. "We also have a need, with Commerce personnel worldwide, [for a] delivery capability that reaches around the world... We just saw this as another outlet that provided more diverse, well-rounded service."

While courses initially will be classroom-based, DeFrancesco said, the plan is to make them available at the Commerce headquarters in Washington, for the vouchers to be used by employees around the country at (ISC)2 venues, and to include Web-based classes.

Classes will begin this month. The first course, for 25 students, is going to be for CISSP, with the others rolled out over a year. DeFrancesco said she is already fielding calls from security personnel asking to enroll.

As for expanding the program into a center of excellence, DeFrancesco said she had served on the task force for the information security LOB and became quite familiar with that initiative. "The secretary of Commerce has imparted the importance of striving for excellence," she said.
"We are, by [the Federal Information Security Management Act], directed to establish a training program, and if so, why not one that sets us out as a center of excellence for other agencies?" From isn at c4i.org Mon May 22 04:41:36 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 22 May 2006 03:41:36 -0500 (CDT) Subject: [ISN] The Fight Against V1@gra (and Other Spam) Message-ID: http://www.nytimes.com/2006/05/21/business/yourmoney/21spam.html By TOM ZELLER Jr. The New York Times May 21, 2006 TO the antispam researchers at MessageLabs, an e-mail filtering company, each new wave of a recent stock-pumping spam seemed like a personal affront. The spammers were trying to circumvent the world's junk-mail filters by embedding their messages - whether peddling something called China Digital Media for $1.71 a share, or a "Hot Pick!" company called GroFeed for just 10 cents - into images. In some ways, it was a desperate move. The images made the messages much bulkier than simple text messages, so the spammers were using more bandwidth to churn out fewer spams. But they also knew that, to filters scanning for telltale spam words in the text of e-mail messages, a picture of the words "Hot Stox!!" is significantly different from the words themselves. So the bulk e-mailers behind this campaign seemed to calculate that they had a good chance of slipping their stock pitches past spam defenses to land in the in-boxes of prospective customers. It worked, but only briefly. Antispam developers at MessageLabs, one of several companies that essentially reroute their clients' e-mail traffic through proprietary spam-scrubbing servers before delivering it, quickly developed a "checksum," or fingerprint, for the images, and created a filter to block them. Advances in spam-catching techniques mean that most computer users no longer face the paralyzing crush of junk messages that began threatening the very utility of e-mail communications just a few years ago. 
But spammers have hardly given up, and as they improve and adapt their techniques, network managers must still face down the pill-pushers, get-rich-quick artists and others who use billions of unwanted e-mail messages to troll for income. "For the end user, spam isn't that much of a problem anymore," said Matt Sergeant, MessageLabs' senior antispam technologist. "But for the network, and for people like us, it definitely is." Shortly after MessageLabs created a filter to catch the stock spams, the images they contained changed again. They were now arriving with what looked to the naked eye like a gray border. Zooming in, however, the MessageLabs team discovered that the border was made up of thousands of randomly ordered dots. Indeed, every message in that particular spam campaign was generated with a new image of the border - each with its own random array of dots. "That was kind of cool and kind of funny," said Mr. Sergeant, a soft-spoken British transplant who spends his days helping to douse spam fires from his home office outside Toronto. During a recent meeting at the company's New York office, in Midtown Manhattan, Mr. Sergeant and a colleague, Nick Johnson, an antispam developer visiting from MessageLabs' headquarters in Gloucester, England, expressed both amusement and respect over the sheer creativity of the world's most prolific spammers, who continue to dump hundreds of millions of junk messages into the e-mail stream each day. "It was almost like they knew what we were doing," Mr. Sergeant said. SEVERAL surveys - from AOL, the Pew Internet and American Life Project and others - have indicated that the amount of spam reaching consumer inboxes has at least stabilized. That is true for users whose networks are protected by off-site, third-party filtering services like MessageLabs', as well as those protected by network software or in-house equipment that filters messages before they hit a company's e-mail server. 
If individual users also have personal spam filters installed on their computers, their in-box spam count can be reduced to a trickle. But spam continues to account for roughly 70 percent of all e-mail messages on the Internet, despite tough antispam laws across the globe (including the Can-Spam Act in the United States), despite vigorous lawsuits against individual junk-mail senders and despite the famous prediction, by Bill Gates at the World Economic Forum in 2004, that spam would be eradicated by 2006.

The continuing defiance of spammers was demonstrated last week when one of them forced Blue Security, an antispam company based in Israel, to shut down its services. The company gave customers the power to enact mob justice on spammers by overloading them with requests to be removed from mailing lists. A spammer in Russia retaliated by knocking out Blue Security's Web site and threatening virus attacks against its customers. Blue Security said it would back off rather than be responsible for a "cyberwar."

While there are some indications that the growth rate of spam has plateaued or even slowed, experts say that spikes are always looming. That is partly because spammers can hide themselves or their operations in countries where law enforcement is lax, from Russia and Eastern Europe to China and Nigeria. Because some spammers can churn out 200 million or more messages a day, and because less than 1 percent of those need to bring responses from naïve, click-happy users to turn handsome profits, there is little incentive to stop.

"That's really just the daily battle," said Mr. Sergeant, who routinely shares intelligence on individual spammers with other antispam organizations and with the F.B.I. and other law enforcement agencies. "That 1 percent is the wall, really - it's the spammers creating something new that we just haven't seen before. And for us it's a matter of how quickly we can deal with it."

There is plenty to deal with.
Most spam is still just, well, spam: low-rent pitches for stocks and penis-enlargement pills. But there are also the more immediate menaces, including attempts to trick consumers into giving up bank and credit card information - or the use of spam to deliver viruses and other malicious software. From an industry perspective, antivirus and antispam scanning are virtually inseparable, and MessageLabs is among many companies jockeying to position themselves as full-service contractors, offering to filter, scan, scrub and archive both incoming and outgoing mail. It's a lucrative strategy. IDC, the research firm, estimates that the global market for "messaging security" will grow to $2.6 billion by 2009, from $675 million in 2004. The category consists mostly of antispam services, but also covers outbound filtering - something that employers now demand and all vendors include, according to Brian Burke, an IDC analyst. IDC estimates that the larger market for "secure content management," which folds in virus protection, Web filtering and spyware protection, will grow to $11.4 billion by 2009 from $4.8 billion in 2004. In 2005, about 60 percent of businesses were using software to combat spam, with the rest split between using managed services and antispam hardware, according to Osterman Research, which conducts market analysis on the messaging industry. But the percentage of businesses moving to managed services is expected to double, to almost 40 percent, during the next two years. In that context, it may not be surprising that Microsoft recently acquired FrontBridge, the third-largest provider of managed e-mail services. MessageLabs and Postini, based in San Carlos, Calif., have long been the leaders in the category. While much growth in this field will be driven by the threat of viruses and other bugs attached to messages, the wave of simple but inventive marketing spam remains a big concern - and, in many ways, is the harder thing to catch. 
Consider the stock spam using random dots in the borders. "We actually developed some technology to detect borders in images and figure out the entropy - that is, to figure out if the border was random," Mr. Sergeant said. "So that was fine." Of course, shortly afterward, "they decided to stop using the borders," he added.

From there, the senders began placing a small number of barely perceptible and, again, randomly placed dots - a pink one here, a blue one there, a green one near the bottom - throughout the images. Then they shifted to multiple images, with words spelled partially in plain text and partially as images, so that the content, when viewed on a common e-mail reader like Outlook or AOL, would look like an ordinary message.

"There are loads of different kinds of obfuscation," Mr. Johnson said. "They've realized that people are looking for V1agra spelled with a '1' and st0ck with a 'zero' and that sort of thing, so they might try some sort of meaning obfuscation, like just referring to a watch as a 'wrist accessory' or something like that. So they say something like, 'Drape your wrist with this elegant accessory.' "Any way not to say 'Rolex,' " he added, "so it's quite cryptic."

Sitting in a windowless conference room, Mr. Sergeant alternated his gaze between the conversation at hand and the streams of filtered e-mail subject lines slithering down his laptop screen. The lines were feedback from the company's "radar" system, which allows team members to test a new "rule" or "signature" that they have devised on a slice of the incoming torrent of spam. If the rule is too broad and general, legitimate e-mail messages - dreaded "false positives" in the parlance of spam assassins - will begin showing up on the radar.

Mr. Johnson plugs into the radar himself and highlights a common obfuscation technique he calls "gappy text": words with spaces between the letters, to fool filters designed to look only for whole words.
The example was in a message advertising a work-at-home opportunity out of "T u l s a , O k l a h o m a ." "That's something that we might consider signaturing, that whole line there, with the spaces," he said, "because it's not very common behavior for someone to want to write like that." Mr. Johnson began reading from a customer testimonial included in the same message: "I was skeptical at first. I made money. I couldn't believe it!" Mr. Sergeant erupted in laughter. "It's a classic joke in our office," Mr. Johnson said. "If it's advertised in spam, it must be true." MR. JOHNSON described another trick that a spammer had recently deployed so that messages peddling Viagra would move into recipients' in-boxes. By default, most modern e-mail software can display messages that are written with the same text formatting code used to create Web pages - known as hypertext markup language, or HTML. Like viewers of Web pages, e-mail users never actually see the underlying code, or "tags" used to make some words appear, say, bold or italicized. But spam filters scan this code, too, looking for "spammy behavior," as Mr. Johnson put it. In this instance, a clever spam writer slipped a Viagra message past many filters by spelling the word with several I's, then using HTML code to shove all of the I's together. "Whenever you view this in your e-mail program," Mr. Johnson said, "the letter spacing is set to minus-3 pixels, so it will show all these I's on top of each other, and it will look like one I. "That was quite an impressive one, actually," he said. And vexing, Mr. Sergeant added. Without a special rule created by the team, it would have been virtually impossible for a machine to examine the source code of a message and determine that this was the word "Viagra." "The word appears on screen as it should," Mr. Sergeant said. "But if you actually are examining the HTML, you just couldn't pull out a word from it. 
So while a computer can't figure out what the words are in the e-mail, the human eyes can." A company like MessageLabs tries to avoid examining messages at this level. Instead, it prefers to stop much of the junk at the door, using what is called I.P. blocking. This prevents the receipt of messages from a particular Internet protocol address already identified as a spamming source. This technique is sometimes frowned upon by Internet purists, because it can punish innocent users by blacklisting a whole range of addresses from a single host. But Mr. Sergeant said that I.P. blocking had become more refined since the early days of spam fighting. "It's very, very important to us," he said. "It's our first line of defense, really." Still, spammers can often get around this by turning to zombie bots. These are vast networks of personal computers that have been surreptitiously infected with malicious software, permitting a spammer to use their computing power, without the owners' knowledge, to spew or relay spam, viruses, keyloggers, phony "update your bank account" messages and other dark payloads. Zombies now deliver half to three-quarters of all spam, according to a Federal Trade Commission report to Congress in December on the state of the spam problem. Among the zombies' many advantages is an ever-shifting collection of I.P. addresses. Another trump card was handed to spammers just over a year and a half ago, when VeriSign, the security and services company that controls the dot-com and dot-net network domains, unveiled a quicker way to update domain names. Although a boon to people setting up their own sites, the new system decreased the time needed for a newly registered domain name to be activated, to 5 minutes from about 12 hours. That put spammers, armed with stolen credit cards and a willingness to buy and quickly abandon domain names, at a new advantage. VeriSign updates its domain information every 12 hours. 
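As an added defensive example, not code from MessageLabs or the article: a normaliser that undoes the two content tricks described above, "gappy text" and the negative letter-spacing trick, so that a plain word list can be matched against what a reader actually sees. The sample messages and the term list are constructed.

```python
import html
import re

# Constructed sample messages (not from the article), one per trick the MessageLabs
# team describes, plus a legitimate message that must not be flagged.
SAMPLES = {
    "gappy": "Work from home in T u l s a , O k l a h o m a . Apply now!",
    "spacing": '<p>Buy <span style="letter-spacing:-3px">Viiiii</span>agra today</p>',
    "clean": "Minutes from Tuesday's meeting are attached. I will be in Tulsa next week.",
}
SPAM_TERMS = {"viagra", "cialis", "rolex"}  # constructed, deliberately tiny word list

# Four or more single letters separated by single spaces: "T u l s a".
GAPPY_RE = re.compile(r"\b(?:[A-Za-z] ){3,}[A-Za-z]\b")
# An element whose inline style sets a negative letter-spacing, with its text content.
NEG_SPACING_RE = re.compile(
    r"""<(\w+)[^>]*style\s*=\s*(['"])[^'"]*letter-spacing\s*:\s*-[\d.]+\w*[^'"]*\2[^>]*>(.*?)</\1>""",
    re.IGNORECASE | re.DOTALL,
)
TAG_RE = re.compile(r"</?(\w+)[^>]*>")
INLINE_TAGS = {"span", "b", "i", "u", "em", "strong", "font"}


def collapse_gappy(text):
    """Join spaced-out letters ('T u l s a' -> 'Tulsa'); return (text, matched runs)."""
    hits = []

    def join(match):
        hits.append(match.group(0))
        return match.group(0).replace(" ", "")

    return GAPPY_RE.sub(join, text), hits


def collapse_letter_spacing(markup):
    """Inside a negatively spaced element the glyphs overlap on screen, so a run of the
    same letter renders as one: reduce each run to a single character. Returns (markup, hits)."""
    hits = []

    def squash(match):
        tag, inner = match.group(1), match.group(3)
        hits.append(inner)
        squashed = re.sub(r"(.)\1+", r"\1", inner)
        return f"<{tag}>{squashed}</{tag}>"

    return NEG_SPACING_RE.sub(squash, markup), hits


def strip_tags(markup):
    """Drop tags; inline tags vanish without a space so split words rejoin ('Vi' + 'agra')."""
    return TAG_RE.sub(lambda m: "" if m.group(1).lower() in INLINE_TAGS else " ", markup)


def analyze(message, terms=SPAM_TERMS):
    """Normalise the message the way a reader would see it, then report what was found."""
    markup, spacing_hits = collapse_letter_spacing(message)
    text = html.unescape(strip_tags(markup))
    text, gappy_hits = collapse_gappy(text)
    reasons = []
    if gappy_hits:
        reasons.append(f"gappy-text:{len(gappy_hits)}")
    if spacing_hits:
        reasons.append(f"negative-letter-spacing:{len(spacing_hits)}")
    found = sorted(set(re.findall(r"[a-z0-9]+", text.lower())) & set(terms))
    if found:
        reasons.append("term:" + ",".join(found))
    return {"text": re.sub(r"\s+", " ", text).strip(), "reasons": reasons}


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, analyze(sample))
```

The obfuscation flags are evidence in their own right: as Mr. Johnson notes, nobody writes a city name with spaces between the letters, so a rule can fire on the trick even when the word list misses.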
"But a spammer can register a new domain and have it live within 5 minutes," Mr. Sergeant said. "So he's got a big window where nobody has any information about his domain. They make use of that window." MESSAGELABS' filtering database tries to discover new zombie bots by studying the behavior of e-mail messages from new addresses. Normally, for instance, a machine looking to deliver a message to another machine essentially says "hello" by passing an identifying string of code. Most legitimate mail servers will say "hello" with the same string over and over, for every message. "When a machine communicates with us in two, three, four different ways within a small time frame," Mr. Sergeant said, "that makes the sending machine look kind of weird." That behavior can indicate "it's not a real machine, it's just one of these drone armies." Some low-end spamming software, too, may leave characteristic fingerprints - for instance, the telltale way in which it forges the header information - that spam fighters gradually add to their cumulative antispam wisdom. For all the algorithmic derring-do, however, sooner or later the game turns not on I.P. addresses or software fingerprints, but on the content of the message. It's the approach that MessageLabs researchers like least, but one that spammers constantly force on them. Nigerian e-mail scams are a particular nuisance in this regard. Familiar to any e-mail user, these are the ones seeking an advance payment from the recipient to help rescue a deposed prince or to collect a percentage on some elaborately portrayed fortune. They are difficult to weed out because the senders often use Web-based e-mail services like Yahoo or Gmail, so I.P. blocking is impractical. The language used in the e-mail messages, too, is often common enough that no particular string lends itself to safe rule-making; the risk of filtering out legitimate communications would be high. 
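The greeting-variation heuristic Mr. Sergeant describes above, as an added example rather than MessageLabs' own system: it counts the distinct HELO/EHLO names each client IP presents within a sliding time window. The log lines are constructed, in a made-up "timestamp client-ip verb name" layout rather than any real MTA's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_MINUTES = 10   # how close together the differing greetings must be
THRESHOLD = 3         # distinct HELO/EHLO names inside one window

# Constructed sample log (not a real MTA's format). 203.0.113.7 introduces itself four
# different ways in two minutes; 198.51.100.44 changes its name three times, but half an
# hour apart; 198.51.100.20 behaves like a real mail server and always says the same thing.
SAMPLE_LOG = """\
2006-05-19T10:00:01 198.51.100.20 EHLO mx1.example-corp.net
2006-05-19T10:00:15 203.0.113.7 HELO mail.example.org
2006-05-19T10:00:40 203.0.113.7 EHLO pc-home-7
2006-05-19T10:01:03 198.51.100.20 EHLO mx1.example-corp.net
2006-05-19T10:01:22 203.0.113.7 HELO yahoo.com
2006-05-19T10:02:10 203.0.113.7 EHLO localhost
2006-05-19T10:05:00 198.51.100.20 EHLO mx1.example-corp.net
2006-05-19T10:30:00 198.51.100.44 HELO relay-a
2006-05-19T11:00:00 198.51.100.44 HELO relay-b
2006-05-19T11:30:00 198.51.100.44 HELO relay-c
"""


def parse_line(line):
    """Split one log line into (timestamp, client ip, verb, greeting name)."""
    stamp, ip, verb, name = line.split(maxsplit=3)
    return datetime.fromisoformat(stamp), ip, verb.upper(), name.strip().lower()


def find_suspect_hosts(log_text, window_minutes=WINDOW_MINUTES, threshold=THRESHOLD):
    """Return {ip: sorted distinct greetings} for clients that used at least `threshold`
    different HELO/EHLO names within any span of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    greetings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ip, verb, name = parse_line(line)
        if verb in ("HELO", "EHLO"):
            greetings[ip].append((stamp, name))

    suspects = {}
    for ip, events in greetings.items():
        events.sort()
        best = set()
        for i, (stamp, _) in enumerate(events):
            # every name this client used in the window that ends at this event
            recent = {n for t, n in events[: i + 1] if stamp - t <= window}
            if len(recent) >= threshold and len(recent) > len(best):
                best = recent
        if best:
            suspects[ip] = sorted(best)
    return suspects


if __name__ == "__main__":
    for ip, names in find_suspect_hosts(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} greetings within {WINDOW_MINUTES} min: {', '.join(names)}")
```

Widening the window to two hours also catches 198.51.100.44, which is the trade-off the article's "small time frame" wording hints at: a wide window catches slower rotation but also legitimate hosts that were renamed.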
MessageLabs has spent a year compiling a database, "Scam DNA," of 15,000 Nigerian scam messages, and used pattern analysis to build a family tree of the scams. It has found that most of the pitches are derived among a few hundred templates. "Scam DNA basically codifies this into an algorithm," Mr. Sergeant said, "where, hopefully, we can detect this going on and find new scams based on the old scams." But even if it works, the amount of spam it would eliminate from the overall deluge would be negligible by almost any measure, and Mr. Sergeant and his team will still be forced into encounters with "C i a l i s" and "st0x" and "Viiiiagra." The researchers are certain that the last, with multiple I's shoved together, is the handiwork of Leo Kuvayev. Mr. Kuvayev is No. 3 on the list of the world's most prolific and notorious spammers, maintained at Spamhaus.org, a London-based watchdog group. The listing is not undeserved. In Massachusetts last October, a Suffolk Superior Court judge, D. Lloyd MacDonald, levied $37 million in penalties on Mr. Kuvayev and six other people after deciding against them - in absentia - in a lawsuit brought by the state's attorney general, Tom Reilly. The suit contended that the defendants, who once worked out of Newton, Mass., and Boston, used "a complicated web of Internet sites and domain names selling a variety of illegal products," including counterfeit drugs, pirated software, pornography and phony designer watches. Spam watchers say they believe Mr. Kuvayev is now in Russia - still very much in business and employing a team of spam writers to continue poking holes in the world's filters. "They must be pretty good HTML gurus," Mr. Sergeant said, "who must really know their stuff." Mr. Sergeant said that just two men - Mr. Kuvayev and Alex Blood, a Ukrainian who is rated the No. 1 junk mailer by Spamhaus - hammer the world's e-mail systems with five million messages an hour. 
"You're talking about being responsible for something like 10 percent of all e-mail on the Internet," Mr. Sergeant said, "from just two guys." Two guys who, along with plenty of others, may keep antispam outfits like MessageLabs in business.

"A lot of people would say, 'Why would you want to have these spammers prosecuted and why give information to the F.B.I., because surely you want there to be more spam?' " Mr. Sergeant said. "But with the volumes these guys are sending, it would actually help us more if there were less of it.

"We're just not going to kid ourselves and say we believe that spam is ever going to go away," he added. "It's always going to be a problem."

Copyright 2006 The New York Times Company

From isn at c4i.org Mon May 22 04:41:52 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 22 May 2006 03:41:52 -0500 (CDT)
Subject: [ISN] UWS grad heads for prestigious computer security program
Message-ID:

http://www.duluthsuperior.com/mld/duluthsuperior/news/local/14627475.htm

By STEVE KUCHERA
NEWS TRIBUNE STAFF WRITER
May. 20, 2006

Peter Goetsch of Iron River, Wis., will receive his college diploma today and the opportunity to protect America's computers. Goetsch, 31, not only graduates from the University of Wisconsin-Superior with a degree in computer science, but he also has been accepted into a highly selective national computer security scholarship program. He will spend two years at the University of Tulsa in Oklahoma learning to safeguard our country's computers. In exchange for the federally funded education, Goetsch will work as a computer security expert for the government for at least two years after he receives his master's degree.

"I'm pretty happy about it," the South Shore High School graduate said. "It's a great opportunity for me. I am going to get paid to get my master's. I am just about guaranteed a job when I am done."

Goetsch is the third UWS graduate accepted into the program in four years.
UWS computer science professor Victor Piotrowski isn't surprised that another UWS student has won a Federal Cyber Service Scholarship for Service (commonly called Cyber Corps) award. "It's more like a confirmation that we are on the right track than a surprise," he said. At UWS, Goetsch set up security for the university's advanced computer lab, and worked with another student on a computer security research project. He carried a 4.0 grade point average while at the university. "I look for people who have a passion for the subject," said Sujeet Shenoi, professor of computer science at Tulsa. "Grades are important, but grades are not the only thing. Peter is one of those guys who struck me as being passionate about this stuff and well trained. "Another thing is I've had two very good students from UWS. I know what UW-Superior teaches." The two UWS alumni who attended the Tulsa program -- Lucas Hendrickson, class of 2004, of Poplar and Mike Swanson, class of 2003, of Hibbing, both work in computer security for the federal government. Shenoi directs the Cyber Corps program at Tulsa. Every year about 1,000 people apply for a spot there. About 35 are accepted, he said. Nationwide, only about 150 students are accepted into the Scholarship for Service program each year, said Kathy Roberson, program manager. The federal government created the program to increase the nation's number of highly trained computer experts, most of whom work with computer security. The program graduated its first nine students in 2002. "We believe it's a real success," Roberson said. "We've had 416 students who have graduated." Goetsch is looking forward to joining the ranks. "I'll be right on the cutting edge," he said. "There will always be something new coming up. We'll have to come up with ideas faster than the hackers can or at least be able to shut them down shortly after they start." Attacks on the Internet and computers have become common. 
According to the Computer Emergency Response Team/Coordination Center at Carnegie Mellon University, there were six such attacks reported in 1988. There were 137,529 attacks in 2003. Because of the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that the center no longer publishes the number of reported incidents.

Protecting against such attacks is a vital job, Shenoi said. "I tell my students, 'Make a difference, then make a buck,' " Shenoi said. "They can serve their country a few years, then join Microsoft or a beltway bandit. I tell them, 'Our enemies are willing to die for their cause, can't we at least work hard?' "

© 2006 Duluth News Tribune

From isn at c4i.org Mon May 22 04:42:09 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 22 May 2006 03:42:09 -0500 (CDT)
Subject: [ISN] Army pilot program graduates students
Message-ID:

Forwarded from: William Knowles

http://www.leavenworthtimes.com/articles/2006/05/19/news/news03.txt

By JOHN RICHMEIER
Times Staff Writer
May 19, 2006

Often referred to as the intellectual center of the Army, Fort Leavenworth is home to a new education program that focuses on looking at things from different perspectives. The University of Foreign Military and Cultural Studies held a graduation ceremony Thursday for its first red team leader's course. Red team is a term used to describe a group that looks at something critically and objectively, according to UFMCS Director Greg Fontenot. He said red teaming provides commanders alternative viewpoints of plans and concepts including in the context of partners and adversaries. George Hethcoat, UFMCS operations officer, said the program is about looking at the world through a different set of eyes.

Speaking at Thursday's ceremony, Lt. Gen. John F. Kimmons, Army deputy chief of staff for intelligence, said the military has left the era of simple cause and effect analysis. "This is not point and shoot," he said.
"We are behind that." He told the graduates they have to hold assumptions and truisms up to a bright light. He said understanding things in the proper context becomes an issue of life and death on the battlefield.

Eighteen people graduated from the pilot course. Only 16 attended Thursday's ceremony because two students graduated early. The inaugural class included active duty military personnel from the Army, Navy and Marines as well as members of the Texas Army National Guard and civilian employees of the Department of Army. One student was said to be with the Defense Intelligence Agency. One of the Army officers who graduated Thursday is attending the School of Advanced Military Studies at Fort Leavenworth and took the red team leader's course as an elective, Hethcoat said.

The UFMCS, an organization of the Army Training and Doctrine Command, was established at the fort last year. The pilot red team leader's course began in January. During Thursday's ceremony, Fontenot called the UFMCS a "university without an athletic director, without a stadium but with high ambitions." Another 18-week course is scheduled to begin in July. "This is graduate-level study," Fontenot said after Thursday's ceremony. He said UFMCS also is planning a nine-week "stop-gap" course for people who already have some red team skills. He also spoke of plans for future years for a six-week members' course for people who will be part of red teams but not leaders as well as what he called a practitioner's course.

Instructors for the red team leader's course are referred to as seminar facilitators. Hethcoat said classes are give and take exchanges. "We don't have anything related to lectures," he said. He said the program periodically will have panels. The inaugural course featured a terrorism panel that included representatives of the Department of Army, the FBI, local law enforcement and the DIA as well as a former terrorist.
During the first 18-week course, officials looked at areas of the program that need to be tweaked, Hethcoat said. "You provided us the feedback that we needed to improve the program and we thank you for that," Robert Reuss told the graduates during Thursday's ceremony. Reuss is TRADOC's assistant deputy chief of staff for intelligence. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Mon May 22 04:42:24 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 22 May 2006 03:42:24 -0500 (CDT) Subject: [ISN] Whatever happened to PGP? Message-ID: http://www.theregister.co.uk/2006/05/21/pgp_update/ By Mary Branscombe 21st May 2006 PGP is often thought of as an encryption system, but your private key is a digital signature that can prove who your message comes from, as well as showing that it hasn't been tampered with. The reason a Public Key Infrastructure doesn't look like a widespread identity system is that it needs a web of trust; if somebody you know has signed my PGP key, then you take their word that I am who I say I am. That works well for close groups of friends - or for the corporations and government departments around the world who rely on PKIs based on the commercial PGP offerings or the OpenPGP SDK [1] that's now available. That's where PGP has really made its mark, says Jon Callas (now the CTO of PGP Corporation [2]; and part of the team that shepherded the commercial side of PGP out of the wilderness where Network Associates left it). "We thought it would be a grass roots system. But now it's really corporations setting up PKIs for their own business reasons. 
The entities are organisations like BMW or Siemens rather than individuals." Some of the companies who failed to sell PKIs in the past had bad business models that were too expensive: "it was like buying a camera and having to buy 1,000 rolls of film at the same time" The OpenPGP [3] standard is one of the things that's helped PGP become more widespread; the other is the rise of systems that need to identify people on many different platforms. But PGP doesn't solve all of the problems for that. The Friend of a Friend project (FOAF) uses digital signatures to attach PGP key IDs that verify the email of the address of the author to documents; you still have to decide for yourself if you trust the author which the PGP key identifies. There's a PKI at the heart of Skype, for example, to make sure you're talking to the person you want to call. But that tells you nothing about anything else to do with their identity. PGP software is mature and the technology is both tested and flexible; you can use an LDAP server as a PGP keyserver or use the PGPticket protocol to issue secure authorisations instead of vulnerable passwords for access to a network service. What many people want to do with identity now means making those identities work more widely. That comes down to the architecture of the systems that will accept identities, and the ways those identities are secured will include PGP (read more about PGP Identity Management here) [4]. Identity management is changing into claims management and different claims will come from different systems, bringing together claims like your Skype ID, your age and your eBay ranking only when someone needs to know you're old enough to buy what they're selling before they call you. Some of those claims will be secured and verified by PGP. 
Instead of building up as much information about your users as possible - something marketing departments are happier about than the users themselves - you can think about the smallest pieces of information you need for a specific authorisation or transaction. Whether it's issues of liability or commercial advantage, businesses don't want to share more of their customer database than they have to, Callas points out. Ironically, their commercial interests are turning out to enable our desire for privacy.

[1] http://openpgp.nominet.org.uk/cgi-bin/trac.cgi
[2] http://www.pgp.com/
[3] http://www.openpgp.org/
[4] http://www.pgp.com/library/ctocorner/identitymgmt.html

From isn at c4i.org Tue May 23 01:22:35 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 23 May 2006 00:22:35 -0500 (CDT)
Subject: [ISN] IM worm installs 'safe' Web browser
Message-ID:

http://news.com.com/IM+worm+installs+safe+Web+browser/2100-7349_3-6075401.html

By Joris Evers
Staff Writer, CNET News.com
May 22, 2006

A new instant messaging worm installs a rogue Web browser called "Safety Browser" and hijacks the user's Internet Explorer home page, experts have warned.

The worm, dubbed "yhoo32.explr" by FaceTime Security Labs, was found two weeks ago on the Yahoo instant messaging network and was still active as of Friday, Tyler Wells, senior director of research at FaceTime, a seller of instant messaging security products, said in an interview.

The worm drops the "Safety Browser" on the target's machine. The rogue browser uses the same icon as Microsoft's IE Web browser and, when opened, takes users to a site that installs spyware on the PC, FaceTime said. "This is the first recorded incidence of malware installing its own Web browser on a PC," the company said in a statement.

The pest also sets the victim's IE home page to Safety Browser's Web site and plays looped music that cannot be stopped, FaceTime said.
Additionally, when installed the worm sends itself to all of the infected user's contacts, the security company said.

The new threat arrives as a link in a message box on the target's PC. The link may also say "Goat_Ensem Bot" with a smiley. After someone clicks the link, at least one warning will be displayed to tell the user that software is about to be downloaded or installed and that this may be malicious, Wells said.

Researchers at Foster City, Calif.-based FaceTime discovered the pest after it hit one of their test machines. These PCs are connected to instant messaging networks and typically logged in to chat rooms, which often are the starting point for new IM worms.

IM users can protect themselves against this and many other IM threats by not clicking unexpected or unsolicited links.

Copyright © 1995-2006 CNET Networks, Inc.

From isn at c4i.org Tue May 23 01:22:52 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 23 May 2006 00:22:52 -0500 (CDT)
Subject: [ISN] Thieves steal personal data of 26.5M vets
Message-ID:

http://seattlepi.nwsource.com/national/1152AP_Veterans_Disk.html

By HOPE YEN
ASSOCIATED PRESS WRITER
May 22, 2006

WASHINGTON -- Thieves took sensitive personal information on 26.5 million U.S. veterans, including Social Security numbers and birth dates, after a Veterans Affairs employee improperly brought the material home, the government said Monday.

The information involved mainly those veterans who served and have been discharged since 1975, said VA Secretary Jim Nicholson. Data of veterans discharged before 1975 who submitted claims to the agency may have been included.

Nicholson said there was no evidence the thieves had used the data for identity theft, and an investigation was continuing. "It's highly probable that they do not know what they have," he said in a briefing with reporters. "We have decided that we must exercise an abundance of caution and make sure our veterans are aware of this incident."

Veterans advocates expressed alarm.

"This was a very serious breach of security for American veterans and their families," said Bob Wallace, executive director of Veterans of Foreign Wars. "We want the VA to show leadership, management and accountability for this breach."

Ramona Joyce, spokeswoman for the American Legion, agreed that the theft was a concern. "In the information age, we're constantly told to protect our information. We would ask no less of the VA," she said.

Nicholson declined to comment on the specifics of the incident, which involved a midlevel data analyst who had taken the information home to suburban Maryland on a laptop to work on a department project. The residential community had been a target of a series of burglaries when the employee was victimized earlier this month, according to the FBI in Baltimore. Local law enforcement and the VA inspector general were also investigating.

"I want to emphasize there was no medical records of any veteran and no financial information of any veteran that's been compromised," Nicholson said, although he added later that some information on the veterans' disabilities may have been taken.

Nicholson said he does not know how many of the department's 235,000 employees go through background investigations. He said employees who have access to large volumes of personal data should be required to undergo such checks, but he does not believe the VA employee was involved in the theft. "We do not suspect at all any ulterior motive," he said.

The department has come under criticism for shoddy accounting practices and for falling short on the needs of veterans. Last year, more than 260,000 veterans could not sign up for services because of cost-cutting. Audits also have shown the agency used misleading accounting methods and lacked documentation to prove its claimed savings.

"It is a mystifying and gravely serious concern that a VA data analyst would be permitted to just walk out the VA door with such information," Illinois Rep.
Lane Evans, the top Democrat on the Veterans Affairs Committee, said in a statement signed by other Democrats on the panel.

Sen. John Kerry, D-Mass., who is a Vietnam veteran, said he would introduce legislation to require the VA to provide credit reports to the veterans affected by the theft. "This is no way to treat those who have worn the uniform of our country," Kerry said. "Someone needs to be fired."

The VA said it was notifying members of Congress and the individual veterans about the burglary. It has set up a call center at 1-800-FED-INFO and a Web site, http://www.firstgov.gov, for veterans who believe their information has been misused. It also is stepping up its review of procedures on the use of personal data for many of its employees who telecommute as well as others who must sign disclosure forms showing they are aware of federal privacy laws and the consequences if they're violated.

Deborah Platt Majoras, chair of the Federal Trade Commission, said her task force has reached out to the three major credit bureaus to be alert to possible misuse.

-=-

On the Net:

Information for veterans suspecting identity theft: http://www.firstgov.gov or 1-800-FED-INFO

From isn at c4i.org Tue May 23 01:23:10 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 23 May 2006 00:23:10 -0500 (CDT)
Subject: [ISN] OMB to agencies: Review personal data protections
Message-ID:

http://www.gcn.com/online/vol1_no1/40842-1.html

By Mary Mosquera
GCN Staff
05/22/06

The Office of Management and Budget has directed agencies' senior privacy officials to review and correct any policies and processes to ensure that they protect against misuse of or unauthorized access to personally identifiable information.

The memo, dated today from OMB acting director Clay Johnson, comes on the same day the Veterans Affairs Department announced that electronic data containing the personal information of up to 26.5 million veterans was stolen from the home of a VA employee.

"Because federal agencies maintain significant amounts of information concerning individuals, we have a special duty to protect that information from loss and misuse," he said in the memo.

The memo re-emphasizes agencies' responsibility to safeguard sensitive personally identifiable information and to train employees on their responsibilities, especially related to provisions of the Privacy Act. The Privacy Act requires each agency to set the rules of conduct related to any system of records, to instruct each employee as to what is required to comply with them and the penalties for not adhering to them. Under the statute, agencies are required to establish administrative, technical and physical safeguards to insure the security and confidentiality of records.

Agencies are to evaluate all means used to control personally identifiable information, including procedures and restrictions on its use or removal beyond agency premises or control, OMB said. Agencies will include the results in their next report in the fall detailing compliance with the Federal Information Security Management Act.

Within the next 30 days, agencies are to remind their employees of their specific responsibilities for safeguarding personally identifiable information, the rules for acquiring and using such information, and the penalties for violating these rules.

Under FISMA and related policy, agencies are to "promptly and completely" report security incidents to proper authorities, including the inspector general, law enforcement authorities and, under some circumstances, the Homeland Security Department.
From isn at c4i.org Tue May 23 01:23:25 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 23 May 2006 00:23:25 -0500 (CDT)
Subject: [ISN] eBay security chief slams online crime 'hype'
Message-ID:

http://www.zdnet.com.au/news/security/0,2000061744,39257210,00.htm

By Munir Kotadia
ZDNet Australia
23 May 2006

The head of eBay Australia's IT security has slammed the wider security community for making it difficult for users to learn about using the Internet safely, because they sensationalise online crimes and keep changing the names of potential threats.

Speaking at the AusCERT 2006 conference in the Gold Coast today, Alistair MacGibbon, Australian director of trust and safety at eBay, told delegates that Internet-based crimes are no different to crimes in the real world.

"There is nothing new about the Internet crimes we see and there is nothing new in the ways we have to fight them," said MacGibbon. "Hacking is breaking into someone's computer system and tampering with data or stealing it. Is it any different from so long ago when people would break into the store room and steal the files of a company?"

MacGibbon said that in the online space there is obviously an issue with jurisdiction and also what the victim experiences, but essentially he said they were exactly the same crimes with the same motivations as in the offline world.

One prime example of what confuses users is the constant name-changing when it comes to potential threats - such as phishing.

"Phishing is about tricking someone into giving out details online -- like their password or their personal credentials when we know they shouldn't. Social engineering was about exactly the same thing.

"We have phishing one day, spear phishing the next, deep sea phishing and puddle phishing. All of them are variations on a theme and none of them different to the other crime," said MacGibbon.

"We sensationalise those crimes and make it much harder to educate consumers," he added.
Even without the added hype, fighting crimes and educating the public on how to go about their business safely is not an easy task, said MacGibbon, who is a 15-year veteran of the police force and an ex-director of the Australian High Tech Crime Centre.

As an example, MacGibbon cited murder rates, of which he said criminologists spend years trying to collect accurate data so it can be analysed and checked for trends.

"Even with something as simple as counting murders we have spent years trying to do it. Why? Because the definition in the legislation is different. The definition in the forms that get ticked in the various agencies are different. So our ability to count that crime in the offline space is difficult," said MacGibbon.

Munir Kotadia travelled to the Gold Coast as a guest of AusCERT.

From isn at c4i.org Tue May 23 01:31:02 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 23 May 2006 00:31:02 -0500 (CDT)
Subject: [ISN] Shop owner arrested for cybercrime
Message-ID:

http://www.thejakartapost.com/detailcity.asp?fileid=20060523.C02&irec=2

The Jakarta Post
Jakarta
May 23, 2006

The owner of a small computer shop in Mangga Dua shopping mall, Central Jakarta, was able to get through the electronic defense system of one of the city's major banks, police said Monday.

The man, identified only as TL, entered fictitious credit card transactions into the system of the city's second largest bank in terms of assets, Bank Central Asia (BCA).

The suspect did not use any sophisticated technology. He just used seven cards to authorize 12 transactions totaling Rp 425 million (US$47,222). Most of the Visa and Mastercard cards were issued by foreign banks, including Prudential, Westpac and ANZ.

Police suspect TL got the credit card numbers from recording the details of customers' past transactions, though there is also a possibility he broke into the bank's computer system.

"He made all the transactions within an hour, which aroused the suspicions of BCA, as the card claimer," said the chief of the Jakarta Police's fiscal and monetary crimes unit, Adj. Sr. Comr. Aris Munandar.

BCA later contacted the card holders, who are mostly non-nationals living abroad. They had no knowledge of the transactions. The bank canceled the transactions and reported the case to police in March. The suspect was arrested last week, police said.

The vice chairman of the Indonesian Telecommunications Community, Mas Wigrantara, told The Jakarta Post that at least 1,000 incidents of e-banking fraud, virus uploads and hacking activities had been reported in the last six months.

"Although the number is significant, banks are reluctant to report cases to police or the government because they are worried it will affect their reputation and the public will no longer trust e-banking," he said, adding that they preferred to report cases to their own security consultants.

Wigrantara said the country already had the Indonesia Computer Security Incident Response Team, but it was not having much of an impact because of the limited number of cases reported to it.

From isn at c4i.org Tue May 23 01:20:44 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 23 May 2006 00:20:44 -0500 (CDT)
Subject: [ISN] Want To Pass Your Next Security Audit? New Standard May Be The Answer
Message-ID:

http://www.informationweek.com/security/showArticle.jhtml?articleID=188100480

By Larry Greenemeier
InformationWeek
May 22, 2006

Much has been made of our inability to prevent cyberattacks. New technology at best slows attackers, forcing them to find other ways of terrorizing victims. Now some tech pros are pointing to an ISO security standard as the answer.

ISO 27001 was approved in October, replacing British Standard 7799-2 as a way to position companies to pass security audits. In certifying to it, companies are in a position to move quickly when they identify a potential problem.
Consulting firm Churchill & Harriman worked with the Federal Reserve Bank of New York to bring its national incident response unit into compliance with ISO 27001, putting the bank ahead of most U.S. businesses. The national incident response unit monitors, analyzes, and escalates information about security threats to the business. Out of necessity, financial services companies lead the way in technology adoption, particularly in security, says Ken Peterson, CEO of the consulting firm.

Of the 2,546 businesses worldwide certified to BS7799-2 or ISO 27001, only 120 operate in the United States. By contrast, 1,517 of the certifications have gone to Japanese companies, the most in any country.

ISO 27001 may help businesses secure cybersecurity insurance, says Barry Kouns, the Churchill & Harriman VP who led his firm's work with the Federal Reserve Bank of New York. "This type of insurance would pay if there was a denial-of-service attack or data theft," he says. To qualify for such insurance, companies must demonstrate that they have security measures and processes in place.

Of course, standards will never be more than a foundation; they don't predict the next bug in Windows or an attacker's ability to exploit that bug. ISO 27001's detractors say it's an expensive process with little guarantee of success in combating the next threat. Standards primarily organize a company's security strategy so that security professionals know what to do to address a particular problem.

Process frameworks such as ISO 27001 are built by committee, "but not all of these ideas are good or have been tested," says Gene Kim, CTO at Tripwire, which makes change-auditing software. "Management has to do something, so they go with what's most popular." Based on his research of successful companies, top performers address specific problems rather than overhauling their entire organization. Says Kim, "It's best to do 20% and get 80% of the results."
From isn at c4i.org Tue May 23 01:22:19 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 23 May 2006 00:22:19 -0500 (CDT)
Subject: [ISN] Reporting Vulnerabilities is for the Brave
Message-ID:

http://www.cerias.purdue.edu/weblogs/pmeunier/policies-law/post-38/

By Pascal Meunier
May 22nd, 2006

I was involved in disclosing a vulnerability found by a student to a production web site using custom software (i.e., we didn't have access to the source code or configuration information). As luck would have it, the web site got hacked. I had to talk to a detective in the resulting police investigation. Nothing bad happened to me, but it could have, for two reasons.

The first reason is that whenever you do something "unnecessary", such as reporting a vulnerability, police wonder why, and how you found out. Police also wonder if you found one vulnerability, could you have found more and not reported them? Who did you disclose that information to? Did you get into the web site, and do anything there that you shouldn't have? It's normal for the police to think that way. They have to. Unfortunately, it makes it very uninteresting to report any problems.

A typical difficulty encountered by vulnerability researchers is that administrators or programmers often deny that a problem is exploitable or is of any consequence, and request a proof. This got Eric McCarty in trouble - the proof is automatically a proof that you breached the law, and can be used to prosecute you! Thankfully, the administrators of the web site believed our report without trapping us by requesting a proof in the form of an exploit and fixed it in record time. We could have been in trouble if we had believed that a request for a proof was an authorization to perform penetration testing.
I believe that I would have requested a signed authorization before doing it, but it is easy to imagine a well-meaning student being not as cautious (or I could have forgotten to request the written authorization, or they could have refused to provide it...). Because the vulnerability was fixed in record time, it also protected us from being accused of the subsequent break-in, which happened after the vulnerability was fixed, and therefore had to use some other means. If there had been an overlap in time, we could have become suspects.

The second reason that bad things could have happened to me is that I'm stubborn and believe that in a university setting, it should be acceptable for students who stumble across a problem to report vulnerabilities anonymously through an approved person (e.g., a staff member or faculty) and mechanism. Why anonymously? Because student vulnerability reporters are akin to whistleblowers. They are quite vulnerable to retaliation from the administrators of web sites (especially if it's a faculty web site that is used for grading). In addition, student vulnerability reporters need to be protected from the previously described situation, where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem. Unlike security professionals, they do not understand the risks they take by reporting vulnerabilities (several security professionals don't yet either). They may try to confirm that a web site is actually vulnerable by creating an exploit, without ill intentions. Students can be guided to avoid those mistakes by having a resource person to help them report vulnerabilities.

So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited.
I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student. My superiors also requested that I cooperate with the detective. Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized? Thankfully, the student bravely decided to step forward and defused the situation.

As a consequence of that experience, I intend to provide the following instructions to students (until something changes):

1. If you find strange behaviors that may indicate that a web site is vulnerable, don't try to confirm if it's actually vulnerable.

2. Try to avoid using that system as much as is reasonable.

3. Don't tell anyone (including me), don't try to impress anyone, don't brag that you're smart because you found an issue, and don't make innuendos. However much I wish I could, I can't keep your anonymity and protect you from police questioning (where you may incriminate yourself), a police investigation gone awry and miscarriages of justice. We all want to do the right thing, and help people we perceive as in danger. However, you shouldn't help when it puts you at the same or greater risk. The risk of being accused of felonies and having to defend yourself in court (as if you had the money to hire a lawyer - you're a student!) is just too high. Moreover, this is a web site, an application; real people are not in physical danger. Forget about it.

4. Delete any evidence that you knew about this problem. You are not responsible for that web site, it's not your problem - you have no reason to keep any such evidence. Go on with your life.

5. If you decide to report it against my advice, don't tell or ask me anything about it.

I've exhausted my limited pool of bravery - as other people would put it, I've experienced a chilling effect.
Despite the possible benefits to the university and society at large, I'm intimidated by the possible consequences to my career, bank account and sanity. I agree with HD Moore, as far as production web sites are concerned: "There is no way to report a vulnerability safely".

From isn at c4i.org Tue May 23 01:33:12 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 23 May 2006 00:33:12 -0500 (CDT)
Subject: [ISN] Asian security meet warns of terrorist assault via Internet
Message-ID:

http://www.taipeitimes.com/News/world/archives/2006/05/23/2003309631

KUALA LUMPUR
AP
May 23, 2006

Southeast Asia will inevitably face an Internet-based attack by terrorists against key institutions, even though militant groups lack the technical savvy so far, security experts said yesterday.

Developing nations remain especially vulnerable to a cyber assault because they haven't built up defenses for their computer, banking and utility systems, said Yean Yoke Heng, deputy director general of the Kuala Lumpur-based Southeast Asian Regional Center for Counterterrorism.

"The threat is real," Yean told reporters at the start of a regional cyber security meeting. "Definitely, we are vulnerable .... It's not a question of how or what; it's a question of when. So we better get our act together and be prepared for this eventuality."

Regional authorities currently have no specific information about possible threats, which could include the hacking of public networks or the spread of a computer virus, but "it's always good to be one step ahead of this terrorist threat," Yean said.

The five-day conference, which brings together security officials and analysts from Malaysia, the US, Japan, Cambodia, the Philippines, Singapore and Thailand, will discuss how governments can prevent terrorists from exploiting information technology.
So far, Southeast Asian militant groups such as the al-Qaeda-linked Jemaah Islamiyah network have mainly used the Internet to channel propaganda, recruit members, raise funds and coordinate bomb attacks, said Rohan Gunaratna, a Singapore-based militant expert.

"It will take a very long time for Southeast Asian terrorist groups to develop the capability to attack the Internet," Gunaratna said. "For now, groups such as Jemaah Islamiyah are using the Internet as a medium to create a new generation of radicalized Muslims."

There are more than 1,000 jihadist Web sites in Southeast Asia, Gunaratna said. He said captured Jemaah Islamiyah suspected leader Riduan Isamudin, or Hambali, used the Internet to communicate with operatives involved in the 2002 Bali bombings that killed 202 people in Indonesia.

Despite no evidence of an imminent cyber attack, Southeast Asian authorities should still study how technologically advanced governments in the US, Europe and Australia are safeguarding digital assets from terrorist exploitation, Gunaratna said.

Copyright © 1999-2006 The Taipei Times. All rights reserved.

From isn at c4i.org Wed May 24 03:04:10 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 24 May 2006 02:04:10 -0500 (CDT)
Subject: [ISN] Public Safety reports computer security breach
Message-ID:

http://www.udel.edu/PR/UDaily/2006/may/breach052306.html

May 23, 2006

A recent security breach involving a University of Delaware Department of Public Safety computer server has resulted in the possible exposure of names, Social Security Numbers and driver's license numbers.

James J. Flatley, UD director of public safety, said the breach consisted of an intrusion into the server that hosts the department's main records management system. It appears that the intruders were interested in copying at least some of the information in the database, Flatley said, and therefore it is possible that information that could lead to identity theft is in the hands of an unauthorized person.
Flatley said the security breach was discovered April 8, and the department immediately implemented its cyber incident response plan. Also, the department is conducting a full criminal investigation of the incident that involves the Delaware State Police and the FBI.

The University's policy is to notify all individuals if their personal information may have been compromised following such incidents, and a letter has been sent to everyone whose personal information may have been compromised. The letters inform them of the breach and share information on how to combat identity theft. It is unknown whether any personal information was actually acquired in this case. In all, 1,076 letters have been sent, Flatley said.

Individuals with concerns about identity theft may visit a special web site prepared by Information Technologies at [www.udel.edu/security/identitytheft.html].

UD's Office of Information Technologies has conducted a campuswide campaign to help departments protect sensitive personal nonpublic information (PNPI), such as Social Security and credit card numbers. Every University department was visited and advised about proper security for stored PNPI. Information Technologies staff also stressed collecting such information only when required and reiterated the responsibility of each employee to follow UD policy, Delaware laws and federal laws and regulations for the processing and safekeeping of confidential, personal information.

"In every department, those individuals who are responsible for maintaining records must understand that they are responsible for assuring compliance with the Family Educational Rights and Privacy Act (FERPA) and other laws that govern the use of PNPI," Susan Foster, vice president for information technologies, said. "This includes not only the proper use of PNPI but the responsibility to secure systems in which it resides," she said.
Although the University has moved away from using Social Security Numbers as identifiers, some older databases that University departments and units set up in the past may still have such information. Information Technologies has posted guidelines aimed at helping departments secure PNPI and make sure they are in compliance with the University policy and the law. Those can be found at [www.udel.edu/ssn/guid.html]. The guidelines direct departments to ensure the privacy of PNPI by encrypting electronic transmissions, not storing PNPI locally and protecting PNPI when working from home or outside the University.

Members of the University community with questions about uses of PNPI should call the Information Technologies Help Center at (302) 831-6000 or send email to [consult at udel.edu].

Additional information is available at these sites:

Protecting Personal Non-Public Information [www.udel.edu/ssn/]
UD Computer Security [www.udel.edu/security/]
Responsible Computing: A Manual for Staff [www.udel.edu/ecce/staff.htm]

From isn at c4i.org Wed May 24 03:04:30 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 24 May 2006 02:04:30 -0500 (CDT)
Subject: [ISN] NASA outer space communications in peril
Message-ID:

http://www.fcw.com/article94619-05-23-06-Web

By Aliya Sternstein
May 23, 2006

NASA's extraterrestrial communications system could encounter a major service disruption if managers do not keep a closer eye on the deteriorating network's needs, according to federal auditors.

In a Government Accountability Office report released May 22, officials doubted that the current system can provide adequate coverage for the growing number of missions under the new vision for space exploration.

"The potential exists for the loss of scientific data that would be difficult, if not impossible, to replace," the report states.

"In addition, new users will find that, aside from competing for network capacity with each other, they must also compete with legacy programs that have been extended far beyond their intended lifetimes but still return science data and thus take up considerable network time." For example, the 1977 Voyager mission still requires network support.

The system, called the Deep Space Network, consists of three antennae, located in Goldstone, Calif.; Madrid, Spain; and Canberra, Australia. Some crucial components are more than 40 years old.

NASA provided some examples of service disruptions that have occurred as a result of the aging infrastructure. In November 2005, a prime network server failed, leaving space missions without coverage for several hours. The Stardust, Mars Reconnaissance Orbiter, Mars Odyssey and Mars Global Surveyor missions lost a considerable amount of data.

The network also suffers from confusion about program management. NASA does not have a space communications management entity that weighs the investment needs of each program and directs funding accordingly. In addition, the agency does not have formal oversight to ensure that program managers' investment decisions are in line with broader agency requirements.

"As a result of this mismatch between agency-level requirements and investment decisions for the programs that support those requirements, NASA has limited ability to prevent competing programs from making investments that, while supporting individual program requirements, undercut broader agency goals," the report states.

For instance, NASA officials reported that Deep Space Network and Ground Network programs recently almost developed separate array technologies to support redundant requirements for the same lunar missions.

NASA agreed with the GAO's recommendations, which include:

* Identifying program requirements for deep space communications capabilities for the near and long term.
* Determining the extent to which the program's current capabilities can support those requirements.

* Developing a plan to address any gap between those capabilities and requirements and then estimating the costs of necessary enhancements.

* Appointing a NASA task group on space communications to determine priorities for program-level requirements in the broader context of agency-level goals, ensure that decision-makers understand those requirements and coordinate investments to avoid duplicate costs.

From isn at c4i.org Wed May 24 03:04:42 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 24 May 2006 02:04:42 -0500 (CDT)
Subject: [ISN] Cyber-crime unit at FIA planned
Message-ID:

http://www.dawn.com/2006/05/24/top18.htm

By Our Staff Reporter
May 24, 2006

ISLAMABAD, May 23: The government is establishing a cyber-crime unit in the Federal Investigation Agency headquarters, Minister of State for Interior Zafar Iqbal Warraich said on Tuesday.

During his first visit to the headquarters, Mr Warraich said his ministry would help establish the unit. The minister said the FIA should prepare a database of criminals to control crimes and terrorism. "A comprehensive terrorist information system will be helpful in the international war against terrorism," he said.

FIA sources said the agency planned to establish cyber crime units in each zone and the headquarters. They said the interior ministry's permission had been sought for the appointment of required staff, purchase of equipment and construction of buildings for the purpose. The FIA had demanded that special laws should be enacted and courts established to control cyber crimes, they said.

At present, the FIA deals with cyber crime cases under the Electronic Transaction Ordinance. It detected 26 cyber crime cases during the past year.

"The ministry will help the FIA establish a cyber crime unit and special laws will be made to make it a more effective investigation agency of the federal government," the minister said.
FIA Director-General Tariq Pervez apprised the minister of the agency's efforts against illegal immigration, human trafficking, infringement of intellectual property rights and terrorism.

The minister appreciated the agency's performance, especially the increase in the number of passengers travelling on forged documents offloaded, the 26 per cent reduction in the number of deportees from Iran and Europe, the decline in human smuggling cases across the Pakistan-Iran border and the detection of more than 2,000 cases on the watch list for prosecution purposes.

From isn at c4i.org Wed May 24 03:04:54 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 24 May 2006 02:04:54 -0500 (CDT)
Subject: [ISN] Teenage Hacker Could Face Prison Time
Message-ID:

http://www.wxyz.com/wxyz/nw_local_news/article/0,2132,WXYZ_15924_4720282,00.html

By Cheryl Chodun
May 23, 2006

A hacker crippled thousands of computers at dozens of local schools, and police say a teenage student was responsible for it all.

18-year-old David Randall could go to prison for up to 5 years. There is a good chance that he won't be graduating high school because he is currently suspended.

Police say he hacked into the computer system of the Wayne/Westland schools. He crashed the entire system, shutting down 5,000 computers in 29 buildings, and police say he did it dozens of times between March 6th and May 5th.

Greg Baracy, Wayne/Westland Schools superintendent, told 7 Action News, "It's created total havoc amongst our staffs and the lack of availability to get out of the network and do our work. Many lost hours of manpower."

When witnesses identified David Randall as a suspect, police seized his home computer and say they found a disk with revolutionary websites on it that talked about hacking.
"The moral of the story is that utilize your talents in a positive way," Baracy said.

From isn at c4i.org Wed May 24 03:08:00 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 24 May 2006 02:08:00 -0500 (CDT)
Subject: [ISN] Lenovo's Yang says US decision to reject PCs 'unfair' - report
Message-ID:

http://www.forbes.com/technology/feeds/afx/2006/05/23/afx2768673.html

AFX News Limited
05.23.2006

SHANGHAI (AFX) - Lenovo Group Ltd Chairman Yang Yuanqing said the US State Department's fears that Lenovo's computers pose a security risk are groundless, the Shanghai Daily reported.

The newspaper quoted Yang as saying: 'It is unfair to Lenovo, a market-oriented firm.'

On Monday, media reported that the US State Department will not use Lenovo computers for its classified networks - those that connect US embassies and consulates - because of security concerns. The Chinese government owns 27 pct of Lenovo.

'Our products comply with CFIUS (Committee on Foreign Investments in the United States) and all suppliers' requirements,' Yang said.

In March, the State Department agreed to purchase 16,000 Lenovo computers and related equipment through government contractor CDW Government Inc, Lenovo's US-based supplier. The machines will be restricted to non-classified use, reports said.

In a teleconference yesterday, Yang said Lenovo's order value from the US government is only one pct of the computer maker's total revenue.

Lenovo will explore business in emerging markets such as India and Brazil to avoid political obstacles, Yang was cited as saying.

From isn at c4i.org Thu May 25 03:41:15 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 25 May 2006 02:41:15 -0500 (CDT)
Subject: [ISN] Death of the Frog
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested.
Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

SPI Dynamics
http://list.windowsitpro.com/t?ctl=2BDAE:4FB69

Insight
http://list.windowsitpro.com/t?ctl=2BDAB:4FB69

CrossTec
http://list.windowsitpro.com/t?ctl=2BDA7:4FB69

====================

1. In Focus: Death of the Frog

2. Security News and Features
- Recent Security Vulnerabilities
- Microsoft Swallows Whale Communications
- SSL VPN Use Increasing
- Reaping the Benefits of WPA and PEAP

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- Share Your Security Tips

4. New and Improved
- Secure PDAs and Smart Phones

====================

==== Sponsor: SPI Dynamics ====

ALERT: "How a Hacker Launches a SQL Injection Attack!"--White Paper
It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
http://list.windowsitpro.com/t?ctl=2BDAE:4FB69

====================

==== 1. In Focus: Death of the Frog ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Two weeks ago, I wrote about Blue Security's Blue Frog service, an incredibly effective method for fighting spam. For each spam message a Blue Frog user receives, Blue Frog sends one opt-out request to the sender of that spam. The end result is that the spammer receives millions of email messages, which probably overloads their network, but that should be an expected cost of doing spam business--people should have a right to opt out anytime they want to.

Blue Security said that since the inception of Blue Frog, six of the top ten spammers had stopped sending spam to Blue Frog users. However, one spammer took serious offense and launched a Denial of Service (DoS) attack against the company that also affected other networks.

All the affected networks recovered. That's the good news--now here's the bad news: Last week, Blue Security announced that it closed down its Blue Frog service. In a message posted to its Web site, the company said that the reason it ceased operation is that "After recovering from the attack, we determined that once we reactivated the Blue Community, spammers would resume their attacks. We cannot take the responsibility for an ever-escalating cyber war through our continued operations.... We have concluded we should not take Blue Security to the full deployment stage we originally planned to achieve, but we are proud of what we have accomplished thus far as a young startup company."

It's true that Blue Frog might have caused spammers to launch continued attacks that might have serious effects on other networks, and Blue Security did seem to be considering others when making its decision to close down the service. But I don't see this decision as being in the best interest of the Internet community, including Blue Security, because the news gets worse.

After Blue Security decided to discontinue Blue Frog, the spammers attacked again! The second DoS attack rendered Blue Security's site inaccessible even though Blue Security made considerable technological efforts to thwart such attacks. This second attack was probably meant to send another message. The message I take from it is crystal clear but probably isn't what the attackers intended: Kowtowing to spammers isn't the solution.

While closing up shop might seem like a reasonable choice, it's essentially the equivalent of handing your network over to a bunch of black hat intruders who continually break in. It gives the intruders control they don't deserve to have.

I hope Blue Security changes its mind and brings back Blue Frog. If it doesn't, I hope that somebody else takes up where Blue Security left off, and quickly! Fighting back as a group has proved to be incredibly effective, and I'd hate to see momentum lost.
====================

==== Sponsor: Insight ====

Virtual machines can host any number of operating systems on a single physical host. Learn about these features of virtualization as well as many more in this free whitepaper.
http://list.windowsitpro.com/t?ctl=2BDAB:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=2BDB0:4FB69

Microsoft Swallows Whale Communications
In a move designed to expand its security offerings, Microsoft announced a deal to acquire Israel-based Whale Communications. Microsoft thinks Whale's Secure Sockets Layer (SSL) VPN and application firewall technologies will complement its Windows Server and Internet Security and Acceleration (ISA) Server offerings.
http://list.windowsitpro.com/t?ctl=2BDB7:4FB69

SSL VPN Use Increasing
A new study indicates that Secure Sockets Layer (SSL)-based VPNs are growing in popularity and could potentially overtake IPsec VPNs as the secure connectivity solution of choice.
http://list.windowsitpro.com/t?ctl=2BDB6:4FB69

Reaping the Benefits of WPA and PEAP
If you still use Wired Equivalent Privacy (WEP) technology to secure your wireless networks, be aware that it has serious flaws. The Wi-Fi Protected Access (WPA) standard and subsequent WPA2 standard overcome these flaws by adding stronger authentication and encryption and should be used whenever possible in preference to WEP. Learn how to use WPA and Protected Extensible Authentication Protocol (PEAP) in this article by John Howie.
http://list.windowsitpro.com/t?ctl=2BDB9:4FB69

====================

==== Resources and Events ====

Consolidate Windows Event Log and Unix Syslog to save money and ensure continuous compliance. Also identify 50 critical events you should be monitoring for!
Live Web Seminar: Tuesday, June 6
http://list.windowsitpro.com/t?ctl=2BDAC:4FB69

Win a new iPod (for Mac or PC)
Download a Windows IT Pro podcast on Windows IT Pro Radio by your favorite author, editor, or industry figure. You'll automatically be entered to win!
http://list.windowsitpro.com/t?ctl=2BDBC:4FB69

Industry expert Mike Otey explains how to design high availability options for your SQL Server 2005 environment. He'll also cover Windows clustering, database mirroring, and online operations.
Live Event: Wednesday, May 31, 2006; 12:00 EDT
http://list.windowsitpro.com/t?ctl=2BDAA:4FB69

Learn to gather evidence of compliance across multiple systems and link the data to regulatory and framework control objectives. On-demand Web seminar.
http://list.windowsitpro.com/t?ctl=2BDA9:4FB69

Learn all you need to know about code signing technology, including the goals and benefits of code signing, how code signing works, and the underlying cryptographic and security concepts and building blocks.
http://list.windowsitpro.com/t?ctl=2BDAF:4FB69

====================

==== Featured White Paper ====

How much are you spending on IT compliance? Streamline and automate the compliance life cycle with this FREE white paper, and reduce your costs today!
http://list.windowsitpro.com/t?ctl=2BDAD:4FB69

====================

==== Hot Spot ====

Try it Free: Access & Control PCs from your USB
NetOp Remote Control provides the most complete, scalable, and secure remote control software available. Access PCs from your desktop, PocketPC or USB! NEW On Demand option provides tiny, temporary, download with no user installation or firewall configuration and NO per session charges. Free evaluation & support.
http://list.windowsitpro.com/t?ctl=2BDA7:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Google Affects Information Security
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2BDBB:4FB69
Certainly you've heard of "Google hacking," which is a way of using Google searches to locate potential vulnerabilities. But how else might Google affect information security? Find out more in this blog article.
http://list.windowsitpro.com/t?ctl=2BDB5:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=2BDBA:4FB69
Q: How do I enable a quota using the Windows Server 2003 R2 File Server Resource Manager (FSRM)?
Find the answer at
http://list.windowsitpro.com/t?ctl=2BDB8:4FB69

Security Forum Featured Thread: Securing a Server
A forum participant wants to know how to secure his Windows server by using the built-in TCP/IP filtering and Windows Firewall. He also wants to know what other steps he can take. Join the discussion at
http://list.windowsitpro.com/t?ctl=2BDA8:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Announcements ====
(from Windows IT Pro and its partners)

May Exclusive--Get $100 off the Windows IT Security Newsletter
For a limited time, order the Windows IT Security newsletter and SAVE up to $100! In addition to 12 helpful issues loaded with solutions you won't find anywhere else, you'll get FREE access to the entire Windows IT Security online article database. Subscribe now:
http://list.windowsitpro.com/t?ctl=2BDB2:4FB69

Memorial Day Special--Save 58% off Windows IT Pro
Subscribe to Windows IT Pro today and SAVE 58%! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful articles.
This is a limited-time offer, so order now:
http://list.windowsitpro.com/t?ctl=2BDB1:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Secure PDAs and Smart Phones
Utimaco Safeware has extended its encryption and authentication software, SafeGuard PDA, to work with Windows Mobile 5.0 and with Integrated Information & Communication Systems' (IICS's) certgate Smart Card MMC (Multimedia Card). With SafeGuard PDA 4.10, PDA users can log on to their PDAs by inserting a small smart card into their PDA and entering a PIN. SafeGuard PDA 4.10 also automatically encrypts data on Windows Mobile 2003-based devices at runtime. SafeGuard PDA 4.10 is available for Windows Mobile 2003, Windows Mobile 5.0, Symbian OS, and Palm OS, so companies that use different mobile platforms can now implement one security solution to protect their different PDAs and smart phones. For more information, go to
http://list.windowsitpro.com/t?ctl=2BDBD:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com.

====================

==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2BDBE:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=2BDB4:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu May 25 03:41:31 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 25 May 2006 02:41:31 -0500 (CDT)
Subject: [ISN] FBI agent, tipster hid relationship
Message-ID:

http://www.washtimes.com/national/20060524-114732-4291r.htm

By Jerry Seper
THE WASHINGTON TIMES
May 25, 2006

An FBI counterintelligence agent and his lover -- a "top asset" later accused of being a Chinese spy -- kept their relationship secret for nearly 20 years before their arrests in 2003 and after she had been paid $1.7 million for services that she provided to the United States, a report said yesterday.

The Justice Department's Office of Inspector General said FBI supervisors in Los Angeles "did little or nothing" to resolve concerns about FBI Agent James J. Smith's handling of Katrina Leung, a Chinese-American, even after she had given classified information to Beijing without FBI authorization.

Inspector General Glenn A. Fine said FBI supervisors responsible for oversight of Leung were "deficient," failing to provide adequate oversight of Smith, who served as the acting supervisor of the counterintelligence squad.

"The numerous red flags that appeared between 1990 and 1996 should have placed the FBI on notice of serious concerns about Leung's true loyalties, as well as Smith's relationship with her," Mr. Fine said, noting that FBI supervisors in Los Angeles and at the bureau's Washington headquarters "told us they did not have time to read" reports on Leung's activities.

"Smith operated Leung with little oversight based primarily on his status as a top agent in Los Angeles and Leung's status as a top asset," he said.
In a statement, the FBI acknowledged that the conduct in handling Leung was in violation of bureau policy and exposed weaknesses in its asset program, but said it "has made significant progress in reforming and strengthening its management and oversight of human sources."

Mr. Fine, in a 235-page report, said bureau officials also discovered that Leung had been romantically involved with FBI Agent William Cleveland Jr., who also worked counterintelligence cases at the bureau's San Francisco field office. He retired in November 2000 and was not charged in the case.

Smith and Leung were arrested in April 2003. Smith pleaded guilty in May 2004 to one count of making false statements to the FBI and was sentenced in July 2005 to three years' probation. He also was fined $10,000.

Leung initially was charged with unauthorized copying of national defense information with intent to injure the United States and spent three months in jail after her arrest and 48 months in home detention. In January 2005, U.S. District Judge Florence-Marie Cooper in Los Angeles dismissed the case against Leung for prosecutorial misconduct.

In December, the wealthy Los Angeles-area businesswoman and active Republican Party fundraiser pleaded guilty to lying to the FBI and filing a false federal tax return and was sentenced to three years' probation, 100 hours of community service and a $10,000 fine.

Known under the code name "Parlor Maid," Leung was a frequent visitor to China and reportedly was seen on numerous occasions with high-ranking Chinese government officials. Prosecutors said she provided the Chinese with information from FBI files about Chinese fugitives, a telephone list of agents involved in an espionage case and lists of agents serving at overseas posts.

Mr. Fine said the FBI discovered in 1981 that Leung was "engaged in clandestine intelligence gathering on behalf of [China] and/or may be furnishing or about to furnish sensitive technological information" to China, although no investigation was authorized and she was never interviewed.

From isn at c4i.org Thu May 25 03:41:43 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 25 May 2006 02:41:43 -0500 (CDT)
Subject: [ISN] Many warned about Sacred Heart University computer security breach
Message-ID:

http://www.wtnh.com/Global/story.asp?S=4947217

By News Channel 8's Annie Rourke
WTNH
May 24, 2006

A possible security breach at Sacred Heart University: is personal information at risk? That's what some people are asking tonight after receiving a letter from Sacred Heart University stating some of their information may be at risk. The problem is some of the people warned aren't even students at the university.

The letter turned up in some mailboxes Wednesday advising recipients that the security system of one of the university's computers may have been breached and that things like their social security numbers may have been stolen. However, this letter has raised many more questions than it has answered.

The envelope is stamped confidential and the letter is addressed to alumni and friends. But Steve Law's 18-year-old son is neither.

"He is a freshman in college, he did not apply to Sacred Heart. He wasn't even interested in it," says Law, the victim's father.

And yet his name, address and social security number were on a computer at the university that has apparently been hacked into.

The letter from Michael D. Trimble, Assistant VP for Technology, states in part, "We cannot confirm that any of the sensitive files on this computer were actually accessed but we believe that the intruder had the expertise to do so."

The calls to answer their many questions and concerns have so far gone unanswered.
"My wife tried to call them today, and they took a message and they are supposed to be calling back," says Law.

News Channel 8 spoke with a representative at the school but they were unable to tell us how many people were affected or why the university would even have the information of someone not affiliated with them in any way.

Law's son is not the exception. News Channel 8 spoke with another victim with no ties to Sacred Heart who tells us that the university told him that they got his information from the College Board when he took the SATs 8 years ago.

Sacred Heart is now directing these folks back to the internet, advising them to go to the university website for answers and to contact the three credit bureaus. That too is not going down so well.

"I do not understand why they expect us to notify all these security companies. Why would they put the burden of that on us?" asks Law.

Sacred Heart has now set up a hotline number of 866-505-7979. They say at this point they do not have any evidence that any fraud has been committed and at this stage it is just a precautionary measure.

Content © Copyright 2000 - 2006 WorldNow, WTNH, and Associated Press.

From isn at c4i.org Thu May 25 03:40:09 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 25 May 2006 02:40:09 -0500 (CDT)
Subject: [ISN] Microsoft advises users to switch Word to 'safe mode'
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000732

By James Niccolai
May 24, 2006
ITWorldCanada

Microsoft Corp. is advising Word users to run the application in "safe mode" to help guard against a Trojan program that surfaced recently, although security experts today said there still appears little cause for alarm.

"The good news is that it doesn't seem to be very widespread," said Graham Cluley, a senior technology consultant with U.K. antivirus company Sophos PLC. "There have been very, very few reports."

Researchers at F-Secure Corp. and Trend Micro Corp. also said the number of reported incidents remained low. Trend Micro rates the Trojan as "low risk" because, while the potential for damage is high, the impact so far has been small, said David Sancho, a senior antivirus engineer.

The Trojan surfaced last Thursday and arrives buried in a Word file attached to an e-mail message (see "E-mail attacks target unpatched Word hole"). It secretly installs software on a user's PC that could be used to execute remote commands, download other malware or monitor keystrokes and gather passwords, among other mischief.

For the Trojan to do its work, however, users must first be tricked into opening the Word attachment. And the incidents reported so far suggest that hackers are still using the Trojan in a very targeted fashion rather than sending it in mass e-mail, said Erkki Mustonen, a security researcher at F-Secure.

The Finnish vendor received reports from a handful of European companies affected last week that were all in the same business area, Mustonen said. He declined to name the industry. The company received a few more reports this week but "it seems to be pretty calm," he said.

The number of hacker groups using the Trojan appears quite small at this point, Mustonen said. "It seems they have been written by expert people," he said. He advised businesses to monitor any suspicious traffic coming from China in their firewall. The Trojan may not have originated there, but it appears at least to be talking to a host server in that country, he said.

Microsoft's Security Research Center is analyzing the vulnerability, which affects Microsoft Word XP and Word 2003. The company said it will release a patch with its next regular update, due June 13, or earlier if necessary.

In the meantime, Word's safe mode won't fix the vulnerability but will prevent the vulnerable code from being exploited, Microsoft said. The first step is to disable the Outlook feature that uses Word for editing e-mails. The second involves creating a new desktop shortcut that adds "/safe" to the Word command line. Detailed instructions are available online.

"For the sake of security I'd recommend doing it, even though it's a bit difficult," Sancho of Trend Micro said. In safe mode, Word ignores toolbar customizations, changes to preferences can't be saved and functions such as AutoCorrect and Smart tags are disabled.

Copyright 2006 ITworldcanada.com.

From isn at c4i.org Thu May 25 03:41:58 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 25 May 2006 02:41:58 -0500 (CDT)
Subject: [ISN] MPAA accused of hiring a hacker
Message-ID:

http://news.com.com/MPAA+accused+of+hiring+a+hacker/2100-1030_3-6076665.html

By Greg Sandoval
Staff Writer, CNET News.com
May 24, 2006

The Motion Picture Association of America hired a hacker to steal information from a company that the MPAA has accused of helping copyright violators, according to a lawsuit filed Wednesday.

The lawsuit (click for PDF [1]), filed Wednesday in U.S. District Court for the Central District of California by Torrentspy.com parent Valence Media, doesn't identify the man the company says was approached by an MPAA executive. But the suit calls the man a former associate of one of the plaintiffs who was asked to retrieve private information on Torrentspy.com, a search engine that directs users to download links.

Among Torrentspy's claims are that the man who the MPAA allegedly paid $15,000 to steal e-mail correspondence and trade secrets has admitted his role in the plot and is cooperating with the company.

"It is a Hollywood drama, what happened here," Ira Rothken, Torrentspy's attorney, said in a telephone interview Wednesday evening.

The allegations come three months after the MPAA filed suit against Torrentspy and other Torrent directories for allegedly making it easier for pirates to distribute movies over the Internet.
"These claims (by Torrentspy) are false," Kori Bernards, the MPAA's vice president of corporate communications, said in an e-mail to CNET News.com. "Torrentspy is trying to obscure the facts to hide the fact that they are facilitating thievery. We are confident that our lawsuit against them will be successful because the law is on our side."

The suit filed by the MPAA was a departure from the organization's previous strategy of going after Web sites that were directly involved in facilitating file sharing. By suing Torrentspy, as well as such companies as IsoHunt, BTHub.com, and TorrentBox.com, MPAA was declaring that it saw little difference between the file-swapping networks that the studios have aggressively taken to court and those companies that direct people to works that may be protected by copyrights.

One MPAA executive is quoted in Torrentspy's lawsuit saying: "We don't care how you get it," referring to the alleged assignment to retrieve information on Torrentspy.

Some of the information that the man allegedly pilfered included a spreadsheet containing Torrentspy income and expenses from January to June of 2005, copies of private e-mails between Torrentspy employees, detailed information on the company's servers, and billing information, according to a copy of the filing obtained by CNET News.com.

Torrentspy alleges in the suit that the man, who the company refers to as the "informant," has provided documents that prove the nature of his relationship with the MPAA, including a written agreement signed by the hacker and an MPAA executive, said Torrentspy attorney Rothken.

"We have very significant proof of wrongdoing and the MPAA's involvement," Rothken said. "We think it's ironic for the MPAA to claim that they are protecting the rights of the movie studios and then go out and pirate other people's property."

Rothken said that the MPAA also paid the hacker to "gather nonpublic information" about other Torrent sites.
Rothken declined to specify which companies.

Following this, the "informant" had a change of heart and contacted Torrentspy.

"By doing that, he's mitigating the harm that he did," Rothken said. "He is also allowing us to get a remedy against the MPAA and to help us stop them from using the stolen data."

Torrentspy has asked the court for unspecified damages and a jury trial.

CNET News.com's Joris Evers contributed to this report.

[1] http://www.techfirm.com/ts-mpaa.pdf

From isn at c4i.org Thu May 25 03:42:09 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 25 May 2006 02:42:09 -0500 (CDT)
Subject: [ISN] Feds Raid Home of Photo Agency Head
Message-ID:

http://tmz.aol.com/article2/_a/feds-raid-home-of-photo-agency-head/20060523182009990001

By TMZ.COM STAFF
May 23, 2006

TMZ has learned that the FBI searched the home Tuesday of a woman who runs an LA paparazzi agency. The allegation is that her computers were used to illegally hack into the computers of Us Weekly magazine to obtain information about celebrities, in particular Charlie Sheen.

Sources tell TMZ the U.S. Attorney obtained the search warrant several days ago. Law enforcement went to the home of Jill Ishkanian, a partner at Sunset Photo and News, where they seized computers and other items. As of now, the official file is sealed.

Ishkanian founded Sunset Photo and News last year after leaving Us Weekly, where she worked as a reporter.

TMZ repeatedly called Sunset Photo and News for comment, but each time company reps immediately hung up the phone.

In a related development, TMZ spoke with former Hollywood madame Heidi Fleiss, who says she was contacted by officials and accused of being involved in the alleged hacking plot. The reason? Sources say Fleiss and Ishkanian are close friends. Fleiss told TMZ the allegations against her are "ridiculous."
-=- UPDATE 7:15PM ET: Ishkanian's lawyer, Glenn Feldman, contacted TMZ and says his client has been subpoenaed by Britney Spears' lawyers in her suit against Us Weekly. Spears claims that an article in Us Weekly alleging she made a sex tape with husband Kevin Federline was bogus. Feldman says he finds it "coincidental" that his client is suddenly being targeted. Feldman adds that Ishkanian "did not receive any information from Us Weekly by hacking into any computer, especially information about Charlie Sheen."

From isn at c4i.org Thu May 25 03:44:42 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 25 May 2006 02:44:42 -0500 (CDT)
Subject: [ISN] Agency Delayed Reporting Theft of Veterans' Data
Message-ID:

http://www.nytimes.com/2006/05/24/washington/24identity.html

By DAVID STOUT and TOM ZELLER Jr.
May 24, 2006

WASHINGTON, May 23 - The Veterans Affairs Department learned about the theft of electronic data on 26.5 million veterans shortly after it occurred, on May 3, but waited two weeks before telling law enforcement agencies, officials said Tuesday.

The officials said investigators in the Justice Department and the Federal Bureau of Investigation were furious with the leaders of the veterans agency for initially trying to handle the loss of the data as an internal problem through the agency's inspector general before coming forward.

Officials said the investigators in the Justice Department and F.B.I. had complained that the delay might have cost them clues to the whereabouts of the data, stored on computer disks that were stolen in a burglary on May 3 at the home of an agency employee in Maryland.

A spokesman for the agency, Matt Burns, declined to comment on the timing of the announcement.

The disks carried names and accompanying Social Security numbers and dates of birth, practically keys to identity in the computer age.
It was not clear, in the absence of an explanation from the agency, why its officials waited for days to disclose the theft to law enforcement people and still more days to announce it to the public, or what internal discussions might have prompted them to change their minds.

As the department sought to reassure veterans not privy to the bureaucratic machinations here and to deal with a security lapse that was becoming a public relations disaster, some veterans were uneasy and suspicious.

"Why did the V.A. wait 19 days to notify veterans?" John Rowan, president of the Vietnam Veterans of America, asked. Perhaps, Mr. Rowan suggested, the department learned that the news was about to be leaked.

The wife of a disabled veteran of the gulf war, Penny Larrisey of Doylestown, Pa., expressed what countless crime victims have said. "Just right about now, the only way you can feel is you've been violated," Mrs. Larrisey said in a telephone interview.

The department has emphasized that there was as yet no indication that the data, taken home without authorization by the employee, had been put to ill use. But Mrs. Larrisey, whose husband, Bob, was an Air Force sergeant, was not soothed. "This puts us in a position of one paycheck away from disaster," she said, worrying that a computer-savvy thief with access to specifics about her husband's disability payments could tap into their bank account.

The authorities continued to investigate the activities of the employee, who is on administrative leave. Officials familiar with the case said that while investigators had no reason to dispute the employee's account, they were nonetheless puzzled why little else of value besides the data-laden disks was stolen. In an added twist, the officials said investigators were having trouble finding the employee but did not think that he was necessarily trying to be evasive.
Several aspects remained murky, including how much communication, if any, there was between the Montgomery County police in Maryland and federal investigators about the disks.

Mr. Rowan of the Vietnam veterans' group said the Veterans Affairs Department should do more than just post information on its Web site advising veterans to scrutinize their financial records and telling them what to do if they find something wrong. "The V.A. has put veterans at risk for identity theft," he said. "If this were the private sector, they would be required to provide each veteran with free credit-reporting services."

A spokesman for Senator Larry E. Craig, the Idaho Republican who is chairman of the Veterans Affairs Committee, said the panel would consider just such measures when it holds a hearing on the case on Thursday morning. The spokesman, Jeff Schrade, said government agencies should treat personal data as "top secret information."

Christopher Walsh, a lawyer here who specializes in security cases, said the theft conveyed a disturbing message, that "the government has paid far less attention to the issue of data security than the people think - and far less than business."

Recent federal laws entitle every consumer to one free credit report from each major consumer credit-reporting agency (Experian, Equifax and TransUnion) every year. But for closer monitoring of credit status, the kind that some consumers turn to when they fear that their records have been compromised, the companies charge a fee. Ten dollars a month after a free 30-day trial is typical. If veterans feel threatened enough to enter such arrangements, "the government ought to pay for it, in my view," Mr. Walsh said.

At least two companies offering identity-theft protection, LifeLock and MyPublicInfo, said they had discount packages for veterans affected by the theft.

Senator Craig's spokesman, Mr. Schrade, declined to predict what would happen at the hearing on Thursday or how the security breach would be repaired. "But," he said, "I don't think we're going to get out of this on the cheap."

Maureen Balleza contributed reporting from Houston for this article.

From isn at c4i.org Fri May 26 05:03:59 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 26 May 2006 04:03:59 -0500 (CDT)
Subject: [ISN] Wireless networks still wide open to attack
Message-ID:

http://www.vnunet.com/vnunet/news/2156945/wireless-networks-open-attack

Matt Chapman
vnunet.com
25 May 2006

Almost half of all UK wireless networks are open to attack, according to research from anti-virus company Kaspersky.

The report found that a shocking 49 per cent of wireless networks in London were operating without any encryption. Tests in the business district in London's Canary Wharf found the area marginally safer, although 40 per cent of wireless networks were still unencrypted.

Kaspersky's research was carried out between 25 and 28 April 2006 in various areas of London, and at the Infosec security conference, with data collected from more than 600 Wi-Fi access points.

"You would expect a major business site and a security exhibition to be particularly security conscious, so the level of vulnerability at both of these sites is surprising," said Alexander Gostev, senior virus analyst at Kaspersky Lab.

"Canary Wharf is home to multinational banks and insurance companies and would be the perfect location for a hacker wanting to steal lucrative confidential or proprietary information."

Gostev warned that the fallout from an attack on these organisations could be catastrophic.

Kaspersky said it did not attempt to connect to the networks it found, nor to intercept or decrypt traffic.

The research showed that problems still exist for wireless technology.
"Wireless networks and protocols have not got over their teething troubles, and can pose a serious risk in the hands of inexperienced users," the report concluded. From isn at c4i.org Fri May 26 05:04:17 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 26 May 2006 04:04:17 -0500 (CDT) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-21 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2006-05-18 - 2006-05-25 This week: 108 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. 
Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Secunia has issued a rare "Extremely Critical" Secunia advisory for a "Zero-day" vulnerability in Microsoft Word, which can be exploited by malicious people to compromise a user's system.

See additional details and other references in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA20153

--

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1.  [SA20153] Microsoft Word Malformed Object Code Execution Vulnerability
2.  [SA20154] Skype URL Handling File Disclosure Vulnerability
3.  [SA20107] RealVNC Password Authentication Bypass Vulnerability
4.  [SA19762] Internet Explorer "object" Tag Memory Corruption Vulnerability
5.  [SA20244] Firefox Exception Handling Full Path Disclosure Weakness
6.  [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
7.  [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information
8.  [SA20168] Solaris in.ftpd Directory Access Restriction Bypass Vulnerability
9.  [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
10. [SA20158] Invision Power Board Multiple Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:

[SA20233] PDF Form Filling and Flattening Tool Field Name Buffer Overflow
[SA20190] Zix Forum "layid" SQL Injection Vulnerability
[SA20178] Fujitsu MyWeb Products SQL Injection Vulnerability
[SA20172] IntelliTamper Site Map File Buffer Overflow Vulnerability
[SA20171] CodeAvalanche News "password" SQL Injection Vulnerability
[SA20165] FrontRange iHEAT Host System Access Vulnerability
[SA20207] BitZipper Multiple Archive Directory Traversal Vulnerability
[SA20175] aspbb Cross-Site Scripting Vulnerabilities
[SA20261] Cisco VPN Client Privilege Escalation Vulnerability
[SA20194] Novell Client Clipboard Content Handling Weakness

UNIX/Linux:

[SA20275] Debian update for mpg123
[SA20247] Debian update for nagios
[SA20243] UnixWare update for Sendmail
[SA20240] mpg123 "III_i_stereo()" Function Buffer Overflow Vulnerability
[SA20235] HP-UX Motif Applications libXpm Image Decoding Vulnerabilities
[SA20215] SUSE Updates for Multiple Packages
[SA20214] HP Tru64 UNIX Firefox/Mozilla Application Suite Vulnerability
[SA20210] SGI Advanced Linux Environment Multiple Updates
[SA20203] Debian update for phpgroupware
[SA20186] Ubuntu update for awstats
[SA20170] Debian update for awstats
[SA20277] Tor Weakness and Multiple Vulnerabilities
[SA20274] Publicist SQL Injection and Script Insertion Vulnerabilities
[SA20254] Ubuntu update for dia
[SA20238] Perlpodder Shell Command Injection Vulnerability
[SA20237] Red Hat update for kernel
[SA20232] Red Hat update for postgresql
[SA20222] Red Hat update for php
[SA20217] HP-UX BIND4 DNS Cache Poisoning Vulnerability
[SA20208] Prodder Podcast Feed Shell Command Injection Vulnerability
[SA20202] Debian update for kernel-source-2.4.18
[SA20199] Dia Multiple Format String Vulnerabilities
[SA20191] Debian update for cscope
[SA20188] GNU Binutils libbfd TekHex Record Handling Vulnerability
[SA20185] Linux Kernel Netfilter Weakness and Two SCTP Vulnerabilities
[SA20163] Debian update for kernel-source-2.4.19
[SA20162] Debian update for kernel-source-2.4.16
[SA20269] Mandriva update for php
[SA20205] Debian update for popfile
[SA20197] Debian update for phpbb2
[SA20168] Solaris in.ftpd Directory Access Restriction Bypass Vulnerability
[SA20267] Apple Xcode WebObjects Plugin Access Control Vulnerability
[SA20265] Mandriva update for hostapd
[SA20253] Debian update for mysql
[SA20241] Debian update for mysql-dfsg
[SA20225] Linux Kernel SNMP NAT Helper Denial of Service
[SA20223] Trustix update for mysql
[SA20221] Debian update for quagga
[SA20195] Debian update for hostapd
[SA20182] Mandriva update for kernel
[SA20230] HP-UX Software Distributor Privilege Escalation Vulnerability
[SA20224] XScreenSaver Insecure Temporary File Creation Vulnerability
[SA20206] Debian update for kernel-patch-vserver
[SA20180] SAP sapdba Command Insecure Environment Variable Handling
[SA20166] Debian update for fbi
[SA20227] HP-UX Kernel Denial of Service Vulnerability

Other:

[SA20183] Sitecom WL-153 UPnP Shell Command Injection Vulnerability
[SA20169] Edimax BR-6104K UPnP Shell Command Injection Vulnerability
[SA20184] ZyXEL P-335WT UPnP Port Mapping Vulnerability

Cross Platform:

[SA20264] RWiki Script Insertion and Ruby Code Injection Vulnerabilities
[SA20260] Docebo Multiple File Inclusion Vulnerabilities
[SA20258] DSChat Script Insertion and PHP Code Execution Vulnerabilities
[SA20257] PunkBuster WebTool Buffer Overflow Vulnerability
[SA20245] PHP Easy Galerie "includepath" Parameter File Inclusion Vulnerability
[SA20242] UBB.threads "thispath" Parameter File Inclusion Vulnerability
[SA20236] Russcom.Ping "domain" Shell Command Injection Vulnerability
[SA20219] Nucleus "GLOBALS[DIR_LIBS]" Parameter File Inclusion Vulnerability
[SA20209] phpMyDirectory "ROOT_PATH" File Inclusion Vulnerability
[SA20204] artmedic newsletter "log.php" PHP Code Injection Vulnerability
[SA20198] phpBazar "language_dir" File Inclusion Vulnerability
[SA20278] HyperStop Web Host Directory "uri" SQL Injection Vulnerability
[SA20276] AlstraSoft Web Host Directory "uri" SQL Injection Vulnerability
[SA20263] Diesel Joke Site "id" Parameter SQL Injection Vulnerability
[SA20262] e107 Unspecified SQL Injection Vulnerabilities
[SA20259] Chatty "username" Parameter Script Insertion Vulnerability
[SA20252] Hiox Guestbook Script Insertion Vulnerability
[SA20250] NetPanzer "setFrame()" Denial of Service Vulnerability
[SA20248] Destiney Links Script Multiple Vulnerabilities
[SA20246] ipLogger "User-Agent" HTTP Header Script Insertion Vulnerability
[SA20239] phpwcms Cross-Site Scripting and Local File Inclusion
[SA20234] SkyeBox "post.php" Script Insertion Vulnerability
[SA20231] PostgreSQL Encoding-Based SQL Injection Vulnerability
[SA20229] AlstraSoft E-Friends Script Insertion Vulnerabilities
[SA20228] AlstraSoft Article Manager Pro SQL Injection and Script Insertion
[SA20220] phpListPro "Language" Local File Inclusion Vulnerability
[SA20216] Dayfox Blog "slog_users.txt" Exposure of User Credentials
[SA20213] Stylish Text Ads Script "id" SQL Injection Vulnerability
[SA20211] Coppermine Photo Gallery Multiple File Extensions Vulnerability
[SA20201] DGBook "index.php" Multiple Vulnerabilities
[SA20192] Xtreme Topsites Cross-Site Scripting and SQL Injection Vulnerabilities
[SA20189] MediaWiki Script Insertion Vulnerabilities
[SA20187] UseBB Cross-Site Scripting and SQL Injection Vulnerabilities
[SA20181] Horizontal Shooter BOR Mod File Handling Format String Vulnerability
[SA20177] Cosmoshop SQL Injection and Disclosure of Sensitive Information
[SA20176] Xoops Local File Inclusion Vulnerabilities
[SA20174] OpenBOR Engine Mod File Handling Format String Vulnerability
[SA20173] Beats of Rage (BOR) Engine Format String Vulnerability
[SA20167] 4R Linklist "cat" SQL Injection Vulnerability
[SA20196] HP OpenView Storage Data Protector Arbitrary Command Execution
[SA20193] HP OpenView Network Node Manager Arbitrary Command Execution
[SA20251] Alkacon OpenCms "query" Cross-Site Scripting Vulnerability
[SA20249] Destiney Rated Images Script Multiple Script Insertion Vulnerabilities
[SA20212] JemScripts DownloadControl "dcid" Cross-Site Scripting Vulnerability
[SA20266] SiteScape Forum Information Disclosure Weaknesses
[SA20256] Mozilla Suite Exception Handling Full Path Disclosure Weakness
[SA20255] Netscape Exception Handling Full Path Disclosure Weakness
[SA20244] Firefox Exception Handling Full Path Disclosure Weakness

========================================================================

5) Vulnerabilities Content Listing

Windows:
--

[SA20233] PDF Form Filling and Flattening Tool Field Name Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-24

George D. Gal has reported a vulnerability in PDF Form Filling and Flattening Tool, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20233/

--

[SA20190] Zix Forum "layid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-22

PHP Emperor has discovered a vulnerability in Zix Forum, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20190/

--

[SA20178] Fujitsu MyWeb Products SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-22

A vulnerability has been reported in Fujitsu MyWeb products, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20178/

--

[SA20172] IntelliTamper Site Map File Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-19

Devil00 has discovered a vulnerability in IntelliTamper, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20172/

--

[SA20171] CodeAvalanche News "password" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-19

Omnipresent has reported a vulnerability in CodeAvalanche News, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20171/

--

[SA20165] FrontRange iHEAT Host System Access Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-24

mcdanielar has reported a vulnerability in FrontRange iHEAT, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20165/

--

[SA20207] BitZipper Multiple Archive Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-05-22

Hamid Ebadi has discovered a vulnerability in BitZipper, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20207/

--

[SA20175] aspbb Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-19

TeufeL has reported two vulnerabilities in aspbb, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20175/

--

[SA20261] Cisco VPN Client Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-05-25

A vulnerability has been reported in Cisco VPN Client, which can be exploited by malicious, local users to gain escalated privileges on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20261/

--

[SA20194] Novell Client Clipboard Content Handling Weakness

Critical:    Not critical
Where:       Local system
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2006-05-23

Eitan Caspi has reported a weakness in Novell Client, which can be exploited by malicious people to disclose potentially sensitive information and to manipulate certain information.

Full Advisory:
http://secunia.com/advisories/20194/

UNIX/Linux:
--

[SA20275] Debian update for mpg123

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-25

Debian has issued an update for mpg123. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20275/

--

[SA20247] Debian update for nagios

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-23

Debian has issued an update for nagios. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20247/

--

[SA20243] UnixWare update for Sendmail

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-23

SCO has issued an update for Sendmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20243/

--

[SA20240] mpg123 "III_i_stereo()" Function Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-25

A. Alejandro Hernández has reported a vulnerability in mpg123, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20240/

--

[SA20235] HP-UX Motif Applications libXpm Image Decoding Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-23

HP has acknowledged a vulnerability in HP-UX running Motif applications, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20235/

--

[SA20215] SUSE Updates for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data, DoS, System access
Released:    2006-05-22

SUSE has issued updates for multiple packages. These fix some vulnerabilities, which potentially can be exploited by malicious people to conduct HTTP request smuggling attacks, cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20215/

--

[SA20214] HP Tru64 UNIX Firefox/Mozilla Application Suite Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-23

HP has acknowledged a vulnerability in HP Tru64 UNIX running Firefox/Mozilla Application Suite, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20214/

--

[SA20210] SGI Advanced Linux Environment Multiple Updates

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, DoS, System access
Released:    2006-05-24

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, by malicious users to cause a DoS (Denial of Service), manipulate certain information, and compromise a vulnerable system, or by malicious people to use PHP as an open mail relay, gain knowledge of potentially sensitive information, conduct cross-site scripting attacks and script insertion attacks, cause a DoS, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20210/

--

[SA20203] Debian update for phpgroupware

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-22

Debian has issued an update for phpgroupware. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20203/

--

[SA20186] Ubuntu update for awstats

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-23

Ubuntu has issued an update for awstats. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20186/

--

[SA20170] Debian update for awstats

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-19

Debian has issued an update for awstats. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20170/

--

[SA20277] Tor Weakness and Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:
Released:    2006-05-25

Some vulnerabilities and a weakness have been reported in Tor, which can be exploited by malicious people to spoof log entries, disclose certain sensitive information, and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20277/

--

[SA20274] Publicist SQL Injection and Script Insertion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-05-25

luny has reported some vulnerabilities in Publicist, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20274/

--

[SA20254] Ubuntu update for dia

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-24

Ubuntu has issued an update for dia. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20254/

--

[SA20238] Perlpodder Shell Command Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-23

RedTeam has reported a vulnerability in Perlpodder, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20238/

--

[SA20237] Red Hat update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2006-05-24

Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users and by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20237/

--

[SA20232] Red Hat update for postgresql

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-05-24

Red Hat has issued an update for postgresql. This fixes two vulnerabilities and a weakness, which potentially can be exploited by malicious, local users to bypass certain security restrictions, and by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20232/

--

[SA20222] Red Hat update for php

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-05-24

Red Hat has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system, and by malicious people to conduct cross-site scripting attacks and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20222/

--

[SA20217] HP-UX BIND4 DNS Cache Poisoning Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing, Manipulation of data
Released:    2006-05-23

A vulnerability has been reported in HP-UX, which can be exploited by malicious people to poison the DNS cache.

Full Advisory:
http://secunia.com/advisories/20217/

--

[SA20208] Prodder Podcast Feed Shell Command Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-22

RedTeam has reported a vulnerability in Prodder, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20208/

--

[SA20202] Debian update for kernel-source-2.4.18

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Released:    2006-05-23

Debian has issued an update for kernel-source-2.4.18.
This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information, cause a DoS (Denial of Service), gain escalated privileges, and by malicious people to cause a DoS, and disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20202/

--

[SA20199] Dia Multiple Format String Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-22

Some vulnerabilities have been reported in Dia, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20199/

--

[SA20191] Debian update for cscope

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-22

Debian has issued an update for cscope. This fixes a vulnerability, which can be exploited by malicious people to potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20191/

--

[SA20188] GNU Binutils libbfd TekHex Record Handling Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-23

Jesús Olmos Gonzalez has reported a vulnerability in GNU Binutils, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20188/

--

[SA20185] Linux Kernel Netfilter Weakness and Two SCTP Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2006-05-22

Two vulnerabilities and a weakness have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and disclose potentially sensitive information, and by malicious people to cause a DoS.
Full Advisory:
http://secunia.com/advisories/20185/

--

[SA20163] Debian update for kernel-source-2.4.19

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Released:    2006-05-22

Debian has issued an update for kernel-source-2.4.19. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information, cause a DoS (Denial of Service), gain escalated privileges, and by malicious people to cause a DoS, and disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20163/

--

[SA20162] Debian update for kernel-source-2.4.16

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Released:    2006-05-22

Debian has issued an update for kernel-source-2.4.16. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information, cause a DoS (Denial of Service), gain escalated privileges, and by malicious people to cause a DoS, and disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20162/

--

[SA20269] Mandriva update for php

Critical:    Less critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-25

Mandriva has issued an update for php. This fixes two vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20269/

--

[SA20205] Debian update for popfile

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-05-22

Debian has issued an update for popfile. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20205/ -- [SA20197] Debian update for phpbb2 Critical: Less critical Where: From remote Impact: System access Released: 2006-05-23 Debian has issued an update for phpbb2. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20197/ -- [SA20168] Solaris in.ftpd Directory Access Restriction Bypass Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-05-19 Sun Microsystems has acknowledged a vulnerability in Solaris, which can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/20168/ -- [SA20267] Apple Xcode WebObjects Plugin Access Control Vulnerability Critical: Less critical Where: From local network Impact: Security Bypass Released: 2006-05-25 A vulnerability has been reported in Apple Xcode, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/20267/ -- [SA20265] Mandriva update for hostapd Critical: Less critical Where: From local network Impact: DoS Released: 2006-05-25 Mandriva has issued an update for hostapd. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/20265/ -- [SA20253] Debian update for mysql Critical: Less critical Where: From local network Impact: Security Bypass, Exposure of sensitive information, System access Released: 2006-05-23 Debian has issued an update for mysql. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, disclose potentially sensitive information, and compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/20253/ -- [SA20241] Debian update for mysql-dfsg Critical: Less critical Where: From local network Impact: Security Bypass, Exposure of sensitive information, System access Released: 2006-05-23 Debian has issued an update for mysql-dfsg. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, disclose potentially sensitive information, and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20241/ -- [SA20225] Linux Kernel SNMP NAT Helper Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2006-05-23 A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/20225/ -- [SA20223] Trustix update for mysql Critical: Less critical Where: From local network Impact: Exposure of sensitive information, System access Released: 2006-05-22 Trustix has issued an update for mysql. This fixes some vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20223/ -- [SA20221] Debian update for quagga Critical: Less critical Where: From local network Impact: Security Bypass, Exposure of system information, DoS Released: 2006-05-22 Debian has issued an update for quagga. This fixes two security issues and a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service), and by malicious people to bypass certain security restrictions and to disclose system information. Full Advisory: http://secunia.com/advisories/20221/ -- [SA20195] Debian update for hostapd Critical: Less critical Where: From local network Impact: DoS Released: 2006-05-22 Debian has issued an update for hostapd. 
This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/20195/ -- [SA20182] Mandriva update for kernel Critical: Less critical Where: From local network Impact: DoS Released: 2006-05-25 Mandriva has issued an update for kernel. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/20182/ -- [SA20230] HP-UX Software Distributor Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-24 A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/20230/ -- [SA20224] XScreenSaver Insecure Temporary File Creation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-24 A vulnerability has been reported in XScreenSaver, which can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/20224/ -- [SA20206] Debian update for kernel-patch-vserver Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-22 Debian has issued an update for kernel-patch-vserver. This fixes a security issue, which can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/20206/ -- [SA20180] SAP sapdba Command Insecure Environment Variable Handling Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-19 Leandro Meiners has reported a vulnerability in SAP, which can be exploited by malicious, local users to gain escalated privileges. 
Full Advisory: http://secunia.com/advisories/20180/ -- [SA20166] Debian update for fbi Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-22 Debian has issued an update for fbi. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/20166/ -- [SA20227] HP-UX Kernel Denial of Service Vulnerability Critical: Not critical Where: Local system Impact: DoS Released: 2006-05-23 A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/20227/ Other:-- [SA20183] Sitecom WL-153 UPnP Shell Command Injection Vulnerability Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2006-05-22 Armijn Hemel has reported a vulnerability in Sitecom WL-153, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable device. Full Advisory: http://secunia.com/advisories/20183/ -- [SA20169] Edimax BR-6104K UPnP Shell Command Injection Vulnerability Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2006-05-22 Armijn Hemel has reported a vulnerability in Edimax BR-6104K, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable device. Full Advisory: http://secunia.com/advisories/20169/ -- [SA20184] ZyXEL P-335WT UPnP Port Mapping Vulnerability Critical: Less critical Where: From local network Impact: Security Bypass Released: 2006-05-22 Armijn Hemel has reported a vulnerability in ZyXEL P-335WT, which can be exploited by malicious people to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/20184/ Cross Platform:-- [SA20264] RWiki Script Insertion and Ruby Code Injection Vulnerabilities Critical: Highly critical Where: From remote Impact: Cross Site Scripting, System access Released: 2006-05-24 Two vulnerabilities have been reported in RWiki, which can be exploited by malicious people to conduct script insertion attacks and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20264/ -- [SA20260] Docebo Multiple File Inclusion Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-24 Kacper has discovered some vulnerabilities in Docebo, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20260/ -- [SA20258] DSChat Script Insertion and PHP Code Execution Vulnerabilities Critical: Highly critical Where: From remote Impact: Cross Site Scripting, System access Released: 2006-05-24 Two vulnerabilities have been discovered in DSChat, which can be exploited by malicious people to conduct script insertion attacks and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20258/ -- [SA20257] PunkBuster WebTool Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-24 Luigi Auriemma has reported a vulnerability in PunkBuster, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20257/ -- [SA20245] PHP Easy Galerie "includepath" Parameter File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-23 BrEakerS has reported a vulnerability in PHP Easy Galerie, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/20245/ -- [SA20242] UBB.threads "thispath" Parameter File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-23 V4mu has discovered a vulnerability in UBB.threads, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20242/ -- [SA20236] Russcom.Ping "domain" Shell Command Injection Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-24 Nomenumbra has discovered a vulnerability in Russcom.Ping, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20236/ -- [SA20219] Nucleus "GLOBALS[DIR_LIBS]" Parameter File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-24 rgod has discovered a vulnerability in Nucleus, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20219/ -- [SA20209] phpMyDirectory "ROOT_PATH" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-22 OLiBekaS has reported a vulnerability in phpMyDirectory, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20209/ -- [SA20204] artmedic newsletter "log.php" PHP Code Injection Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-23 C.Schmitz has discovered a vulnerability in artmedic newsletter, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/20204/ -- [SA20198] phpBazar "language_dir" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-22 PHP Emperor has discovered a vulnerability in phpBazar, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20198/ -- [SA20278] HyperStop Web Host Directory "uri" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-25 luny has reported a vulnerability in HyperStop Web Host (WebHost) Directory, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20278/ -- [SA20276] AlstraSoft Web Host Directory "uri" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-25 luny has reported a vulnerability in AlstraSoft Web Host (WebHost) Directory, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20276/ -- [SA20263] Diesel Joke Site "id" Parameter SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-25 a_linuxer has reported a vulnerability in Diesel Joke Site, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20263/ -- [SA20262] e107 Unspecified SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Unknown, Manipulation of data Released: 2006-05-24 Some vulnerabilities have been reported in e107, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/20262/ -- [SA20259] Chatty "username" Parameter Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-24 Nomenumbra has discovered a vulnerability in Chatty, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/20259/ -- [SA20252] Hiox Guestbook Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-23 luny has discovered a vulnerability in Hiox Guestbook, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/20252/ -- [SA20250] NetPanzer "setFrame()" Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-05-24 Luigi Auriemma has reported a vulnerability in NetPanzer, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/20250/ -- [SA20248] Destiney Links Script Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information Released: 2006-05-23 Some vulnerabilities have been discovered in Destiney Links Script, which can be exploited by malicious people to conduct script insertion attacks, cross-site scripting attacks, and to disclose sensitive information. Full Advisory: http://secunia.com/advisories/20248/ -- [SA20246] ipLogger "User-Agent" HTTP Header Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-24 Nomenumbra has discovered a vulnerability in ipLogger, which can be exploited by malicious people to conduct script insertion attacks. 
Full Advisory: http://secunia.com/advisories/20246/ -- [SA20239] phpwcms Cross-Site Scripting and Local File Inclusion Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information, System access Released: 2006-05-23 trueend5 has discovered a vulnerability in phpwcms, which potentially can be exploited by malicious users to compromise a vulnerable system, and by malicious people to conduct cross-site scripting attacks and disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/20239/ -- [SA20234] SkyeBox "post.php" Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-24 Nomenumbra has discovered a vulnerability in SkyeBox, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/20234/ -- [SA20231] PostgreSQL Encoding-Based SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-24 Two vulnerabilities have been reported in PostgreSQL, which potentially can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20231/ -- [SA20229] AlstraSoft E-Friends Script Insertion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-24 luny has reported some vulnerabilities in AlstraSoft E-Friends, which can be exploited by malicious people to conduct script insertion attacks. 
Full Advisory: http://secunia.com/advisories/20229/ -- [SA20228] AlstraSoft Article Manager Pro SQL Injection and Script Insertion Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of system information Released: 2006-05-24 luny has reported some vulnerabilities in AlstraSoft Article Manager Pro, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/20228/ -- [SA20220] phpListPro "Language" Local File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2006-05-22 [Oo] has discovered a vulnerability in phpListPro, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/20220/ -- [SA20216] Dayfox Blog "slog_users.txt" Exposure of User Credentials Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2006-05-22 omnipresent has discovered a security issue in Dayfox Blog, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/20216/ -- [SA20213] Stylish Text Ads Script "id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-22 luny has reported a vulnerability in Stylish Text Ads Script, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20213/ -- [SA20211] Coppermine Photo Gallery Multiple File Extensions Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2006-05-22 A vulnerability has been reported in Coppermine Photo Gallery, which can be exploited by malicious users to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/20211/ -- [SA20201] DGBook "index.php" Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-05-24 Some vulnerabilities have been discovered in DGBook, which can be exploited by malicious people to conduct script insertion attacks and SQL injection attacks. Full Advisory: http://secunia.com/advisories/20201/ -- [SA20192] Xtreme Topsites Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-05-22 luny has discovered some vulnerabilities in Xtreme Topsites, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/20192/ -- [SA20189] MediaWiki Script Insertion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-23 Nick Jenkins has reported some vulnerabilities in MediaWiki, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/20189/ -- [SA20187] UseBB Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-05-22 Two vulnerabilities have been reported in UseBB, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/20187/ -- [SA20181] Horizontal Shooter BOR Mod File Handling Format String Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2006-05-22 Luigi Auriemma has reported a vulnerability in Horizontal Shooter BOR (HOR), which potentially can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/20181/ -- [SA20177] Cosmoshop SQL Injection and Disclosure of Sensitive Information Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2006-05-19 l0om has reported some vulnerabilities in Cosmoshop, which can be exploited by malicious users to disclose sensitive information and by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20177/ -- [SA20176] Xoops Local File Inclusion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information, System access Released: 2006-05-22 rgod has reported two vulnerabilities in Xoops, which can be exploited by malicious people to disclose sensitive information and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20176/ -- [SA20174] OpenBOR Engine Mod File Handling Format String Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2006-05-22 Luigi Auriemma has reported a vulnerability in OpenBOR Engine, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/20174/ -- [SA20173] Beats of Rage (BOR) Engine Format String Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2006-05-22 Luigi Auriemma has reported a vulnerability in Beats of Rage (BOR) Engine, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/20173/ -- [SA20167] 4R Linklist "cat" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-23 Snake_23 has reported a vulnerability in 4R Linklist, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/20167/ -- [SA20196] HP OpenView Storage Data Protector Arbitrary Command Execution Critical: Moderately critical Where: From local network Impact: System access Released: 2006-05-24 A vulnerability has been reported in HP OpenView Storage Data Protector, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20196/ -- [SA20193] HP OpenView Network Node Manager Arbitrary Command Execution Critical: Moderately critical Where: From local network Impact: System access Released: 2006-05-24 A vulnerability has been reported in HP OpenView Network Node Manager (OV NNM), which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20193/ -- [SA20251] Alkacon OpenCms "query" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-23 Jaime Blasco has reported a vulnerability in Alkacon OpenCms, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20251/ -- [SA20249] Destiney Rated Images Script Multiple Script Insertion Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-23 luny has discovered some vulnerabilities in Destiney Rated Images Script, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/20249/ -- [SA20212] JemScripts DownloadControl "dcid" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-23 A vulnerability has been reported in JemScripts DownloadControl, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/20212/ -- [SA20266] SiteScape Forum Information Disclosure Weaknesses Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2006-05-25 Two weaknesses have been reported in SiteScape Forum, which can be exploited by malicious people to disclose certain system information. Full Advisory: http://secunia.com/advisories/20266/ -- [SA20256] Mozilla Suite Exception Handling Full Path Disclosure Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2006-05-23 A weakness has been discovered in Mozilla Suite, which can be exploited by malicious people to disclose system information. Full Advisory: http://secunia.com/advisories/20256/ -- [SA20255] Netscape Exception Handling Full Path Disclosure Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2006-05-23 A weakness has been discovered in Netscape, which can be exploited by malicious people to disclose system information. Full Advisory: http://secunia.com/advisories/20255/ -- [SA20244] Firefox Exception Handling Full Path Disclosure Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2006-05-23 A weakness has been discovered in Firefox, which can be exploited by malicious people to disclose system information. Full Advisory: http://secunia.com/advisories/20244/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri May 26 05:02:59 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 26 May 2006 04:02:59 -0500 (CDT)
Subject: [ISN] Black Frog hops into spam battle
Message-ID:

http://news.zdnet.co.uk/internet/0,39020369,39271074,00.htm

By Greg Sandoval
CNET News.com
May 25, 2006

The open-source project aims to replace Blue Frog's opt-out email campaign designed to crash spammers' servers

Spammers beware -- avenging amphibians are once again rising against you.

First there was Blue Frog, a community antispam effort that stopped operating last week after Blue Security, the company that started the project, came under a withering denial-of-service attack. Out of the ashes comes Black Frog, part of a project that is apparently willing to become a flag bearer in the fight against spam.

The project, dubbed Okopipi, is developing the Black Frog antispam software and service as an open-source project, according to the group's wiki.

"This project aims to become a distributed replacement of antispam software Blue Frog," the Okopipi wiki states.

Blue Security waged a sort of do-it-yourself spamming campaign against the spammers. It said that more than 500,000 customers downloaded its Blue Frog software, which automatically sent replies back to mass emails. If all of these customers' systems responded, the spammers' systems would be overwhelmed.

But the Web sites of Blue Security and some of the company's partners were knocked out last month by a massive distributed denial-of-service (DDoS) attack. In such an attack, scores of computers try continuously to log on to Web sites in an effort to overtax the servers.

Okopipi's battle plan is to avoid depending on a centralised server, creating a target too big to be taken out by a single DDoS attack.

"It will be based on a P2P network (the frognet)," according to a posting on the wiki. "On failure to connect it could still opt out given email addresses."

Participants will send reports of spam emails to Okopipi, which will use "handlers", including dedicated servers, to analyse it. To avoid suffering the same fate as Blue Security, Okopipi's staff will not disclose information about its servers.

"Only the Okopipi administrators will know their locations," the group said on its wiki. This should make a DDoS attack "very difficult", it said.

The Okopipi wiki said the Black Frog software will set participants' systems to automatically click the "opt-out" or "unsubscribe" links contained within spam -- sending a response to the mailers. The software is still being developed.

Richi Jennings, an analyst at security research company Ferris, said any attempts by Okopipi to duplicate Blue Security's strategy of fighting fire with fire are misguided.

"The project should also take care not to cross the line from legitimate spam complaints to attacking spammers using DDoS-like techniques," Jennings wrote on a posting to Ferris's Web site.

From isn at c4i.org Fri May 26 05:03:27 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 26 May 2006 04:03:27 -0500 (CDT)
Subject: [ISN] ITL Bulletin for May 2006
Message-ID:

Forwarded from: Elizabeth Lennon

ITL BULLETIN FOR MAY 2006

AN UPDATE ON CRYPTOGRAPHIC STANDARDS, GUIDELINES, AND TESTING REQUIREMENTS

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

For the past thirty years, cryptography has been an important technical tool for protecting the federal government's information and information systems.
Cryptographic methods have been used to maintain the confidentiality and integrity of information, to verify that information was not changed after it was sent, and to authenticate the originator of the information. During these years, NIST's Information Technology Laboratory has worked actively with other government and industry organizations to develop standards and guidelines for the cost-effective uses of cryptography. As information technology has changed and as new federal requirements have been established to strengthen information technology security, NIST has updated older methods and developed new methods for the application of cryptography. This bulletin discusses current federal requirements and the techniques that are available to help federal agencies use cryptography to protect their information and information systems. Revised NIST Special Publication (SP) 800-21, Guideline for Implementing Cryptography in the Federal Government A revised version of NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government, was issued in December 2005 to replace an earlier version of the guide that had been released in 1999. The revised guide, written by Elaine B. Barker, William C. Barker, and Annabelle Lee, explains new requirements for federal agencies to protect their information systems, and points to current cryptographic standards and techniques that can provide the needed protection. NIST SP 800-21-1 focuses on cryptographic standards and guidelines that had been adopted or amended since 1999. It discusses the development of standards for cryptography, current cryptographic methods, and issues that agencies deal with in implementing cryptography in information systems. The guide covers the process for selecting and implementing cryptographic controls as part of federal agency responsibilities under the Federal Information Security Management Act of 2002. NIST's Cryptographic Module Validation Program is also discussed. 
The appendices contain a list of acronyms, cryptographic terms and definitions, references to standards and guidelines, and information about laws and regulations related to information security. NIST SP 800-21-1, as well as the other guidelines and standards that are referenced in this bulletin, is available at http://csrc.nist.gov/publications/index.html. Federal Information Security Management Act Requirements The Federal Information Security Management Act (FISMA) established requirements for all federal agencies to develop, document, and implement agency-wide information security programs and to provide appropriate levels of security for the information and information systems that support the operations and assets of the agency. FISMA tasked NIST to develop federal standards for the security categorization of federal information and information systems according to risk levels, and to develop minimum security requirements for information and information systems in each security category. Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, issued in February 2004, addresses the first task specified by FISMA. FIPS 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. A loss of confidentiality is the unauthorized disclosure of information. A loss of integrity is the unauthorized modification or destruction of information. A loss of availability is the disruption of access to or use of information or an information system. Agencies must assign a security category for both information and information systems. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, issued in March 2006, addresses the second task identified by FISMA. 
FIPS 200 specifies minimum security requirements for information and information systems in seventeen security-related areas. Federal agencies must meet the minimum security requirements through the use of the security controls in accordance with NIST SP 800-53, Recommended Security Controls for Federal Information Systems. In applying the provisions of FIPS 200, agencies categorize their systems as required by FIPS 199 and then select an appropriate set of security controls from NIST SP 800-53. Security controls are the management, operational, and technical safeguards or countermeasures that are prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. Controls based on the application of cryptographic functions are fundamental to the overall security of systems and their information. All security controls, including cryptography, should be selected as part of an organization's overall information security program.

Cryptographic Functions

Cryptography is used to protect data that is sensitive, has a high value, or is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage. NIST has developed standards, guidelines, and techniques for the application of cryptographic methods to protect the confidentiality and integrity of data, to authenticate data and users, to authorize users, and to verify the source of messages and data. For information about encryption, digital signatures, secure hashing, message (data) authentication codes, key management, entity authentication, and random number generation, see http://csrc.nist.gov/CryptoToolkit/. Encryption transforms data into ciphertext before transmission or storage, and decryption transforms the data back into plaintext.
Symmetric encryption algorithms operate on blocks of data of fixed size, and the same cryptographic key that is used to encrypt the information to be protected is also used to decrypt the information. The following symmetric encryption algorithms are available for federal agency use:

* The Advanced Encryption Algorithm (AEA) is a symmetric block cipher that is specified in FIPS 197, Advanced Encryption Standard (AES). The AEA encrypts and decrypts data in 128-bit blocks, with three possible key sizes: 128, 192, or 256 bits.

* The Triple Data Encryption Algorithm (TDEA) is specified in NIST SP 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. The TDEA is based on the Data Encryption Algorithm (DEA), which was specified in FIPS 46-3, Data Encryption Standard. FIPS 46-3 has been withdrawn since it was no longer considered strong enough to protect sensitive, unclassified information. The DEA is still used as the primary cryptographic component of the TDEA. This latter application uses three DEA keys for encryption and decryption and is more robust than the DEA alone.

Modes of operation describe how encryption algorithms can be used to provide services such as confidentiality protection or authentication of users and information. Currently, there are seven modes of operation that may be used with the approved encryption algorithms. The five modes for confidentiality, one for authentication, and one combined mode for confidentiality and authentication are described in the following publications:

* NIST SP 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques;
* NIST SP 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication;
* NIST SP 800-38C, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality; and
* A fourth publication (to be designated NIST SP 800-38D) dealing with the Galois/Counter Mode (GCM) for Confidentiality and Authentication has been released for public review and comments.

Information on current modes of operation is available at http://csrc.nist.gov/CryptoToolkit/modes/.

Message authentication codes (MACs) (also known as data authentication codes) and digital signatures are cryptographic functions that provide assurance to the receiver of data that the sender of the data is truly the sender and that the data has not been modified since it was authenticated. A MAC is a cryptographic checksum that is computed on data using a MAC algorithm and a secret key. After the MAC is computed, it is sent with the data. The authenticity of the received data can be verified by the receiver who computes a MAC on the data using the same key as the sender. FIPS 198, The Keyed-Hash Message Authentication Code (HMAC), specifies the computation of a MAC using an approved hash function and a key. NIST SP 800-38B provides for the computation of a MAC, using AES or TDEA. NIST SP 800-38C provides for the use of a mode that both authenticates and encrypts data using AES. A hash function is a one-way function that produces a short representation of a longer message. It is easy to compute the hash value from the input, but it is difficult to reverse the process from the hash value back to the input.
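The two mechanisms described above, a combined confidentiality-and-authentication mode (GCM, the mode of the forthcoming SP 800-38D) and a keyed MAC (HMAC per FIPS 198), side by side in working code. This is an added example written for this digest, not code from the NIST bulletin or from NIST; it uses only the Go standard library. The key, the associated data and the donor record strings in main are constructed for the demonstration and are not real key material. The point it shows that the paragraph does not: an authenticated mode or MAC rejects a one-bit change outright, and the receiver's comparison of tags must be constant-time.

```go
// Added example, not code from the NIST bulletin: AES-256-GCM (the combined
// confidentiality-and-authentication mode of SP 800-38D) and an HMAC-SHA-256
// MAC (FIPS 198) using only the Go standard library. The key and messages in
// main are constructed for the demo and are not real key material.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// sealGCM encrypts plaintext under a 32-byte AES key and returns
// nonce || ciphertext || tag. aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; draw 96 random bits.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM. Any change to nonce, ciphertext, tag or aad makes
// Open fail, and no plaintext is returned in that case.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// computeMAC returns HMAC-SHA-256(key, data): the sender's cryptographic checksum.
func computeMAC(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// verifyMAC recomputes the tag with the shared key and compares in constant
// time, so the comparison does not leak how many leading bytes matched.
func verifyMAC(key, data, tag []byte) bool {
	return hmac.Equal(computeMAC(key, data), tag)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key
	aad := []byte("record-type=donor;v=1")
	msg := []byte("donor 00001234: name, phone, DOB")

	sealed, err := sealGCM(key, msg, aad)
	if err != nil {
		panic(err)
	}
	pt, err := openGCM(key, sealed, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)

	// Flip one bit of the tag: GCM reports an error instead of corrupted plaintext.
	sealed[len(sealed)-1] ^= 0x01
	_, err = openGCM(key, sealed, aad)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	tag := computeMAC(key, msg)
	fmt.Println("MAC verifies:", verifyMAC(key, msg, tag))
	fmt.Println("MAC over altered data verifies:",
		verifyMAC(key, []byte("donor 00001235: name, phone, DOB"), tag))
}
```

GCM and CCM give confidentiality and authentication in one pass, so the tag is checked before any plaintext is released; a bare confidentiality mode from SP 800-38A (CBC, CTR) needs a separate MAC such as the HMAC above, applied over the ciphertext, to get the same guarantee.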
Hash functions are used to determine whether or not data has been changed after it was transmitted. Applications of hash functions are used by MACs, digital signature algorithms, key derivation functions, and random number generators. Five hash functions are specified in FIPS 180-2, Secure Hash Standard: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. Since new attacks have indicated that SHA-1 may provide less security than originally thought, SHA-1 is not recommended for the generation of digital signatures in new systems. Digital signatures are used to prove to the recipient of data or to a third party that a message or data was signed by the originator and that the data was not changed. Digital signatures are generated and verified using asymmetric key algorithms, commonly known as public key algorithms. These algorithms use a pair of keys: a public key that may be known by anyone and a private key that must be known only by the owner of the key pair. The private key is used to generate a digital signature on the information. The signed information and the digital signature are transmitted to the receiver, who uses the public key, which corresponds to but is not the same as the private key, to verify the digital signature. If the digital signature is verified as correct, the receiver can be assured of the identity of the signer and that the signed information was received correctly. The identity of the message signer and the integrity of the data can also be proved to an independent third party, if necessary. FIPS 186-2, Digital Signature Standard (DSS), specifies three algorithms: Digital Signature Algorithm (DSA); RSA signature algorithm (American National Standard ANSI X9-31); and Elliptic Curve Digital Signature Algorithm (ECDSA) (ANSI X9-62). The security of digital signature systems is dependent upon maintaining the secrecy of users' private keys. 
Signatures are applied to hash values of the data, computed with hash functions implemented as specified in FIPS 180-2. Key management includes the rules and protocols for generating, establishing, and protecting keys. The security and reliability of cryptographic processes depend upon the strength of the keys, the effectiveness of the protocols associated with the keys, and the protection of the keys. NIST SP 800-57, Recommendation for Key Management, provides guidance on the generation, use, and disposal of cryptographic keys. Other topics covered include the selection of cryptographic algorithms and key sizes, and the development of policies for the uses of cryptography. A Public Key Infrastructure (PKI) is the combination of software, encryption technologies, and services that creates and manages the use of public keys used in public key cryptography. Public key (or asymmetric) cryptography allows parties that do not know each other to exchange data securely. The PKI binds public keys to entities, enables other entities to verify public key bindings, and provides the services needed for ongoing management of keys in networks. A PKI enables confidentiality, integrity, authentication, and digital signature services to be available on a broad scale to many organizations. FIPS 196, Entity Authentication Using Public Key Cryptography, specifies two protocols for entity authentication that use a public key cryptographic algorithm for generating and verifying digital signatures. One entity can prove its identity to another entity by using a private key to generate a digital signature on a random challenge. The use of public key cryptography provides strong authentication, without the requirement for authenticating entities to share secret information. Information about the federal PKI is available at http://csrc.nist.gov/pki/.
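The digital signature paragraph above (sign a hash with the private key, verify with the public key) and the FIPS 196 paragraph (prove identity by signing a random challenge) share one mechanism, so one worked example serves both. It is added here for this digest and is not code from the NIST bulletin, nor an implementation of the FIPS 196 message formats: ECDSA on the P-256 curve over a SHA-256 digest from the Go standard library, with a small Verifier type, its Register method, the "verifier|challenge" byte layout that is signed, and the names "alice" and "file-server" all being this example's own constructions. The trusted-key table stands in for the binding a PKI certificate would provide.

```go
// Added example, not code from the NIST bulletin: ECDSA on P-256 over a
// SHA-256 digest (FIPS 186 / FIPS 180-2) and a FIPS 196-style challenge-
// response built on it. Verifier, Register and the "verifier|challenge"
// signed layout are this example's own constructions, not the FIPS 196
// wire format; the names "alice" and "file-server" are made up.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// signMessage hashes msg with SHA-256 and signs the digest with the private key.
func signMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyMessage needs only the public key; the private key stays with the signer.
func verifyMessage(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Verifier stands in for the relying party: a table of trusted public keys
// (the binding a PKI would provide) and the challenge outstanding per claimant.
type Verifier struct {
	name    string
	trusted map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewVerifier(name string) *Verifier {
	return &Verifier{name: name, trusted: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (v *Verifier) Register(claimant string, pub *ecdsa.PublicKey) { v.trusted[claimant] = pub }

// Challenge issues a fresh 32-byte random challenge; freshness is what
// prevents an old signature from being replayed.
func (v *Verifier) Challenge(claimant string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, c); err != nil {
		return nil, err
	}
	v.pending[claimant] = c
	return c, nil
}

// toBeSigned binds the response to this verifier as well as to the challenge.
func toBeSigned(verifierName string, challenge []byte) []byte {
	return append([]byte(verifierName+"|"), challenge...)
}

// Respond is the claimant's step: sign the challenge with the private key.
func Respond(priv *ecdsa.PrivateKey, verifierName string, challenge []byte) ([]byte, error) {
	return signMessage(priv, toBeSigned(verifierName, challenge))
}

// CheckResponse verifies the signature against the trusted key and the
// outstanding challenge, then discards the challenge so it cannot be reused.
func (v *Verifier) CheckResponse(claimant string, sig []byte) error {
	pub, ok := v.trusted[claimant]
	if !ok {
		return errors.New("unknown claimant")
	}
	c, ok := v.pending[claimant]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(v.pending, claimant)
	if !verifyMessage(pub, toBeSigned(v.name, c), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	v := NewVerifier("file-server")
	v.Register("alice", &priv.PublicKey)

	challenge, _ := v.Challenge("alice")
	sig, _ := Respond(priv, "file-server", challenge)
	fmt.Println("fresh response:", v.CheckResponse("alice", sig))
	fmt.Println("replayed response:", v.CheckResponse("alice", sig))
}
```

Two details carry the security argument: the challenge is drawn fresh from a cryptographic random source and consumed on first use, so a captured signature is worthless afterwards, and the verifier's own name is folded into the signed bytes, so a response obtained for one verifier cannot be relayed to another.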
Random numbers are used within many cryptographic applications to generate keys, other cryptographic values, digital signatures, and challenge-response protocols. Deterministic Random Bit Generators (DRBGs), which use cryptographic algorithms to generate random numbers, have been specified in draft NIST SP 800-90, Recommendation for Random Number Generation Using Deterministic Random Bit Generators. The DRBGs provide random numbers for cryptographic applications.

Use of Cryptography in Personal Identity Verification (PIV)

FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, approved in February 2005 and recently updated as FIPS 201-1, applies to the identification cards that are issued by federal agencies to their employees and contractors who require access to federal facilities and information systems. PIV cards incorporate an individual's identity credentials on smart cards. PIV components and subsystems use the electronically stored data on the cards to carry out automated identity verification of the individual. FIPS 201 was developed in response to Homeland Security Presidential Directive (HSPD) 12, which called for a federal standard for secure and reliable forms of identification for employees and contractors. Cryptographic methods support the PIV applications and the information that is stored on the smart cards. NIST SP 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, specifies the acceptable cryptographic algorithms and key sizes to be implemented in the PIV system to achieve secure and reliable means of identification. The publication discusses the infrastructure components for issuance and management of the PIV card, and the applications for security services that rely on the credentials supported by the PIV card.
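The DRBG paragraph above says only that such generators "use cryptographic algorithms to generate random numbers"; the HMAC_DRBG construction in draft SP 800-90 is short enough to show in full. The block below is an added example written for this digest, not code from the NIST bulletin or a NIST reference implementation: HMAC_DRBG instantiated with HMAC-SHA-256 (instantiate, generate, reseed and the internal update function), with no prediction-resistance request handling. The entropy input, nonce and personalization string in main are constructed constants so the run is repeatable, which is exactly what a real instantiation must not do; the small reseed interval is also this example's choice.

```go
// Added example, not code from the NIST bulletin: the HMAC_DRBG construction
// of draft SP 800-90 instantiated with HMAC-SHA-256. Entropy input in main is
// a constructed constant so the run is repeatable; a real instantiation takes
// it from an approved entropy source. The reseed interval is this example's own.
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	outLen         = sha256.Size // HMAC-SHA-256 output, 32 bytes
	reseedInterval = 1 << 20     // constructed small limit; SP 800-90 permits far more
)

// HMACDRBG holds the working state (K, V) and the reseed counter.
type HMACDRBG struct {
	k, v          []byte
	reseedCounter uint64
}

// hmacSHA256 computes HMAC-SHA-256 over the concatenation of parts.
func hmacSHA256(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// update is HMAC_DRBG_Update: it folds providedData into (K, V). With empty
// providedData only the first two steps run.
func (d *HMACDRBG) update(providedData []byte) {
	d.k = hmacSHA256(d.k, d.v, []byte{0x00}, providedData)
	d.v = hmacSHA256(d.k, d.v)
	if len(providedData) == 0 {
		return
	}
	d.k = hmacSHA256(d.k, d.v, []byte{0x01}, providedData)
	d.v = hmacSHA256(d.k, d.v)
}

// NewHMACDRBG is the instantiate function:
// seed = entropy || nonce || personalization, K = 0x00.., V = 0x01.., update(seed).
func NewHMACDRBG(entropy, nonce, personalization []byte) *HMACDRBG {
	d := &HMACDRBG{
		k: make([]byte, outLen),
		v: bytes.Repeat([]byte{0x01}, outLen),
	}
	seed := append(append(append([]byte{}, entropy...), nonce...), personalization...)
	d.update(seed)
	d.reseedCounter = 1
	return d
}

// Reseed mixes fresh entropy (and optional additional input) into the state.
func (d *HMACDRBG) Reseed(entropy, additionalInput []byte) {
	d.update(append(append([]byte{}, entropy...), additionalInput...))
	d.reseedCounter = 1
}

// Generate returns n pseudorandom bytes, refusing once the reseed interval
// is exhausted; the caller must then Reseed.
func (d *HMACDRBG) Generate(n int, additionalInput []byte) ([]byte, error) {
	if d.reseedCounter > reseedInterval {
		return nil, errors.New("reseed required")
	}
	if len(additionalInput) > 0 {
		d.update(additionalInput)
	}
	out := make([]byte, 0, n+outLen)
	for len(out) < n {
		d.v = hmacSHA256(d.k, d.v)
		out = append(out, d.v...)
	}
	d.update(additionalInput) // back-tracking resistance: advance K and V after output
	d.reseedCounter++
	return out[:n], nil
}

func main() {
	// Constructed entropy so the run is repeatable; never do this in production.
	entropy := []byte("constructed-entropy-input-for-demo-only!")
	d := NewHMACDRBG(entropy, []byte("nonce-0001"), []byte("piv-demo"))
	out, err := d.Generate(32, nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("32 bytes: %x\n", out)
	more, _ := d.Generate(16, []byte("additional input"))
	fmt.Printf("16 more:  %x (reseed counter %d)\n", more, d.reseedCounter)
}
```

The output is fully determined by the seed material, which is the "deterministic" in DRBG: the unpredictability comes entirely from the entropy input, and the final update after each Generate call is what keeps earlier outputs secret if the state is later exposed.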
The cryptographic methods discussed include symmetric and asymmetric encryption algorithms, digital signature algorithms, message digest algorithms, and mechanisms to identify the algorithms associated with PIV keys or digital signatures. Algorithms and key sizes were selected to be consistent with federal standards and to ensure adequate cryptographic strength for PIV applications.

Validation and Testing Requirements

NIST and the Communications Security Establishment of the Government of Canada coordinate a validation program with independent accredited testing laboratories that validate modules for conformance to Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules. The Cryptographic Module Validation Program (CMVP) provides for the validation of implementations of many cryptographic standards and guidelines developed by NIST, including encryption algorithms, digital signature algorithms, hashing algorithms, random number generators, and message authentication methods. Information about the CMVP is available at http://csrc.nist.gov/cryptval/. NIST has established a program for testing and validating PIV components and subsystems for conformance to FIPS 201-1. This effort is managed by the NIST PIV Program (NPIVP). Testing organizations will be accredited by NIST's National Voluntary Laboratory Accreditation Program (NVLAP), which provides third-party accreditation to testing and calibration laboratories. NVLAP accredits public and private sector laboratories, including commercial, manufacturers' in-house, university, and federal, state, and local government laboratories, based on evaluation of their technical qualifications and their competence to carry out specific calibrations or tests. Information about this new validation program is available at http://csrc.nist.gov/npivp/.
Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

From isn at c4i.org Fri May 26 05:04:38 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 26 May 2006 04:04:38 -0500 (CDT) Subject: [ISN] Researchers: Antivirus Software Has Flaw Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2006/05/25/AR2006052501081.html By TED BRIDIS The Associated Press May 25, 2006 WASHINGTON -- Symantec Corp.'s leading antivirus software, which protects some of the world's largest corporations and U.S. government agencies, suffers from a flaw that lets hackers seize control of computers to steal sensitive data, delete files or implant malicious programs, researchers said Thursday. Symantec said it was investigating the issue but could not immediately corroborate the vulnerability. If confirmed, the threat to computer users would be severe because the security software is so widely used, and because no action is required by victims using the latest versions of Norton Antivirus to suffer a crippling attack over the Internet. Symantec has boasted its antivirus products are installed on more than 200 million computers. A spokesman, Mike Bradshaw, said the company was examining the reported flaw but described it as "so new that we don't have any details." Researchers from eEye Digital Security Inc. of Aliso Viejo, Calif., discovered the vulnerability and provided evidence to Symantec engineers this week, said eEye's chief hacking officer, Marc Maiffret. He demonstrated the attack for The Associated Press.
Maiffret's company, which has discovered hundreds of similar flaws in other software products, also produces intrusion-protection software, called "Blink," that he said already blocks such attacks and can operate alongside Symantec's antivirus products. Maiffret published a note about the company's discovery on its Web site but pledged not to reveal details publicly that would help hackers attack Internet users until after Symantec repairs its antivirus software. eEye said it intends to describe the problem in detail privately for some of its largest customers. "People shouldn't panic," Maiffret said. "There shouldn't be any exploits until a patch is produced." The reported flaw comes at an awkward time for Symantec. Its chief executive, John Thompson, has campaigned in recent months to convince consumers they should trust Symantec, not Microsoft Corp., to protect their personal information. Maiffret said eEye's testing showed the problem affects Norton Antivirus Version 10, including its corporate editions. He said Symantec's current security suite, which includes both antivirus and firewall features, did not appear to be vulnerable. -=- On the Net: Symantec: http://www.symantec.com eEye Digital Security: http://www.eeye.com U.S. Computer Emergency Readiness Team: http://www.us-cert.gov From isn at c4i.org Fri May 26 05:04:56 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 26 May 2006 04:04:56 -0500 (CDT) Subject: [ISN] Red Cross warns blood donors of possible ID thefts in Midwest Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000754 By Todd Weiss Computerworld May 24, 2006 About 1 million blood donors in the Missouri-Illinois Blood Services Region of the American Red Cross were warned last week that personal information about them could have been stolen earlier this year by a former employee and might have been used in identity thefts.
The former worker had access to 8,000 blood donors in a database she used in her job, all of whom were notified by mail of possible identity theft problems on March 17, according to the agency. But after the original warning letters went out, the Red Cross decided to expand the identity theft warnings to all 1 million donors in the Missouri-Illinois region because of concerns that she may have accidentally accessed other records in the larger group. The warnings to the 1 million donors are being made through the media and the agency's Web site, not through individual letters. At least four of the donors among the original 8,000 in the donor database were victims of the data-theft scheme, said Jim Williams, a spokesman for the regional agency. An investigation is continuing to determine if any other donors have been affected. The thefts occurred when the former employee, a telephone blood-drive recruiter, entered random numbers of past donors into her 8,000-donor database, then was able to access the names, Social Security numbers, phone numbers and birth dates of potential victims. The database uses unique donor numbers to store records for each person, and by entering random numbers, the recruiter was able to access the records of the four victims. The former employee, 20-year-old Lonnetta Shanell Medcalf of St. Louis, then allegedly opened credit card accounts at several stores using the stolen information and made purchases valued at more than $1,000, according to a statement by the U.S. attorney's office in the eastern district of Missouri. Medcalf began working at the Red Cross branch in October and was fired on March 2, when the incidents were discovered, Williams said. Medcalf had 8,000 donor contacts in her database out of more than 1 million donors in the region who were not affected by the data thefts. Her case is scheduled for trial on June 19. 
The Red Cross offices in the region last week changed the database software to strictly limit access to any Social Security numbers in the future, Williams said. Only names, phone numbers and birth dates are now accessible by blood drive recruiters. Medcalf has been indicted on three felony counts of aggravated identity theft and one count of credit card fraud in connection with the incidents, according to the U.S. attorney's office. The Red Cross sent written notifications of the data breach to all 8,000 potential victims on March 17, advising them to contact credit bureaus to check their credit reports for any irregular purchases or activities. The agency is reimbursing any of the affected 8,000 donors if the credit reports can't be obtained for free. The agency also set up a toll-free hot line to aid any identity-theft victims of the incident and said it's taking additional security steps to ensure that such an incident doesn't happen again. All staff members are being reminded, for instance, that donors don't have to put their Social Security numbers into their Red Cross donor records. The Red Cross also apologized for the incident and said it is working to improve security for such information. If convicted, Medcalf faces a maximum penalty of 10 years in prison and/or a fine of $250,000 for the charge of credit card fraud. Each count of aggravated identity theft also carries a mandatory two years in prison consecutive to the credit card fraud sentence. "We feel like victims here as well, but the ultimate victims are our donors," said Williams. From isn at c4i.org Fri May 26 05:05:13 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 26 May 2006 04:05:13 -0500 (CDT) Subject: [ISN] VA chief vows "relentless" exam of data protection polices Message-ID: http://www.fcw.com/article94649-05-25-06-Web By Bob Brewin May 25, 2006 Jim Nicholson, the Department of Veterans Affairs' secretary,
testifying in Congress about the theft of personally identifiable data for every living veteran, vowed to enforce existing policies and procedures and institute new ones to ensure the department protects sensitive data. The VA, Nicholson said, has "begun a relentless examination of its policies and procedures to make sure nothing like this happens ever again." Nicholson, testifying today before a joint hearing held by the Senate Veterans' Affairs and Homeland Security committees, also acknowledged that the culture at the VA in regards to information security needs to change. The agency has in place policy directives to safeguard sensitive information, but many VA employees view those directives as just guidelines, Nicholson said. The data analyst who loaded personal information on 26.5 million veterans onto a PC at home, which was stolen May 3, did so in direct violation of agency policy, Nicholson told the hearing. Nicholson, an Army veteran who spent eight years on active duty and 22 years in the Reserves, said "I'm damn mad about the loss of veteran data, and the fact that one person has put us all at risk." To ensure other VA employees make data protection a key part of their jobs, Nicholson said, every employee will be required to complete a cybersecurity and information privacy course by June 30 and will need to sign a privacy act statement on an annual basis. The VA also intends to run regular background investigations on department employees who handle sensitive information, Nicholson said. The unidentified data analyst who lost the information has worked for the VA for 32 years and has not been subject to a National Agency Check since he was employed, Nicholson added. Nicholson said he has started the recruitment process for a "personal information security czar" to ensure that data protection remains in the forefront at the department.
The VA will also work to encrypt sensitive information and plans to have new guidelines by June to govern user access to data, Nicholson told the hearing, but did not provide any details. From isn at c4i.org Fri May 26 05:05:31 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 26 May 2006 04:05:31 -0500 (CDT) Subject: [ISN] Oracle's security chief lambastes faulty coding Message-ID: http://www.networkworld.com/news/2006/052506-w3c-oracles-davidson-coding.html By Jeremy Kirk IDG News Service 05/25/06 Mary Ann Davidson, chief security officer for database giant Oracle, remembers the first time she heard her company's marketing scheme that advertised its database products as "unbreakable." "I think my response was 'What idiot dreamed this up?'," Davidson said Thursday at the W3C conference in Edinburgh, Scotland. If civil engineers built bridges in the same fashion in which software developers write code, people would face the "blue bridge of death" every morning going to work, Davidson said. Software developers, she noted, tend to laugh nervously when they hear the analogy -- an insider reference to what programmers call the blank, "blue screen of death" on a PC display when Windows fails. But Davidson, who commands a security unit responsible for database applications used by multinational companies and governments, said developers often have a blind eye for security. Hackers are proving ever more capable of taking advantage of poorly written software, and it's naive for developers to think those holes won't be exploited, she said. "The mentality needs to change," she said. The financial cost of faulty code in software is staggering. The National Institute of Standards and Technology, a U.S. government agency, estimates computer security problems cost between $22.2 billion and $59.5 billion per year, Davidson said.
The problem of insecure software starts with how software developers are taught at universities and goes straight through to systemic vendor attitudes, Davidson said. Software coders at Oracle often need remedial coding education after they are hired since they don't consider how "evil" input could affect their products such as databases, Davidson said. Universities are not teaching secure coding practices and are reluctant to change their curriculum, she said. Vendors are pressured to move products into the market as quickly as possible, and often lack the tools to build better ones, Davidson said. As a result, software development is reaching a "tipping point" where poor security is a board-level issue. The result of bad code means spiraling patching costs for both clients and companies such as Oracle. Davidson said the record for fixing one defect was 78 patches, which cost the company around $1 million. "I don't hate protecting our customers, that's important, but what a waste of resources to try to band-aid after the fact something we should have caught earlier," she said. As a result, Oracle has implemented numerous measures to produce better code. Oracle created a 200-page guide on coding standards. An in-house hacking team pokes products for holes in live hacking sessions. Developers up to senior vice presidents must participate in educational Web-based classes. "We use our own dumb-ass mistakes as examples," Davidson said. "Because if you don't do that, developers think this is an academic argument." The company uses new in-house tools to look for buffer overflow vulnerabilities and SQL injection attacks. It also employs software from Fortify Software to scan for problems in Oracle's 30 million lines of code, she said. The environment around security is getting better, she said. A few years ago, books on security were scarce. But the implications of poor security -- and an entrenched attitude that frequent patching is acceptable -- are too costly.
"My goal is to be out of a job," Davidson said. From isn at c4i.org Tue May 30 01:06:25 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 30 May 2006 00:06:25 -0500 (CDT) Subject: [ISN] DOD: China fielding cyberattack units Message-ID: http://www.fcw.com/article94650-05-25-06-Web By Josh Rogin May 25, 2006 China is stepping up its information warfare and computer network attack capabilities, according to a Defense Department report released this week. The Chinese People's Liberation Army (PLA) is developing information warfare reserve and militia units and has begun incorporating them into broader exercises and training. Also, China is developing the ability to launch pre-emptive attacks against enemy computer networks in a crisis, according to the document, "Annual Report to Congress: Military Power of the People's Republic of China 2006." The Chinese approach centers on using civilian computer expertise and equipment to enhance PLA operations, the DOD report states. "During a military contingency, information warfare units could support active PLA forces by conducting "hacker attacks" and network intrusions, or other forms of "cyber" warfare, on an adversary's military and commercial computer systems, while helping to defend Chinese networks," according to the report. These units would be composed of computer experts from academies, institutes and IT industries, it states. In 2005, the PLA began to incorporate offensive computer network operations into military exercises, with the goal of developing first strike capability. "The PLA considers active offense to be the most important requirement for information warfare to destroy or disrupt an adversary's capability to receive and process data," the report states. Computer Network Operations is an important part of the Chinese strategy to achieve electromagnetic dominance in any conflict, and as a force multiplier, according to the report.
The PLA seeks to combine CNO with electronic warfare, kinetic strikes against C4 nodes, and virus attacks on enemy systems, to form what PLA theorists call "Integrated Network Electronic Warfare," it noted. This year's DOD report on Chinese military modernization is the latest of six annual installments. Congress mandated the annual reports in the fiscal 2000 Defense authorization bill. China has often criticized the reports as an attempt to exaggerate its military modernization and demonize China. A spokesman for the Chinese Foreign Ministry called this year's report an attempt to spread the China threat theory with a Cold War mentality, according to the Xinhua News Agency. From isn at c4i.org Tue May 30 01:06:37 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 30 May 2006 00:06:37 -0500 (CDT) Subject: [ISN] IT expert preaches importance of security Message-ID: http://www.thetriangle.org/media/storage/paper689/news/2006/05/26/SciTech/It.Expert.Preaches.Importance.Of.Security-2014305.shtml By: Kaushal Toprani 5/26/06 "Why do cars have brakes?" is a question Scott Laliberte, a director at Protiviti Independent Risk Consulting, often asks his new clients. "To make the car go faster," Laliberte explained to a group of about 30 students attending a seminar on information security held in the Rush Building, May 24. Without a way to slow down, a car could not go down steep hills or take sharp turns. Laliberte applies the same concept to technology. Without the controls information security offers, the safe use of information technology is limited. Protiviti assists over 1,000 clients worldwide in risk consulting, internal auditing and incident response. Laliberte has written two books about information security risk assessment, Hack I.T. and Defend I.T. Recent attacks on sensitive data and new regulations have created a demand for Protiviti's services. Laliberte explained the case of Choice Point Incorporated, an identification and credit verification company. 
In February 2005, it was discovered that Choice Point had sold 100,000 Social Security numbers to fraud artists. The incident cost Choice Point over $20 million. Ever since this well-publicized incident, over 82 million consumers have had their private data compromised, according to Laliberte. Laliberte also recounted an incident in which a university's keycard system was hacked, jeopardizing the security of labs where specimens of infectious diseases were kept for research purposes. These new attacks have prompted the government to respond with new regulations that are changing the business environment. The Gramm-Leach-Bliley Act requires financial institutions to protect their clients' financial data. The Health Insurance Portability and Accountability Act gives the same protection to patients' health data. Protiviti's security architecture is based on ISO 17799, an international standard that describes best practices in information security. Laliberte explained that Protiviti looks at the whole picture when performing a risk assessment, including business and cost factors, IT factors, and compliance issues. Protiviti aims to analyze an organization's needs, standardize the security policies and automate the enforcement of these policies. Laliberte also discussed the tools that are available to information security professionals. Intrusion detection systems, which look at incoming and outgoing traffic on a network for suspicious patterns or attacks, aren't a silver-bullet solution to network security. "They're only as good as the people that implement them," Laliberte said. He talked about a company he once audited where the intrusion detection system was installed, but not configured, and the alerts were ignored. An IDS often creates a "false sense of security," Laliberte said. Protiviti uses more than 100 different security tools, each with its own specialization. Some of these tools are available as freeware, and others are sold as commercial solutions.
Laliberte urges caution when using freeware, as it is often written by hackers who program back doors into the code, which leave the system vulnerable. Laliberte discussed job prospects in the field of information security. There are various jobs that range from being very technically oriented to very process-oriented - that is, jobs that require defining policies. Entry-level information security professionals can expect to make between $40,000 and $60,000 a year. Laliberte said he recruited from college campuses. He looks for students with a track record of success in tasks they take on, checking their GPA and other activities. He also requires a good understanding of the fundamentals of IT. "I can teach the security, but the IT is harder to teach," he explained. In order for new information security professionals to be successful, Laliberte recommended reading a lot about the field and networking with other professionals already in the business. For those who are looking to get into the field, he recommends getting the Global Information Assurance Certification Security Essentials Certification. The most important key to being successful, Laliberte said, is passion. "No matter what you do, do it well and be passionate about it," Laliberte said. Students felt Laliberte gave a good overview of information security. "He was good at explaining things people don't realize," said Andrew Rutherford, a senior majoring in information systems.
Copyright 2006 The Triangle From isn at c4i.org Tue May 30 01:06:48 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 30 May 2006 00:06:48 -0500 (CDT) Subject: [ISN] Three Mile Island guard playing video game fails to see inspector Message-ID: http://www.usatoday.com/tech/gaming/2006-05-29-nuclear-guard-game_x.htm By Deborah Yao The Associated Press 5/29/2006 PHILADELPHIA - A security guard at the Three Mile Island nuclear power plant was so absorbed in playing a hand-held video game that he failed to see an inspector approach during a surprise inspection, the agency said. The employee did not violate any rules as guards are allowed to engage in mind-stimulating activities, the state Department of Environmental Protection said. But the alleged lapse - which follows five other reports of employee inattention in the past two years - is prompting officials to review current policies. "The issue is not the guard's use of the video game," Kathleen McGinty, secretary of the environmental agency, said in a statement. "The real issue is that his complete absorption in the game distracted him from noticing the repeated approach of our inspector. And that shows why this procedure needs to be changed and these video games disallowed," she said. The state agency will work with the U.S. Nuclear Regulatory Commission and nuclear plant operators to review policies after the latest inspection, which was first reported by The Patriot-News of Harrisburg in Saturday editions. The department's nuclear safety staff conducted a surprise check between 4 a.m. and 8 a.m. Friday at the Dauphin County plant. The guard did respond properly to a radio check while the inspector was present, McGinty said. The guard's only responsibility is to respond to radio checks and be ready to take action if necessary, the agency said. Gov. 
Ed Rendell sanctioned the off-hour surprise checks in February at each of the state's five nuclear power plants after public concerns emerged over reports of employee inattentiveness at Three Mile Island. AmerGen Energy, the company that operates Three Mile Island, had reassigned a shift manager suspected of sleeping on the job. Three Mile Island, located about 10 miles southeast of Harrisburg, was the site of the nation's worst nuclear accident when a partial meltdown occurred in 1979. Copyright 2006 The Associated Press. All rights reserved. From isn at c4i.org Tue May 30 01:06:14 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 30 May 2006 00:06:14 -0500 (CDT) Subject: [ISN] AT&T leaks sensitive info in NSA suit Message-ID: http://news.com.com/AT38T+leaks+sensitive+info+in+NSA+suit/2100-1028_3-6077353.html By Declan McCullagh Staff Writer, CNET News.com May 26, 2006 Lawyers for AT&T accidentally released sensitive information while defending a lawsuit that accuses the company of facilitating a government wiretapping program, CNET News.com has learned. AT&T's attorneys this week filed a 25-page legal brief striped with thick black lines that were intended to obscure portions of three pages and render them unreadable. But the obscured text nevertheless can be copied and pasted inside some PDF readers, including Preview under Apple Computer's OS X and the xpdf utility used with X11. The deleted portions of the legal brief seek to offer benign reasons why AT&T would allegedly have a secret room at its downtown San Francisco switching center that would be designed to monitor Internet and telephone traffic. The Electronic Frontier Foundation, which filed the class-action lawsuit in January, alleges that the room is used by an unlawful National Security Agency surveillance program. 
"AT&T notes that the facts recited by plaintiffs are entirely consistent with any number of legitimate Internet monitoring systems, such as those used to detect viruses and stop hackers," the redacted pages say. Another section says: "Although the plaintiffs ominously refer to the equipment as the 'Surveillance Configuration,' the same physical equipment could be utilized exclusively for other surveillance in full compliance with" the Foreign Intelligence Surveillance Act. The redacted portions of AT&T's court filing are not classified, and no information relating to actual operations of an NSA surveillance program was disclosed. Also, AT&T's attorneys at the law firms of Pillsbury Winthrop Shaw Pittman and Sidley Austin were careful not to explicitly acknowledge that such a secret room actually exists. A representative for AT&T was not immediately available to comment. Although EFF's lawsuit was filed before allegations about the room surfaced, reports of its existence have become central to the nonprofit group's attempts to prove AT&T opened its network to the NSA. A former AT&T employee, Mark Klein, has released documents alleging the company spliced its fiber optic cables and ran a duplicate set of cables to Room 641A at its 611 Folsom Street building. This is hardly the first time that PDF files have leaked embarrassing or sensitive information. In an ironic twist, the NSA published a 13-page paper in January describing how redactions could be done securely. A similar problem has arisen with metadata associated with Microsoft Office files. In March 2004, a gaffe by the SCO Group revealed which companies it had considered targeting in its legal campaign against Linux users. Microsoft Office 2003/XP even offers a way to "permanently remove hidden data and collaboration data" from Word, Excel and PowerPoint files. Documents that EFF filed, including a redacted version of a sworn statement by Klein released this week, were properly redacted.
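The failure the CNET story describes, shown as an added example that is not code from the article, AT&T, EFF or any PDF tool: a throwaway one-page PDF is constructed with text drawn first and a filled black rectangle painted over it, then a small content-stream parser shows that the text still comes back and flags every string whose origin sits under a filled box. The PDF builder, the sample strings and the parser's limits (plain `(...) Tj` strings, direct `/Length` values, filled `re` rectangles) are assumptions of this example, not properties of the real filing.

```python
"""Check a PDF for 'redactions' that only paint a box over text that is still
in the content stream.  Added example for this digest, not code from CNET,
AT&T, EFF or any PDF tool.  The one-page PDF builder and the sample strings
are constructed for the demonstration; the parser is deliberately small and
assumes direct /Length values, plain (...) Tj strings and filled 're' boxes."""
import re
import zlib

NUM = r'(-?\d+(?:\.\d+)?)'
# Content-stream tokens we care about.  Group numbers: 1 = BT, 2-3 = Td
# operands, 'tj' = a shown string, 5-8 = operands of a filled rectangle.
TOKEN = re.compile(
    r'(?P<bt>\bBT\b)|'
    rf'{NUM}\s+{NUM}\s+Td\b|'
    r'\((?P<tj>(?:\\.|[^\\()])*)\)\s*Tj\b|'
    rf'{NUM}\s+{NUM}\s+{NUM}\s+{NUM}\s+re\s+[fFbB]\*?(?=\s|$)')
# Stream dictionary with a direct /Length (assumption: real files may use an
# indirect reference, which this example does not resolve).
STREAM = re.compile(rb'<<([^>]*/Length\s+(\d+)[^>]*)>>\s*stream\r?\n')


def build_pdf(texts, rects, compress=True):
    """Constructed one-page PDF: each text is (x, y, string); each rect is
    (x, y, w, h), filled black and drawn after the text like a 'redaction'."""
    ops = []
    for x, y, s in texts:
        s = s.replace('\\', '\\\\').replace('(', '\\(').replace(')', '\\)')
        ops.append(f'BT /F1 12 Tf {x} {y} Td ({s}) Tj ET')
    for x, y, w, h in rects:
        ops.append(f'0 g {x} {y} {w} {h} re f')
    content = '\n'.join(ops).encode('latin-1')
    filt = b''
    if compress:                       # real files are almost always deflated
        content, filt = zlib.compress(content), b' /Filter /FlateDecode'
    objs = [
        b'<< /Type /Catalog /Pages 2 0 R >>',
        b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
        b'<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R '
        b'/Resources << /Font << /F1 5 0 R >> >> >>',
        b'<< /Length %d%s >>\nstream\n' % (len(content), filt) + content + b'\nendstream',
        b'<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>',
    ]
    out, offsets = bytearray(b'%PDF-1.4\n'), []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b'%d 0 obj\n' % i + body + b'\nendobj\n'
    xref = len(out)
    out += b'xref\n0 %d\n0000000000 65535 f \n' % (len(objs) + 1)
    for off in offsets:
        out += b'%010d 00000 n \n' % off
    out += b'trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n' % (len(objs) + 1, xref)
    return bytes(out)


def content_streams(pdf):
    """Yield each stream body as text, inflating FlateDecode streams."""
    for m in STREAM.finditer(pdf):
        body = pdf[m.end(): m.end() + int(m.group(2))]
        if b'/FlateDecode' in m.group(1):
            body = zlib.decompress(body)
        yield body.decode('latin-1')


def parse_content(stream):
    """Return (texts, boxes): each text is (x, y, string) at its origin, each
    box is (x, y, w, h) normalised to positive width and height."""
    texts, boxes = [], []
    x = y = 0.0
    for m in TOKEN.finditer(stream):
        if m.group('bt'):
            x = y = 0.0                                   # BT resets the text matrix
        elif m.group(2) is not None:
            x, y = x + float(m.group(2)), y + float(m.group(3))   # Td is relative
        elif m.group('tj') is not None:
            texts.append((x, y, re.sub(r'\\(.)', r'\1', m.group('tj'))))
        else:
            bx, by, bw, bh = (float(m.group(i)) for i in range(5, 9))
            boxes.append((min(bx, bx + bw), min(by, by + bh), abs(bw), abs(bh)))
    return texts, boxes


def covered(text, box):
    """True when the string's origin lies inside a filled box.  Checking the
    origin only is a simplification; a full check would use glyph widths."""
    x, y, _ = text
    bx, by, bw, bh = box
    return bx <= x <= bx + bw and by <= y <= by + bh


def find_leaks(pdf):
    """Strings drawn and then painted over: hidden on screen, still in the file."""
    leaks = []
    for stream in content_streams(pdf):
        texts, boxes = parse_content(stream)
        for t in texts:
            if any(covered(t, b) for b in boxes):
                leaks.append(t[2])
    return leaks


def extract_text(pdf):
    """What a viewer's copy-and-paste sees: every Tj string, box or no box."""
    return [t[2] for s in content_streams(pdf) for t in parse_content(s)[0]]


def strip_covered(stream):
    """Content-level fix: blank every Tj whose origin sits under a filled box
    instead of trusting the box to hide it."""
    texts, boxes = parse_content(stream)
    doomed = {t[2] for t in texts if any(covered(t, b) for b in boxes)}

    def keep(m):
        shown = m.group('tj')
        if shown is not None and re.sub(r'\\(.)', r'\1', shown) in doomed:
            return '() Tj'
        return m.group(0)
    return TOKEN.sub(keep, stream)


if __name__ == '__main__':
    sample = build_pdf(
        [(72, 700, 'CONSTRUCTED SECRET: text under the black box'),
         (72, 680, 'Public sentence that stays readable')],
        [(70, 696, 360, 16)])
    print('copy-and-paste sees:', extract_text(sample))
    print('painted over but still present:', find_leaks(sample))
```

Run as a script it prints both lists; the "redacted" sentence comes back from `extract_text` exactly as it would from a viewer's clipboard, and `find_leaks` names it. `strip_covered` shows the content-level repair, but writing a cleaned stream back into a real file also means updating `/Length` and the xref table, which this example does not do; rasterising the page to an image, as EFF did, leaves no `Tj` strings to recover at all.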
Instead of including the underlying text and layering a black rectangle on top, the San Francisco-based civil liberties group saved those pages as image files. Copyright 1995-2006 CNET Networks, Inc. All rights reserved. From isn at c4i.org Tue May 30 01:07:00 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 30 May 2006 00:07:00 -0500 (CDT) Subject: [ISN] Feds lift security role of AusCERT Message-ID: http://australianit.news.com.au/articles/0,7204,19296902%5E15319%5E%5Enbv%5E15306,00.html James Riley The Australian MAY 30, 2006 COMPUTER security outfit AusCERT will hire additional staff after being handed an expanded role in helping protect critical federal government IT infrastructure. AusCERT general manager Graham Ingram said a landmark agreement with the Attorney-General's Department would lead to a bigger workload and a fatter budget. AusCERT is to provide whole-of-government security services to all Commonwealth departments and agencies. The agreement elevates AusCERT's role as a critical partner in the IT component of federal national security initiatives. Negotiated by Attorney-General's Department as part of its Critical Infrastructure Protection program, the agreement replaces a series of piecemeal contracts between AusCERT and individual departments. "The agreement means a much expanded role for AusCERT, and it will make things much clearer as to what that role is," Mr Ingram said. Attorney-General Philip Ruddock's office has bristled at suggestions the Government was seeking to curtail its relationship with AusCERT. It claimed the opposite was true. The department had created a tiny co-ordination team called GovCERT late last year - with one technical staff and one policy adviser - but a spokeswoman for Mr Ruddock said AusCERT remained the main resource for risk detection and assessment. "The suggestion that somehow GovCERT is a threat to, or somehow detracting from, the viability of AusCERT is simply not correct," Mr Ruddock's spokeswoman said.
"AusCERT has been providing advice to a range of government departments under separate contracts," she said. "The government feels a better way of dealing with this is to have a whole-of-government approach and to have a single agency point of contact, and that's what we're trying to do." Mr Ingram said AusCERT and the department had not decided if the contents of the agreement would be made public. The creation of GovCERT would ultimately make AusCERT's role easier by giving it a single point of contact in government to deal with in case of specific threats, he said. "There are certain things that AusCERT really cannot do and would not wish to do, and that is to co-ordinate government activity," Mr Ingram said. "We can't do that. We're aiming to have GovCERT as a facilitation point in the Australian government to allow us to work much more effectively," he said. Brisbane-based AusCERT employs 20 security specialists and expects to hire more by the end of the year as a result of the deal with the Attorney-General's Department. AusCERT, which stands for the Australian Computer Emergency Response Team, is a not-for-profit organisation that provides early warning and vulnerability assessment services for private and public organisations. The team includes personnel with high-level security clearances, and has taken part in transnational, government-to-government cyber security exercises such as CyberStorm earlier this year. From isn at c4i.org Tue May 30 01:07:11 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 30 May 2006 00:07:11 -0500 (CDT) Subject: [ISN] WestJet apologizes to Air Canada for web snooping Message-ID: http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20060529/westjet_apology_060529/20060529?hub=CTVNewsAt11 CTV.ca News Staff May. 29 2006 WestJet Airlines says it's sorry that members of its management team covertly accessed a confidential Air Canada website, and has agreed to pay $15.5 million.
In a joint news release from the two carriers, WestJet said that in 2003-2004, members of their management team "engaged in an extensive practice of covertly accessing a password protected proprietary employee website maintained by Air Canada to download detailed and commercially sensitive information without authorization or consent from Air Canada." "This practice was undertaken with the knowledge and direction of the highest management levels of WestJet and was not halted until discovered by Air Canada," said the news release. The Calgary-based airline has agreed to pay $5.5 million to cover Air Canada's investigation and litigation costs resulting from the dispute. It will also make a $10-million donation to children's charity, at the request of Air Canada. "This conduct was both unethical and unacceptable and WestJet accepts full responsibility for such misconduct. WestJet sincerely regrets having engaged in this practice and unreservedly apologizes to Air Canada and Mr. Robert Milton." In 2004, Air Canada filed a $220-million lawsuit against WestJet, alleging that company employees used a confidential website to access private information about Air Canada's passenger traffic. Air Canada claimed WestJet used the still active password of a former employee who had access to the site, and that the information was used by WestJet to plan the airline's flight schedule and expansion. WestJet countersued, accusing Air Canada of hiring private investigators to sift through "recycling material" at the home of a WestJet executive. It says the airline then hired a U.S. firm to put the shredded documents back together. At the time, WestJet also said it didn't believe the Air Canada website contained confidential information, and said it could have gleaned the info by counting passengers at airports. Mark Hill, a WestJet vice-president and co-founder, was among those named in the Air Canada lawsuit. He resigned in July of 2004 amid the allegations. 
From isn at c4i.org Tue May 30 01:07:25 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 30 May 2006 00:07:25 -0500 (CDT) Subject: [ISN] Sourcefire Turns Failed Deal Into an Opportunity Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2006/05/29/AR2006052900824.html By Dina ElBoghdady Washington Post Staff Writer May 30, 2006 Network security firm Sourcefire Inc. enthusiastically agreed to sell itself for $225 million in October, watched the deal crumble in March, then immediately began searching for new investors -- and found them. Not many companies bounce back after an attention-grabbing deal fails. But Columbia-based Sourcefire has secured $20 million in late-stage funding, announced its first-ever cash-flow positive quarter and started preparing to go public since its proposed sale to Check Point Software Technologies Ltd. fell through. Check Point, of Ramat Gan, Israel, and Sourcefire agreed to withdraw the deal after a federal panel, the Committee on Foreign Investment in the United States, expressed concerns about the transaction's national security implications. Sourcefire makes software that protects against hackers and sells it to U.S. intelligence agencies and some of the country's largest companies, such as Lockheed Martin Corp. The companies and the federal panel declined to discuss details of the investigation or why the deal was scuttled. While the deal's collapse was disappointing, it may turn out to be fortuitous, said Wayne Jackson, Sourcefire's chief executive. As the investigation into the sale dragged on, Sourcefire's revenue kept increasing, and presumably so did its value. "By the end of it, we felt we were leaving quite a bit of money on the table," said Jackson, who joined Sourcefire in 2002, about two years after selling his firm Riverbed Technologies Inc. to Aether Systems Inc. for $1 billion. 
"The company's value changed quite a bit during that time, and we started to see a lot of additional potential in the company as a stand-alone entity." Sourcefire does not disclose its revenue or income, except to say that the company is profitable and that its sales in 2005 rose 68 percent from the previous year. Analysts estimate that the company had $35 million in revenue in 2005 and that its list of customers keeps growing. For all those reasons, Meritech Capital Partners of Palo Alto, Calif., led the most recent round of financing, which injected the largest one-time infusion of capital into Sourcefire since it was founded in 2001. "We've looked at dozens of security companies out there, and this is one of two or three that we've decided to invest in," said Mike Gordon, Meritech's managing director. "In this sector, it's very hard to get beyond a few initial customers and develop momentum, and Sourcefire has developed that momentum." The company has raised $53.7 million and still has about half of that in cash, Jackson said. Sourcefire is the creation of Martin Roesch, who invented the coding program Snort in 1998 in his home in Eldersburg, Md., while juggling a day job as a software engineer. Roesch posted Snort, which "sniffs" packets of data to detect signs of network intrusion, on the Internet. Snort is an open-source program, meaning anyone can download it free, modify it, copy it or resell it. While allowing anyone to inspect and manipulate network security software may sound counterintuitive, it's not, said Scott Crawford, a senior analyst at Enterprise Management Associates, an information-industry research firm in Boulder, Colo. "One of the security virtues of open source is it's open to everybody's scrutiny," Crawford said. "You can look at every line of code, and in that sense, it's inherently more trustworthy. If there's a weakness that exists, it's more probable that someone will catch it because so many eyes are looking at it." 
Anyone who uses Snort for commercial purposes must publish changes made to the software or to any software they create that links to Snort, said Roesch, who is Sourcefire's chief technology officer. It's an honor system, he said, but ignoring the rules "results in the technology equivalent of accounting fraud. Someone figures it out and blows the whistle on you and everyone who writes open-source software basically blacklists you." So how does a firm that offers its wares free make money? By enhancing its offering. The free Snort basically inspects traffic for potential threats to a network, but the money-making Snort adds to the technology by enabling it to make decisions about the flow of traffic and block attacks in networks on a global scale. Those added features, particularly the prevention aspects, are what companies and intelligence agencies find useful. "It's one thing to give away the engine for free, and it's another thing to build the car," Jackson said. "We make the whole car and make it robust and fail-proof." Most of the company's money comes from ready-to-use hardware loaded with Snort programs that sell for $6,000 to $125,000, depending on the rate of traffic it is capable of inspecting. The equipment fits directly into the customers' network. More money comes from distributing updates of Snort's detection rules in advance of their release on the Internet. Greg Young, an analyst at information-technology research firm Gartner Inc., said the real value of open-source Snort is that it gives Sourcefire greater foot-in-the-door recognition for selling the souped-up commercial product. "There's a mistaken perception that Check Point was buying Sourcefire for open-source Snort," Young said. But they were really buying them for the intellectual property they have around the commercial product, he said. ©
2006 The Washington Post Company From isn at c4i.org Wed May 31 03:13:59 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 31 May 2006 02:13:59 -0500 (CDT) Subject: [ISN] Aussie firm identifies Skype flaw Message-ID: http://www.techworld.com/security/news/index.cfm?newsID=6105 By Michael Crawford Computerworld Today (Australia) 30 May 2006 Australian security firm Security Assessment has discovered a flaw with the install of the Windows-based Skype client. Skype was notified of the potential flaw earlier this month and promptly issued a patch. General vulnerability dissemination was made on 22 May 2006 by Security Assessment. The vulnerability, which has been confirmed by Skype, could allow users to "retrieve" files from other Skype users through unauthenticated connections, due to a flaw present in the URI (Uniform Resource Identifiers). The flaw is enabled through the URI handler installed during initiation of the Windows Skype client. It allows additional command line switches to be passed onto the Skype client, potentially allowing a file transfer. For such a transfer to be initiated the attacker must authorise the victim, done easily through adding the victim to the attacker's contact list, which does not require authorisation from the victim or Skype user. Drazen Drazic, managing director of Security Assessment said the bug affects all releases of Skype to Windows, up to and including the latest versions. "We have had concerns about VoIP for a while, but there are not too many players in the space, security and otherwise, addressing VoIP security concerns," Drazic said. "There have been a lot of products rolled out and while there are only a few large Australian implementations, risk review has been an area of research for us. "We did not release the advisory until Skype got back to us and announced a patch which was Monday morning (22/05) last week."
Exploitation of the flaw will only occur when the potential victim opens the URI exploit in Internet Explorer, which also requires the user to visit or open a compromised HTML page. The attacker must also know the location of the specific file on the intended machine; however, a common target would be the Skype configuration file. From isn at c4i.org Wed May 31 03:13:16 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 31 May 2006 02:13:16 -0500 (CDT) Subject: [ISN] Massive data breach puts VA's IT policies under a microscope Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000787 By Jaikumar Vijayan May 26, 2006 Computerworld Tim O'Pry, his wife and his son are all veterans, and they're among the 26.5 million vets whose personal data was stolen this month from the home of a U.S. Department of Veterans Affairs employee. What O'Pry has a hard time understanding as an IT professional is why the incident happened when technology and process controls are widely available to mitigate such risks. "Why the hell was someone allowed to have all that data at home?" asked O'Pry, who is chief technology officer at The Henssler Financial Group in Kennesaw, Ga. "Surely, they must have had policies and procedures to prevent that. If they didn't, why not? And if they did, what sort of checks and balances did they have?" O'Pry's sentiments were echoed by several other IT managers in the wake of the VA's disclosure last week that "electronic data" containing the unencrypted names, Social Security numbers and birth dates of all U.S. veterans discharged since 1975 was stolen during a burglary at the Maryland home of a data analyst who works for the agency. VA officials said the analyst had legitimate access to the data at work but wasn't authorized to take it home. The agency didn't specify what kind of IT equipment was stolen, but the FBI and the VA inspector general's office jointly identified it as a laptop and an external hard drive. 
The theft is one of the biggest data breaches reported thus far. But aside from its massive scope, the incident at the VA is no different from countless other compromises, and it points to a continuing failure by many organizations to implement well-understood controls on data transmission, access and storage, IT managers and security analysts said. "What it comes down to is information life-cycle management," said Robert Garigue, chief security executive and vice president of information integrity at Bell Canada in Montreal. Far too often, companies focus solely on protecting their technology infrastructures, to the exclusion of ensuring that the information stored within them is safe from being illegally accessed or compromised, Garigue said. The lack of attention paid to protecting data is especially dangerous because of the widely distributed nature of corporate information and the myriad ways in which it can be accessed, he added. "I don't know if anybody can honestly say they have thought of every single way someone can pilfer data," O'Pry conceded. But it pays to put controls around some of the more obvious ones, he said. One of the simplest steps is encrypting sensitive data on all removable and archival storage media to protect against compromises if devices are lost or stolen, said Eric Beasley, an IT security manager at a bank in the Midwest that he asked not be named. The VA "should have made it so easy and inexpensive for employees to encrypt data on their PCs and have had such a high penalty for not doing it that everyone would have [complied]," said Alan Paller, director of research at the SANS Institute, an IT security research and training firm in Bethesda, Md. O'Pry said that restricting the ability of end users to attach removable media, such as USB thumb drives, external hard disks, and DVD and CD burners, to their systems is another relatively straightforward way to lessen the risk of information leaks. 
"Every company faces removable media issues," he noted. In addition to adopting such restrictions, Henssler Financial has installed network filters to ensure that sensitive information isn't leaking out in e-mail messages or chat sessions and other peer-to-peer applications, O'Pry said. The financial services firm is also using a database auditing tool from Acton, Mass.-based Lumigent Inc. to monitor database activity and alert administrators to suspicious activity such as someone trying to download unusually large amounts of data. Locking down a network against external attacks alone does little to protect enterprise data against accidental and malicious compromises from insiders, said Lloyd Hession, chief information security officer at New York-based BT Radianz, which provides telecommunications services to the financial industry. In environments where end users can get access to huge databases containing confidential information, there have to be many checks and balances in place, Hession said. Equally crucial is the need for security education and training, he added. Lapses such as the one at the VA often happen because end users simply don't know how to handle sensitive information, according to Hession. "The No. 1 tool really is awareness," he said. From isn at c4i.org Wed May 31 03:13:42 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 31 May 2006 02:13:42 -0500 (CDT) Subject: [ISN] Microsoft officially launches paid security product Message-ID: http://www.usatoday.com/tech/news/computersecurity/2006-05-31-microsoft-security_x.htm By Allison Linn The Associated Press 5/31/2006 SEATTLE - Security software makers, the 800-pound gorilla has landed. Microsoft will announce Wednesday that it is releasing software that aims to better protect people who use its Windows operating system from Internet attacks. The move pits the world's largest software maker head-to-head with longtime business partners Symantec, McAfee and others.
Windows Live OneCare, which will protect up to three computers for $49.95 per year, marks the latest step in Microsoft's effort over the years to make its operating system less vulnerable to crippling Internet attacks. Windows, which runs on the vast majority of personal computers, has been a near-constant target of worms, viruses and other attacks, hurting countless users and forcing Microsoft to invest heavily in patching vulnerabilities and improving flaws. The official release of the OneCare product comes after months of public testing. Redmond-based Microsoft has previously said that its main focus for OneCare was the 70% of computer users who, according to Microsoft estimates, have no additional protection at all. But in an interview last week, Ryan Hamlin, general manager for the OneCare product, said the company also hopes to snag existing Symantec and McAfee customers. "We'd love for those customers to use our product, and encourage them to, but there's also 70% that don't use anybody," he said. Microsoft is hoping to gain an edge against Symantec and others by also including tools in OneCare to make computers run more smoothly and help people back up data. McAfee said Tuesday that it was preparing to release a new security service, code-named Falcon, this summer. A spokesman for Symantec, maker of the popular Norton products, said no one was available to comment on the OneCare competition. Hamlin said he expects the product to be profitable for Microsoft. He said the company doesn't have any current plans to bundle OneCare into the Windows operating system, as it has done with products such as its Internet browser and music and video player. But he said the company was looking at ways to distribute the product through computer makers or Internet service providers, as many competing security software makers have done. The OneCare release also comes on the heels of a federal lawsuit Symantec filed against Microsoft over a separate matter. 
The lawsuit, filed in federal court in Seattle, accuses Microsoft of misappropriating Symantec's intellectual property and breach of contract. The dispute is over a technology that allows operating systems to handle large amounts of data. Hamlin said Microsoft believes it acted appropriately. Copyright 2006 The Associated Press. All rights reserved. From isn at c4i.org Wed May 31 03:13:53 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 31 May 2006 02:13:53 -0500 (CDT) Subject: [ISN] Attend the 2006 Black Hat Briefings & Training Message-ID: Attend the Black Hat Briefings & Training USA event, July 29 - August 2, 2006 at Caesars Palace in Las Vegas, the world's premier technical event for IT security experts. Black Hat profiles next generation threats, delivers practical security techniques, and an understanding of legal and policy issues. The Briefings are designed to foster peer-to-peer communication and networking opportunities with over 2,500 security professionals from 40+ nations. Includes 36 hands-on training courses July 29 - August 1, and 60 presentations at the Briefings August 2-3, featuring security experts and "underground" security specialists. Register before June 30 for early-bird savings! http://www.blackhat.com From isn at c4i.org Wed May 31 03:14:36 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 31 May 2006 02:14:36 -0500 (CDT) Subject: [ISN] Under the Watchful Eye Message-ID: http://www.ucsdguardian.org/cgi-bin/features?art=2006_05_30_04 By Andrew Nguyen Senior Staff Writer May 31, 2006 Reading your e-mail is usually a private experience between you and the spammer that sent you that ad for the natural Viagra alternative. However, for UCSD students, that experience can be shared with the university administration, too: Even if you delete your e-mail, UCSD administrators can gain access to the ucsd.edu e-mail address provided to each student so long as they are authorized to do so by certain vice chancellors.
With a sophisticated system of backups that allow the retrieval of e-mail even after it's been deleted, Academic Computing Services, the campus department that manages the e-mail system, and UCSD administrators could theoretically go through e-mails looking for instances of students breaking the law or university policy. What keeps them from doing so is the University of California's electronic communications policy, which focuses on "privacy, confidentiality and security in electronic communications." The policy spells out the circumstances under which a user's e-mail account can be viewed without his or her consent. At UCSD, the policy requires authorization from Vice Chancellor of Student Affairs Joseph W. Watson or Senior Vice Chancellor of Academic Affairs Marsha A. Chandler in order for an e-mail account to be inspected without the user's consent. The user must be notified of any such inspection. According to the Annual Reports on Nonconsensual Access to E-mail, between 2000 and 2004, UCSD requested authorization 12 times to access a user's e-mail without consent, and 11 of these requests were approved. In those cases, administrators sought to find out whether the user was breaking a law based on prior evidence, or there were "time-dependent, critical operational circumstances," were the reasons cited in the reports. Since users often delete e-mails to avoid running out of space in their mailbox, ACS developed a system that enables the retrieval of mistakenly deleted e-mail. ACS takes "snapshots" of the deleted e-mails at various times throughout the day - no less than twice per day - and can use those "snapshots" to restore e-mails that someone may need. Using a system of multiple hard drives for a seven-terabyte array that is then backed up to tapes, the data go quite a while back. Students or staff members can contact ACS to restore e-mails and, according to ACS Director Tony Wood, they're even used for disputes between faculty and students over grades. 
Since UCSD started providing e-mail service in the early 1980s, the number of e-mails that stream through the servers has increased to about 1 million a day. Out of all the messages that come into UCSD's e-mail servers, anywhere from 30 to 50 percent are spam, depending on the user's habits. Five percent of all e-mails contain viruses. Because of this, ACS has servers dedicated to keeping viruses and spam out of users' mailboxes. The UCSD Internet link isn't an ordinary connection: It's a massive optical pipeline that connects all the campuses of the University of California, as well as Stanford, the University of Southern California, Caltech and other universities. The connection is purchased through the Corporation for Education Network Initiatives in California - of which UCSD is a central backbone - for $160,000 a year, according to Wood, which pays for membership fees and Internet2 access. UCSD also purchases access to the Internet through CENIC measured by bandwidth use, at a cost of an additional $10,000 per month on average. The Internet connection isn't solely paid for by students; the state helps to pay for Internet connections used for more instructional purposes, while students pay for the wireless network, the wired connections in the residential areas and the computer labs. Once that connection gets to UCSD, according to Wood, it's divided up between 45,000 wired IP addresses, which connect about the same number of computers, and 15,000 monthly wireless users. All of these computers share a connection that has a bandwidth of about 50 megabits per second - in other words, way faster than your connection at home. With all that bandwidth, users can usually go about their business with no problems. It's only when someone is using a large amount of bandwidth that ACS is alerted.
Unusually large uses of bandwidth are almost always caused by hackers attempting to send out spam or viruses, or by the use of peer-to-peer file-sharing software to upload and download large numbers of files. In the former case, ACS will just shut down the connection and repair the computer. The latter case, however, is more complicated. If a user is using so much bandwidth that it interferes with nearby users' connection, ACS will implement a rate limiter that slows down how much the individual can use at one time. Usage, not content, is monitored and even then only in UCSD residential areas. When it comes to ACS involvement, it's not what you're downloading, it's how much you're downloading.

If ACS receives evidence that a user is committing or has committed a violation of its acceptable use policy, including copyright infringement and violation of federal, state or campus regulation, then it must take action. Usually after a warning for the first violation, ACS stops the connection for a period of time and refers the student to his or her relevant college judicial board.

With e-mail approved as an official form of university communication and near-universal access to the Internet around campus, the UC system has had to create a policy that views e-mail and Internet usage as an important component of daily life - just so long as users behave.

From isn at c4i.org Wed May 31 03:14:47 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 31 May 2006 02:14:47 -0500 (CDT)
Subject: [ISN] FIU Student Records Compromised By Hacker
Message-ID:

http://cbs4.com/topstories/local_story_150225136.html

By Jawan Strader
May 30, 2006

(CBS4 News) WEST MIAMI-DADE Thousands of students at Florida International University have received notices in the mail warning that their personal records might have been compromised because of a computer hacker. The postcard sized letters were sent out last week warning of the breach that occurred two months ago.
Some students were concerned because the size of the letter might make some think it's just junk mail. Students are also concerned because of the time that passed before the warning was put out. Part of the letter read as follows: "FIU recently discovered a computer infected with malicious software...[that] could allow an unauthorized person to gain access to a database that contained personal information, such as student and applicant names and social security numbers." Not all students received the letter because not all student records were put at risk. However, if you did receive a warning, university officials recommend you check your credit report with the three main credit reporting agencies to make sure you have not become the victim of identity theft.

From isn at c4i.org Wed May 31 03:14:58 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 31 May 2006 02:14:58 -0500 (CDT)
Subject: [ISN] Hackers gain access to server hosting bank Web sites
Message-ID:

http://www.thestate.com/mld/thestate/business/14703801.htm

Associated Press
May. 31, 2006

MAPLEWOOD, Minn. - Premier Banks says there is no evidence so far that hackers stole and used consumer data when they diverted customers from Premier's Web site to a phony site that asked for customers' personal data. President Mark Novitski said the Web site was immediately shut down after a customer reported the problem.

Maplewood-based Premier Banks, which operates 22 branches, was among more than 100 banks across the nation that were affected when hackers gained access to a server operated by Goldleaf Technologies Inc. of Brentwood, Tenn., on Thursday. Goldleaf is host to Web sites mostly for smaller community banks. Customers who tried to gain access to the sites were redirected to a phony Web site that asked for a user name and password. If a customer entered them, the site then asked for credit card and ATM personal-identification numbers.
Goldleaf spokesman Scott Meyerhoff said the security breach affected about 150 to 175 bank Web sites for anywhere from a minute to an hour and a half. He said the breach was the first in the company's history. Premier Banks notified the FBI and Federal Deposit Insurance Corp. and plans to send letters to its customers about the incident, advising them to change their online passwords, Novitski said. "The crooks are getting smarter," Novitski said. "It's a never-ending struggle." Novitski said the phony Web page fortunately didn't look like the bank's Web site. But he said he couldn't be sure how many customers may have entered information on the fake Web page. If the phony Premier Bank Web site had looked convincing, more of the bank's customers would have given up their data, said Ted Crooks, vice president of global fraud solutions for Minneapolis-based Fair Isaac Corp., which designs anti-fraud software for banks.