From isn at c4i.org Thu May 2 02:19:51 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] We're Watching You
Message-ID:

Forwarded from: Jeff Moss

Just a note. The speech can be seen here:

http://media.blackhat.com:5554/ramgen/blackhat/bh-usa-01/video/bh-usa-01-marshall-beddoe-chris-abad-video.rm

The rest of the 2001 speeches will be up this week.

Jeff

At 04:17 AM 4/29/2002 -0500, you wrote:
> Forwarded from: Justin Lundy
>
> Raytheon developed SilentRunner directly after a programmer named
> "bind" published his open-source "siphon" project on the Internet
> two years ago. The siphon software passively mapped networks (see
> where the SilentRunner name comes from?) to generate OS fingerprints
> for all hosts that were a source of traffic. This also included a
> list of all open ports on the machines. Newer versions, and the
> development versions contain a greatly expanded list of useful
> features.

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail.

From isn at c4i.org Thu May 2 02:08:40 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] We're Watching You
Message-ID:

Forwarded from: Joshua Krage (non-attributed redistribution OK)

On Mon, Apr 29, 2002 at 04:17:46AM -0500, Justin Lundy wrote:
> Raytheon developed SilentRunner directly after a programmer named
> "bind" published his open-source "siphon" project on the Internet
> two years ago. The siphon software passively mapped networks (see
> where

Considering I was present at a functional demo of the pre-release SilentRunner product well over two years ago, before the Siphon presentation at Blackhat (for which I was also present), I find this claim quite hard to believe. Corporate products do not have same-day development turnaround, especially on the then three-OS environment.
So the claim that SilentRunner stole the siphon concept to create a corporate product is completely off-base.

> Having worked in the computer industry for a while, nothing sickens
> me more than a constant supply of low-quality, small-scope software
> that was written in a week and sells for ridiculous amounts of
> money. If

While I cannot attest to the quality of the code, I do know it took much more than a week to develop the core product. The visualization tools are quite interesting.

As to the price, I personally agree; full Gigabit IDS deployments cost a fraction of a single SR sensor. :)

From isn at c4i.org Thu May 2 02:12:49 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] RE: [defaced-commentary] c4iweb.spawar.navy.mil defaced by The Deceptive Duo
Message-ID:

Forwarded from: "OSSN C.B. Gilham"

[Please reply directly to the author. - WK]

I am currently out in the middle of the ocean and do not have web access. A Naval defacement is very close to me, and I was wondering if anyone knew anything more on this defacement, i.e. service exploited, etc.? Also, if anyone knows anything more on 'The Deceptive Duo' and their motivation, statement, etc., I would appreciate a posting to the list, or email me directly.

Thanks.

----d----a----y----z----
PGP Key ID ( pgp.mit.edu ): 0xDD284509

"They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759

> ---------- Forwarded message ----------
> From: "alldas.org Defacement Mirror Agent"
> X-Sender: ml-manager@defaced.alldas.org
> To: alldas-defaced@defaced.alldas.org
> Date: Mon, 29 Apr 2002 06:19:55 -0500 (CDT)
> Subject: [alldas-defaced] c4iweb.spawar.navy.mil defaced by The Deceptive
> Duo
>
> Defaced Website: c4iweb.spawar.navy.mil
> Defaced by: The Deceptive Duo
>
> IP: 216.120.105.72
>
> Mirror URL:
> http://defaced.alldas.org/mirror/2002/04/29/c4iweb.spawar.navy.mil/

From isn at c4i.org Thu May 2 02:11:03 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] MoD breaks ranks on custom firewall
Message-ID:

http://networknews.vnunet.com/News/1131396

By Paul Allen [01-05-2002]

Rising technology overhead drives MoD to adopt commercial firewalls

The Ministry of Defence's security technology advisors have changed their approach to its firewall policy.

David Hartley, unclassified network manager at the Defence Science and Technology Laboratory (DSTL), formerly the Defence Evaluation Research Agency (DERA), said the MoD agency had bought in firewall technology as the overhead of maintaining internally produced code had become too great.

"While I don't want to suggest we are de-skilling, having people who can write and maintain code is difficult to justify. Our business is supporting the network, not coding software," said Hartley.

But Hartley stressed that improvements in commercially available firewalls, in conjunction with IDS and external evaluation, had been the main driver behind the strategy switch.

"We have taken a good look at commercial firewalls over the past five years, and have moved towards them because now they have the strength for our needs," said Hartley.

The move was phased in over the past 14 months.
Former DERA team leader for IT health checks, now managing security architect at consultants @Stake, Phil Huggins, said using commercially available firewall code was an issue of support versus trust.

"A large enterprise may not have the necessary skill set to create and run custom firewall code, they may have future support and training issues when current staff move on."

He said that while a custom firewall could reap huge benefits in terms of a better fit for business requirements, the management overhead could prove too high for many.

"It requires both strong skills management and a recognition that more time may need to be made available to manage such systems correctly.

"I strongly believe that businesses are better off properly managing a technology they know well, rather than using a technology it has been told is more secure, but using it badly," said Huggins.

From isn at c4i.org Thu May 2 02:12:23 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] Banks: A veil of safety
Message-ID:

http://news.com.com/2009-1017-893226.html

By Sandeep Junnarkar
Staff Writer, CNET News.com
April 30, 2002, 4:00 AM PT

Late one recent Sunday night, an executive at a midsized financial services firm received the kind of call everyone in the industry dreads: a demand for $1 million, or else the brokerage's network would crash the next day with a surreptitiously installed program.

The firm's security team spent a frenzied night searching for the pernicious code but failed to find it, and the system went down for an hour in the morning. The executive's phone rang once more: The caller threatened to crash the system again, but this time during peak trading hours. The brokerage, in this case, paid up.
"We figured out how the person got in and patched the system," said Ed Skoudis, a hacking expert at security firm Predictive Systems, which was called in to fortify the company's networks. "We deal with about two intrusions per month, and we're just one of the many teams out there doing this work. We're not dealing with denial-of-service attacks or script kiddies playing around, but skilled financial intrusions."

Although electronic break-ins are nothing new, their frequency has been quietly mounting in recent years as more banks rush online to provide services for consumers who are finally using the Web in significant numbers to manage their money. The popularity of online banking is projected to grow from 22 million households in 2002 to 34 million in 2005, according to Financial Insite, publisher of the Online Banking Report newsletter.

While not explosive, that steady increase represents a sea change in public perception about online banking, in many ways one of the last frontiers of electronic commerce. Along with safeguarding medical histories, many people view their financial information as a sacred totem--a record of their past and a window into their nest egg for the future--and are increasingly distrustful of financial institutions in today's climate of Enron-inspired paranoia.

"Let's face it, a bank is in the business of trust," said Mark Rasch, the former head of the U.S. Justice Department's computer crimes unit. "The reason you go to a bank is because you trust them not only to give you a good rate of return on your money, but also to keep your money safe and secure, and to protect your privacy associated with your finances. Attacks on the electronic infrastructure are attacks on all three of those."
An $11 billion secret

No comprehensive records on computer-related crime are public, but it is estimated to drain as much as $11 billion per year from consumers and corporations in the United States alone, with a growing portion coming from financial institutions. In their annual joint study released in April, the FBI and the Computer Security Institute, a security advocacy group, noted that the combined financial losses for 223 of 503 companies that responded to their survey came to $455 million.

Often, the highest cost for financial institutions is not the loss of money directly from theft but the expense of fortifying their systems to avoid repeat intrusions. Security experts estimate that a bank can spend upward of $1 million on equipment and consulting after a single incident to repair flawed technologies, which can require far more vigilance than the surveillance cameras, alarms and guards used to secure physical branch offices.

"Based on our examinations, we have seen an increase in security events over the past several years," said John Carlson, a senior adviser for bank technology at the Office of the Comptroller of the Currency, which monitors U.S. banks as an arm of the Treasury Department. "I am telling you that security incidents are definitely increasing."

The true depth of the problem remains unknown, however, as banking sources acknowledge that the industry releases as little information as possible on such incidents. Although some high-profile intrusions and technical blunders have been impossible to keep out of the news media, the vast majority rarely come to public light.

When banks suspect criminal activity, the Treasury Department requires them to file "Suspicious Activity Reports," bulletins originally used to track tax evaders and money launderers. The agency releases only limited information about the data it collects on breaches and other security incidents.
"We don't supply that information, and we don't really want to supply that information," Carlson said. "If such a report were made public, banks might shy away from reporting their suspicions. In addition, making such reports public would be unfair and prejudicial to the subject, against whom there have been no formal charges or findings leveled."

But consumer organizations say more public disclosure is needed. They note that banks are notorious for pushing to shield many aspects of their operations from scrutiny, employing armies of lobbyists to pursue their agendas on Capitol Hill.

"If there is increasing concern about break-ins and security with online banking, I believe the government should be clearer about the insecure nature of these online banking services," said Edmund Mierzwinski, a consumer banking advocate with the U.S. Public Interest Research Group, the national lobbying office for state non-partisan public-interest groups.

Insurance against sabotage

With such high stakes, all parties involved inevitably blame each other when a breach occurs, because there are so many points of potential vulnerability in the vast and complex systems of financial operations: hosting companies, Internet service providers, databases, transaction software and all manner of hardware. And all hope to deflect the legal liability inevitably associated with such incidents.

Accordingly, banks are turning to insurance companies because their coverage has failed to keep up with risks related to the Internet. Traditional insurance for banks covers robberies, but the new policies specifically deal with losses stemming from entire systems crashing because of sabotage or hacker or virus attacks that destroy data and programs. Progressive and Chubb are among those now offering policies tailored to shield banks from losses resulting from computer intrusions.
Progressive said that hundreds of small community banks have signed up for its Internet Banking Protection Package since it introduced the policy last summer.

"We are getting more and more interest from banks as they realize the risks," said Judi Kovach, a Progressive manager. "We had to enhance our insurance to include Internet banking exposure because the traditional coverage was written 100 years ago."

Some of these new policies also cover liability issues in case a customer sues because his privacy was breached. The federal government insures each bank account up to $100,000, but that applies only when an entire institution collapses.

Security breaches have not been confined to younger, Internet-only banks like NetBank in the United States and Egg in Britain; established global leaders such as Citibank, Credit Suisse Group's Direct Net and Barclays Bank have proven vulnerable as well. Security lapses have also been reported by regional institutions such as Wells Fargo in California, Republic Bank in Florida and First Virginia.

Moreover, security concerns involving online banking are rising with the advance of Web services, a new way of writing software that makes it easier to link systems and get information online. If this budding industry takes hold, people may find their private information on vulnerable servers or databases connected somewhere to the Net regardless of whether they have ever banked online.

"Many old-guard banks depend on legacy systems like mainframes. There's also corporate desktop systems and branch computers and ATMs; all live on the network, and all have some degree of access," said Adrian Lamo, a self-described "ethical hacker" whose conquests include the New York Times' internal network, where he viewed the Social Security numbers and other private information of former President Jimmy Carter and hip-hop artist Queen Latifah, among others.
"Even branch terminals are frequently older and obscure, potentially vulnerable to anyone knowledgeable in their foibles."

The weakest links

One notoriously weak link, for example, is a Microsoft server in wide use. Early last year the FBI's National Infrastructure Protection Center warned that several organized hacker groups from Russia and the Ukraine were targeting online banks and other e-commerce sites by exploiting vulnerabilities in un-patched versions of Microsoft's Internet Information Server software. The FBI advisory blamed the international groups for online break-ins at 40 companies in 20 states.

In its regular security alert, Microsoft detailed how a computer connecting to the server could exploit a feature meant to allow controlled Internet access to a database, secretly redirecting information back to the intruder. Using this method, according to the FBI, hackers gained unauthorized access and downloaded proprietary bank information, customer databases and credit card numbers. They then coolly turned around and notified companies of the intrusion, offering services to patch their systems against further attacks. If a company declined to pay for their services, the hackers became more belligerent and threatened to sell pilfered customer information.

In October, the FBI reissued the advisory to emphasize that this particular line of attack was still a dangerous threat. Microsoft had released patches to plug that particular security hole in 1998 and reissued security bulletins to customers through 2000, but many companies failed to make the repairs.

The scenario exemplifies how such "fixes" are routinely ignored by many systems administrators--if they are aware of the problem at all--and underscores the ease of denying culpability when a system is breached. The banks can blame Microsoft, while the software giant can point to negligent technology departments at the financial institutions.
Complicating matters further, the type of software used by financial institutions can vary widely from company to company. The larger institutions develop software tailored to their systems, while smaller banks try to customize off-the-shelf technologies. In either case, vulnerabilities are likely.

"It turns out that the specialized, in-house stuff has more security holes than the off-the-shelf ones," said a former investigator for the Treasury Department who is now a head of security for a multinational bank. "If you use an off-the-shelf system, you may have a secure infrastructure, but if you configure it poorly or customize it, you could introduce holes to it."

The latter occurred with a small, regional financial institution that enlisted an outside security team to evaluate an off-the-shelf system it had already begun to use. The consultants found one field of data that was exchanged between the server and browser that required a four-digit number between 1 and 10,000--from 0001 to 9999--that was generated automatically by the application.

"If we could successfully guess this number, we could become some user. The fact is that 1 in 10,000 doesn't take long to guess if I can guess 100 permutations per minute with an automated number generator," said Predictive's Skoudis, who did not disclose the identity of the bank involved. "We weren't told if we were called in because of an incident, but the vulnerability was there and a present threat."

Hackers often target hosting companies and ISPs, usually the weakest links in the chain, to bypass firewalls. In December, Lamo broke into MCI WorldCom's ISP network and was able to view the secure networks of Citibank and Bank of America, which ran over leased lines. Lamo exploited something called an "open proxy," a server normally used by a company to filter data on an Internet connection. The open proxy had been mistakenly installed on a Web server when it was first configured, leaving it exposed.
"Any intruder could have taken control of the routers with the information I had," Lamo said.

Sometimes, all it takes is one errant ISP connection to bring down an entire system. Even a bank with a fully protected internal network could find itself exposed if a teller were to sign on to a personal America Online account from inside the network, for example. This could happen because AOL forms a virtual network adapter and assigns a separate IP address, according to Lamo.

"That automatically creates something of a tunnel through many firewalls when the user signs on," Lamo said, explaining that while that bank network remains secure, a workstation within the bank becomes vulnerable by way of the AOL address.

This scenario was exploited less than two years ago when intruders cracked one of AOL's customer information databases by establishing a connection to the computers of some of the company's customer service representatives.

"It illustrates how any organization can't really prepare against all possibilities when they're using a public network," Lamo said.

Human error

Despite all the possible technical weaknesses in the online banking infrastructure, humans often present far more risk than any technology. Investigators and security experts note that a bank insider more often than not plays a role in security breaches. An insider can be someone working at any point along the financial network infrastructure, from a current or former employee in the bank's technology department to someone affiliated with an off-the-shelf software company.

"Insiders know your systems. They can inflict the most damage," Skoudis said. "They might be gone for months but may have installed remote-control software to get in from anywhere."

Investigators and security experts said the pressure and worry that built steadily to make sure that computer systems were ready for the infamous Y2K bug presented a great opportunity for insiders to "go bad."
"Financial institutions were running around like mad, hiring people right out of the phone book to make sure they could put up all the signs and banners saying, 'We are Y2K ready--don't pull all your money out,'" said Hale Guyer, a special investigator and member of the Illinois attorney general's Task Force on the Investigation of Internet Crime and Child Exploitation. "They all did very poor background checks because of the rush. What would have kept one of those people from putting in a back door to your systems?"

Even without inside help, hackers can prey on what investigators say is the most susceptible link of all: the bank customer tapping in from home, often on a computer with little or no security software. This person presents the most tempting target, the one least aware of how much damage can be done simply by opening an e-mail attachment or clicking a link.

Home PCs still routinely fall victim to "Trojan horses," types of software that pretend to do something useful but in fact punch security holes in individual systems and allow hackers to log keystrokes or record conversations if a microphone is attached to the computer. Lamo said most of the fraud discussed on less-sophisticated hacker chats relates to stealing information using Trojan horses.

This stolen information is still only one phase of a process that takes weeks of work, requiring a hacker to painstakingly gather all the information necessary to impersonate someone online. But that may change with newer, more sophisticated hacking technologies.

"It is likely that we will see automated attacks appearing eventually, using viruses to attack many users of online banking indiscriminately," said Mike Bond, a computer security researcher at Cambridge University. He added, though, that this is unlikely to occur in the near future.
Bond and his colleague Richard Clayton made headlines last year when they developed a program that allowed them to bypass one of IBM's most secure cryptographic co-processors, a system used to store PIN codes for ATMs. The researchers demonstrated the breach on a laboratory computer, and IBM subsequently fixed the flaw.

"No matter how great a job you do, a determined attacker will eventually find some sort of problem," Bond said. "You have to find just one fault to exploit, while banks need to cover all possible faults."

From isn at c4i.org Thu May 2 02:21:42 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] Hackers spur shutdown of computer server for Navy
Message-ID:

http://www.uniontrib.com/news/business/20020501-9999_1b1spawar.html

By Bruce V. Bigelow
UNION-TRIBUNE STAFF WRITER
May 1, 2002

A defense contractor developing a public Web site for the Navy shut down a key computer network this week after hackers gained access to employee passwords and other user information.

A Navy spokesman emphasized yesterday that no military secrets were stored on the computer server operated in Mission Valley by Booz Allen Hamilton, a consulting firm working with the Navy in San Diego.

But the weekend incident was embarrassing to SPAWAR, the San Diego-based Naval command that serves as the information technology provider for the entire U.S. Navy.

Booz Allen has been working closely with SPAWAR, known officially as the Space and Naval Warfare Systems Command, to develop a Web site featuring public information about SPAWAR. That Web site was subjected to a similar cyber attack on April 22, about a week before the electronic raid on Booz Allen.
In each incident, Web pages were defaced, private information was disclosed and unauthorized messages claiming responsibility for the attacks were posted by "the Deceptive Duo."

One message read: "We are two US Citizens that understand how sad our country's cyber-security really is . . . This situation proves that we are all still vulnerable even after 9/11."

Richard Williamson, a SPAWAR spokesman, denounced those statements as insincere, saying: "These people claim that their goal is to make our network more secure. If that was true they would not have illegally broken into our machines and they would not have illegally posted information on our Web site."

In the April 22 attack on SPAWAR's Web site, Williamson said the hackers found that passwords intended to give system administrators access to Web-based software were left on "default" settings.

By not changing the passwords that provide access, Williamson said, "We locked the door and then essentially left the keys hanging on a nail on the doorframe."

Whether that security breach was directly related to the weekend raid on Booz Allen's computer server was under investigation, Williamson said. "It is possible that they picked up something off our server, such as a name or a password," to gain access to the other system, Williamson said.

Dave Karp, a manager in Booz Allen's San Diego office, said a team of the firm's own computer experts was analyzing both cyber attacks to see which files were accessed.

"As you might imagine, our Web guys are scrambling," Karp said. "My Web guys have been at GQ (general quarters) for a while. This is not simple stuff."

Karp said the computer server accessed by the hackers was an internal system used by Booz Allen employees to store documents and develop software for the Navy's public Web site.

Documents retrieved from the system and displayed by the hackers included names, e-mail addresses and phone numbers of, and other information about 35 Booz Allen employees.
One employee, who was contacted by the Union-Tribune on the cell phone number listed in one document, confirmed that the information about him was accurate. Another document listed 34 user names and passwords, presumably for Booz Allen employees to access their computers.

Williamson emphasized that no classified documents were stored on the public Web servers. He said SPAWAR is often subjected to hacker attacks, which once reached 83,000 "hits" in one 24-hour period, because it represents an elite U.S. military technology command.

At least some documents stored on the system, however, apparently had not been reviewed for public release. For example, a five-page memorandum that had been stored on the system was about the Navy's "Integrated Battle Force Training Process." Williamson said the memo, which was issued last year by Rear Adm. Kenneth D. Slaght, had not been reviewed for public release.

In the previous raid on SPAWAR's Web site, the intruders electronically pasted several screen shots to the home page that appeared to be a flight schedule and passenger manifest for a Midwestern commuter airline's database. It also appeared that e-mail addresses and full names of some airline customers were compromised.

According to one SPAWAR employee, Slaght was furious about the recent incidents.

Bruce Bigelow: (619) 293-1314; bruce.bigelow@uniontrib.com

From isn at c4i.org Thu May 2 02:03:44 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] [defaced-commentary] c4iweb.spawar.navy.mil defaced by The Deceptive Duo
Message-ID:

Forwarded from: "Huggins, Michael"

Note: I did not immediately respond, took a few to think this one over.

Hypothetical situation: If I was to break into a classified space and remove material would I not be prosecuted for Trespassing even if I was trying to show you you were weak.
v/r
Michael

Michael H. Huggins CISSP
CTOC USN (ret)
First Command
Information Security Manager
817 569 2435

-----Original Message-----
From: InfoSec News [mailto:isn@c4i.org]
Sent: Tuesday, April 30, 2002 3:58 AM
To: isn@attrition.org
Subject: [ISN] [defaced-commentary] c4iweb.spawar.navy.mil defaced by The Deceptive Duo

---------- Forwarded message ----------
Date: Mon, 29 Apr 2002 07:28:06 -0400 (EDT)
From: security curmudgeon
To: defaced-commentary@attrition.org
Subject: [defaced-commentary] c4iweb.spawar.navy.mil defaced by The Deceptive Duo

Another interesting defacement. Of note, the information and screenshots at the bottom and the validity of them.

---------- Forwarded message ----------
From: "alldas.org Defacement Mirror Agent"
X-Sender: ml-manager@defaced.alldas.org
To: alldas-defaced@defaced.alldas.org
Date: Mon, 29 Apr 2002 06:19:55 -0500 (CDT)
Subject: [alldas-defaced] c4iweb.spawar.navy.mil defaced by The Deceptive Duo

Defaced Website: c4iweb.spawar.navy.mil
Defaced by: The Deceptive Duo

IP: 216.120.105.72

Mirror URL:
http://defaced.alldas.org/mirror/2002/04/29/c4iweb.spawar.navy.mil/

[...]

From isn at c4i.org Thu May 2 02:10:43 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] Creator of "Melissa" Virus, Which Did Millions of Dollars of Damage, Sentenced to 20 Months
Message-ID:

http://ap.tbo.com/ap/breaking/MGAJMEADP0D.html

The Associated Press
Published: May 1, 2002

NEWARK, N.J. (AP) - The creator of the "Melissa" virus was sentenced Wednesday to 20 months in federal prison for causing millions of dollars of damage by disrupting e-mail systems worldwide in 1999.

David L. Smith, 33, pleaded guilty in December 1999 to a state charge of computer theft and to a federal charge of sending a damaging computer program.
In the federal plea, both sides agreed the damage was greater than $80 million.

Smith is believed to be among the first people ever prosecuted for creating a computer virus. In court Wednesday, he called the act a "colossal mistake."

The Melissa virus, which struck in March 1999, was disguised as an e-mail marked "important message" from a friend or colleague. It caused computers to send 50 additional infected messages. The volume of messages generated slowed some systems to a crawl.

Smith could have faced up to five years in prison, but prosecutors suggested a term of about two years, saying he had given authorities extensive assistance in thwarting other virus creators.

He was also fined $5,000 by U.S. District Judge Joseph A. Greenaway Jr.

Smith has said he created the virus on computers in his Aberdeen apartment and used a stolen screen name and password to get into America Online.

From isn at c4i.org Thu May 2 02:14:46 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] Hacker Pleads Guilty To Accessing NASA System
Message-ID:

http://www.newsbytes.com/news/02/176281.html

By Wilson P Dizard III, GCN
WASHINGTON, D.C., U.S.A., 01 May 2002, 2:13 PM CST

A hacker charged last year with breaking into a NASA server has pleaded guilty in the U.S. District Court in San Antonio to one count of intentionally accessing a federal computer without authorization, NASA said Monday. He faces a possible one-year jail term and a $100,000 fine.

Ruben Candelario, who entered his plea April 18, is scheduled to be sentenced June 20. He was indicted a year ago on charges of hacking into the Web and e-mail server of NASA's Virginia Consortium of Engineering and Science at Langley Research Center in Hampton, Va. He also was charged with possessing and trafficking in computer passwords.
Candelario, who used the nickname skrilla, was the subject of an investigation by the NASA Inspector General's Computer and Technology Crimes Office and investigators of the Guadalupe, Texas, Sheriff's Department.

From isn at c4i.org Thu May 2 02:14:27 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] Announcing DEF CON 10!
Message-ID:

Forwarded from: The Dark Tangent

D E F C O N 10 C O N V E N T I O N
D E F C O N 10 C O N V E N T I O N
DEF CON 10 CONVENTION
D E F C O N 10 C O N V E N T I O N

>> READ AND DISTRIBUTE AND READ AND DISTRIBUTE AND READ AND <<

Initial Announcement: 05/01/2002

We are proud to announce the 10th annual Def Con. The 10th anniversary of what has become the largest hacker convention on the planet! DEF CON 10 will be August 2nd to the 4th at the Alexis Park Hotel and Resort in Las Vegas, Nevada, USA.

[> What is DEF CON <]

Defcon is a convention for the more "underground" elements of the computer culture. Defcon is geared towards hackers, programmers, phreaks, cyberpunks, cypherpunks, open source hackers, civil liberty and privacy advocates, HAMs, casual bystanders, lookieloos, feds, reporters, and anyone interested in seeing what's going on in the computer underground today.

[> What's Happening <]

WHO: You know who you are, you shady characters.
WHAT: A convention for you to meet, party, and listen to some speeches that you would normally never hear.
WHEN: August 2nd to the 4th - 2002
WHERE: Las Vegas, Nevada @ The Sahara Hotel

Taking advantage of expanded meeting space this year, there will not only be three tracks of speaking, but two break out areas for small mini-classes on select topics.

For complete up to the minute information visit http://www.defcon.org/

The following is a brief overview of what to expect.
[> Wireless Network <]

At DC 9 we grew the coverage of the wireless network to cover most of the Alexis Park. We operate an 802.11b wireless network with a gateway to the net. It is a wide open network with no WEP security, assigning addresses by a DHCP server. Yes, people mess with the DHCP server, but all in all it works well.

NEW for this year: DEF CON will continue to grow the network, as well as provide some dedicated servers for attendees to use. For example we will have a web/ftp server set up where people can upload pictures they have taken in order to share them with the rest of the con attendees. DEF CON will also have a limited amount of 802.11a access points for Really high speed access. While all this great bandwidth is limited by our net connection, it will be great for people on the local network to swap pictures and data.

[> Call for Papers <]

If you are interested in speaking at DEF CON TEN, please read this Call for Papers announcement and follow the directions to submit a talk.
http://www.defcon.org/html/dc10/defcon-10-cfp.html

[> Speaking <]

There will be three speaking areas and two break out areas for demonstration and classes. Speaking will start an hour or two later in the day than in previous years, and go an hour later into the evening. Look to the web site once speakers have been selected for the exact schedule and changes.

[> Break Out Areas <]

The two break out areas will hold around 150 people each, and will be used for specific demonstrations or talks that would not work well in the really large speaking areas. An example of a break out talk might be on how to modify your TiVO, where audience members would be walked through working on their own TiVO. Topics such as radio modification, killer robot building, chipping your PS2, etc. would all work well for the break out areas.

[> Hotel Room Video <]

We've gotten the bugs worked out of the hotel's broadcast system.
This year we will be broadcasting 3 separate channels on the hotel's internal TV system. One channel will be playing movies, anime, and other kinds of entertainment. The other two will be used for broadcasting the speakers. This should help with the overcrowding that sometimes occurs, as well as allowing our attendees to relax in their rooms and not miss anything.

[> Streaming Audio/Video <]

Provided we have the bandwidth, we will be streaming all of the audio and video from the event. Hopefully, we can put up a few reflectors in different geographical areas so that folks in all parts of the wired world will be able to tune in and see what's going on.

OFFICIAL EVENTS

[> Capture the Flag Contest <]

An expanded version of the classic CTF contest, this year will feature more audience participation. There will be multiple IDS systems plugged into wall projectors reporting on what is happening, as well as some custom filters to keep track of what team is ahead. NEW for this year, with the help of the three time CTF winners, the Ghetto Hackers, this year's contest will be all new and action oriented. http://www.ghettohackers.net/ctf/ has all the latest contest information.

[> DJs <]

There will be DJs again at DEF CON, but there will be no DJ room as in past years. Instead this year there will be more of a "cool out" lounge with DJs, chairs, and it will be more of a place to hang out. The party is nice for the Black and White ball on Saturday night, but in the meantime we want to provide that space for you to be able to hang out and work on whatever project you're working on so you can get out of the lobby or the hallways. We'll bring LAN access and wireless access into the room and make it a relaxing, yet constructive environment. There will be DJ action in the new lounge and in the CTF arena. If you are interested in playing a set at DEF CON, email bink@23.org to find out more and hit http://www.23.org/DJing for more info.
[> The Defcon Shoot <]

The Defcon Shoot will be entering its 6th year. This year it will be hosted at the Boulder Nevada Rifle and Pistol Gun Club. Check out the Shoot website at http://www.dis.org/dcshoot or get on the mailing list by mailing majordomo@23.org with 'subscribe dcshoot' in the message body.

[> Black and White Ball <]

Despite the changes happening to the DJ area, the Black and White Ball will still be happening this year. Traditionally folks would dress up and we'd provide the entertainment, but over the years fewer and fewer people came in costume. This year we'd like to encourage folks to dress up for the event. Anything goes, you can play it straight and throw on your best outfit, or go completely sideways and wear your purple and silver zoot suit or dress up like one of the ghosts from Pac-Man. Don't let Bluknight be the only one running around in a rubber body suit.

[> DEF CON TEN Logo Contest <]

The Official DEF CON TEN logo contest is now open. Here are the rules, and what you could win:

Submit your entries by email to logos@defcon.org. Name your entries in the following format to help us add them on-line faster:

dc-10-[your-handle]-[#].[jpg/gif/psd]

where [your-handle] is your handle in lowercase with spaces replaced with dashes. [#] is replaced by a number representing the current logo you are submitting. [jpg/gif/psd] is either a jpeg, a gif, or a photoshop file, the three file formats accepted. For example, Net Ninja is submitting three jpeg logos. He would name the first one dc-10-net-ninja-1.jpg and the last one dc-10-net-ninja-3.jpg.

Please set the resolution to be 24 bit color (for .jpg or .psd) and a maximum of 650x650. If you want to also submit for tee shirts as well we will need your art in photoshop (at a very high resolution) or illustrator formats.

Submissions will be added on-line to the DEF CON web site, and cool logos will be printed in the con program. Really cool shirt logos will be used on a shirt design or two for the con.
If your logo is selected for a shirt you will receive free admission for yourself and four people as well as five shirts of your choosing, plus bragging rights. We'll make sure your handle is on the shirt.

Keep an eye on http://www.defcon.org/dcx-logos.html to see the most current submissions.

[> DEF CON TEN Slogan Contest <]

Have a witty slogan for this year's DEF CON? Well, what are you waiting for? Submit it to the Defcon Slogan page. If we pick your slogan you'll win something, I'm not entirely sure what, but something cool. To submit a slogan pay a visit to http://www.securitytribe.com/dcslogan.html and to view the slogans already submitted visit http://www.securitytribe.com/sloglog.html.

NON-OFFICIAL EVENTS

[> DC Jump <]

Ever have the desire to jump out of a perfectly good airplane? Me either, but some folks are planning on doing just that. It's the second DC Jump and you can find more info about it here: http://www.dcjump.com

[> Coffee Wars <]

Coffee Wars will be back for its 3rd jittery year. They don't really have much of a plan right now, but have assured us it will happen. Keep an eye on http://coffeewars.org for more up to date info.

[> DEFCON Notes Exchange <]

Inspired by the South By Southwest Notes Exchange [http://www.sxswblog.com/exchange.asp] your pals at VP Labs have decided to throw together one of their own. Quite simply, the DEFCON Notes Exchange exists so con attendees can swap and compare notes on talks in a central area. Drink too much the night before and miss a talk? Debating between two different speeches on two separate tracks? Check the notes exchange to see what other folks had to say about the talk you missed. Happen to take notes on something? Chip in. We operate on the zenlike 7-11 policy of "Got a penny? Leave a penny. Need a penny? Take a penny." except until we get the Amazon micropayment tipjar up we'll just take your notes. Pay a visit to http://noteex.vplabs.org/ for more info as the convention approaches.
[> Cost <]

Cost for DEF CON TEN will be $75 USD, cash. We have had problems with people in the past bouncing checks and not signing travellers checks, so to avoid these issues we are switching to cash only.

To read more about why we are increasing the cost, and what it will allow DEF CON to do, read this:

The decision to raise the admission price was not easy, but it is a necessary thing if we want to continue to bring you the best possible con. Putting DEF CON on every year is not cheap. Our detractors seem to be under the belief that we don't have to pay anything to put DEF CON on and that we spend the rest of the year taking turns rolling about in a huge pile of money; this couldn't possibly be further from the truth. In addition to the costs of renting every inch of available space at the Alexis, there's also costs for: rental A/V gear and personnel, insurance, air conditioning units, extra hotel staff, legal costs, ADA compliance, shipping, electrical, Internet, tax, theft, printing, phone charges, extra security people, etc. Keeping the con at 50 bucks leaves us with no room to expand.

In our open letter to the community we asked what we could/should do to make DEF CON a better place and the one consistent thing we learned is that many of you would have no problem paying more if we, in return, used that extra money to make the con better. So for the first time in 5 years, we are going to raise the cost of admission.

So, what does that get you? It allows us to put up another tent so we have even more space, it allows us to rent more air conditioning units so we can keep both tents cool (for those that missed last year, the main hall was a tent on the roof that at any given moment was around 100 degrees (38C) and about 80% humidity, not a fun time). In addition to making the con more habitable, the extra money can be used to pay our speakers.
By being able to pay our speakers, who have spoken for free up till now, we can book even better talks and bring in new speakers that had previously been out of our reach.

The money can also go to support our infrastructure. Our infrastructure is comprised mainly of aging hardware and whatever folks donate. We would like to add newer and faster network gear, more APs, and more A/V equipment to DEF CON. This will allow us to do just that.

Finally, our staff is comprised of volunteers, some of whom have been doing this for 9 years. This year it would be nice to actually pay some of the folks that have tirelessly worked to make DEF CON what it is.

So in summary: More money = more space, cooler conditions, better speakers, better gear, and happier staff.

People who do not have to pay are speakers, staff, attendees of The Black Hat Briefings, and VIPs (Traditionally people who have helped out in years past or donated time and equipment to help make the show happen.)

[> Hotel Info <]

The Alexis Park Hotel and Resort is across the street from the Hard Rock Hotel, and is a block off the main strip. Located at 375 East Harmon Ave in Las Vegas, NV 89109. The Alexis Park is a non gambling hotel, so people 18 years and older can get a room there.

New for DEF CON 10, to be on the hotel property you _MUST_ have a DC 10 badge. This is a requirement of the hotel to cut down on locals just "passing through" the con, and causing problems.

Toll-free reservation line 1-800-582-2228.
http://www.alexispark.com/

ERRATA

[> Vendor Info <]

If you are interested in being a vendor at DEF CON 10 this year, please read the Vendor FAQ at http://www.securitytribe.com/vendor-FAQ.html Vendor space is limited, so reserve your space now.

[> Getting to DEF CON 10 - The Car Caravans <]

If there are more than two of you in a given location, there's probably a caravan in your area.
Here are some of the better-known ones:

Deathrace 2k (The SoCal Caravan)
http://www.deathrace2k.org

Deathrace2k Message board (covers all areas, not just SoCal, check here to see if folks in your area are going)
http://deathrace2k.org/phpBB/

The Bay Area Caravan
http://caravan.billzhouse.com

The Utah Caravan
http://defcon.hektik.org

[> Chat <]

Pay a visit to the new DEF CON forums. Chat with other like-minded folks. Topics range from DEF CON planning, current events, politics, hacking, newbie education, to local 2600 meeting info. The forums can be found at http://forum.defcon.org

From isn at c4i.org Thu May 2 02:10:22 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] Security UPDATE, May 1, 2002
Message-ID:

********************

Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com

********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Computer Associates International, Inc. (CA)
http://list.winnetmag.com/cgi-bin3/flo?y=eLkE0CJgSH0CBw01bH0A8

VeriSign--The Value of Trust
http://list.winnetmag.com/cgi-bin3/flo?y=eLkE0CJgSH0CBw01bI0AA
(below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: COMPUTER ASSOCIATES INTERNATIONAL, INC. (CA) ~~~~

Prevent viruses from halting your business. Keeping out costly viruses is a full-time job. Let CA's eTrust(TM) Virus Defense Solution stop viruses in their tracks, from the gateway to the desktop, while you stay focused on your business. eTrust Virus Defense from Computer Associates is a flexible, nodal-based solution that is also easy on your bottom line.
Call 1-800-875-9659 or visit
http://list.winnetmag.com/cgi-bin3/flo?y=eLkE0CJgSH0CBw01bH0A8

~~~~~~~~~~~~~~~~~~~~

May 1, 2002--In this issue:

1. IN FOCUS
   - Should Microsoft Add Another Security-Related Mailing List?

2. SECURITY RISK
   - Automatic Script Execution Vulnerability in Outlook 2002 and Outlook 2000

3. ANNOUNCEMENTS
   - Need 24 x 7 Availability?
   - Win a Personal Cinema Card at the Connected Home Virtual Tour

4. SECURITY ROUNDUP
   - News: Intruders in Europe Might Face Jail Time
   - Feature: SQL Server: Effective Installation
   - Feature: Windows XP Warning Overblown
   - Feature: Wireless Security

5. INSTANT POLL
   - Results of Previous Poll: Antivirus Defense Location
   - New Instant Poll: Security Information Notification

6. SECURITY TOOLKIT
   - Virus Center
   - FAQ: What Is MBSA?

7. NEW AND IMPROVED
   - Virus Engines Bundled in Email Security Package
   - Enhanced Security for Remote Control with AES

8. HOT THREADS
   - Windows & .NET Magazine Online Forums
   - Featured Thread: How Can I Remove a COM1 Folder?
   - HowTo Mailing List
   - Featured Thread: Email Attachment as an Executable

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

* SHOULD MICROSOFT ADD ANOTHER SECURITY-RELATED MAILING LIST?

Did you read the NTBugtraq mailing list last week? If not, you missed some good points that list moderator Russ Cooper made. Cooper points out that Microsoft sometimes falls short in the area of security notifications, as I'm sure many of you will agree (see the URL below). Cooper said, for example, that Microsoft doesn't adequately notify its customers about the release of new service packs, security rollup packages, and security updates for specific products, such as the Outlook Email Security Update.
In addition, the company doesn't directly notify customers when it releases new security tools, such as Microsoft Baseline Security Analyzer (MBSA), HFNetChk, and URLScan for Microsoft IIS.
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=9960

Without such notification, customers remain unaware of new security-related tools and patch packages--at least until word gets out through security-related mailing lists or until members of the press learn about the tools and packages and publish articles that notify readers.

The lack of notification also makes Microsoft customers do extra work. Cooper notes, for example, that installing Microsoft's security rollup packages often eliminates the need to install numerous individual patches because the rollup packages contain all the patches released to date. In addition, security rollup packages might contain additional patches not related to a specific Microsoft security bulletin.

Cooper didn't include, but could have, security-related TechNet articles among the examples that support his point. Sometimes, Microsoft releases security information exclusively in TechNet articles but doesn't notify customers about the articles. The recent Microsoft article "Denial of Service Attack on Port 445 May Cause Excessive CPU Use," which outlines registry tweaks that help prevent Denial of Service (DoS) attacks, is a case in point. Microsoft released the article in mid-April to help administrators, but didn't notify customers about it. Instead, customers found out through mailing lists and news reports. We published a related news story ("Microsoft Article Q320751: Denial of Service Workarounds") in last week's Security UPDATE (see the URL below).
http://www.secadministrator.com/articles/index.cfm?articleid=24930

If you read that news story and clicked the embedded link to the Microsoft article, you know that the article was on the TechNet Web site at the time of publication.
However, when I looked for the article Monday, someone had removed it from the TechNet Web site. What's going on? I don't know because Microsoft doesn't publish any information in such instances--so it's a case of now you see it, now you don't!

Microsoft apparently has at least two approaches to security-related notifications: one approach for issued security bulletins and another for other security-related matters. Cooper believes that in addition to security-related hotfixes, Microsoft should issue a security bulletin every time the company releases a security-related patch or tool. That's a good idea, but perhaps publishing all security-related information in security bulletins might not be the best way to handle such user notification.

Alternatively, Microsoft could establish a second security-related mailing list to notify users about non-bulletin security matters, such as the release of new service packs, the publication or withdrawal of pertinent TechNet articles, and the release or update of new security-related tools such as MBSA and URLScan. Developing an additional user-notification method--whether that involves new bulletins or a second mailing list--would certainly benefit Microsoft's "Get Secure and Stay Secure" initiative. As matters stand now, users must rely on third parties for important security information.

What do you think? Would you benefit from Microsoft notifying you about additional security-related information and resources? If you believe you would benefit, would you prefer to be notified through a security bulletin or through a new Microsoft security mailing list? Please stop by the Security Administrator home page (see the URL below) and respond to our new Instant Poll. I also welcome email messages with your further thoughts about security-related notification (mark@ntsecurity.net). I look forward to your responses.
http://www.secadministrator.com

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~

FREE E-COMMERCE SECURITY GUIDE
Is your e-business built on a strong, secure foundation? Find out with VeriSign's FREE White Paper, "Building an E-Commerce Trust Infrastructure." Learn how to authenticate your site to customers, secure your web servers with 128-Bit SSL encryption, and accept secure payments online. Click here:
http://list.winnetmag.com/cgi-bin3/flo?y=eLkE0CJgSH0CBw01bI0AA

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISK ====
(contributed by Ken Pfeil, ken@winnetmag.com)

* AUTOMATIC SCRIPT EXECUTION VULNERABILITY IN OUTLOOK 2002 AND OUTLOOK 2000

Microsoft Outlook 2002 and Outlook 2000 contain a vulnerability that can let an attacker execute arbitrary scripts under the user's security context on the vulnerable computer. This vulnerability stems from a difference in the security settings that the system applies when it displays rather than edits an email message. Microsoft has released Security Bulletin MS02-021 (E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward) to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=25002

3. ==== ANNOUNCEMENTS ====

* NEED 24 X 7 AVAILABILITY?
High-availability networks, systems, and applications are crucial to every business. Sign up for our free Webinar taking place on May 24 (sponsored by MKS), and find out how to achieve 24 x 7 availability on Windows 2000. Windows & .NET Magazine author Tim Huckaby shares his expertise on load balancing, monitoring, and more. Register today!
http://list.winnetmag.com/cgi-bin3/flo?y=eLkE0CJgSH0CBw0qQh0AS

* WIN A PERSONAL CINEMA CARD AT THE CONNECTED HOME VIRTUAL TOUR
If you think you've already seen the Connected Home Virtual Tour, think again.
Browse through the latest home entertainment, home networking, and home automation options and check out our special feature on wiring your home. Sign up for prize drawings, too, and you might win a free personal cinema card, courtesy of VisionTek and nVIDIA. Take the tour today!
http://list.winnetmag.com/cgi-bin3/flo?y=eLkE0CJgSH0CBw0LTe0Ap

4. ==== SECURITY ROUNDUP ====

* NEWS: INTRUDERS IN EUROPE MIGHT FACE JAIL TIME
The European Union (EU) has proposed a "Council Framework Decision" that would help standardize criminal law across all member nations as they prosecute computer-related crimes. The framework defines punishment for offenses that include unauthorized access to computers, Denial of Service (DoS) attacks, intentional propagation of destructive code such as worms and viruses, malicious interception of communications, and identity theft.
http://www.secadministrator.com/articles/index.cfm?articleid=24982

* FEATURE: SQL SERVER: EFFECTIVE INSTALLATION
Microsoft tries to make installing its software as smooth and easy as possible, and Microsoft SQL Server 2000's installation is no exception. From the installation CD-ROM, you load setupsql.exe from the x86\setup folder, fill in a few details on the setup screens, and within a few minutes, the installation proceeds without further user intervention. You can even successfully install SQL Server 2000 without understanding what the choices mean, just by clicking Next in most of the setup dialog boxes. However, I strongly advise you not to treat the installation lightly. Pay attention to each option, and make sure you thoroughly understand the implications of each choice you make. Some bad decisions, such as wrong collation settings, might be hard to fix; others, such as accepting the default authentication, might create security holes.
http://www.secadministrator.com/articles/index.cfm?articleid=24317

* FEATURE: WINDOWS XP WARNING OVERBLOWN
When it comes to Windows XP, no report is too innocuous to be dragged out, dissected, and--apparently--blown out of proportion by the mainstream media. Consider, for example, the XP Universal Plug and Play (UPnP) vulnerability. By far, the most interesting aspect about the UPnP vulnerability is the irresponsible way in which various media entities reported it.
http://www.secadministrator.com/articles/index.cfm?articleid=24487

* FEATURE: WIRELESS SECURITY
The weak security of 802.11's built-in Wired Equivalent Privacy (WEP) algorithm is enough to give managers nightmares. Indeed, many IT managers have delayed 802.11 implementations until standards committees finish work on a more robust means of securing wireless networks. Others have decided to use WEP and hope for the best. However, secure solutions are available.
http://www.secadministrator.com/articles/index.cfm?articleid=24549

5. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: ANTIVIRUS DEFENSE LOCATION
The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Where have you placed your organization's antivirus defenses?" Here are the results (+/X percent) from the 365 votes:
- 5% On desktops
- 3% On email servers
- 2% On file servers
- 1% At the Internet border
- 89% At two or more of the above locations

* NEW INSTANT POLL: SECURITY INFORMATION NOTIFICATION
The next Instant Poll question is, "How should Microsoft notify its customers about new service packs and new or updated security-related rollup packages, tools, and TechNet articles?" Go to the Security Administrator Channel home page and submit your vote for a) Microsoft should issue security bulletins for all security-related matters, b) Microsoft should add a mailing list for non-bulletin security matters, or c) Microsoft needn't notify customers in any additional ways.
http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* FAQ: WHAT IS MBSA?
(contributed by John Savill, http://www.windows2000faq.com)

A. Microsoft has released Microsoft Baseline Security Analyzer (MBSA), a tool that analyzes a system for security information related to its Windows OS version, Microsoft IIS version, Microsoft SQL Server version, hotfixes, and passwords. You can use MBSA to run checks against local or remote machines. The tool runs only on Windows .NET Server (Win.NET Server), Windows XP, and Windows 2000-based systems. However, you can use the tool to scan remote computers that run Windows NT 4.0 Service Pack 4 (SP4) or later. For more information about MBSA, visit Microsoft's Web site at the first URL below. To download MBSA, visit Microsoft's download Web site at the second URL below.
http://support.microsoft.com/default.aspx?scid=kb;en-us;q320454
http://download.microsoft.com/download/win2000platform/install/1.0/nt5xp/en-us/mbsasetup.msi

After you download the tool, run the mbsasetup.msi file to install MBSA. You can execute the MBSA shortcut from the Start menu to run the tool in graphical mode, or you can type mbsacli.exe at the command prompt. Windows doesn't add the MBSA program to the PATH variable by default, so you must either navigate to the \%programfiles%\microsoft baseline security analyzer folder or add this folder to your PATH statement.

7. ==== NEW AND IMPROVED ====
(contributed by Judy Drennen, products@winnetmag.com)

* VIRUS ENGINES BUNDLED IN EMAIL SECURITY PACKAGE
SOFTWIN announced that its ICSA-certified BitDefender virus engine and Norman Virus Control will ship with GFI's MailSecurity, a new email security package.
GFI MailSecurity runs multiple best-of-breed virus engines simultaneously to ensure maximum protection against virus assaults. GFI MailSecurity is available for the Virus Scanning (VS) API or as an SMTP gateway version. The VS API version integrates seamlessly with Microsoft Exchange Server 2000 and scans the Exchange 2000 Information Stores (ISs). Price includes virus updates for 1 year and free support for 3 months after purchase. Prices start at $295 for 10 mailboxes. Contact GFI at 888-243-4329 or sales@gfi.com.
http://www.gfi.com/mailsecurity

* ENHANCED SECURITY FOR REMOTE CONTROL WITH AES
Vector Networks released PC-Duo 7.0, a remote control PC-management product that includes encryption options ranging from 56-bit Data Encryption Standard (DES) through new Pentagon-driven 256-bit Advanced Encryption Standard (AES). PC-Duo supports Windows XP Server and XP Professional and costs $817.50 per 10-user license. Contact Vector Networks at 800-330-5035 or probinson@vector-networks.co.uk.
http://www.vector-networks.com

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.net/forums

Featured Thread: How Can I Remove a COM1 Folder?
(21 messages in this thread)
Christer writes that he runs an FTP server, and he noticed a COM1 directory within his PUB directory. The COM1 folder contains 600GB of data, but he can't open or delete the folder. When he tries, Windows reports that the directory can't be found. Do you know how he can remove the folder? Read the responses or lend a hand at the following URL:
http://www.secadministrator.com/forums/thread.cfm?thread_id=99095

* HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Email Attachment as an Executable
(One message in this thread)
Dante received a sample of a file as an email attachment, and the file might contain a virus. The file was saved as hammerhart.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}.
When he right-clicks the file, it shows as an HTML application, and the file wants to execute. He wants to know whether anyone knows why a file extension of .{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} is considered an application. Can you help? Read the responses or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0204d&l=howto&p=438

9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark@ntsecurity.net
* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson@winnetmag.com (please mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums
* PRODUCT NEWS -- products@winnetmag.com
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdate@winnetmag.com
* WANT TO SPONSOR SECURITY UPDATE? emedia_opps@winnetmag.com

********************

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.
Copyright 2002, Penton Media, Inc.

From isn at c4i.org Mon May 6 02:30:13 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] 'Deceptive Duo' Strikes Again
Message-ID:

http://www.eweek.com/article/0,3658,s=1884&a=26313,00.asp

By Dennis Fisher
May 3, 2002

The Deceptive Duo, a Web defacement crew that has struck several government and banking sites in the last week, on Thursday defaced a site belonging to Gartner Inc., an IT research firm.
As of 4:45 p.m. EDT Thursday, the site located at http://asiapac.gartner.com/press was still displaying the defacement.

Gartner, based in Stamford, Conn., conducts research and analysis on various segments of the high-tech industry. As such it makes a high-profile, if somewhat odd, target. The Deceptive Duo has until now attacked mainly U.S. government and banking sites as part of a campaign that the pair says is aimed at alerting officials to the inherent vulnerability of the country's IT infrastructure.

In its defacement, the pair mocked the kind of pronouncements that Gartner and other research firms make their living with. "Many recent cyberattacks could have been avoided if enterprises were more focused on their security efforts, but users seem not to learn from their mistakes," reads a line at the top of the site, which is attributed to Richard Mogull, a Gartner research director. The line appears to be taken from a U.K. trade publication that is paraphrasing Mogull's conclusions in a recent research report.

From isn at c4i.org Mon May 6 02:29:41 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] [defaced-commentary] Deceptive Duo in the news again
Message-ID:

---------- Forwarded message ----------
Date: Sun, 5 May 2002 20:59:18 -0400 (EDT)
From: security curmudgeon
To: defaced-commentary@attrition.org
Subject: [defaced-commentary] Deceptive Duo in the news again

Earlier today (May 5, 2002), the defacing group "Deceptive Duo" struck again changing the home page of three gov/mil systems.
Website: asp.navair.navy.mil (198.97.72.28)
Mirror: http://defaced.alldas.org/mirror/2002/05/05/asp.navair.navy.mil/
OS: Windows

Website: www.export.gov (170.110.104.25)
Mirror: http://defaced.alldas.org/mirror/2002/05/05/www.export.gov/
OS: Windows

Website: www.fhfb.gov (204.94.175.5)
Mirror: http://defaced.alldas.org/mirror/2002/05/05/www.fhfb.gov/
OS: Windows

Despite only defacing 9 machines (5 .gov, 2 .mil, 2 .com), they have received media attention because of their "objective" and "mission". From one of their defacements:

Objective: Alert all National Security threats. Specifically the critical infrastructures (government agencies, banks, environmental system controls, airport/airlines, corporations) within The United States of America

Mission Outline: Locate and scan critical cyber-components of The United States of America for vulnerabilities creating a foreign threat, while remaining undetected. Once located, publicly inform those who deserve to know the extent of incompetence that lies between foreign lines and the United States Administration.

While this sounds noble, one has to wonder if they are sincere about their desire, or if this is nothing more than a means for publicity. If they are sincere about improving the security of the national infrastructure, several questions come to mind.

* With the recent events of 9-11, the FBI is overtasked with tracking down leads related to terrorists and potential threats. How is taking federal agents off those tasks to investigate domestic computer crime helping?

* If they are so interested in improving security, why are their targets only Windows machines? Defacing a single type of operating system typically points to script kiddies who are abusing the latest vulnerability, not people competent at computer security.

* Why are they exposing personal information such as home phone numbers and addresses of people affiliated with the sites?
These are not people that are responsible for the security of the systems being compromised. Sharing this personal information with a recognized journalist would serve the same purpose and protect their personal information.

So far, these defacements don't seem to show a real concern for national security. Media attention seems to be a higher priority.

--

Deceptive Duo defacements:
http://defaced.alldas.org/?attacker=The+Deceptive+Duo

FAA Confirms Hack Attack
By Kevin Poulsen, Apr 25 2002 4:52PM
http://online.securityfocus.com/news/378

Computerworld > News > Saturday, 4 May, 2002
Hacker duo say they hack for sake of national security
"We must take drastic means for them to take this seriously"
Linda Rosencrance, FRAMINGHAM
http://www.computerworld.com/securitytopics/security/story/1,10801,70728,00.html

- The information and commentary is Copyright 2002, by the individual author. Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org is credited. The opinions expressed in this mail are not necessarily the opinion of all Attrition staff members.

Commentary Archive: http://www.attrition.org/security/commentary/
The Attrition Mirror: http://www.attrition.org/mirror/attrition/
Country/TLD Statistics: http://www.attrition.org/mirror/attrition/country.html
Attrition Defacement Statistics: http://www.attrition.org/mirror/attrition/stats.html
Operating System Graphs: http://www.attrition.org/mirror/attrition/os-graphs.html
Other Web Defacement Mailing Lists: http://www.attrition.org/security/lists.html
Contacting Attrition Staff: staff@attrition.org

To subscribe to Defaced Commentary, send mail to majordomo@attrition.org with "subscribe defaced-commentary" in the BODY of the mail (without quotes). To unsubscribe, include "unsubscribe defaced-commentary" in the BODY of the mail.
From isn at c4i.org Mon May 6 02:29:57 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] AIM vulnerability resurfaces
Message-ID:

http://news.com.com/2100-1040-899411.html?tag=fd_top

By Robert Lemos
Staff Writer, CNET News.com
May 5, 2002, 9:00 PM PT

AOL Time Warner failed to properly fix a security hole in its AOL Instant Messenger application, leaving its users vulnerable to a new way to exploit the same flaw, a security researcher said this weekend.

The current incarnation of the bug could have been just as dangerous as the previous version, publicized in January, allowing malicious AIM users the ability to execute any program on a vulnerable user's computer, said Matt Conover, a hacker with a security research group known as "w00w00."

"This is almost identical to the problem we found originally, and that's saddening," he said. "By using a slightly different method, we are able to get around the filtering they used to protect against the last flaw."

Last time, the error occurred in how the "add game" command handled a request from another user. This time, the error occurs when a malicious AIM user sends an overly long "add external application" command to another user. Known as a buffer overflow, the error allows an attacker to execute a program on the victim's computer.

After being notified by w00w00, AOL Time Warner fixed the problem by, again, applying a filter to its instant messaging servers, said Conover. Because the fix can be done to AOL's own machines, the protection is immediate, he added.

Attempts to confirm the fix Sunday with an AOL Time Warner representative were unsuccessful, however.
While Conover said AOL responded quickly to the flaw this time, the group still had to use private contacts formed during the last security incident; AOL Time Warner still does not publish a central security contact for its software.

"There is still no way to publicly contact them, which means that they haven't learned anything from the last incident," he said.

Moreover, while AOL Time Warner's fix prevents the current hole from being used to attack another user or to spread worms or viruses through instant message chats, Conover worries that an online vandal may find another method that could also elude AOL's fix.

"I definitely don't think they did enough to secure the IM client," he said. "They responded quickly to this instance of the flaw, but if they stop there, I think they are being lazy."

Because AOL Time Warner fixed only a specific instance of the flaw rather than the network security problems that lead to the vulnerability, the company could see a third strike against its instant messaging client, he said.

"All the code that requests one user to add something from another user needs to be looked at," he said.

The statement echoes another that the w00w00 security team made in its January 1 advisory for the original flaw. "This may be more generic and exploitable through other means, but AOL has not released enough information about their protocol for us to be able to determine that," the group warned.

Until AOL has taken its security to heart, Conover said he believes instant messenger users should think about moving to a new software provider.

"We recommend that people use an IM provider that has a means to deal with security issues, because--right now--AOL doesn't," he said.
From isn at c4i.org Sun May 5 00:00:44 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] Best Buy hit by WLAN snooping
Message-ID:

http://www.theinquirer.net/02050207.htm

By Mike Magee, 02/05/2002 09:02:29 BST

US RETAIL FIRM Best Buy was forced to close its wireless network yesterday after people were able to snoop on transactions by using easy-to-obtain software running in laptops in parking lots.

Best Buy uses wireless technology to transfer data from cash tills to central computers in their shops, but people are easily able to grab packets containing all sorts of confidential data including credit card details by tuning into the wireless waves.

One hacker on a board said that he had fired up Kismet outside a shop last week and bought a unit with his own credit card to see what info was transmitted. He said that when he searched the logs he saw SQL queries and table headers in his log including his own credit card number.

He tried a number of other Best Buy stores and his software was able to pick up lots of other transactions from customers flying on the airwaves.

WLANs are notoriously insecure, although safeguards can be built into them. Because the technology is comparatively cheap and also fast, it has been touted as an ideal solution for large businesses wanting to save money on their IT infrastructure.

At this year's Intel Developer Forum, the firm was dishing out loaned WLAN cards to the world's foremost journalists, many of whom were happily typing their stories and sending their emails under the protective cone of a Chipzilla hotspot. We wondered if this was necessarily a good idea at the time.

Top datacomms journalist Tony Dennis said that when Intel did a similar thing at last year's Developer Forum, he noticed that the system was inherently insecure.

Oops...
From isn at c4i.org Mon May 6 02:27:15 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] Biometric Security Not Ready to Replace Passwords
Message-ID:

http://www.newsbytes.com/news/02/176325.html

By Carlos A Soto, Government Computer News
WASHINGTON, D.C., U.S.A., 02 May 2002, 2:05 PM CST

Biometrics vendors are doing their best to supplant passwords as the chief form of computer security, but Government Computer News Lab tests indicate that many of their products are not quite ready. Some developers have continued to improve already good devices, but others need to go back to the drawing board.

Bad biometric security is worse than no security at all because it can lock out a legitimate user, admit an interloper or - perhaps most dangerous - lull a network administrator into a false sense of safety.

For this review we examined six fingerprint-recognition devices and one voice-recognition device. A word of caution: An administrator cannot deploy large numbers of any of those fingerprint devices without third-party administrative software.

This year, to test the efficiency of multiple biometrics products on the same computer system, we used the Saf 2000 software suite from SafLink Corp. of Bellevue, Wash. Saf 2000, priced at $49.95 per client, lets the administrator manage multiple biometric devices on a network.

I created four accounts on a 1-gigahertz Pentium 4 PC running Microsoft Windows 2000. With the easy-to-use Saf 2000 administrative software, I enrolled a different trait for each account.

L&H Speech Verification software from Lernout & Hauspie Speech Products USA Inc. came bundled with the SafLink suite and was by far the weakest link in this review. It was so sensitive to ambient sounds that it sometimes wouldn't let me log in if the air conditioning wasn't on as it had been during enrollment.

I had to enroll three times before the software was satisfied with its template of my voice.
Each enrollment required saying "my voice is my password" three times, as in the movie "Sneakers." So I had to say the phrase nine times to get a good template.

The software made an X-Y graph of my speech patterns, pronunciation and speed. It calculated a mean of these points and converted the pattern into a template for identification. Even so, it couldn't recognize me when I had a cold or spoke too quickly or slowly.

Although the software was user-friendly, it demanded perfect conditions and lots of patience, just as face recognition does.

Every biometric device forces a user to standardize the entry of the trait that is being recognized. After a time, logging in on the device becomes second nature, like typing a familiar password. But although I've tested voice recognition in the past and used it intensively for a month for this review, I still dreaded logging in each morning.

Most of Lernout & Hauspie has been acquired by ScanSoft Inc. of Peabody, Mass., and what remains is having financial difficulties. Neither L&H nor ScanSoft any longer supports the speech-verification software in the SafLink bundle, which SafLink originally licensed from L&H.

The SecuGen Mouse from SecuGen Corp. of Milpitas, Calif., also came bundled with the Saf 2000 software. It was the only biometric mouse in the review that connected to the test PC via a combined parallel port and PS/2 cable. SecuGen sells other mice that connect to a universal-serial-bus port.

The $119 parallel-port model used a track and ball, not optical tracking, but it had a fast, embedded optical chip for fingerprint recognition. The optical sensor, which recorded a thumbprint only, was on the left side of the device. To enroll other prints, the user would have to pick up the mouse.

SecuGen curved the top of the mouse leftward to make placing the thumbprint more natural. That would inconvenience left-handed users. Despite those minor design flaws, the SecuGen mouse did its job well.
It never failed at log-in, and I could not get around its security.

Like the SecuGen mouse, the ergonomic U-Match Mouse from BioLink Technologies International Inc. used an optical sensor to pick up fingerprints. Because the U-Match mouse was larger than the SecuGen, as well as ergonomically shaped, the fingerprint plate at the left side was clumsier to use.

The U-Match had USB connectivity and a scroll wheel. Also, the oxidation and erosion of paint by finger moisture we observed when we reviewed the U-Match a year ago were no longer a problem.

We wish the U-Match were optical instead of track and ball; optical innards don't require cleaning and operate more smoothly. But the U-Match seemed too bulky and heavy to glide smoothly even if it were optical.

The ID Mouse from Siemens AG used a small, more sophisticated silicon chip to identify fingerprints. It was the only optical laser mouse in the review, and it cost $119. For those reasons, and its USB connection, our Reviewer's Choice and Bang for the Buck designations went to the ID Mouse.

Siemens smartly placed the ambidextrous fingerprint sensor at the center of the device so that a user could enroll any finger comfortably.

The Microsoft Windows XP operating system has been out for more than six months, and you'd think every biometric product would now be XP-compatible. But only two of our fingerprint devices had drivers for XP when we started reviewing biometric devices in February.

Only one of those products had XP-compatible software and was XP-certified: the $130 DFR-200 BioTouch USB fingerprint reader with BioLogon 3 software from Identix Inc. These products were also the easiest to set up and use.

The BioTouch USB reader with BioLogon 3 connected at least a minute faster than serial-port devices, which sometimes required rebooting twice. BioTouch installation took just one reboot.

Because the BioTouch USB had an optical sensor for fingerprints, it was bulkier than a silicon-chip device.
It also had an awkward arrangement for placing a finger on the optical sensor. The BioLogon 3 software converted that data into a log-in algorithm, stored on a server or desktop PC.

Users wary of identity theft are increasingly reluctant to put a fingerprint credential on a networked system that could be hacked. Sony Electronics Inc. and a Swedish company, Precise Biometrics, have an answer. Their fingerprint-recognition devices keep the print data in the devices themselves, not on a server or PC, and they have added other security enhancements.

Last year we looked at Precise Biometrics's 100 SC. This year, the new USB-connected Precise 100 MC surpassed our expectations, earning a Reviewer's Choice designation.

The Precise 100 MC received an A-minus grade for better speed and ease of use in a streamlined hardware design. The 100 MC design abandoned the SC line's silicon sensor, from Veridicom Inc. of Sunnyvale, Calif., in favor of a smaller chip from AuthenTec Inc. of Melbourne, Fla.

Another improvement to the $200 Precise 100 MC was the addition of a $10 smart-card token with an 8-MHz mini-processor running Java. Although XP drivers are ready for the MC, the suite isn't yet XP-compatible.

Sony Electronics focused on hardware with the FIU-710 Puppy. Known for sleek designs, Sony did a good job of making the $200 USB unit light and easy to handle. The Puppy, which performs the functions of fingerprint reader and smart card, is far smaller and thinner than the Precise 100 MC.

Sony manufactured the silicon chip, which performed in our tests perhaps a tenth of a second faster than the speedy 100 MC. It also seemed more durable thanks to a metal sensor cover that retracted when a finger slid onto the chip. The Secure Suite software bundled with the Puppy was easier to install and set up than the Precise suite.
From isn at c4i.org Mon May 6 02:27:38 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] CERT running security pilots
Message-ID:

http://www.fcw.com/fcw/articles/2002/0429/web-info-05-03-02.asp

By Dan Caterinicchia
May 3, 2002

The CERT Coordination Center at Pennsylvania's Carnegie Mellon University has developed two unique pilot programs designed to bolster the information assurance capabilities of government agencies.

The number and sophistication of cyberattacks against U.S. government systems have increased in recent years, but the refinement of the individuals initiating them has decreased, which makes it even more difficult for agencies to differentiate a high school hacker from an extended, coordinated intrusion attempt, said John McHugh, senior member of the technical staff at the CERT Coordination Center (CCC) at Carnegie Mellon.

Speaking May 2 at an Armed Forces Communications and Electronics Association information technology conference in Quantico, Va., McHugh said the basic idea is to make sure that cyber intruders can't take out all the systems all the time since "survivability is the mission-centric notion of information assurance."

To help agencies improve their defenses, the CCC is working on the Automated Incident Response (AirCERT) program, a data collection and coordination exercise that uses statistical methods to detect emerging threat patterns.

AirCERT uses an open source infrastructure to automatically gather and report security incidents from CCC client Internet sites that agree to have that information inspected, McHugh said. The goal is to "reduce the burden on security analysts by automatically handling well-understood attacks," he said.

The CCC has completed an AirCERT proof-of-concept prototype and is testing the program with members of the Internet community.
The CCC also is working with a defense agency -- which McHugh would not name because of security concerns -- on another program that uses raw data to identify routing anomalies and back doors into a network.

The NetFlow system collects enormous amounts of unbiased data and analyzes it in "chunks at a time" to help establish "traffic baselines" and detect potentially nefarious activity as deviations from the baselines, McHugh said.

The CCC is working with the defense agency on a detailed analysis of its daily traffic and hopes to use real-time data in the future, he said, adding that agencies and companies that use Cisco Systems Inc. routers can do this type of analysis.

"This is a capability in most Cisco routers, and anyone who wants to can collect this data," McHugh told Federal Computer Week. "We're working with a large government client to develop tools to [enable them to] analyze it themselves."

From isn at c4i.org Sun May 5 00:00:30 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] Competition to "reverse engineer" mystery program
Message-ID:

http://www.newscientist.com/news/news.jsp?id=ns99992250

Will Knight
17:21 03 May 02
NewScientist.com news service

Programmers the world over will next week have the chance to "reverse engineer" a mysterious and malicious computer program. They must determine its intentions and test their programming skills.

The idea is to simulate the crises network administrators face whenever a rogue program, also known as a Trojan or zombie, is uploaded into a computer system by an intruder. These programs are designed to capture passwords or probe the system for further weaknesses on the intruder's behalf. An administrator must work out what the program does, but without seeing the source code used to build it.

"In specific cases, you may encounter something you don't recognise," says Job de Haas, managing director of Dutch company ITSX Security, and one of the competition's judges. "It is important that you can get a feeling for the extent of the compromise and how serious it is."

Back to the source

The program will be released next week at the link below, but no further information will be provided, not even the language it was written in. Competitors must not only determine the purpose of the program but also figure out ways it could be stopped in its tracks. They will even be asked to guess what kind of person wrote the program. A panel of judges will mark all the entries.

The Reverse Challenge is the brainchild of a consortium of computer researchers from different companies and universities known as the Honeypot Project.

Reverse engineering involves effectively going backwards through the process of building a computer program. Some programming tools will help with this task but, says De Haas, the process also requires good programming skills.

"It's been a very secluded skill that has become more and more mainstream," he says. "An explosion of these [hacking] tools will make this a very needed skill for people in this field."

Ian Brown, a computer security researcher at University College London, says this skill is useful for combating all sorts of malicious programs, including computer viruses and worms. "When a new virus, Trojan or zombie is discovered in the wild, its mode of operation, and hence how to defeat it, can be derived without the need for its source code," he explains.

But programmers will be competing for more than just kudos. They can win computer security books and entry to the Black Hat Briefings, a US computer security conference.

The Honeypot Project has in the past organised competitions requiring competitors to analyse a computer system after a simulated break-in.
From isn at c4i.org Sat May 4 06:18:13 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] Confessions of an Error-Filled Tome
Message-ID:

[This was grabbed from another list I'm on, I should also mention that we're currently reading Mr. Verton's book and expect to have a full review in the near future. - WK]

---------- Forwarded message ----------
Date: Thu, 2 May 2002 14:10:58 -0400 (EDT)
From: Jason Scott
To: intel0202@yahoo.com
Cc: dc-stuff@treachery.net, jericho@attrition.org, veggie@gothic.net
Subject: Confessions of an Error-Filled Tome

Mr. Verton:

As a researcher working on a historical documentary and a collector of what some would call "hacker history", I am often told about interesting or relevant books and articles that come out. I was directed to your book by an incredulous IRC denizen who was crowing about the numerous errors in your book, errors that even an "outsider" shouldn't have missed.

I wanted to see for myself, and purchased a copy (used) of "Confessions of Teenage Hackers (2002)". The tipster was correct; your book suffers, even on a cursory glance, from glaring errors. I figured you have high hopes of a second edition being printed, so I wanted to pass them along to you. Keep in mind that these are just from a cursory glance; I've not had the opportunity to read the book cover to cover.

--------------------------------

Page 196: "A nationwide hacker crackdown nabs teenage members of the notorious hacking groups known as the Masters of Deception (MOD) and the Legion of Doom (LOD). The teen hackers are responsible for the famous Martin Luther King, jr. Day crash of the AT&T long-distance telephone network. The hackers would be indicted in 1992."

..this is false.
The Martin Luther Day crash of 1990 was caused by a bug in the AT&T switching software (often reported as a "wrong BREAK statement in the C code"; analysis of the software bug in question is out on the internet), which caused a cascading failure and the outage. No hackers were at all involved.

Transcription of AT&T Report on the Bug:
http://www.infowar.com/iwftp/risks/Risks-9/risks-9.63.txt

Lumping MOD and LOD together as some sort of super-team causing this crash is an additional error; I was not privy to exact member politics, but it's generally known and reported elsewhere that the two groups were not fond of each other, and regardless, none of them were involved in the crash.

What DID happen is that members of MOD were raided shortly after the crash occurred, very likely the result of turned-up heat from authorities trying to show results for a major infrastructure loss. In March, Eric Bloodaxe and The Mentor (both of LOD) also were raided, along with a number of other folks, as part of a continued effort by the FBI. In all cases, the crimes they were ultimately accused of (and for some indicted on) were not related to the AT&T crash.

What bothers me here is the use of the phrase "hacker crackdown", which is the title of the Bruce Sterling book that makes the entire situation of blaming hackers on a problem they didn't cause its central thesis! That is, you mention the title of the book and get the facts wrong entirely and completely when they're recounted within the first chapter. I'm of the opinion you didn't actually read it.

From the hazy vantage point of a decade, I could understand some minor slip-ups, but this entire situation was researched and written about perfectly by another author. You are perpetuating a myth, a myth easily researched and dismissed.

---------------------------------------
---------------------------------------

Page 203: Your bibliography/listing of Hacking-related articles begins in 1994. That is fundamentally disturbing.
I have to assume this is the extent of your research outside of web page listings, and if so, you're working with a lopsided, heavily sensationalistic bombardment of fearmongering. Most of the coverage of "defacements" attaches an extreme amount of weight to the process, when it mostly consists of the modification of text and image documents on an often unrelated server, separated from the actual day-to-day functioning of a government or corporate entity.

Once the Internet became a "hot topic" in 1995 with the advent of Netscape and AOL/Microsoft forays into it, desperate media outlets, lacking in solid information, grabbed onto any subject they could, and defacements received a foolish amount of coverage. Your bibliography indicates you have bought into it completely.

--------------------------------------
--------------------------------------

Page 207: "John Vranesevich - www.antionline.com/jp - The website of the founder of the hacking Web site AntiOnline.com, thought to be one of the best hackers in the world."

Goodness, by who? Certainly by Mr. Vranesevich and yourself, I suppose. This isn't my fight, but I find your classification of him particularly ironic since you thank Jericho of Attrition for assistance with defacement history, and somehow neglect his many months of research into Vranesevich as a charlatan:
http://www.attrition.org/negation/

-------------------------------------
-------------------------------------

Page 208: "Cult of the Dead Cow (now @Stake) - www.l0pht.com - The Cult of the Dead Cow (cDc) is best known as the group that authored and distributed Back Orifice, an open-source software product that allows a hacker to take over a remote computer. However, the group has since gone legitimate under the auspices of @Stake, a security consulting firm. That's there you'll end up with this link."

I'm completely confused where you got this information.
L0PHT was a group of Boston-based hackers and technical folks who had a permanent space rented in downtown Boston and later outside Boston, hence, a loft (l0pht). Many folks visited them and were friends and associates, including members of the Chaos Computer Club and the Cult of the Dead Cow. But to combine them like they were all the same people... that's just bizarre.

The Cult of the Dead Cow was a textfile writing group founded in Lubbock, TX in 1984. They released writings on BBSes and later the Internet, well into the present day, and still have occasional releases. They gained the attention of the media in the early 1990's, and delighted in being called upon for media interviews, many of which they used for their own purposes. In the mid 1990's, they started releasing programs, including the much-touted Back Orifice tools, and gained notoriety for that as well. Currently, they are affiliated with a movement called Hacktivismo, which calls upon hackers to use their efforts to better the world for freedom and human rights. This is a positive thing, so I understand why you would be unaware of it.

The L0pht gained notoriety for their programs from the start, releasing exploits and programs to show flaws in Windows and other commercial products. They were acquired by @Stake and dropped the l0pht name some time afterwards, although the name still appears in various locations, more as a hint or a reminiscence than anything else.

This is also an ironic mistake, as no two groups have earned as much airtime and column space as these two in the second half of the 1990s, which falls smack into your obvious area of focus. To combine them points to incompetency.

-----------------------------------------

This was minimal effort to find these mistakes. If you intend to correct them in a second edition, please let me know and I will send you more. If you are not interested and have already turned your efforts to other mistake-ridden tomes, I will bother you no further.
- Jason Scott TEXTFILES.COM - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Mon May 6 02:30:27 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:07 2008 Subject: [ISN] Cyber Crime Crisis Looms in Zimbabwe Message-ID: http://allafrica.com/stories/200205030157.html Financial Gazette (Harare) May 3, 2002 Posted to the web May 3, 2002 Joseph Ngwawi Business News Editor IMAGINE your bank statement being transmitted spontaneously via electronic mail to millions of individuals and companies across the world because a virus has attacked the bank's computer system. Chris Wilson - this is not his real name - says he once received e-mail messages containing information on financial statements of customers of a local commercial bank. The above example is just the tip of the iceberg on how susceptible the computer system could be to hackers and how incidents such as these aid the new global fad of cyber crime. Computer experts say at least one computer network in Zimbabwe is attacked by hackers every 30 minutes and that the local private sector is sitting on a time bomb amid fears cyber security is not accorded the top priority that it deserves. Although actual figures on the financial losses incurred by local firms and organisations due to cyber crime are not documented, Zimbabwe has not been spared some of the dangers of the new information age. In the United States, the financial losses due to cyber crime are estimated at more than US$450 million a year. According to computer experts, the Internet connection is the most frequent point of attack. The laxity of information security policies in the country just makes this worse. Computer experts say almost all computer systems in the country have been violated in one way or another in the past year, resulting in billions of dollars worth of financial losses. 
In just two of these cases, separate Harare-based companies lost millions of dollars due to the sophisticated manipulation of the accounting systems by their workers who colluded with some outsiders. Other losses have occurred through theft of proprietary information, which is later used by a company's competitors. But David Behr, head of one of the country's leading Internet service providers, Zimbabwe Online, says no cases of industrial espionage have been recorded yet in Zimbabwe, adding that the main culprits are usually the so-called "script kiddies" who spend most of their time surfing at Internet cafes. "The main culprits are not the government or the corporates but these are usually fairly young people, probably male with a lot of time on their hands," Behr said. The script kiddies are usually able to break into an organisation's personal files and use or alter the information. Harare-based computer expert John Sheppard said the situation was compounded by the absence of sound information security systems at most Zimbabwean firms, which increased the chances of them falling prey to cyber criminals. He noted that the bulk of Zimbabwe's computer networks were not properly protected against viruses, one of the means by which hackers and other people could sabotage an organisation's database. He said it was possible for sensitive information to be transmitted to other people whenever a company's or bank's computer system is attacked by a virus. "Many outbreaks such as the outbreak of a variant of the Klez virus that hit the country recently are totally controllable by a combination of virus education, intelligent virus and general security protection and by ensuring that programmes such as Outlook Express and Internet are patched and updated to current patch levels," Sheppard said. The Klez virus hit Zimbabwe's Internet industry two weeks ago, completely shutting out more than 75 percent of the country's companies and individuals from the rest of the world. 
The virus affected access to the Internet by most companies and deleted their files or documents, sending a warning signal that Zimbabwe, as part of the global information village, must get its act together or suffer major losses soon. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Sat May 4 06:15:08 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:07 2008 Subject: [ISN] FAA hacked by patriots Message-ID: Forwarded from: Drew Williams Good article by Kevin on the FAA getting hacked. I hope the FAA realizes its vulnerabilities stem far beyond those of a couple of kids and some passenger screening protocols. Last year some of our Security folks (from a major IT Security company for whom I work), visited the FAA and discussed the simple problems of viruses, and how they could corrupt those very servers that control the flight patterns. Because of pricing-per-server, the FAA employs a very cheap and hardly reliable brand of anti-virus technology, which has been documented as not even close to a top-five contender. This worries a lot of people--especially those of us in IT security who have to fly every week. I hope the FAA will make some changes in how they view their infrastructure--not just how they look at little old ladies getting "randomly" screened at the gates. --- InfoSec News wrote: > http://www.theregister.co.uk/content/55/25029.html > > By Kevin Poulsen, SecurityFocus Online > Posted: 26/04/2002 at 06:54 GMT > > Hackers were able to penetrate a Federal Aviation Administration > system earlier this week and download unpublished information on > airport passenger screening activities, federal officials confirmed > Thursday. 
> > Styling themselves "The Deceptive Duo," the hackers on Wednesday > publicly defaced an FAA server used by what was the administration's > Civil Aviation Security organization, which until recently was > responsible for supervising passenger screening at U.S. airports. > There, the intruders posted a mission statement vowing to expose > America's poor state of cyber security for the good of the nation. [...] - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Sat May 4 06:22:24 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:07 2008 Subject: [ISN] Gartner: Attacks exploit user security indifference Message-ID: http://www.nwfusion.com/news/2002/0502gartnersec.html By David Legard IDG News Service, 05/02/02

The vast majority of successful attacks on computer systems exploit security weaknesses which are well known and for which patches exist, according to research company Gartner. Many recent cyberattacks could have been avoided if enterprises were more focused on their security efforts, but users seem not to learn from their mistakes, according to Richard Mogull [cq], research director for Gartner. Patches were available to protect systems against the Code Red virus, but had generally not been deployed, Mogull said. Worse, the Nimda virus exploited exactly the same weakness a few months later and was still able to cause havoc around the world. Combined losses from the two incidents are estimated at running into billions of dollars, largely due to user indifference, according to Mogull.

According to Gartner, the five top vulnerabilities to cyberattacks include:

* Lack of risk management integration.
* Security not integrated into projects.
* Poor governance and culture.
* Weak security of suppliers and partners.
* No benchmarking on spending and value of security projects.

To counter these vulnerabilities, users should take steps including:

* Increasing the enterprise's overall security posture.
* Developing an internal response plan and aggressively monitoring Internet activity on all systems, especially firewall and intrusion detection logs.
* Evaluating established security plans in light of recent events, and updating as needed.
* Forming a cyberincident response team or contracting with an external provider to evaluate systems.

Through 2005, 90% of cyberattacks will continue to exploit known security flaws for which a patch is available or a preventive measure known, Gartner said. During that time, 20% of enterprises will experience a serious Internet security incident - defined as one which is more than a virus attack. Of companies suffering incidents, the cleanup costs of the incident will exceed the prevention costs by 50%, Gartner said.

- ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Mon May 6 02:28:47 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:07 2008 Subject: [ISN] LEA 2002 Workshop on the Law of Electronic Agents Message-ID: Forwarded from: Pierluigi Perri Call for papers On 13 July 2002 Bologna will host LEA 2002, the first international workshop on software agents and the law, organised by CIRSFID as an event connected to the international conference AAMAS (Autonomous Agents and Multiagent System) All information on the LEA workshop is available at the url http://www.cirfid.unibo.it/~lea-02/, with indications on the topics, the invited speakers, registration, etc. It is possible to submit papers to the Scientific Committee until 15 May, 2002. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail.
From isn at c4i.org Sat May 4 06:20:17 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:07 2008 Subject: [ISN] Linux Advisory Watch - May 3rd 2002 Message-ID:

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  May 3rd, 2002                            Volume 3, Number 18a |
+----------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com), Benjamin Thomas (ben@linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for fileutils, imlib, sudo, webalizer, openssh, squid, docbook, modpython, nautilus, and radiusd-cistron. The vendors include Caldera, Conectiva, EnGarde, Red Hat, SuSE, and Trustix.

* FREE Apache SSL Guide from Thawte *
Are you worried about your web server security? Click here to get a FREE Thawte Apache SSL Guide and find the answers to all your Apache SSL security needs.
--> http://www.gothawte.com/rd248.html

** Build Complete Internet Presence Quickly and Securely! **
EnGarde Secure Linux has everything necessary to create thousands of virtual Web sites, manage e-mail, DNS, firewalling, and database functions for an entire organization, all using a secure Web-based front-end. Engineered to be secure and easy to use! Don't jeopardize your organization with an off-the-shelf Linux!
--> http://www.guardiandigital.com/promo/ls150402.html

+---------------------------------+
|  fileutils                      | ----------------------------//
+---------------------------------+

A race condition in various utilities from the GNU fileutils package may cause a root user to delete the whole filesystem.
Caldera:
  ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS
  fileutils-4.1-4.i386.rpm  f10c905587b4221fc794cefaf262e9ee

Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-2045.html

+---------------------------------+
|  imlib                          | ----------------------------//
+---------------------------------+

Imlib versions prior to 1.9.13 would fall back to loading images via the NetPBM package. NetPBM has various problems itself that make it unsuitable for loading untrusted images. This may allow attackers to construct images that, when loaded by a viewer using Imlib, could cause crashes or potentially, the execution of arbitrary code.

Caldera:
  ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS
  imlib-1.9.14-1.i386.rpm        56ed4f4cdf53abc39ba462021496314b
  imlib-devel-1.9.14-1.i386.rpm  743951ea75a12121f6696a57a6a4d091

Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-2047.html

+---------------------------------+
|  sudo                           | ----------------------------//
+---------------------------------+

Global InterSec published[3] an advisory about a memory heap corruption vulnerability[2] in sudo. This vulnerability could possibly be used by local attackers to obtain root privileges. Sudo allows users to specify the password prompt they receive. This prompt can contain macros (such as %h) that will be expanded by sudo. Sudo can be tricked into allocating the wrong amount of memory for this prompt.
Conectiva:
  ftp://atualizacoes.conectiva.com.br/8/RPMS/
  sudo-1.6.6-1U8_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/
  sudo-doc-1.6.6-1U8_1cl.i386.rpm

Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2037.html

EnGarde:
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
  i386/sudo-1.6.4-1.0.7.i386.rpm  MD5 Sum: 0ecafa8dd05315772afa7e77f7089d69
  i686/sudo-1.6.4-1.0.7.i686.rpm  MD5 Sum: a267c880a9e0093e4e13d140898756cc

EnGarde Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2040.html

Trustix:
  ftp://ftp.trustix.net/pub/Trustix/updates/
  /1.5/RPMS/sudo-1.6.6-1tr.i586.rpm  0bb2e55703b06a958ff2016c8f639636

Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2042.html

Slackware 8.0:
  ftp://ftp.slackware.com/pub/slackware/slackware-8.0/
  patches/packages/sudo.tgz  d0598233fefeb9d37450eec10a087e07

Slackware Vendor Advisory:
  http://www.linuxsecurity.com/advisories/slackware_advisory-2036.html

SuSE-8.0:
  ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap1/
  sudo-1.6.5p2-79.i386.rpm  b54f68ff4b32f9d920f2f1ff887d1ddc

SuSE Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-2046.html

+---------------------------------+
|  webalizer                      | ----------------------------//
+---------------------------------+

Spybreak reported[2] a buffer overflow vulnerability[3] in the DNS resolver code. This flaw could possibly be exploited by a remote attacker in control of a DNS server which would be queried by the webalizer program. Webalizer in Conectiva Linux is not executed by default, it is necessary for the user to configure and enable a cron job for it to run.
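The webalizer entry above and the squid entry later in this issue share a root cause: code that parses DNS replies trusts the length fields and compression pointers supplied by whatever server answered. The following is an added example, not code from webalizer, squid or any vendor named here, of a bounds-checked RFC 1035 name decoder that refuses truncated labels, pointers that run forward or off the end of the message, and pointer loops. The DNS reply and the hostile fragments it is run against are constructed for this example; the hop limit of 16 is an assumption chosen here, not a value from the page.

```c
/*
 * Added example, not code from squid, webalizer or any vendor above:
 * a bounds-checked decoder for RFC 1035 domain names, including the
 * compression pointers (label bytes whose top two bits are 11) that a
 * hostile DNS server can abuse. Every read is checked against the
 * message length, pointers may only refer backwards, and the number of
 * pointer hops is capped (assumed value) so a looping reply cannot hang
 * or crash the parser. The sample reply and fragments are constructed.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define DNS_MAX_NAME  255   /* buffer size for a decoded, dotted name */
#define DNS_MAX_LABEL 63    /* RFC 1035 limit on one label */
#define DNS_MAX_HOPS  16    /* longer pointer chains are treated as hostile */

/* Decode the name at msg[off] into out as dotted text. Returns the offset
 * just past the name's first (outermost) encoding, or -1 if malformed. */
int dns_decode_name(const uint8_t *msg, size_t msglen, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, outpos = 0;
    int hops = 0;
    long next = -1;      /* offset after the name in the outer stream */

    if (outlen < 2) return -1;
    out[0] = '\0';
    for (;;) {
        if (pos >= msglen) return -1;                  /* length byte past end */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                    /* compression pointer */
            if (pos + 1 >= msglen) return -1;          /* pointer truncated */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (next < 0) next = (long)(pos + 2);
            if (target >= pos) return -1;              /* forward or self pointer */
            if (++hops > DNS_MAX_HOPS) return -1;      /* label/pointer/label... loop */
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                     /* 01 and 10 prefixes reserved */
        if (len == 0) {                                /* root label ends the name */
            if (next < 0) next = (long)(pos + 1);
            if (outpos == 0) out[outpos++] = '.';      /* the root itself */
            out[outpos] = '\0';
            return (int)next;
        }
        if (len > DNS_MAX_LABEL) return -1;
        if (pos + 1 + len > msglen) return -1;         /* label runs past message */
        if (outpos + len + 1 >= outlen) return -1;     /* would overflow out */
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, len);
        outpos += len;
        pos += 1 + len;
    }
}

/* Constructed reply: header, question "www.example.com", then two
 * answer-style names that reuse it through compression pointers. */
static const uint8_t sample_reply[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, /* offset 12 */
    0x00, 0x01, 0x00, 0x01,                   /* QTYPE A, QCLASS IN, offset 29 */
    0xC0, 0x0C,                               /* offset 33: pointer to offset 12 */
    4, 'm', 'a', 'i', 'l', 0xC0, 0x10         /* offset 35: "mail" + pointer to 16 */
};
static const uint8_t self_loop[]       = { 0xC0, 0x00 };         /* points at itself */
static const uint8_t forward_ptr[]     = { 0xC0, 0x10 };         /* points past the end */
static const uint8_t mutual_loop[]     = { 1, 'a', 0xC0, 0x00 }; /* label, then back to it */
static const uint8_t truncated_label[] = { 10, 'a', 'b', 'c' };  /* claims 10 bytes, has 3 */

/* Runs the decoder over every sample; returns 1 when each behaves as
 * its comment says, 0 otherwise. */
int dns_decode_selftest(void)
{
    char name[DNS_MAX_NAME + 1];
    if (dns_decode_name(sample_reply, sizeof sample_reply, 12, name, sizeof name) != 29 ||
        strcmp(name, "www.example.com") != 0) return 0;
    if (dns_decode_name(sample_reply, sizeof sample_reply, 33, name, sizeof name) != 35 ||
        strcmp(name, "www.example.com") != 0) return 0;
    if (dns_decode_name(sample_reply, sizeof sample_reply, 35, name, sizeof name) != 42 ||
        strcmp(name, "mail.example.com") != 0) return 0;
    if (dns_decode_name(self_loop, sizeof self_loop, 0, name, sizeof name) != -1) return 0;
    if (dns_decode_name(forward_ptr, sizeof forward_ptr, 0, name, sizeof name) != -1) return 0;
    if (dns_decode_name(mutual_loop, sizeof mutual_loop, 0, name, sizeof name) != -1) return 0;
    if (dns_decode_name(truncated_label, sizeof truncated_label, 0, name, sizeof name) != -1) return 0;
    return 1;
}

int main(void)
{
    int ok = dns_decode_selftest();
    printf("dns_decode_selftest: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The backward-only rule on pointers is what RFC 1035 intends but does not enforce for you; the hop cap is still needed because a pointer may legitimately jump back to a label that is itself followed by another pointer, and a hostile reply can make that chain cycle. Returning the offset past the outer encoding is what lets a caller keep walking the rest of the record without re-following the pointers.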
Conectiva:
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
  webalizer-2.01.10-4U70_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
  webalizer-doc-2.01.10-4U70_1cl.i386.rpm

Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2038.html

+---------------------------------+
|  openssh                        | ----------------------------//
+---------------------------------+

Buffer overflow in OpenSSH's sshd if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

OpenSSH Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2039.html

Trustix:
  http://www.trustix.net/errata/trustix-1.5/
  /1.5/RPMS/openssh-server-3.1.0p1-3tr.i586.rpm   f00b0fa1bf6f52826cf8623893501781
  /1.5/RPMS/openssh-clients-3.1.0p1-3tr.i586.rpm  20a431fd990edfb51f62cf80c7298d82

Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2043.html

+---------------------------------+
|  squid                          | ----------------------------//
+---------------------------------+

A security issue was recently found and fixed by the squid team. The bug exists in the Squid-2.X releases up to and including 2.4.STABLE4. Error and boundary conditions were not checked when handling compressed DNS answer messages in the internal DNS code (lib/rfc1035.c). A malicious DNS server could craft a DNS reply that causes Squid to exit with a SIGSEGV.

Trustix:
  ftp://ftp.trustix.net/pub/Trustix/updates/
  /1.5/RPMS/squid-2.4.STABLE6-1tr.i586.rpm  69369be4888324c1b2e2eeb38018f97e

Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2041.html

+---------------------------------+
|  docbook                        | ----------------------------//
+---------------------------------+

The default stylesheet used when converting a DocBook document to multiple HTML files allows an untrusted document to write files outside of the current directory.
This is because element identifiers (specified in the document) are used to form the names of the output files.

Red Hat Linux 7.2:
  noarch:
  ftp://updates.redhat.com/7.2/en/os/noarch/
  docbook-utils-0.6.9-2.1.noarch.rpm      e6b43a27e4712ee6a91871605092acab
  ftp://updates.redhat.com/7.2/en/os/noarch/
  docbook-utils-pdf-0.6.9-2.1.noarch.rpm  a45e3dddc9f3269c3db77bd153697df3

Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2048.html

+---------------------------------+
|  modpython                      | ----------------------------//
+---------------------------------+

Updated mod_python packages have been made available for Red Hat Linux 7.2. These updates close a security issue in mod_python which allows the publisher handler to use modules which have only been indirectly imported.

Red Hat 7.2:
  i386:
  ftp://updates.redhat.com/7.2/en/os/i386/
  mod_python-2.7.8-1.i386.rpm  9b9e4a43002cd22f9a8df7fd9784e925

Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2049.html

+---------------------------------+
|  Nautilus                       | ----------------------------//
+---------------------------------+

The Nautilus file manager (used by default in the GNOME desktop environment) writes metadata files containing information about files and directories that have been visited in the file manager. The metadata file code in Red Hat Linux 7.2 can be tricked into chasing a symlink and overwriting the symlink target.
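The docbook entry above describes a general pattern: a name taken from an untrusted document is used, unchanged, as part of an output file name, so a document author chooses where on disk the converter writes. The block below is an added example, not the DocBook stylesheet's or Red Hat's code, that places the naive derivation beside a hardened one which only accepts a conservative identifier syntax. The character set, the 64-byte length limit and every sample id are assumptions made for this example.

```c
/*
 * Added example (not the DocBook stylesheet's own code): deriving an
 * output file name from an untrusted element id. naive_output_name()
 * uses the id verbatim, the pattern the docbook entry describes;
 * safe_output_name() accepts only [A-Za-z0-9_.-], requires a letter or
 * underscore first, and rejects ".." so the result can never leave the
 * output directory. Limits and sample ids are assumptions for this example.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ID_LEN 64   /* assumed cap on an accepted identifier */

/* Unsafe: "../x" becomes "../x.html", a path outside the output directory. */
int naive_output_name(const char *id, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s.html", id);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Safe: returns 0 and writes "<id>.html" only for an id that is non-empty,
 * at most MAX_ID_LEN bytes, starts with a letter or '_', and contains only
 * [A-Za-z0-9_.-] with no ".." sequence. Otherwise returns -1 with out empty.
 * '/' and '\\' are not in the allowed set, so no separator can get through. */
int safe_output_name(const char *id, char *out, size_t outlen)
{
    size_t len = strlen(id);
    if (outlen) out[0] = '\0';
    if (len == 0 || len > MAX_ID_LEN) return -1;
    if (!isalpha((unsigned char)id[0]) && id[0] != '_') return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)id[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return -1;
        if (c == '.' && id[i + 1] == '.') return -1;   /* ".." anywhere */
    }
    int n = snprintf(out, outlen, "%s.html", id);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 when the naive form yields an escaping path for a traversal id
 * while the safe form accepts the benign id and rejects every hostile one. */
int output_name_selftest(void)
{
    char buf[128];
    const char *hostile[] = { "../outside", "a/b", "", "..", "-rf",
                              "x\\y", ".hidden", "a..b" };

    if (naive_output_name("../outside", buf, sizeof buf) != 0 ||
        strcmp(buf, "../outside.html") != 0) return 0;
    if (safe_output_name("intro-1.2", buf, sizeof buf) != 0 ||
        strcmp(buf, "intro-1.2.html") != 0) return 0;
    for (size_t i = 0; i < sizeof hostile / sizeof hostile[0]; i++)
        if (safe_output_name(hostile[i], buf, sizeof buf) != -1 || buf[0] != '\0')
            return 0;
    return 1;
}

int main(void)
{
    int ok = output_name_selftest();
    printf("output_name_selftest: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

An allowlist is preferable to stripping known-bad characters because the output file name then cannot contain anything the converter did not explicitly permit; a converter that must preserve arbitrary ids can instead number its output files and keep an id-to-file table, so the document never influences a path at all.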
Red Hat:
  i386:
  ftp://updates.redhat.com/7.2/en/os/i386/
  nautilus-1.0.4-46.i386.rpm          f91c1cb8fb30034c8ea8aefa184c5589
  ftp://updates.redhat.com/7.2/en/os/i386/
  nautilus-devel-1.0.4-46.i386.rpm    af4c6accb8c0e4ec60921e0938ad925d
  ftp://updates.redhat.com/7.2/en/os/i386/
  nautilus-mozilla-1.0.4-46.i386.rpm  84ffe4f70577e6d235086a8a7cd86a4d

Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2050.html

+---------------------------------+
|  radiusd-cistron                | ----------------------------//
+---------------------------------+

ZARAZA reported security related bugs in various radius server and client software. The list of vulnerable servers includes the cistron radius package. Within the cistron package, a buffer overflow in the digest calculation function and miscalculations of attribute lengths have been fixed which could allow remote attackers to execute arbitrary commands on the system running the radius server.

SuSE-7.3:
  ftp://ftp.suse.com/pub/suse/i386/update/7.3/n3/
  radiusd-cistron-1.6.4-168.i386.rpm  8215e7113e8937844ab5d2deba8bbb13

SuSE Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-2044.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

- ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Mon May 6 02:28:34 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:07 2008 Subject: [ISN] Melissa Creator Sentenced On State Charges Message-ID: http://www.newsbytes.com/news/02/176370.html By Dick Kelsey, Newsbytes FREEHOLD, NEW JERSEY, U.S.A., 03 May 2002, 4:02 PM CST "Melissa" virus author David L.
Smith today was sentenced in a New Jersey court to 10 years in prison on state charges but will serve only a 20-month federal sentence handed down Wednesday. Monmouth County Superior Court Judge Lawrence Lawson imposed the sentence under a plea agreement with Smith, who named the virus after a topless dancer. Smith, 34, was handed the maximum "10-year sentence to run concurrently and co-terminously to the federal sentence," a court spokesman said this afternoon, which means Smith's state time will run out when he completes his federal term. U.S. District Judge Joseph A. Greenaway Jr. on Wednesday sentenced Smith to 20 months in federal prison, opting for a far shorter term than federal guidelines allow. Smith will also serve three years of supervised release upon completion of his prison stay. The federal court's decision on the lesser sentence was "based on Smith's level and length of cooperation in other investigations," according to a news release issued by the U.S. Attorney's office in Newark, N.J. Smith pleaded guilty in 1999 to federal and state charges related to creation of the virus that wreaked havoc among millions of computer users worldwide and left monetary damages far greater than the $80-million maximum under federal sentencing guidelines. The macro virus was contained in a Microsoft Word document attached to an e-mail. When opened on a vulnerable system, Melissa sent copies of itself to 50 people in the victim's e-mail address book using the Microsoft Outlook e-mail program. Newsbytes correspondent Brian McWilliams contributed to this story. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. 
From isn at c4i.org Sat May 4 06:19:04 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:07 2008 Subject: [ISN] MS seeks senior spook to score Federal security $$$'s Message-ID: http://www.theregister.co.uk/content/4/25130.html By John Lettice Posted: 02/05/2002 at 14:22 GMT Microsoft is seeking to hire a high level executive whose role will be "to position Microsoft as a strategic partner to the [US] government in using our products and technologies to build Homeland Security solutions." Or, as the lead-in to the help-wanted ad less modestly puts it: "The Director of Federal Homeland Security will partner the world's most successful software company with the world's most powerful nation in using innovative and agile technology to prepare, detect, prevent, protect, respond, recover and manage against terrorism." When not steering an alliance between the world's two remaining superpowers, the director will lead the Microsoft Homeland Security Leadership team (which we'd never heard of, possibly because it's only just been invented), and seems to be expected to combine intense lobbying of the Office of Homeland Security with acting as Microsoft's 'Face of Homeland Security' to the press, at conferences and through white papers. The detailed responsibilities listed in the ad are commendably upfront, making no bones about the director's role being to secure Microsoft a large share of the post-9/11 Federal security trough. The successful candidate will have "more than 10 years experience as a senior level US Government executive," and "must hold a security clearance, Top Secret with polygraph preferred." They must also "be willing to maintain active clearance at highest levels of security" and "be knowledgeable and experienced in Federal government business, both operationally and [ahem...] politically." 
So Microsoft wants to pull in a senior spook who knows the people in Washington (and indeed will be based in Washington), and is willing and able to "use and leverage credentials (including security clearances), existing relationships, and knowledge of the Federal government's business and politics to position Microsoft as a strategic partner to the government in using our products and technologies to build Homeland Security solutions." They'll have to "engage Microsoft Homeland Security Leadership Team on a regular basis in all Office of Homeland Security ongoing activities," keep up with "congressional decisions, appropriations, executive orders and presidential directives that may impact Homeland Security opportunities [i.e. $$$s]," and keep track of "Homeland Security related appropriations and which agencies manage the funding [i.e. more $$$s]." The job also involves 'helping' the Office of Homeland Security decide what it is that it's going to ask companies like Microsoft for, before it officially asks. The director will "lead Microsoft's responses to Office of Homeland Security related RFIs and RFPs" but will also "be proactive in influencing requirements prior to RFI/RFP stage." We understand Microsoft has successfully beta-tested this approach with a smaller country's government, also beginning with U. Part and parcel of this proactivity will be to "develop and maintain strong relationships with key influential government executives" and to "establish oneself as a trusted advisor to the Office of Homeland Security staff." Fortunately, as US government officials are incorruptible, and Microsoft is noted for its readiness to dispense impartial advice and guidance without fear or favour, world security will be safe in the hands of the new director, whoever that may be. If you think you're hard enough (and if you are, we've no idea why you're reading The Register, but suspect it's not for fun), then you can get full details here.
http://www.executive.computerjobs.com/job_view.asp?jobid=1379300&siteid=136&sort=pd&view=s&searchid=29321819&page=0&published= - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Sat May 4 23:59:58 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:07 2008 Subject: [ISN] Re: FAA hacked by patriots Message-ID: Forwarded from: Felix von Leitner Thus spake InfoSec News (isn@c4i.org): > Because of pricing-per-server, the FAA employs a very cheap and hardly > reliable brand of anti-virus technology, which has been documented as > not even close to a top-five contender. This worries a lot of > people--especially those of us in IT security who have to fly every > week. I'm not worried whether the FAA uses the right virus checker or not. I'm worried that they use crap operating systems that have viruses in the first place. You are always one step behind the virus writers with scanners. This may be acceptable for Mom and Pop behind their 19200 modem, but it is not for any public administration in a sector where potentially lives are at stake. Peru is on the right track here (see slashdot). Felix - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Sat May 4 06:28:08 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:07 2008 Subject: [ISN] Security poses primary wireless challenge Message-ID: Forwarded from: William Knowles http://www.fcw.com/fcw/articles/2002/0429/web-dod-05-03-02.asp By Dan Caterinicchia May 3, 2002 The Defense Department faces many obstacles in its attempt to outfit soldiers with reliable, interoperable wireless communications on the battlefield, including battery-life concerns, the need for ruggedized machines and ever-present bandwidth issues. 
But securing those communications is still far and away the main problem to be overcome regarding such technologies, according to a panel of government and industry experts at an Armed Forces Communications and Electronics Association information technology conference May 2 in Quantico, Va. Marine Corps Lt. Col. J.D. Wilson, team leader for tactical wireless in the program manager's office for communications systems, said the military has a "burning need" for tactical wireless communications and called on the private sector to drive the technologies necessary to make that happen. John McHugh, senior member of the technical staff at the CERT Coordination Center at Carnegie Mellon University, said the problem with the military using commercial off-the-shelf solutions in those cases is that they are being used in environments -- and exposed to threats -- that the developers never planned for. "The information I've seen says we're in a lot of trouble," McHugh said. Wilson said the Marine Corps uses traditional radios to send encrypted "data grams" through modems on voice networks to reach their destination but would like to move to a wireless, peer-to-peer environment that would also enable multicasting and avoid the "manual intervention." The solution may come through DOD's Joint Tactical Radio System (JTRS), which is more of a computer with a radio front end. The software-programmable, multi-band, multi-use radio will permit communications across DOD services, something that has been difficult or impossible because of radio frequency problems, Wilson said. DOD is requesting $172 million for JTRS in fiscal 2003, up from $165 million in fiscal 2002. Still, there will be a time in the near future when traditional radios are working side-by-side with software-programmable models, "and we'll need to be able to route and secure them properly," Wilson said. 
Stephen Orr, a systems engineer for Cisco Systems Inc.'s DOD northeast division, said the company has been working with the Army on providing a secure, wireless local-area network for the tactical battlefield, focusing on reducing the size of the case needed to carry the equipment. Currently, the transit case weighs more than 100 pounds and carrying it is a two-man job. Orr also said that even if industry comes up with a new form of encryption or other security device, it usually takes more than two years to get DOD approval. That lag time means that hackers and other adversaries probably have figured out a way to beat it, McHugh said. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Mon May 6 02:28:19 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:07 2008 Subject: [ISN] Security poses primary wireless challenge Message-ID: Forwarded from: William Knowles http://www.fcw.com/fcw/articles/2002/0429/web-dod-05-03-02.asp By Dan Caterinicchia May 3, 2002 The Defense Department faces many obstacles in its attempt to outfit soldiers with reliable, interoperable wireless communications on the battlefield, including battery-life concerns, the need for ruggedized machines and ever-present bandwidth issues. 
But securing those communications is still far and away the main problem to be overcome regarding such technologies, according to a panel of government and industry experts at an Armed Forces Communications and Electronics Association information technology conference May 2 in Quantico, Va. Marine Corps Lt. Col. J.D. Wilson, team leader for tactical wireless in the program manager's office for communications systems, said the military has a "burning need" for tactical wireless communications and called on the private sector to drive the technologies necessary to make that happen. John McHugh, senior member of the technical staff at the CERT Coordination Center at Carnegie Mellon University, said the problem with the military using commercial off-the-shelf solutions in those cases is that they are being used in environments -- and exposed to threats -- that the developers never planned for. "The information I've seen says we're in a lot of trouble," McHugh said. Wilson said the Marine Corps uses traditional radios to send encrypted "data grams" through modems on voice networks to reach their destination but would like to move to a wireless, peer-to-peer environment that would also enable multicasting and avoid the "manual intervention." The solution may come through DOD's Joint Tactical Radio System (JTRS), which is more of a computer with a radio front end. The software-programmable, multi-band, multi-use radio will permit communications across DOD services, something that has been difficult or impossible because of radio frequency problems, Wilson said. DOD is requesting $172 million for JTRS in fiscal 2003, up from $165 million in fiscal 2002. Still, there will be a time in the near future when traditional radios are working side-by-side with software-programmable models, "and we'll need to be able to route and secure them properly," Wilson said. 
Stephen Orr, a systems engineer for Cisco Systems Inc.'s DOD northeast division, said the company has been working with the Army on providing a secure, wireless local-area network for the tactical battlefield, focusing on reducing the size of the case needed to carry the equipment. Currently, the transit case weighs more than 100 pounds and carrying it is a two-man job.

Orr also said that even if industry comes up with a new form of encryption or other security device, it usually takes more than two years to get DOD approval. That lag time means that hackers and other adversaries probably have figured out a way to beat it, McHugh said.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Sat May 4 06:21:37 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:07 2008
Subject: [ISN] Shades of gray at security conference
Message-ID:

Forwarded from: bob

http://news.com.com/2100-1001-897596.html

Shades of gray at security conference
By Robert Lemos
Staff Writer, CNET News.com
May 2, 2002

VANCOUVER, British Columbia--Near a table laden with coffee, tea and croissants, David Dittrich, senior security engineer for the University of Washington, discusses the newest tools of the trade with a hacker-cum-security-consultant known as "K2."

They're a study in opposites: K2, stocky and jovial, has created, among other things, a "rootkit"--a tool for locking down unauthorized control of a server after an initial hack.

Dittrich, tall and mainly serious, found K2's rootkit on several systems at UW, put there by a hacker who grabbed K2's tool off the Net.

Was he angry?

"I mainly thought it was funny," Dittrich said.

In fact, the two--who some might think should be on opposite sides of the computer-security fight--actually work together. They're both involved in a project aimed at creating networks that act as an electronic bell jar, putting network attackers and their techniques under observation.

The relationship between Dittrich, who is widely considered a "white hat" security expert--one of the good guys--and K2, who some consider a "black hat," is typical of many who have met here at the CanSecWest security conference.

Despite the Sept. 11 terrorist attacks and the renewed suspicion that many security experts feel is directed at their profession, the hackers and security gurus that attend CanSecWest haven't quietly gone away.

While attendees mostly consist of independent security experts--in other words, hackers gone legit--a large portion of industry experts and a handful of law enforcement and government agents are also attending.

Among the topics on the agenda: vulnerabilities in Microsoft's .Net software-as-a-service plan; university networks as a playground for online vandals; and the legal ramifications of monitoring hacker activity.

Though the opposite sides mix, they don't always mingle, said K2.

"A lot of the government people don't talk about what they are doing, so in some cases, it's one-sided," he said. "It needs to be a two-way street."

"Simple Nomad," an old-school hacker who works for security company BindView, had an animated discussion with a small bevy of government workers and law enforcement officers about government security.

Collegial? Perhaps.

Yet, later in the day, Simple Nomad gave a presentation on the various ways terrorists--and the average Joe--could secretly communicate information to each other and managed to jokingly thumb his nose at the government in the process.

But while the new concerns brought on by the World Trade Center attack haven't driven the crowd here underground, they have changed things.

In the shadow of the attacks, security consultants and tool hackers have, in many ways, dialed down their activities a notch, said Dragos Ruiu, an independent security consultant and the organizer for the CanSecWest conference.

"You might as well be an assassin," Ruiu said. "The penalties are smaller to kill someone nowadays than hacking into a computer."

The problem, Ruiu says, is that the tools created by hackers have two uses: They can be used to compromise systems, but they can also be used to secure them. Most people don't understand that and would rather clump any who use the tools together in the same "bad guy" category.

"People distrust things they don't understand," Ruiu said. "The black magic factor is high."

Ruiu said he expected that most people at the conference would fall into the white hat--or security-conscious hacker--category, but there was no way to be sure.

"You never know who the threats are," Ruiu said. "You really can't tell who the people are that do the bad stuff."

From isn at c4i.org Sat May 4 06:19:28 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Two Dozen Highline H.S. Students In Hot Water For Falsifying Grades
Message-ID:

http://www.komotv.com/stories/18162.htm

May 1, 2002
By Emily Langlie

BURIEN - They were smart enough to hack into a computer system, but foolish enough to leave a clue behind.

Now, more than two dozen students at Highline High School are in trouble after hackers changed their grades. In some cases, those phony grades were sent to colleges.

Highline High School is proud of its high-tech learning center where kids become computer experts. But now some of those expert students are in trouble.

They hacked into a school computer system and improved their grades. Students have been talking about it for weeks.

But they didn't get away with it, only because a teacher discovered an inappropriate comment of a foul nature left in the system.

The teacher noticed the comment when she was entering grades the last week in January.

The school district's computer experts were called in, and for three months, they investigated grade changes.

Last week, letters went home to 26 students with various levels of involvement. Those who hacked into the system and changed grades are suspended for the rest of the year. Those who got the altered transcripts and didn't tell the district are suspended for 10 days.

Some who knew about the grade changes after the fact got no discipline.

Colleges that received the phony grades got a letter with a correct transcript. They weren't told who was responsible for the fraud.

But the problems for these students at Highline aren't over yet. The district's full investigation is being turned over to Burien Police for possible charges of computer trespass.

Some of the students are appealing their discipline.

The school district doesn't know if any of the students have lost scholarships or been rejected from colleges because of the falsified transcripts.
From isn at c4i.org Sat May 4 06:18:40 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] University systems a haven for hackers
Message-ID:

http://news.com.com/2100-1001-898084.html?tag=fd_top

By Robert Lemos
Staff Writer, CNET News.com
May 2, 2002, 4:20 PM PT

VANCOUVER, British Columbia -- College is intended to nurture the quest for knowledge, but many universities are also unwitting breeding grounds for hacking and online piracy.

In a presentation here at the CanSecWest security conference, David Dittrich, senior security engineer with the University of Washington, said university politics and a lack of emphasis on computer security have made college networks rife with online piracy and hacking.

The networks "are a real fertile ground," Dittrich said in an interview after the presentation. "There is a responsibility that the universities are not meeting."

While some universities have good security checks in place, the majority of academic networks are tempting targets for hackers because of their lack of security, abundance of bandwidth and overworked administrators.

At the University of Washington, for example, Dittrich, two other security engineers and several network engineers have to deal with network outages, compromised computers, rogue libraries of pirated media and software, and students who can't get online to get their homework done because of all of the illicit traffic.

Responding to recent complaints from two students that their computers were exhibiting strange behavior, Dittrich and the other engineers found that at certain times of day, the university's bandwidth was being overwhelmed by sudden spikes in usage. He found that a handful of computers on the network had been compromised and that a distributed database of pirated software and movies had been installed.

This time, nine systems on the network had more than 520GB of pirated software and movies stored on them, including the just-released "Scorpion King." That was just this week; in total, more than 70 systems have been found to have been used for digital piracy and so-called distributed denial-of-service (DDoS) attacks.

The files could be accessed only through Internet chat "bots"--automated programs--that would allow only those in the know to download the files.

Such piracy is not always set up by outside hackers, Dittrich said. Several of his server investigations have revealed that students have been hosting the pirated software.

In fact, a snapshot of the traffic on the network showed that 37 percent of the data consisted of transfers by the file-sharing program Kazaa, and another 15 percent belonged to another file-sharing program, Gnutella.

The problems are not new. In 1999, Dittrich had to clean up nearly 80 Solaris systems and 40 Linux systems that had been compromised and on which online vandals had installed DDoS tools. In 2000, 200 systems had been hit with the Code Red worm and another 150 or so with the Nimda worm.

"It's not large percentage-wise," he said, "but it is large in number."

In all, thousands of the university's 50,000 systems could be vulnerable to one of the dozens of flaws commonly exploited by online vandals. That multiplies when the systems are used to scan other, non-university systems.

Four systems owned by PowerBot, a Swiss Army Knife of hacker utilities, automatically found 9,000 systems last summer outside the university that were vulnerable to the attack used by Code Red.

The problems are not isolated to the University of Washington. Right after Dittrich's talk, another administrator approached him asking for advice because her network is wide open to exploitation. The fear, she said, was that if the school's computers were used to attack another company, that company might sue for damages.
The security administrator asked that she and her college not be identified.

Such problems may continue until a lawsuit is brought against a university or the various academic departments in the university get serious about security, Dittrich said.

"Not everyone hears the message," he said, especially when nothing happens to the universities in the way of punishment if they don't secure their systems.

From isn at c4i.org Mon May 6 02:29:04 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: Fwd: [ISN] Hackers exploit Korea to attack global systems
Message-ID:

---------- Forwarded message ----------
Date: Fri, 26 Apr 2002 23:38:46 -0400
From: R. A. Hettinga
To: Digital Bearer Settlement List
Subject: Re: Fwd: [ISN] Hackers exploit Korea to attack global systems

--- begin forwarded text

Status: U
Delivered-To: nanog-outgoing@trapdoor.merit.edu
Delivered-To: nanog@trapdoor.merit.edu
Delivered-To: nanog@merit.edu
Date: 26 Apr 2002 23:07:48 -0400
From: johnl@iecc.com (John R. Levine)
To: nanog@merit.edu
Subject: Re: Fwd: [ISN] Hackers exploit Korea to attack global systems
Newsgroups: iecc.lists.nanog
Organization: I.E.C.C., Trumansburg NY USA
Cc:
Sender: owner-nanog@merit.edu

>>Some foreign servers block access attempts whose origins are traced to
>>Korea, implying that the country's leadership in the broadband
>>Internet business may be marred by its negligence in upgrading lame
>>security protection systems, the center said.

No kidding. Some of us have gotten so tired of spam from Korea, both stuff relayed from the west and Korean-language spam promoting Korean web sites, combined with the complete lack of response to all abuse reports, that we've blocked all mail from Korean networks.

As an experiment, I set up an RBLish blocking list at korea.services.net. It lists all the APNIC space assigned to Korea (I think, APNIC's records are sloppy) along with any ARIN space assigned to Korea that's come to my attention due to being spammed from it. It blocks a lot of spam, with very little collateral damage for me since despite having books in print in Korean in Korea, nobody ever writes to me from there.

I've told people they can use it informally, and it now gets about 5 hits per second, up from 3 a few weeks ago. The blocking message points at a web page explaining why I'm blocking mail, with an unblocked address to write to me, so I get about one message a week from Korean sysadms saying "I fixed my open relay, please unblock my /32 now". I write back and say it's not just them, their entire ISP is blocked due to unresponsiveness. I hope someday they'll clean up their act enough to stop blocking them, but I'm not holding my breath.

Anyone's welcome to use it informally. There's no SOA and no zone transfers since it's running rbldns, not bind, but you can check dig 3.0.0.127.korea.services.net to see how it works.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
johnl@iecc.com, Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail

--- end forwarded text

-- 
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From isn at c4i.org Tue May 7 03:52:08 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Army Layers Security Blankets To Guard Networks
Message-ID:

http://www.newsbytes.com/news/02/176400.html

By Dawn S Onley, Government Computer News
TEMPE, ARIZONA, U.S.A., 06 May 2002, 12:43 PM CST

Shortly after a military surveillance plane collided with a Chinese fighter last April, a two-week "cyberwar" began, and U.S. Army Web sites took numerous hits.

More than 50 Web pages were defaced by an automated attack launched by supporters or agents of the People's Republic of China. The hackers placed anti-American sentiments in English and Chinese characters on some of the sites.

But most of the attacks could have been prevented if published fixes, identified in Information Assurance Vulnerability Alerts, were in place on the hacked machines, said Lt. Col.
John Quigg, chief of the Army's network security improvement program in the service's chief information office.

An IAVA is a digital list of computer vulnerabilities. They are reported monthly to the chairman of the Joint Chiefs of Staff, Quigg said. The alerts are also posted on Army networks and warn of basic security measures needed to ward off viruses, worms or hackers.

"The idea is to focus everyone's attention on the most likely attacks and use scanning technology to check the computers," Quigg said. "Getting these tools in place helps us to see the networks and get a little more proactive in defending them."

Since last spring, the Army has taken a serious look at how its networks are secured, according to senior officials. And the scrutiny has produced some insights, they said.

Sensitivity Filter

Last fall, the Army started a Web Risk Assessment Cell of about 30 people to identify sensitive content on public Web sites that include data on Army operations.

Quigg said the team, made up of contractors and Army personnel, uses keyword searches to locate sensitive Army information on public IP addresses. When the data is found, the team decides whether to edit or remove it.

The Army got the idea from the Defense Department. Two years ago, DOD established its own risk assessment cell to monitor Defense Web sites for vulnerabilities that could compromise military operations if retrieved by hackers.

Since Sept. 11, the critical protection of Army networks escalated another notch - to the force protection level, Quigg said. System administrators now brief the Army chief of staff every morning on all intrusions that occur.

Since the war on terrorism began, there is greater emphasis on decreasing cyberthreats by adding layers of security. For instance, each Army installation now has at least one information security employee on staff.

In March the Army conducted a weeklong information assurance awareness campaign to educate soldiers on steps to take to protect computer systems.

"The important issue is to make our computer users aware of the procedures and security issues," said Lt. Col. Thaddeus Dmuchowski, director of the Army's Information Assurance Office. "It is key that everyone understand that cyberwarfare is an on-going threat."

Last month, the Army awarded Harris Corp. a multimillion-dollar contract to protect its global networks. The Melbourne, Fla., company will install its Security Threat Avoidance Technology Scanner vulnerability assessment software on more than 1.5 million Army systems and will provide maintenance for three years.

STAT Scanner searches for vulnerabilities in strategic and tactical networks at both active and reserve units. The software shows systems administrators a comprehensive analysis of vulnerabilities and risk levels, Quigg said.

STAT Scanner works with the vulnerability alerts, Quigg added. The software runs on Microsoft Windows NT, Win 2000, XP, Linux and Sun Solaris platforms and can repair some vulnerabilities.

The efforts reduced the percentage of successful attacks, even as the Army continues to see an increase in attempts by hackers to breach systems. In 2000, one in every 86 attacks on Army computer networks succeeded. Last year, only one attack in 149 was successful.

From isn at c4i.org Tue May 7 03:43:08 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Best Buy hit by WLAN snooping
Message-ID:

Forwarded from: Times Enemy

Greetings.

I noticed this when I read the Vuln-Dev link to the story, but didn't think much of it. In this article, by Mike Magee, there are of course the obvious journalistic touch-ups, but then there is something which is blatantly incorrect.
> One hacker on a board said that he had fired up Kismet outside a
> shop last week and bought a unit with his own credit card to see
> what info was transmitted.

> He said that when he searched the logs he saw SQL queries and table
> headers in his log including his own credit card number.

Now, from the original post:

"I did indeed find a RAW clear text credit card number....not mine ... but definitely a credit card number."

:: shrugs ::

ciao

.times enemy

From isn at c4i.org Tue May 7 03:48:39 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Biometric Security Not Ready to Replace Passwords
Message-ID:

Forwarded from: Steve Vawter

Could not this allow for some smart fellow to put their own device on the system with their own fingerprint, bypassing the security? What type of security keeps this from occurring?

> Their fingerprint-recognition devices keep the print data in the
> devices themselves, not on a server or PC, and they have added other
> security enhancements. Last year we looked at Precise Biometrics's
> 100 SC. This year, the new USB-connected Precise 100 MC surpassed
> our expectations, earning a Reviewer's Choice designation."

Steve Vawter
UNIX SYSTEM ADMINISTRATOR
Zone Labs, Inc.
1060 Howard Street
San Francisco CA 94103
ph 415-341-8323
fax 415-341-8299
cell 510-409-9184
pager 877-933-0549

-----Original Message-----
From: InfoSec News [mailto:isn@c4i.org]
Sent: Monday, May 06, 2002 12:27 AM
To: isn@attrition.org
Subject: [ISN] Biometric Security Not Ready to Replace Passwords

http://www.newsbytes.com/news/02/176325.html

By Carlos A Soto, Government Computer News
WASHINGTON, D.C., U.S.A., 02 May 2002, 2:05 PM CST

Biometrics vendors are doing their best to supplant passwords as the chief form of computer security, but Government Computer News Lab tests indicate that many of their products are not quite ready. Some developers have continued to improve already good devices, but others need to go back to the drawing board.

Bad biometric security is worse than no security at all because it can lock out a legitimate user, admit an interloper or - perhaps most dangerous - lull a network administrator into a false sense of safety.

For this review we examined six fingerprint-recognition devices and one voice-recognition device.

A word of caution: An administrator cannot deploy large numbers of any of those fingerprint devices without third-party administrative software.

[...]

From isn at c4i.org Tue May 7 03:50:48 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Cyberspace full of terror targets
Message-ID:

Forwarded from: Bob

http://www.usatoday.com/life/cyber/tech/2002/05/06/cyber-terror.htm

Cyberspace full of terror targets
By Tom Squitieri, USA TODAY
5/5/02

WASHINGTON - Government and private computer networks are facing new threats of terrorist attacks, ranging from an attempt to bring havoc to a major city to nationwide disruptions of finances, transportation and utilities.
But people with knowledge of national intelligence briefings say little has been done to protect against a cyberattack.

Some of the threats come from individuals who might have connections to Osama bin Laden's al-Qaeda network in Pakistan and elsewhere, those who have been briefed say.

The specific threats, in part, prompted a meeting April 18 of government intelligence and information-technology officials to discuss protecting the nation's computer networks.

"This threat is growing," Sen. Jon Kyl, R-Ariz., says. "It's a big threat, because it is easy to do and can cause great harm."

Congress is trying to reduce the threat. Legislation has been proposed to create a national "cybersecurity defense team" to identify areas most vulnerable to attack and determine how to reduce the danger.

Other legislation would make it easier for companies to share information without being subject to antitrust or freedom-of-information laws. Such communication could alert the government to a terrorist attack, as opposed to more common cases of computer hackers targeting a company or agency. It could also help companies defend against attacks.

The vast array of potential targets and the lack of adequate safeguards have made addressing the threat daunting.

Among the recent targets that terrorists have discussed, according to people with knowledge of intelligence briefings:

* The Centers for Disease Control and Prevention, based in Atlanta. It is charged with developing the nation's response to potential attacks involving biological warfare.

* The nation's financial network, which could shut down the flow of banking data. The attack would focus on the FedWire, the money-movement clearing system maintained by the Federal Reserve Board.

* Computer systems that operate water-treatment plants, which could contaminate water supplies.

* Computer networks that run electrical grids and dams.

* As many targets as possible in a major city. Los Angeles and San Francisco have been mentioned by terrorists, intelligence officials say.

* Facilities that control the flow of information over the Internet. Richard Clarke, the White House special adviser on cybersecurity, says such sites, of which there are 20 to 25, are "only secure in their obscurity."

* The nation's communications network, including telephone and 911 call centers.

* Air traffic control, rail and public transportation systems.

Officials are most concerned that a cyberattack could be coupled with a conventional terrorist attack, such as those on Sept. 11, and hinder rescue efforts.

"Cyberterrorism presents a real and growing threat to American security," says Rep. Jane Harman, D-Calif., top Democrat on the House Intelligence Committee's panel on terrorism and homeland security. "What I fear is the combination of a cyberattack coordinated with more traditional terrorism, undermining our ability to respond to an attack when lives are in danger."

The Bush administration is seeking about $4.5 billion in its 2003 budget request to protect federal computer systems. That's about 8% of its information technology budget.

Clarke warned lawmakers earlier this year that the threat of a cyberattack was greater than previously imagined. He says it could take three or four years to markedly improve the government's ability to prevent such attacks.

Long before Sept. 11, officials warned of the nation's vulnerability to cyberattack. The Pentagon and many large companies have experienced limited attacks. Hackers calling themselves the "Deceptive Duo" recently infiltrated Pentagon computers and left a message indicating that the attacks were made to show "how sad our cyber-security really is."

In 2001, cyberattacks caused $12 billion in damage and economic losses. Such attacks were successful in penetrating security systems at an airport in Massachusetts and a dam in Arizona, causing shutdowns of both facilities but no loss of lives or long-term damage.

"The principal myth that you will hear is that nobody can actually change the operation of a physical system through computers," says Alan Paller, director of the System Administration, Networking and Security Institute, which teaches people how to protect computer systems. "There have been people who have already demonstrated how that can be done."

From isn at c4i.org Tue May 7 03:49:23 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Linux Security Week - May 6th 2002
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  May 6th, 2002                                Volume 3, Number 18n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas          ben@linuxsecurity.com    |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Honeynet Project: The Reverse Challenge," "Network Forensics: Tapping the Internet," "Building an IDS Solution Using Snort," and "How a Virtual Private Network Works."

* SECURE YOUR APACHE SERVERS WITH 128-BIT SSL ENCRYPTION *

Guarantee transmitted data integrity, secure all communication sessions and more with SSL encryption from Thawte- a leading global certificate provider for the Open Source community. Learn more in our FREE GUIDE--click here to get it now:
--> http://www.gothawte.com/rd253.html

This week, advisories were released for fileutils, imlib, sudo, webalizer, openssh, squid, docbook, modpython, nautilis, and radiusd-cistron. The vendors include Caldera, Conectiva, EnGarde, Red Hat, SuSE, and Trustix.
http://www.linuxsecurity.com/articles/forums_article-4921.html Find technical and managerial positions available worldwide. Visit the LinuxSecurity.com Career Center: http://careers.linuxsecurity.com +---------------------+ | Host Security News: | <<-----[ Articles This Week ]------------- +---------------------+ * Honeynet Project: The Reverse Challenge May 2nd, 2002 The Reverse Challenge is an effort to allow incident handlers around the world to all look at the same binary -- a unique tool captured in the wild -- and to see who can dig the most out of that system and communicate what they've found in a concise manner. http://www.linuxsecurity.com/articles/intrusion_detection_article-4917.html * Challenging the Man-in-the-Middle May 1st, 2002 When logging in, several users reported seeing themselves already logged in from strange locations or running funny processes. Most of these folks are generally security-conscious, use strong passwords, and don't fall for the standard social engineering tricks. http://www.linuxsecurity.com/articles/cryptography_article-4902.html * Network Forensics: Tapping the Internet April 29th, 2002 Methods of archiving network data for forensic analysis. "Another approach to monitoring is to examine all of the traffic that moves over the network, but only record information deemed worthy of further analysis. The primary advantage of this approach is that computers can monitor far more information than they can archive -- memory is faster than disk. http://www.linuxsecurity.com/articles/intrusion_detection_article-4895.html +------------------------+ | Network Security News: | +------------------------+ * When Hackers Attack May 5th, 2002 What does it take to work in computer security? Beyond the basic math, science, and analytical skills, "you need tremendous patience and persistence--and you need to not have to sleep much," says Chet Hosmer, cofounder and chief executive officer of Wetstone Technologies Inc. 
( http://www.linuxsecurity.com/articles/hackscracks_article-4927.html * How a Virtual Private Network Works May 3rd, 2002 For years, voice, data, and just about all software-defined network services were called "virtual private networks" by the telephone companies. The current generation of VPNs, however, is a more advanced combination of tunneling, encryption, authentication and access control technologies and services used to carry traffic over the Internet, a managed IP network or a provider's backbone. http://www.linuxsecurity.com/articles/network_security_article-4924.html * Good firewalls make good policy May 3rd, 2002 A well-designed computer network, like well-designed policy in a federation like Canada, depends on good firewalls. In a computer network, a good firewall alerts users to potential harmful interactions between the computer and the local network, and also between the local network and the Internet. http://www.linuxsecurity.com/articles/firewalls_article-4925.html * TCP/ IP and tcpdump Flyer (PDF) May 1st, 2002 Sans has provided a TCP/IP and tcpdump flyer guide. http://www.linuxsecurity.com/articles/network_security_article-4904.html * Building an IDS Solution Using Snort April 29th, 2002 This document provides a step-by-step guide to building an intrusion detection system using open-source software. The process involves Installing RedHat Linux 7.1, Compiling/Installing and configuration of MySql/Apache/ACID/Snort, Setup of Snort rules f Hardening of Machine The document assumes a basic level understanding of linux and computer technologies. 
http://www.linuxsecurity.com/articles/intrusion_detection_article-4893.html

+------------------------+
| Vendor/Products:       |
+------------------------+

* Biometric Security Not Quite Ready to Replace Passwords
May 2nd, 2002

Biometrics vendors are doing their best to supplant passwords as the chief form of computer security, but Government Computer News Lab tests indicate that many of their products are not quite ready. Some developers have continued to improve already good devices, but others need to go back to the drawing board.
http://www.linuxsecurity.com/articles/vendors_products_article-4910.html

+------------------------+
| General:               |
+------------------------+

* The Art of Misusing Technology
May 3rd, 2002

Hacking has been described as a crime, a compulsion, an often troublesome end result of insatiable curiosity run amok. Rarely has anyone who is not a hacker attempted to portray the creation, exploration.
http://www.linuxsecurity.com/articles/hackscracks_article-4922.html

* Network Forensics: Tapping the Internet
May 2nd, 2002

During the Gulf War, computer hackers in Europe broke into a UNIX computer aboard a warship in the Persian Gulf. The hackers thought they were being tremendously clever -- and they were -- but they were also being watched.
http://www.linuxsecurity.com/articles/server_security_article-4915.html

* Interior security flagged again
May 2nd, 2002

A month after getting permission to reconnect some of its sites to the Internet, the Interior Department's Minerals Management Service is back in the hot seat. MMS has once again caught the attention of court-appointed Special Master Alan Balaran for failing to protect individual American Indian trust data.
http://www.linuxsecurity.com/articles/government_article-4913.html

* Security Agents Head For Cybercrime School
April 29th, 2002

Security agents from both sides of the Atlantic are being sent to school so they can trace and prosecute computer criminals. The FBI, U.S.
Customs, the High Technology Crime Investigation Association, Europol and the U.K.'s National High-Tech Crime Unit are among the agencies that have sent staff to learn about cybercrime, fraud, hacking and software bugs, according to the company, Massachusetts-based QinetiQ Trusted Information Management.
http://www.linuxsecurity.com/articles/government_article-4890.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.  LinuxSecurity.com
To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue May 7 03:53:00 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Security myths costing firms
Message-ID:

Forwarded from: William Knowles

http://australianit.news.com.au/articles/0,7204,4265774%5E15306%5E%5Enbv%5E,00.html

Karen Dearne
MAY 07, 2002

SECURITY guru Peter Tippett loves to shock people. He invites IT professionals to seminars on network security and then says you don't need more network security - at least, you don't need as much as vendors want to sell to you.

Spend up on anti-virus software if you want to, he said. But most businesses already had quite adequate security systems in place and personnel trained to deal with incidents, said Dr Tippett, who helped invent Norton security products and is now chief technology officer of TruSecure.

He said no security system was ever going to be 100 per cent effective. The costs involved in reacting to every alert or vulnerability would be prohibitive, in any case, he said.

A better approach was to quantify security risks, and take steps to realistically address them - bearing in mind the costs of doing so.
Dr Tippett said companies were spending more money on security every year, but the problems of web defacements, intrusions, viruses and denial of service attacks still became worse. It was a mindset problem, he said. Companies were focusing on the wrong things and failing to get the basics right.

"The problem is that people assume each security measure has 'binary effectiveness' - it either works all of the time or not at all," he said. "And while we pay lip service to the idea that no security is perfect, we still believe good security controls will be 99 per cent effective. Yet trying to achieve even 90 per cent effectiveness is incredibly costly, time-consuming and even counterproductive."

A better approach was to employ "synergistic security", which hinged on the concept of redundancy in security controls, Dr Tippett said.

A keen pilot, he likens the internet to the early days of commercial aviation, when there was little effort to control safety and planes frequently crashed. Now airline safety has improved 1000-fold, largely due to improved safety practices.

If safety hadn't improved and planes crashed at the same rate they did 60 years ago, more than 500 people would die in air disasters each day, Dr Tippett said. Better technologies only accounted for a tenfold improvement in safety; better education and better practices had multiplied this a hundredfold.

Dr Tippett said the internet needed something similar to the aviation industry - traffic controllers and government-backed agencies that provided immediate warnings in emergencies, and ensured the skies were safe and planes and pilots met stringent standards.

"In internet security, there's no-one that can tell you what things you must do to protect your systems," he said. "There's no formal mechanism for distributing information about problems and what must be done to fix them."

TruSecure is positioning itself in that space, as an information repository and advisory service.
Dr Tippett said the company monitored the activities of some 800 hacker groups and collected 200 gigabytes of net traffic a day, to keep ahead of the problems.

Most companies could improve their security by complementing the primary controls - firewalls, anti-virus scanners, encryption, intrusion detectors - with simple synergistic controls.

"These controls need to be cheap, easy and non-infringing [on business operations] and effective enough against an important category of risk," he said. "For example, to protect an IIS server from external hacks, you could implement multiple complementary controls at different levels.

"At the perimeter, configure border routers and firewalls to default-deny traffic. On the IIS box itself you could delete sample files, move or rename the command shell .exe and delete the scripts directory.

"On the policies and practices level, you could specify only local management of the server and insist on a quarterly tune-up. And so on."

At a bare minimum, companies should have either two primary controls (with greater than 90 per cent effectiveness), or a primary and at least three synergistic controls for each category of risks.

"Failure of any one control in a scenario like this would still leave better than 99 per cent effectiveness," Dr Tippett said.

----------------------------------------------------------------------
Tippett's Top Net Security Myths

'Encryption over the internet is important.'
But Dr Tippett said the increasing speed and complexity of networks meant it was almost impossible to inspect traffic for a single message.

'More obscure end-user passwords are advisable.'
There was no measurable benefit, he said.

'Daily anti-virus updates are required.'
Dr Tippett said daily updates were only 1 or 2 per cent better than weekly updates.

'Most vulnerabilities should be patched.'
Vulnerabilities have to be quantified in terms of the probability of a threat succeeding. In many cases, a threat would not be worth worrying about.
'Most businesses should focus more attention on firewall maintenance and management.'
Just get firewalls up to 90 per cent effectiveness and ensure default router rules are not overridden, Dr Tippett advises.

"It's about concentrating on essential practices, rather than best practice," Dr Tippett said.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue May 7 03:47:26 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: Points to ponder, was Re: [ISN] Deceptive Duo in the news again
Message-ID:

Forwarded from: H C
Cc: jericho@attrition.org, eceptive@linuxmail.org, dennis_fisher@ziffdavis.com

Let's take a look at the wording of the "mission"...

> From one of their defacements:
>
> Objective:
>
> Alert all National Security threats. Specifically the critical
> infrastructures(government agencies, banks, environmental system
> controls, airport/airlines, corporations) within The United States
> of America

Alert them of what? Insecurities? One has to then ask the same question that went around about what Lamos does...what gives Lamos or the "Deceptive Duo" the right or authority to conduct their activities?

Another question arises...looking at the list of defaced sites as of today, are any of these systems part of the critical infrastructure? Were any of the systems housing classified, sensitive, or critical data, or in any way connected to systems that did?
Here's an eWeek story from Friday:
http://www.eweek.com/article/0,3658,s=1884&a=26313,00.asp

How does this affect the critical infrastructure? Sure, Gartner is a consulting firm that may provide information and advice to those who maintain the critical infrastructure, but the fact remains that the IT staff that manages things like the public web interface is usually a completely different organization from those providing advice and analysis.

This isn't to say that I fully support Gartner...rather, I find DD's motives to be out of sync with their actions.

A final thought on this topic...what happens if the DD gets into a system and modifies/destroys critical data, however inadvertently? What if their actions actually lead to damage of the critical infrastructure? Where then does their statement lie?

> Mission Outline:
>
> Locate and scan critical cyber-components of The United States of
> America for vulnerabilities creating a foreign threat, while
> remaining undetected.

Again, what gives the DD the authority to do this? Whenever a pen test or vulnerability assessment is conducted by a legitimate consulting firm, there are all sorts of legal documents and agreements that are signed. What about a public web server constitutes "creating a foreign threat"? W/ regards to remaining undetected...well, that's just a lot of empty rhetoric, isn't it?

> Once located, publicly inform those who deserve to know the extent
> of incompetence that lies between foreign lines and the United
> States Administration.

This statement makes little sense, but the thing that gets me is this...who determines who it is that deserves to know? Who gets informed? Why does it have to be public?

> While this sounds noble, one has to wonder if they are sincere about
> their desire, or if this is nothing more than a means for publicity.

Agreed. On the surface, it _sounds_ noble...
> * With the recent events of 9-11, the FBI is overtasked with
> tracking down leads related to terrorists and potential threats. How
> is taking federal agents off those tasks to investigate domestic
> computer crime helping?

While I'm not able to speak to what extent the FBI would investigate these incidents (does anyone know...I mean, really?), the Attorney General's mandate of a loss of $5000 most likely wouldn't come into play with these particular defacements. Given staffing levels and case load, a friend of mine at NIPC has alluded to the fact that the cut-off is closer to $50K or higher.

Of course, the exact method by which the defacement seems to be known only to the "Deceptive Duo". Yes, we could speculate as to how they accomplished it, and perhaps many of us could even give several plausible answers...but so far as I've seen, the method of defacement hasn't been publicized.

> * If they are so interested in improving security, why are their
> targets only Windows machines?

It may have more to do with their skill and available tools. Or, it may have to do with the fact that the systems they found just happened to be vulnerable Windows systems.

> * Why are they exposing personal information

You're right. One has to ask how posting the contents of databases, to include the rank, date of rank, and home phone numbers of staff members is pertinent to national security. The information extracted from the databases and displayed in the image on the defaced pages doesn't seem to be anything classified.

One question, though...can you recommend a journalist that could be approached with such information, and would be able to accurately relate the story? I'd suggest Dan Verton...he's someone who'd be able to discern between unclass and classified information, at the very least.

> So far, these defacements don't seem to show a real concern for
> national security. Media attention seems to be a higher priority.

This does seem to be the case, based on the outcome.
However, I've been warned several times about attempting to discern the motives of an "attacker" based on the final results.

From isn at c4i.org Tue May 7 03:52:28 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Security Flaw Found in Flash Player
Message-ID:

http://www.pcworld.com/news/article/0,aid,98263,00.asp

Sam Costello, IDG News Service
Friday, May 03, 2002

A security hole in the way Macromedia's Flash player handles ActiveX content could allow an attacker to run the code of their choice on vulnerable systems, according to a security advisory published by eEye Digital Security late Thursday.

Macromedia is offering a new download of the player which fixes the flaw.

The vulnerability affects the Flash.ocx ActiveX component of the Flash player version 6 revision 23, and may affect earlier versions as well, Aliso Viejo, California, eEye says in its alert.

The Flash.ocx component is installed with Internet Explorer, as well as with the Flash player, eEye says.

Hidden Code

A buffer overflow in Flash.ocx could allow an attacker to run code of their choice on a vulnerable system when a user reads an HTML-formatted e-mail containing attack code, visits a Web site with attack code in it or uses Internet Explorer to display any other third party HTML, eEye says.

eEye says that Macromedia, based in San Francisco, was already aware of the issue when it contacted the company and that the latest version of the Flash player fixed the flaw.

Users should upgrade to the latest version of the Flash player, version 6 revision 29, eEye says. The updated Flash player can be downloaded from Macromedia's Web site.
From isn at c4i.org Tue May 7 03:51:20 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Working in a network war zone
Message-ID:

http://news.com.com/2100-1001-900511.html?tag=fd_top

By Robert Lemos
Staff Writer, CNET News.com
May 6, 2002, 4:00 PM PT

reporter's notebook - VANCOUVER, British Columbia -- Even before the CanSecWest security conference started on Wednesday, unknown hackers had given the hotel's high-speed network a case of the hiccups. By Wednesday evening, the system was laid out flat.

The pros were peeved, and a call for an electronic posse went out.

"We're forming a hunting party," Dragos Ruiu, independent security consultant and conference organizer, told the room of nearly 150 hackers and security experts late Thursday afternoon. "If anyone wants to help us find out who's...poisoning the hotel network, talk to me."

But that evening, the vandal stayed offline and the hotel network was, for a little while, glitch free.

Networks don't come much more hostile than those at the CanSecWest security conference. The three-day conference brought together hackers, security consultants, and government officials to talk tech about the latest tools and trends in the online arena.

Yet, the hackers evidently found it hard to stay away from wandering about the network.

Overt attacks against computers seemed to be rare. More attacks were of the same type that afflicted the hotel's free Ethernet network, which in this case had so-called ARP poisoning.

The Address Resolution Protocol, or ARP, is the means by which routers--the network device that directs information from the sender to the destination--keep track of what hardware is where. An attacker who successfully "poisons" a router's ARP tables can have a copy of data sent to them and can pretend to be another device on the network, such as the hotel's gateway.
By spoofing the hotel's gateway, for instance, an attacker's computer could grab data, allowing the hacker to read unencrypted passwords, e-mail or Web pages.

Along with giving the hotel network a case of confusion, unknown hackers set up eavesdropping programs and devices to capture data on the wireless network used by conference attendees.

To protect against eavesdropping and because most of today's e-mail servers don't allow encrypted logins, many attendees encrypted their mail using any of the several available programs.

Again, impersonation is the danger. By spoofing an encryption server, especially when the victim doesn't know the telltale signs of the hack--a warning that the server's encryption key has changed--the attacker can grab all the user's keystrokes.

No wonder the government personnel left their laptops at home. Standard procedure requires them to blank their systems before leaving for such a conference and reinstall the operating system when they return. Too much trouble, it seems, as none of them brought a laptop.

Other security experts decided to go PC-free as well, rather than deal with defending their laptops against all comers on the network.

Those that connected either have total faith in their security, plan to reinstall the operating system or don't mind wondering whether their PC caught something up north at CanSecWest.

From isn at c4i.org Tue May 7 03:51:46 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Aging Worms Still Crawl, Threaten Net
Message-ID:

http://www.pcworld.com/news/article/0,aid,98504,00.asp

Sam Costello, IDG News Service
Monday, May 06, 2002

The Nimda and Code Red worms, which emerged along with dire warnings that they could bring down large sections of the Internet (but didn't), may have a second chance.
New data in a study by Arbor Networks shows that both worms are alive and well, and still infecting new victims daily.

Though the data from Arbor's study is still preliminary, it shows a wide range of Code Red, Code Red 2, and Nimda infections, according to Dug Song, security architect at Arbor. The company has been monitoring a large section of the Internet since September and in that time has seen machines associated with about 5 million unique IP addresses become infected with one of the three worms, he said.

Infections Increase

Though Nimda infections are fairly level, the rate of Code Red 2 infections is up in the last month, he said. "There appears to be an ever-growing pool of Code Red 2-infected hosts [every month]," he said.

Why Code Red 2 continues to spread is still a mystery to Arbor, Song said. "We don't know what's accounting for this," he said. "It's counterintuitive," since infected systems should be getting patched and removed from the Web, he said.

Arbor's study isn't the only data that points to a continued presence for the worms. The worms still hold places in the top 20 viruses detected worldwide in April by Kaspersky Labs, and antivirus vendor Trend Micro has had more than 1500 reports of Nimda activity worldwide in the last 24 hours, according to a virus map on its Web site.

Nimda and Code Red both attack security vulnerabilities in Microsoft's IIS Web server product, although patches to fix the flaws have been available for nearly a year.

Despite the longstanding presence of the patches and the major push to fix vulnerable systems near the time of the original outbreaks, both worms have been constantly active since their release, said Oliver Friedricks, director of engineering at the consulting firm SecurityFocus.

SecurityFocus is "still seeing a pretty consistent level of both worms," Friedricks said, though there has been a small increase in activity in the last few months. This is likely due to "people ...
putting new systems on the Internet and not patching them" and those systems getting infected, he said.

Preventable Problem

The infection of unpatched machines that are new to the Internet is one of the main causes of the continued spread of the worms, said Russ Cooper, surgeon general of TruSecure and editor of the NTBugtraq security e-mail list.

Despite the data from Arbor and SecurityFocus, Cooper said the number of systems infected by the worms seen by TruSecure has been down slightly.

The continued spread of the worms and the conditions that allow it pose a serious problem, Cooper said. "We have a serious flaw in our infrastructure," he said.

Machines that are, or once were, infected with Code Red or Nimda may have been compromised by attackers, he said. "There are probably a significant number of machines that have been compromised and nobody knows," Cooper said.

Those machines could be used to launch massive denial-of-service attacks, though TruSecure has seen no indications that such attacks are imminent, he said. "It stands to reason that somebody may [launch such an attack]," he said.

SecurityFocus' Friedricks agreed, saying "it is fairly trivial for someone to do that. It's not really rocket science."

Arbor's Song underscored just how far from rocket science such an attack would be. Those attacks could be launched from a standard Web browser using Nimda-infected hosts, he said. "The bar is extremely low to launch a major, worldwide denial-of-service attack," he said.

Song is still working to assess what sort of damage could be wrought from such an attack and expects to release more information from the study in a month or so.

Ongoing Concern

None of the three researchers has an easy solution to the problem, though. A government agency with the goal to discover, notify, and educate businesses about such infections could help, Friedricks said. There is currently no such agency, he said.
For his part, Cooper urges some way to hold accountable any users or companies who are spreading worms and other malicious code. One possible way would be to make Internet service providers liable for their customers' spreading of malicious code, he said. He did concede, though, that such a step was not likely to occur.

Neither is sure what will help change the situation. Even with 2001 being such a notable year for computer security incidents, thinking and behavior around these issues has not changed enough, Cooper said.

"Maybe it's going to take a massive online attack ... a concerted attack against government interests. It's hard to say what will cause a shift in the thinking," Cooper said.

Until thinking changes, though, all three agree that Nimda and Code Red will persist, much as other viruses do. As long as there are vulnerable systems on the Internet, "they'll be out there for a while," Friedricks said.

"It's very unlikely that we'll see any fix to this until the installed base of IIS servers is upgraded or patched," Arbor's Song said. "Code Red and Nimda are going to be a permanent part of the Internet landscape for some time to come," he said.

From isn at c4i.org Wed May 8 01:07:50 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: Points to ponder, was Re: [ISN] Deceptive Duo in the news again
Message-ID:

Forwarded from: H C
Cc: jericho@attrition.org, deceptive@linuxmail.org

Well, according to CNN/IDG, we now have an idea of the methods used by the DD to gain access to the systems...

http://www.cnn.com/2002/TECH/internet/05/06/national.security.hackers.idg/index.html

The methods they reportedly used to compromise the sites are clear, but there is another issue at hand:

The article states:

"They say they have hacked into classified and nonclassified systems..."
And then later:

""We had access to data and Web servers which included things such as pictures from Operation Restore Hope...""

Okay...I'm not sure how that constitutes "classified" information.

Finally:

"Williamson adds that the pair didn't get access to any classified information."

So...DD says they did, Williamson says they didn't. Given that the method of attack used wasn't your basic directory traversal exploit, who knows what they had access to, or what they did to the systems besides simple web page defacements.

The fact that SQL was accessible via the 'net is bad enough, but the fact that the DD were able to get in via "NetBIOS brute force" amazes me...not so much that they were able to do so, but they didn't get caught. Doesn't anyone enable logging in the EventLog anymore? Doesn't anyone review the logs?

This also concerns me b/c since about Nov '01, the majority of security engineer positions available in the metro DC area have all required current TS clearances. I interviewed for some of them (no, my clearance isn't active) and found out that they were for the FAA. The FAA had/has contracts w/ defense contracting firms for analysts to monitor network activity in a NOC. Other "gubmint" agencies have the same thing. That being the case, why were these attacks not detected?

From isn at c4i.org Wed May 8 01:13:25 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Chernobyl virus rides Klez's coattails
Message-ID:

Forwarded from: Christian Wright

http://news.com.com/2100-1001-900050.html?tag=fd_top

By David Becker
Staff Writer, CNET News.com
May 6, 2002, 12:30 PM PT

The Klez worm just keeps on giving.
The persistent pest, which made a strong comeback last month in the form of the Klez.h variant, is now helping revive the Chernobyl virus, according to a new report from antivirus company Symantec.

The report says that a virus known as W95.CIH.1049, a slight variation of the W95.CIH bug dubbed the Chernobyl virus when it began spreading four years ago, has been detected in recent infections of the Klez worm. The main difference with the new virus is that it's set to activate on Aug. 2 of every year, as opposed to the April 26 attack date of the original Chernobyl.

Vincent Weafer, senior director of Symantec's Security Response team, said the company began seeing Chernobyl-infected messages last week, but they continue to account for only a handful of the thousands of Klez infested messages the company sees daily.

Weafer said the viral bonus wasn't intentional but rather a by-product of Chernobyl-infected PCs also propagating the Klez worm.

"As far as (Chernobyl) is concerned, the Klez worm is just another file to infect," Weafer said. "It's quite common to see piggybacking effects when you have worms that have been propagating for a long time in the world."

Even though Chernobyl is ancient by virus standards and easily detected by almost any antivirus software, Weafer said it's not unusual to have bugs still making the rounds years after their debut.

"When you look back at viruses, you see recurrences," Weafer said. "They can live for many years out in the wild."

The first version of the Klez worm surfaced early last year, with subsequent variations causing damage ranging from moderate to minor. Bug writers hit pay dirt with the Klez.h variant, however, which quickly became one of the most active worms ever after it surfaced last month.

Moscow-based security company Kaspersky Labs recently ranked Klez as by far the most active e-mail threat in April, responsible for 94.5 percent of all incidents reported during the month.
British e-mail screening firm MessageLabs ranks Klez.h as No. 3 on its list of all-time most active computer pests, with more than 391,000 infections intercepted. At current rates of infection, Klez.h should surpass the No. 2 bug, BadTrans.b, in a few days. It'll have a long way to go, however, to catch the all-time champ, the SirCam worm, still going strong with more than 748,000 interceptions to date.

From isn at c4i.org Wed May 8 01:20:59 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] 'Dr. Chaos' indicted in Wisconsin utility attacks
Message-ID:

http://www.chicagotribune.com/news/showcase/chi-020507chaos-story.story?coll=chi%2Dnews%2Dhed

The Associated Press
Published May 7, 2002, 3:21 PM CDT

MILWAUKEE -- A man who calls himself "Dr. Chaos" and was accused of storing cyanide in Chicago's subway was indicted Tuesday on more than 50 acts of vandalism in 13 Wisconsin counties.

The 13-count federal indictment against Joseph Konopka, 25, formerly of rural De Pere, Wis., is in connection to 53 acts of violence targeting energy facilities, telecommunications equipment and air navigation systems in Wisconsin.

"This is a great day for law enforcement," said Lt. David Cornelius of the Kewaunee County Sheriff's Department. "It's fantastic to see this come to some closure."

He and more than a dozen other representatives from county sheriff's departments joined U.S. Atty. Steven M. Biskupic at a news conference Tuesday at Milwaukee's federal courthouse.

Biskupic said Konopka caused more than $800,000 in damage and about 28 electrical outages and other service interruptions affecting more than 30,000 power customers.

Konopka, who went by the online name "Dr. Chaos," was charged March 11 in Chicago with possession of a chemical weapon.
Konopka allegedly took over a Chicago Transit Authority storage room under the downtown area and stored sodium cyanide and potassium cyanide there.

The Federal Bureau of Investigation said he claimed to be the leader of a Wisconsin group of vandals known as the "Realm of Chaos." He was charged March 23, 2001, in Door County with six felonies and three misdemeanors ranging from theft and burglary to criminal property damage.

Konopka is accused of training his followers to hack into government computers, vandalize electric utility equipment, break into radio towers and burn facilities, a criminal complaint said. He formerly worked at Infinity Technologies in Green Bay.

From isn at c4i.org Wed May 8 01:12:52 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Working in a network war zone
Message-ID:

Forwarded from: bschnzl@bigfoot.com

This article was brought on by one who tried sniffing in a switched environment. He (She) had not practiced enough or was not familiar with the equipment he was manipulating. The sensational writing does add a bit to the occurrence...

In a message titled [ISN] Working in a network war zone, on 7 May 2002 at 3:51, InfoSec News sent these words:

> http://news.com.com/2100-1001-900511.html?tag=fd_top
>
> By Robert Lemos
> Staff Writer, CNET News.com
> May 6, 2002, 4:00 PM PT
>
> reporter's notebook - VANCOUVER, British Columbia -- Even before the
> CanSecWest security conference started on Wednesday, unknown hackers
> had given the hotel's high-speed network a case of the hiccups. By
> Wednesday evening, the system was laid out flat.
>
> The pros were peeved, and a call for an electronic posse went out.
> "We're forming a hunting party," Dragos Ruiu, independent security consultant and conference organizer, told the room of nearly 150 hackers and security experts late Thursday afternoon. "If anyone wants to help us find out who's...poisoning the hotel network, talk to me."
>
> But that evening, the vandal stayed offline and the hotel network was, for a little while, glitch free.
>
> Networks don't come much more hostile than those at the CanSecWest security conference. The three-day conference brought together hackers, security consultants, and government officials to talk tech about the latest tools and trends in the online arena.

[...]

Bill Scherr IV, GSEC, GCIA
Electronic Warfare Associates / IIT
Lafayette RTI, Camp Johnson
Colchester, VT 05446
802-338-3213


From isn at c4i.org Wed May 8 01:11:31 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] GnuPG 1.0.7 released.
Message-ID:

Forwarded from: Jay D. Dyson
Cc: Cryptography List

Hi folks,

I hadn't heard about this until just now, so I figured I'd pass it along. The latest iteration of GnuPG has been released with a load of changes and updates, far too many to mention. For more information, I'll let Werner Koch do the talking:

http://lists.gnupg.org/pipermail/gnupg-announce/2002q2/000251.html

And off I go to upgrade...

-Jay

"There's always time for a good cup of coffee"
Jay D. Dyson -- jdyson@treachery.net
Dead I Am The One Exterminating Sun.


From isn at c4i.org Wed May 8 01:10:45 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] [defaced-commentary] `Evil Angelica' Parodies Government Site Hacking Duo
Message-ID:

---------- Forwarded message ----------
Date: Tue, 7 May 2002 13:29:36 -0400 (EDT)
From: security curmudgeon
To: defaced-commentary@attrition.org
Subject: [defaced-commentary] `Evil Angelica' Parodies Government Site Hacking Duo

`Evil Angelica' Parodies Government Site Hacking Duo
http://www.newsbytes.com/news/02/176429.html

By Brian McWilliams, Newsbytes
LOS ANGELES, CALIFORNIA, U.S.A., 07 May 2002, 9:44 AM CST

Mocking the efforts of a defacement team known as the "Deceptive Duo," an online vandal who refers to herself as "Evil Angelica" has struck at least two Web sites since Monday.

The tongue-in-cheek attacker, calling herself "The Mystical Mono," replaced the home pages at Eligance.com and Saad.de with a parody of the document that has been posted at dozens of U.S. government sites by the Deceptive Duo since late April.

The Duo's defacements, which included systems operated by the Federal Aviation Administration and the U.S. Navy, stated that the team's mission was to "take necessary measures to ensure that the public is aware of The United States of America's lack of security."

According to the Deceptive Duo, "We are two U.S. citizens that understand how sad our country's cybersecurity really is."

[snip..]

Mirror of one parody defacement:
http://www.zone-h.com/defaced/2002/05/05/asp.navair.navy.mil/

-
The information and commentary is Copyright 2002, by the individual author.
Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org is credited. The opinions expressed in this mail are not necessarily the opinion of all Attrition staff members.

Commentary Archive: http://www.attrition.org/security/commentary/
The Attrition Mirror: http://www.attrition.org/mirror/attrition/
Country/TLD Statistics: http://www.attrition.org/mirror/attrition/country.html
Attrition Defacement Statistics: http://www.attrition.org/mirror/attrition/stats.html
Operating System Graphs: http://www.attrition.org/mirror/attrition/os-graphs.html
Other Web Defacement Mailing Lists: http://www.attrition.org/security/lists.html
Contacting Attrition Staff: staff@attrition.org

To subscribe to Defaced Commentary, send mail to majordomo@attrition.org with "subscribe defaced-commentary" in the BODY of the mail (without quotes). To unsubscribe, include "unsubscribe defaced-commentary" in the BODY of the mail.


From isn at c4i.org Wed May 8 01:23:43 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] The Feds' Top Hacker Speaks
Message-ID:

http://itmanagement.earthweb.com/secu/article/0,,11953_1040041,00.html

By Sharon Gaudin
May 7, 2002

One man is known for attacking the computer networks at various government agencies in the United States. His photo, along with a warning to not give him admittance to the building, is posted all around the Beltway. He may not necessarily be the most popular guy in town but 24 government agencies, like the IRS and the Department of Agriculture, are more secure because of him.

Keith A. Rhodes, chief technologist with the U.S. General Accounting Office, makes it his business to attack the networks so he can find any holes and seal them up before a malicious attack can take advantage of them.
Rhodes and his team run penetration tests 10 times a year, and they never fail to break in. Here he talks about what companies should be doing to protect themselves, what risks are looming ahead and what exciting security technology is coming down the road.

Q: How good are U.S. companies at protecting their computer networks and their information?

It's uneven. Some firms are very, very good and they tend to be banks, the stock exchange and other financials. The day-to-day run-of-the-mill business is not all that good. That's one of the myths that needs to be dispelled -- that the government is the only one that doesn't know how to do security. Because of the testing work the government does, they actually do it better than the private sector.

Q: What are companies doing right?

They are laying out firewalls. They are putting routers that filter packets and filter IP addresses. They are doing more employee awareness. They are installing better login authentication systems. They are doing secured conferencing more than the government is. But it's still uneven. You go to some firms and you see all those things in place. You go to some other firms and see next to nothing in place.

Q: What isn't working when it comes to corporate security?

The chief security officer is not in the boardroom. The CIO is not speaking for security. The CIO is speaking for the business function, and I accept that because he is a business director. What cachet does the security officer have with executives in the company? If he doesn't report to a top executive, the company isn't taking security seriously. If the CIO and the CTO are in the top box and the CSO is just outside the box, they've got to rearrange their priorities. If the CSO isn't in the boardroom, then the company goes forward at its own peril.

Q: What is the biggest corporate security threat today?

Industrial espionage -- someone trying to steal your idea. This is an idea game.
Somebody wants to steal your patents, or your first production line item, or how you're going to bid on a contract. They want the normal stuff that any other business wants. Don't try to nail it down to an individual country. Everybody in the global market is in business for themselves, and they'll come after you one way or another. They'll see you at a conference and they'll come after you there. They'll say they're a grad student doing some research. People are going after your information like nobody's business.

Q: What security risks are looming ahead that IT executives should be preparing for?

One of these days in the not so distant future, your PDA, your laptop and your phone will be one appliance. It will be video and it will be voice. It will be everything to you. When you have everything in one place, then it becomes very dangerous. If somebody does the digital equivalent of a smash and grab, you could lose everything -- all your information. That's what people need to worry about. If you keep your entire digital life and your corporate plan and everything else all in one place, when somebody gets it physically or virtually, then you're done.

Q: What security technology is coming down the pike that you're the most excited about?

There are some tools that are coming to secure this all-in-one laptop/desktop device. High levels of encryption are coming. We'll be able to get the entire corporate network security structure in a handheld device. I've seen some prototypes and it's really quite exciting. The chips are small and high-powered. You can put them into these smaller devices and it's amazing to see the miniaturization of the technology. And some national labs are working on quantum cryptography -- basing cryptology on sub-atomic particles. They're using the vibrations of atoms to generate random numbers. It's nano technology in terms of very, very small locks for your data. Molecular-size security devices.
From isn at c4i.org Wed May 8 01:06:12 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Attack on infrastructure
Message-ID:

Forwarded from: "Ian M. Fraser"

[Please direct all replies to Mr. Fraser. - WK]

I am currently conducting research for a white paper on defensive IO/IW posture for telecommunications operators. I am seeking information regarding attacks and penetrations of telecom operator systems, in fact any information regarding compromise of the integrity of such systems would be very welcome.

Ian M Fraser
Principal Consultant
Manager - Australian Fraud & Security Office
Lead, Follow or step aside
* +61 8 9488 7225
* +61 414 537 025
* +61 8 9488 7299
* ian.m.fraser@ericcson.com.au
* http://bsa.epa.ericsson.se/bs/afso/default.asp
* http://www.ericsson.com.au
* Level 3, 5 Mill Street, Perth WA 6000


From isn at c4i.org Wed May 8 01:14:23 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Old Microsoft bug may cause data leaks
Message-ID:

http://news.com.com/2100-1023-901112.html?tag=fd_top

By Bruce Simpson
Special to CNET News.com
May 7, 2002, 10:20 AM PT

A security hole affecting old copies of some Microsoft Office applications may have left a legacy of data leaks with the potential to reveal sensitive information and weaken security on government and commercial Web sites around the world.

The Google search engine reports that there are over half a million Microsoft Word .doc files available for download from various Web sites. Of these, a small but significant percentage have been created using versions of the software known to create "leaky" documents.
First discovered in 1998, the bug causes random fragments of data from previously deleted files to be included in areas of a document that are otherwise unused. This random data can contain anything that might have once been stored on the creator's computer, including passwords, sections of other documents and correspondence.

Anyone downloading affected documents and browsing them with a hex editor--a program that allows a user to look at code--can easily view this extra information, although it otherwise remains invisible.

The applications responsible for producing these potentially leaky documents were Microsoft Word 6.0 and 7.0, plus version 7.0 of PowerPoint and Excel. Although a patch was quickly released to plug the hole, documents created before the patch was applied, and not subsequently edited, may still contain the unexpected snippets of sensitive data.

U.S. government Web sites also appear vulnerable to these potential leaks, with some 240,000 Word documents and 32,000 PowerPoint files listed by Google under the .gov domain. A small sampling indicates that up to 5 percent of these documents may have been created with the buggy versions of the software.

The problem appears to be a global one, although it is more pronounced in areas where the Net was in common use before the flaw was uncovered. Potentially leaky documents have been discovered on the government Web sites of a number of other countries, including Canada, France, Australia and New Zealand.

ZDNet Australia's Bruce Simpson reported from Sydney.
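An added example, not from the article and not a Microsoft utility: a Python triage scanner that automates the hex-editor browse the article describes, so a corpus of old .doc files can be checked without opening each one. It runs over a constructed document buffer (the compound-file header is the real OLE2 magic; the visible text and the leaked fragments are invented here), pulls printable 8-bit and UTF-16LE runs out of the bytes, and reports the ones that match address, password, mail-header or card-number patterns yet do not appear in the document's visible text, which is where stale data from the Word 6/7 bug would sit.

```python
"""Triage scan for leaked fragments in binary Office documents.

Added example, not from the article and not a Microsoft tool: it pulls
printable 8-bit and UTF-16LE runs out of a document's bytes and flags the
ones that look like the material the article describes (addresses,
passwords, correspondence) but are absent from the visible text.
"""
import re

# Magic number of an OLE2 compound file, the container used by binary
# Word/Excel/PowerPoint documents.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Patterns that deserve a human look. Hits are leads, not proof of a leak.
SUSPICIOUS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "password": re.compile(r"(?i)\b(password|passwd|pwd)\b\s*[:=]"),
    "mail_header": re.compile(r"^(From|To|Subject):\s", re.M),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

# Older binary Word files store text as 8-bit characters, Word 97 and later
# as UTF-16LE, so both encodings are searched.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def is_compound_file(blob):
    """True if the bytes start with the OLE2 compound-file header."""
    return blob.startswith(OLE2_MAGIC)


def extract_strings(blob):
    """Yield (offset, encoding, text) for every printable run in blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def triage_document(blob, visible_text=""):
    """Return suspicious string hits that are not part of the visible text.

    visible_text is what the word processor shows for this document; a
    matching run that is absent from it lives in an unused area of the file,
    which is exactly where the Word 6/7 bug deposited stale data.
    """
    hits = []
    for offset, enc, text in extract_strings(blob):
        if visible_text and text in visible_text:
            continue  # part of the document proper, not slack
        for kind, pattern in SUSPICIOUS.items():
            if pattern.search(text):
                hits.append({"offset": offset, "encoding": enc,
                             "kind": kind, "text": text})
    return hits


# Constructed sample: a compound-file header, the document's own text, and
# a "slack" region holding the sort of fragments the buggy versions copied
# in from uninitialised memory. None of this is a real document.
VISIBLE_TEXT = "Quarterly budget summary for the Denver office."
SAMPLE_DOC = (
    OLE2_MAGIC + b"\x00" * 24
    + VISIBLE_TEXT.encode("ascii") + b"\x00" * 16
    + b"From: alice@example.net\nSubject: re: merger\n" + b"\x00" * 8
    + "Password: hunter2".encode("utf-16-le") + b"\x00" * 8
)

if __name__ == "__main__":
    print("compound file:", is_compound_file(SAMPLE_DOC))
    for hit in triage_document(SAMPLE_DOC, VISIBLE_TEXT):
        print(f"{hit['offset']:6d} {hit['encoding']:8s} {hit['kind']:12s} {hit['text']!r}")
```

For a real corpus, feed each downloaded file's bytes to triage_document together with the text a converter extracts from it; the hits are a reading list for a human, not a verdict.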
From isn at c4i.org Wed May 8 01:14:50 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] EDS bans IM
Message-ID:

http://www.theregister.co.uk/content/55/25185.html

By John Leyden
Posted: 07/05/2002 at 17:42 GMT

EDS, the computer arm of the British government, has banned its staff from using Instant Messenger products in the workplace. It cites security concerns, especially over virus transmissions.

A memo to staff from EDS' security compliance unit leaked to The Register describes "use of Instant Messenger (IM) products through the Internet" as a "risk to Client EDS' infrastructure and network". The company will block access to public Internet instant message sites at its firewalls from tomorrow (May 8).

Security staff can make exceptions to the rule but the policy means that from tomorrow EDS staff will be unable to use popular IM products such as AOL, ICQ and Yahoo!

Gateway AV tools or managed services providers can be used to block infectious emails before they reach end users, but instant messages go directly to workstations - so skipping a layer of defence. IM is convenient but it can create holes into an organisation.

Instant messaging attacks have become a common method of propagation in recent viral outbreaks, and (as CERT warned back in March) a tool for social engineering, including tricking users into running malicious software (potentially DDoS attack tools) on their machines.

Neil Barrett, technical director of security consultancy firm IRM, said IM products are "implicitly clandestine" and make the exchange of files easier - something likely to be frowned on by security-conscious organisations.

EDS is not noted for its lightness of touch with staff - and it hasn't always been so cosy with the UK government. In 1986, the company was found out ordering staff, American nationals, to lie to British immigration officials.
The staff were told to say they were coming to the UK on holiday, when in reality, their real purpose was to work. That cost EDS one measly UK government contract - or, to be precise, the chance to bid for one contract.


From isn at c4i.org Wed May 8 01:10:17 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Security myths costing firms
Message-ID:

Forwarded from: rferrell@texas.net

> A better approach was to employ "synergistic security", which hinged on the concept of redundancy in security controls, Dr Tippett said.

An even better and more effective approach is to stop relying solely on patches, IDS, firewalls, and other software to protect your networks. Human beings with training and experience must be sitting there watching these tools work, and reading the logs they produce. Relying on software (and hardware, for that matter) to keep your enterprise safe is like slapping a motion detector on your front gate and calling it secure. If there's no living person watching your portal, someone circumventing its security is not only possible, it's more or less inevitable.

> Better technologies only accounted for a tenfold improvement in safety; better education and better practices had multiplied this a hundredfold.

Better education and practices of systems administrators and users, to be precise.

> At a bare minimum, companies should have either two primary controls (with greater than 90 per cent effectiveness), or a primary and at least three synergistic controls for each category of risks.
> "Failure of any one control in a scenario like this would still leave better than 99 per cent effectiveness," Dr Tippett said.

Yeah, great, but don't forget the human element. The infosec industry needs to emphasize that people, not computers, are the best defense.
Without trained professionals analyzing the data collected by an IDS, for example, it's just not very useful. Until infosec heuristics begin to approach human levels of sophistication, the best hardware on the planet is just a fancy screwdriver.

> 'Encryption over the internet is important.'
>
> But Dr Tippett said the increasing speed and complexity of networks meant it was almost impossible to inspect traffic for a single message.

Way too general. Encryption of what? If you're in a high risk business or just paranoid about your personal privacy, encryption is quite important. This statement only seems to cover email encryption. The major uses of encryption on the public Internet are SSL, SSH, and VPNs, however, which encrypt all traffic. If you want to send your SSN, credit card numbers, and proprietary data in plaintext, be my guest. This sort of cavalier attitude is what makes online identity theft so easy.

> 'More obscure end-user passwords are advisable.'
>
> There was no measurable benefit, he said.

Sorry, my BS detection meter just went off. I hope this statement is simply taken out of context. A quick look at the number of intrusions, especially of Microsoft-based systems, which began with a cracker brute-forcing a user password will quickly dispel any notion that password construction has no 'measurable benefit' on security. There are a lot of password-cracking programs out there, and the reason people have devoted so much effort to their creation is that cracking passwords is one of the easiest and surest ways into a system. Once you're in, privilege elevation attacks are usually fairly straightforward.

> Dr Tippett said daily updates were only 1 or 2 per cent better than weekly updates.

I agree with this. If antivirus companies would stop relying on pattern-matching and start incorporating more heuristics-based detection, however, the need for regular updates would disappear.
> Vulnerabilities have to be quantified in terms of the probability of a threat succeeding. In many cases, a threat would not be worth worrying about.

True. But who's going to look at every vulnerability that is announced and evaluate it in terms of its probability of exploitation on a given system? That requires a trained and dedicated analyst. A human being. See above.

> Just get firewalls up to 90 per cent effectiveness and ensure default router rules are not overridden, Dr Tippett advises.

Well, at least change default passwords and community strings.

> "It's about concentrating on essential practices, rather than best practice," Dr Tippett said.

And the essence of information security is the human element driving it.

RGF

Robert G. Ferrell
rferrell@texas.net


From isn at c4i.org Thu May 9 02:11:33 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Social Engineering: The Human Side Of Hacking
Message-ID:

http://itmanagement.earthweb.com/secu/article/0,,11953_1040881,00.html

By Sharon Gaudin
May 7, 2002

A woman calls a company help desk and says she's forgotten her password. In a panic, she adds that if she misses the deadline on a big advertising project her boss might even fire her. The help desk worker feels sorry for her and quickly resets the password -- unwittingly giving a hacker clear entrance into the corporate network.

Meanwhile, a man is in back of the building loading the company's paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials. All free for the taking.

Hackers, and possibly even corporate competitors, are breaching companies' network security every day.
The latest survey by the Computer Security Institute and the FBI shows that 90% of the 503 companies contacted reported break-ins within the last year.

What may come as a surprise, according to industry analysts and security experts, is that not every hacker is sitting alone with his computer hacking his way into a corporate VPN or running a program to crack executives' passwords. Sometimes all they have to do is call up and ask.

"There's always the technical way to break into a network but sometimes it's easier to go through the people in the company. You just fool them into giving up their own security," says Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, which has a Congressional mandate to test the network security at 24 different government agencies and departments. "Companies train their people to be helpful, but they rarely train them to be part of the security process. We use the social connection between people, their desire to be helpful. We call it social engineering.

"It works every time," Rhodes says, adding that he performs 10 penetration tests a year on agencies such as the IRS and the Department of Agriculture. "Very few companies are worried about this. Every one of them should be."

Playing Off Trust

Social engineering is the human side of breaking into a corporate network. Companies with authentication processes, firewalls, VPNs and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone with someone they don't know or even by talking about a project with coworkers at a local pub after hours.

"Incidents of social engineering are quite high, we believe," says Paul Robertson, director of risk assessment at Herndon, Va.-based TruSecure Corp. "A significant portion of the time, people don't even know it's happened to them. And with the people who are good at it, their [victims] don't even know they've been scammed."
Robertson says for companies with great security technology in place, it's almost always possible to penetrate them using social engineering simply because it preys on the human impulse to be kind and helpful, and because IT executives aren't training employees to be wary of it.

"People have been conditioned to expect certain things," says Robertson. "If you dress in brown and stack a whole bunch of boxes in a cart, people will hold the door open for you because they think you're the delivery guy...Sometimes you grab a pack of cigarettes and stand in the smoking area listening to their conversations. Then you just follow them right into the building."

Guard The Perimeter

Eddie Rabinovitch, vice president of global networks and infrastructure operations at Stamford, Ct.-based Cervalis LLC, says he is definitely aware and on alert for various types of security attacks -- technical or not. Cervalis is a managed hosting and IT outsourcing company.

"We continuously have training about security in general and social engineering in particular," says Rabinovitch. "People are out there looking for information. They're always looking for new ways to get at that information. In many cases, you can deal with it with tools, but it always comes down to procedures and your people."

Rabinovitch says he deals with social engineering by focusing a lot of training on his people on the perimeter -- security guards, receptionists and help desk workers. For instance, he says security guards are trained to check on visitors if they go out in the smoking area to make sure they're not handing their admittance badge over to someone else. And he adds that if someone shows up in a utility worker's uniform, his visit is confirmed before he is allowed into the building to do any work.

Rhodes, who has focused on computer security, privacy and e-commerce in his 11 years at the GAO, says a lot of companies unwittingly put sensitive information up for grabs.
Some companies list employees by title and give their phone number and email address on the corporate Web site. That allows a hacker to call an office worker and say Sally Jones in the Denver accounting office wants you to change my user ID. Or Rhodes says a company may put ads in the paper for high-tech workers who trained on Oracle databases or Unix servers. Those little bits of information help hackers know what kind of system they're tackling.

Brian Dunphy, director of analysis operations at Alexandria-Va.-based RipTech Inc., a security analyst and consulting firm, says when they do risk assessments for their corporate customers it's a given that if they use social engineering, they'll be able to break in.

"It's never been much of an effort to exploit social engineering and get in," says Dunphy. "Companies may request that we use social engineering. We really only do it for the non-believers."


From isn at c4i.org Thu May 9 02:06:59 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] "Nessus calls home"? Facts of the matter.
Message-ID:

Forwarded from: Jay D. Dyson

Courtesy of Renaud Deraison (forwarded with permission). I believe this should be given wide dissemination to dispel the rumors that flew around CanSecWest.

-Jay

---------- Forwarded message ----------
Date: Wed, 8 May 2002 16:50:09 +0200
From: Renaud Deraison
To: nessus@list.nessus.org
Subject: "Nessus calls home"

Hi,

I attended CanSecWest last week and I was told there were rumors of people complaining about Nessus "calling home" when doing a scan. In order to clear the confusion, here's a small explanation of what Nessus does, followed by a short poll asking you what you'd prefer it to do.

First, let me emphasize something: Nessus does *not* call home.
It never does, never did and never will. However, the checks have a side effect that may have the naughty side effect of sending some packets to nessus.org, which can make people think I have the ability to monitor their scans - here's the list:

1. SMTP checks

Several SMTP checks send an email coming from or going to nessus@nessus.org (also test_1@nessus.org and test_2@nessus.org). These checks are mostly used for bounce or old sendmail attacks. With these checks, the expected behavior of the MTA is either to send a 50x error code or to fail to the attack. Under some rare circumstances however, the mail may be bounced back to nessus@nessus.org, which is a non-existing mailbox on mail.nessus.org.

So if I were to spy on my users, one could imagine I'd grep "nessus@nessus.org" in /var/log/maillog and see who's using Nessus. I don't do that, but I admit it could be done.

Why do I use "nessus@nessus.org"? Well, for the relay checks, it sounded good to use a really existing mail domain, so that half-smart mailers which do some DNS checks on email addresses would not reject the mail for the sole reason that the email domain is not valid. It was suggested to me to use example.com, but there's no MX for that domain, so I don't like it.

2. Proxy check

A proxy check attempts to establish a connection to www.nessus.org. As for relaying, the point here is to see if we can use the remote proxy to connect to an outside web server. So if I were naughty, I could attempt to differentiate the requests going to www.nessus.org and find out which ones were coming from an open proxy, then use that proxy to get my pr0n.

Note that in all these cases, even if I was berserk, I would not get the results of the scan or even know what other hosts you're testing on your network. I understand however that people may think that means Nessus is "phoning home".
Once again, this is not the purpose - I just use the nessus.org domain in some checks because these checks require a valid third party domain (and if I was to change that to microsoft.com or something that does not belong to me, it might be unpopular). Note that these choices make the detection of Nessus quite a bit easier for IDSes. I can change that to www.example.com, I did not know this website existed until last week.

So now, this is poll time (please reply privately):

- Does that issue bother you?

- If it does, would you feel safer if Nessus was using example.com as a domain? (even though it may mean weaker tests as example.com has no MX record). Or would you prefer to have the ability to select the domain name yourself manually? (with the option defaulting to nessus.org or example.com)

-- Renaud


From isn at c4i.org Thu May 9 02:08:40 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Caution Urged On Corporate Exemptions In Security Bill
Message-ID:

http://www.informationweek.com/story/IWK20020508S0005

By Eric Chabrow
May 8, 2002

A high-ranking Justice Department official cautions that legislation before Congress shouldn't prevent the prosecution of corporate offenders who voluntarily provide authorities with company secrets that could prevent cyberterrorist attacks on the nation's IT infrastructure.
The aim of the proposed Critical Infrastructure Information Security Act--the subject of a hearing Wednesday before the Senate Governmental Affairs Committee--is to exempt businesses that voluntarily reveal secrets involving IT or network vulnerabilities from provisions of the Freedom of Information Act. The FOIA often is used by citizens to compel the government to reveal secrets. The bill would limit the use of information disclosed for cyberprotection in potential lawsuits against businesses.

Several speakers told the committee they believe the bill, as written, could prevent legal action against companies that voluntarily reveal potentially damning information about their IT infrastructure vulnerabilities. Deputy Assistant Attorney General John Malcom wants the bill changed so such information could be used in criminal cases. "While perhaps legitimate concerns," Malcom says, "let me be clear that the Justice Department would not support legislation that would prohibit the government from using voluntarily provided information in a criminal proceeding."

The bill's key sponsor, Sen. Robert Bennett, R.-Utah, said he doesn't want to provide cover for illegal activity. Still, he suggested, the nation would be better off if a few businesses escaped government action if the sharing of information between industry and government prevented terrorists from attacking the nation's IT infrastructure. "What we're talking about is information that otherwise wouldn't have been known," Bennett said.

Bennett said potential cyberattacks by American enemies would be waged on networks and computers owned by private companies, since they control between 85% and 90% of the nation's critical IT infrastructure. "The future battlefield is in private hands," he said.

Most businesses don't share sensitive information about their IT and network vulnerabilities with federal authorities.
An FBI survey released last month revealed that 90% of respondents detected computer security breaches in the previous 12 months, but only 34%--up from 16% in 1996--reported these intrusions to law enforcement. "The two primary reasons for not making a report were negative publicity and the recognition that competitors would use the information against them," Richard Dick, director of the FBI's National Infrastructure Protection Center, told the committee. Bennett's bill would not only exempt businesses that voluntarily share information from FOIA provisions, but provide exemptions from antitrust laws so they could share infrastructure information with competitors in industry forums known as ISACs, or Information Sharing and Assessment Centers, in efforts to thwart cyberattacks. "Companies won't disclose voluntarily if it could bring financial harm to them," said bill supporter Ty Sagalow, a board member of the financial-services industry's ISAC and chief operating officer of insurer American International Group's E-Business Risk Solution unit. "The risk is too great. Better to keep your mouth shut. Better safe than sorry." But Alan Paller, director of research at the Sans Institute, which trains cybersecurity software developers, doubts the bill will get companies to share such secrets. "Companies see no advantage in reporting," he said. "If government wants companies to report more attack data, make reporting mandatory." David Sobel, general counsel of the Electronic Privacy Information Center, said the Bennett bill is unnecessary, noting that provisions in the FOIA and court precedent already provide protections to businesses that want to keep sensitive corporate data secret. The bill could keep secret unsafe practices engaged by private operators of nuclear power plants, water systems, chemical plants, oil refineries, and other facilities that could pose a risk to public health and safety, Sobel said. 
"In short," he said, "critical infrastructure protection is an issue of concern not just for the government and industry, but also for the public." - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Thu May 9 02:10:41 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:08 2008 Subject: [ISN] Security myths costing firms Message-ID: ---------- Forwarded message ---------- Date: Wed, 08 May 2002 11:11:55 -0400 From: Ian Grigg To: Digital Bearer Settlement List Subject: Re: [ISN] Security myths costing firms > Tippett's Top Net Security Myths > > 'Encryption over the internet is important.' > > But Dr Tippett said the increasing speed and complexity of networks > meant it was almost impossible to inspect traffic for a single > message. Yep. And, Certs won't do anything much for you either. -- iang, who's still waiting for the first recorded theft of a credit card number over the net, thus justifying billions in stock price and other billions in infrastructure costs. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Thu May 9 02:12:41 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:08 2008 Subject: [ISN] CERT Cautions On Sun Cachefs Daemon Message-ID: http://siliconvalley.internet.com/news/article/0,2198,3531_1038631,00.html By Michael Singer May 6, 2002 Less than a week since it warned against rwall daemon vulnerabilities, officials with CERT Coordination Center said there are again serious holes that may affect some Sun Microsystems (NASDAQ:SUNW) servers. The Internet watchdog late Monday said a heap overflow in Cachefs Daemon (cachefsd) has been identified and there are credible reports of scanning and exploitation of Sun Solaris 2.5.1, 2.6, 7, and 8 (including SPARC and Intel (NASDAQ:INTC) Architectures) running cachefsd. 
Cachefsd, which is installed by default with the above servers, caches requests for operations on remote file systems mounted via the NFS protocol. A remote attacker can send a crafted RPC request to the cachefsd program to exploit the vulnerability.

If left untreated, Sun said the vulnerability might leave a core dump file in the root directory. "The presence of the core file does not preclude the success of subsequent attacks," a Sun Alert Notification reports. "Additionally, if the file exists, it may contain unusual entries."

If there is a problem, the networking giant suggests a reboot, or sending a HUP signal to inetd(1M) and killing existing cachefsd processes.

CERT/CC said logs of exploitation attempts might resemble the following:

* May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
* May 16 22:46:21 victim-host last message repeated 7 times
* May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error- core dumped
* May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
* May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
* May 16 22:46:59 victim-host last message repeated 1 time
* May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
* May 16 22:47:07 victim-host last message repeated 3 times
* May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
* May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped

So far the vulnerability does not affect similarly classed servers from IBM (NYSE:IBM) or SGI (NASDAQ:SGI).

Palo Alto, Calif.-based Sun is asking its customers to check its Alert Notification Web site for the latest patch information.
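The log excerpt above is a detection opportunity in its own right: a run of inetd-reported faults in one daemon inside a short window is what an attacker hunting for a working overflow leaves behind, whether or not any single attempt succeeded. The Python below is an added example (mine, not CERT/CC's or Sun's): it parses syslog lines of that shape, expands syslog's "last message repeated N times" compression back into individual events, and flags crash bursts per host and daemon. The sample log is constructed to mirror the excerpt (placeholder host, pids and an unrelated line), and the year, the 300-second window and the threshold of three are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the excerpt CERT/CC published for the cachefsd
# attacks: same message shapes, placeholder host and pids, plus one unrelated line.
SAMPLE_LOG = """\
May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:21 victim-host last message repeated 7 times
May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error- core dumped
May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 23:10:00 victim-host sendmail[700]: alias database rebuilt
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# inetd logs the fatal signal of a child it spawned. "Hangup" is left out on
# purpose: it is SIGHUP, not a fault, and is what the recommended cleanup produces.
CRASH_RE = re.compile(
    r"inetd\[\d+\]: (?P<daemon>\S+): (?P<signal>Segmentation Fault|Bus Error) ?- core dumped")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times?")


def parse_ts(stamp, year=2002):
    """Syslog timestamps carry no year; the caller supplies it (2002 assumed here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def crash_events(log_text):
    """One (timestamp, host, daemon, signal) tuple per daemon crash, with syslog's
    'last message repeated N times' compression expanded back into N events."""
    events = []
    last = None  # most recent crash tuple, the thing a repeat line refers to
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, msg = parse_ts(m["ts"]), m["host"], m["msg"]
        c = CRASH_RE.search(msg)
        if c:
            last = (ts, host, c["daemon"], c["signal"])
            events.append(last)
            continue
        r = REPEAT_RE.search(msg)
        if r:
            if last and last[1] == host:
                # N identical crashes were collapsed; stamp them with the repeat line's time
                events.extend([(ts, host, last[2], last[3])] * int(r["n"]))
            continue
        last = None  # any other message ends the chain a repeat line could extend
    return events


def crash_bursts(events, window=300, threshold=3):
    """Flag each (host, daemon) with at least `threshold` crashes inside some
    `window`-second span, reporting the densest such span."""
    stamps_by_key = defaultdict(list)
    for ts, host, daemon, _signal in events:
        stamps_by_key[(host, daemon)].append(ts)
    alerts = []
    for (host, daemon), stamps in stamps_by_key.items():
        stamps.sort()
        best, start = None, 0
        for end in range(len(stamps)):
            # slide the window's left edge until it spans at most `window` seconds
            while (stamps[end] - stamps[start]).total_seconds() > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best["count"]):
                best = {"host": host, "daemon": daemon, "count": n,
                        "first": stamps[start], "last": stamps[end]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in crash_bursts(crash_events(SAMPLE_LOG)):
        print(f"{a['host']}: {a['count']} crashes of {a['daemon']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The Hangup entry is deliberately not counted, since it is the signal the cleanup Sun recommends produces, not a fault. Given Sun's note that an existing core file does not preclude a later successful attempt, even one alert from this is a reason to look for a root shell bound by the attacker, not only to check for the core file.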
From isn at c4i.org Thu May 9 02:07:47 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Midwest Express hackers cause a stir
Message-ID:

http://www.msnbc.com/news/748369.asp?0si=-

By Richard Thieme
THE BUSINESS JOURNAL OF MILWAUKEE
May 6, 2002

The self-proclaimed "Deceptive Duo" that hacked into Midwest Express Airlines' intranet say their goal was to embarrass the airline, which is part of the nation's transportation infrastructure and therefore essential to homeland defense.

THE HACKERS, in an e-mail interview, said penetrating the Midwest Express computer server - from which they stole customer and user profiles, names, e-mail addresses, and passwords - was "easy" and the airline should have a secured site. They said the methods they used are well-known in the hacker community and most likely similar to those of terrorists. The incursion was designed to emulate a real terrorist attack, they said.

"It should not be this easy to gain access to supposedly secure networks," the duo said. "But system administrators are doing exactly the opposite of what they should be doing."

The Deceptive Duo hacked into the Midwest Express server that is used to test new features for the airline's Web site and then posted evidence of their break-in on their own Web site and the Web site of the U. S. Space & Naval War Systems Command.

The identity of the hackers thus far has eluded Midwest Express management and a Chicago computer security firm the airline hired. However, sources confirmed that the parties responding to e-mail questions from The Business Journal were at the same e-mail address as the hackers.

The hackers did not access or compromise any other data such as credit-card information, said Lisa Bailey, a spokeswoman for Midwest Express. The airline's management learned of the security breach April 22, said Bailey.

The airline asked the hackers to immediately remove their posting from the duo's Web site, and they complied, said Bailey. The Navy removed the posting as soon as it was detected.

SECURITY CONSULTANTS

The airline changed all customer passwords, not just those that were compromised, and is working with computer security consultants to evaluate the security of Midwest Express' computer system, Bailey said.

Midwest Express executives were not particularly embarrassed by the incident, Bailey said. "But we do realize that the test server was not as secure as we thought and we are doing whatever we need to do to be sure the information is secure moving forward," she said.

Midwest Express does not plan to prosecute the intruders, but Bailey noted that government and military sites were also attacked and the Federal Aviation Administration has indicated its intention to prosecute. FAA officials could not be reached for comment.

The airline is focused on using the intrusion to strengthen its security measures. "It is a potential threat for us and our customer data, and we want to be sure it does not happen in the future," Bailey said. The airline plans to review its site security continuously, assess vulnerabilities and change passwords, Bailey said.

The hackers offered, via e-mail to Midwest Express, to assist in fixing the flaws they discovered, but the airline declined, Bailey said.

The hackers said they were motivated to intrude on the sites of Midwest Express and other corporate and military sites to demonstrate that the U.S. infrastructure is still vulnerable to terrorists even after Sept. 11. Midwest Express and other corporate targets were apparently chosen at random.

When asked whether they might achieve their objectives by privately notifying system administrators of vulnerabilities rather than boasting of their intrusion on other sites, they said they tried that with no success.

"We've tried subtle ways of informing them, but it seems to take drastic means before they will realize the severity of this," the hackers said. "Unfortunately, it takes action to get a reaction."

NO CONTACT

Bailey disputed that version of events. She said the hackers did not contact Midwest Express before posting evidence of their conquest of the airline's computer system. "If we'd been contacted prior to posting, we would've obviously acted very quickly," Bailey said.

The hackers said they entered the Midwest Express server by guessing right on an elementary security password - they typed a default password commonly used by Microsoft Corp. The duo merely had to access the corporate intranet, then enter the default password to gain entry to the database. The airline uses Microsoft SQL, a standard language for performing tasks on the database, they said.

The hackers said they found flaws in the server page scripts that allowed them to view information that should have been accessible only by authorized Midwest Express insiders. The hackers said they discovered other unauthorized logins, which suggested that other hackers may have been there before them. However, Bailey said the airline found no evidence of other hacker entries or flaws in its server scripts.

The duo threatened to continue their strategy for alerting the guardians of the infrastructure. They said Midwest Express was part of the first stage, which scanned targets running on Microsoft products for widely known vulnerabilities. The Department of Defense and other government agencies need to focus on eliminating known vulnerabilities, they said. (MSNBC is a Microsoft - NBC joint venture.)

"In general, we are telling our targets to do their jobs correctly," the hackers said. "Doing a system administration job correctly includes researching, analyzing and fixing all known vulnerabilities."

Next, the duo intends to use more subtle methods.
They said they will attack targets on multiple operating systems "with vulnerabilities that range from the widely known to the little known" with the goal of controlling software "that a terrorist might use to advantage." The third and final leg of their strategy will expose "the most dangerous but least likely scenarios," said the hackers. Such vulnerabilities are not well known, making them difficult to defend against in advance, they said. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Thu May 9 02:08:12 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:08 2008 Subject: [ISN] Top Argentine Court Wants Law Against Hackers Message-ID: http://digitalmass.boston.com/news/wire_story.html?uri=/dailynews/127/technology/Top_Argentine_Court_Wants_Law_:.shtml By Reuters, 5/7/2002 BUENOS AIRES, Argentina (Reuters) - Argentina's Supreme Court wants legislation to outlaw computer hacking after rights activists allegedly vandalized its own Web site but escaped punishment because no law covers digital attacks. A federal court threw out a case in April against a group of hackers, known as the ''X-Team,'' who were charged with defacing the site in 1998 with accusations the South American nation's top judges covered up the murder of a journalist. Argentine law covers only crimes on ''people, things and animals'' but not cyber assaults, according to the ruling. On Tuesday, the Supreme Court said the case did ''harm to the administration of justice'' in a formal request it sent to the government for an anti-hacking law that would send perpetrators to prison. The ''X-Team'' was also accused of posting on the court's site photos of the murdered magazine journalist, Jose Luis Cabezas, whose case has been a cause celebre among groups claiming top Argentine officials cover up human rights abuses. 
Cabezas was found dead and his body charred into blackened bones during a 1997 probe into Alfredo Yabran, a business tycoon with links to then-President Carlos Menem. Yabran later committed suicide after a judge ordered his arrest.

April's ruling exposed the cyber hole in Argentine legislation, underscoring the need for a law that would protect Web site productions in a nation that has been one of Latin America's Internet pioneers.

From isn at c4i.org Thu May 9 02:04:07 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Working in a network war zone
Message-ID:

Forwarded from: Kurt Seifried

This happens every year at cansecwest. Last year because of the slow ass connection someone took it upon themselves to hack the cisco and prioritize traffic a bit (so a bunch of us ended up camping out on my dialup =). Although last year the wireless network was much more messy than this year, with people scanning/flooding/etc/etc, this year the only glitch was a presenter testing his 802.11 attack software just before his presentation (network kept falling over, quite funny in retrospect). I doubt it is a she for the simple reason women seem to have more common sense; all the useful traffic was encrypted this year anyways (although that didn't stop them from trying mitm ssh attacks, constantly).

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----- Original Message -----
From: "InfoSec News"
To:
Sent: Wednesday, May 08, 2002 12:12 AM
Subject: Re: [ISN] Working in a network war zone

> Forwarded from: bschnzl@bigfoot.com
>
> This article was brought on by one who tried sniffing in a switched
> environment. He (She) had not practiced enough or was not familiar
> with the equipment he was manipulating. The sensational writing does
> add a bit to the occurrence...
>
> In a message titled [ISN] Working in a network war zone,
> on 7 May 2002 at 3:51, InfoSec News sent these words:
>
> > http://news.com.com/2100-1001-900511.html?tag=fd_top
> >
> > By Robert Lemos
> > Staff Writer, CNET News.com
> > May 6, 2002, 4:00 PM PT
> >
> > reporter's notebook - VANCOUVER, British Columbia -- Even before the
> > CanSecWest security conference started on Wednesday, unknown hackers
> > had given the hotel's high-speed network a case of the hiccups. By
> > Wednesday evening, the system was laid out flat.
> >
> > The pros were peeved, and a call for an electronic posse went out.
> >
> > "We're forming a hunting party," Dragos Ruiu, independent security
> > consultant and conference organizer, told the room of nearly 150
> > hackers and security experts late Thursday afternoon. "If anyone wants
> > to help us find out who's...poisoning the hotel network, talk to me."
> >
> > But that evening, the vandal stayed offline and the hotel network was,
> > for a little while, glitch free.
> >
> > Networks don't come much more hostile than those at the CanSecWest
> > security conference. The three-day conference brought together
> > hackers, security consultants, and government officials to talk tech
> > about the latest tools and trends in the online arena.

[...]
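The MITM attempts Kurt mentions only pay off against clients that accept whichever host key the network hands them; an SSH client that insists the presented key match a pinned one turns the attack into a visible mismatch. As an added example (not part of this thread or of any tool it names), the Python below computes OpenSSH-style fingerprints of a host key blob and does the strict comparison against a pinned known_hosts entry. The keys, hostname and address are constructed inline; ssh-ed25519 is used only because its wire-format blob is trivial to build (it postdates this thread), and the fingerprint and comparison logic is the same for any key type.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Wire-format public key blob: string "ssh-ed25519" + string <32-byte key>."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of a key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the form clients of that era showed."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_known_hosts_line(line: str):
    """Return (hostnames, key type, blob) from a plain (unhashed) known_hosts entry."""
    hosts, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    # The blob's leading string must agree with the declared key type.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type field does not match blob")
    return hosts.split(","), keytype, blob


def verify_host_key(pinned_line: str, presented_blob: bytes) -> bool:
    """Strict-checking behaviour: accept the server only if the key it presented
    is byte-for-byte the pinned one. A MITM must present its own key, because it
    cannot sign the key exchange with the real server's private key."""
    _hosts, _keytype, pinned = parse_known_hosts_line(pinned_line)
    return pinned == presented_blob


# Constructed keys (not real hosts): the legitimate server's key and the one a
# man-in-the-middle would have to present instead.
REAL_KEY = ed25519_blob(bytes(range(32)))
MITM_KEY = ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS_LINE = ("conf-shell.example,10.0.0.5 ssh-ed25519 "
                    + base64.b64encode(REAL_KEY).decode())


if __name__ == "__main__":
    for label, blob in (("pinned", REAL_KEY), ("presented by MITM", MITM_KEY)):
        print(f"{label:>18}: {fingerprint_sha256(blob)}  {fingerprint_md5(blob)}")
    print("genuine server accepted:", verify_host_key(KNOWN_HOSTS_LINE, REAL_KEY))
    print("MITM key accepted:      ", verify_host_key(KNOWN_HOSTS_LINE, MITM_KEY))
```

The operational point is the pinning, not the hashing: the fingerprint exists so a human can compare a key out of band (read to you by the admin, printed on the conference handout) before the first connection on a hostile network, and a changed fingerprint afterwards is a mismatch to stop on, not a prompt to click through.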
From isn at c4i.org Thu May 9 02:06:26 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] ADVISORY: MSN Messenger OCX Buffer Overflow
Message-ID:

From: "Marc Maiffret"

MSN Messenger OCX Buffer Overflow

Release Date: 5/8/2002

Severity: High (Remote code execution)

Systems Affected:
Microsoft MSN Chat Control
Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control
Microsoft Exchange Instant Messenger 4.5 and 4.6, which includes the MSN Chat control

Description:
A vulnerability has been discovered in the parameter handling of the MSN Messenger OCX. By exploiting this vulnerability, an attacker can supply and execute code on any machine on which MSN Messenger with the ActiveX is installed. The vulnerability exists because of how MSN Messenger handles data passed to it, which can lead to a buffer overflow scenario.

The buffer overflow can be exploited via email, web, or through any other method where Internet Explorer is used to display HTML that an attacker supplies, including software that uses the web browser ActiveX control. All users of Internet Explorer are potentially affected because this is a Microsoft-signed OCX. Users that have not installed Microsoft Messenger or that have not upgraded Microsoft Messenger can only be affected if they accept the pop-up "Install Now" signed by Microsoft. All Internet Explorer users should install the update.

Example:

Technical Description:
MSNChat ocx is an ActiveX object installed with Microsoft Messenger. Proper bounds checking is not in place in the ResDLL parameter. By supplying a very large buffer, we can overwrite a significant portion of the stack, including saved return addresses and exception handlers. Even if users do not have Messenger installed, the ActiveX can be called from the codebase tag, which would prompt the user to install the ActiveX with Microsoft's credentials because the OCX is signed by Microsoft.

Vulnerability identifier: CAN-2002-0155

Vendor Status:
Microsoft has released a security bulletin and patch. For more information visit:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-022.asp

Credit:
Discovery: Drew Copley

Greetings:
Mom, Dad, and all of the little people that helped me and believed in me - oh - and a big YO HO to the homeboyz in the h00d.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com

From isn at c4i.org Thu May 9 02:03:11 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Prosecutors say crime spree wreaked havoc
Message-ID:

http://www.jsonline.com/news/Metro/may02/41693.asp

[While this article has little to do with information security, it lists some of the 50-odd acts of vandalism/terrorism that Joseph Konopka and his band of vandals committed over the past three years. Knowing this, you have to wonder what Konopka had in mind with the cyanide, laptops, and CTA subway tunnels in Chicago.
- WK]

By GINA BARTON
of the Journal Sentinel staff
Last Updated: May 7, 2002

As the self-proclaimed Dr. Chaos threw barbed wire into the electrical system of a central Wisconsin power station, he warned his disciples to close their eyes. One of them didn't listen. A fireball exploded, blinding him for 20 minutes, said Marquette County District Attorney Richard Dufour, who learned of the incident while helping federal authorities investigate a three-year trail of destruction.

The November 1998 incident resulted in power failures in 2,000 homes - just one of 53 Wisconsin crimes that federal prosecutors attribute to Joseph D. Konopka, 25, formerly of De Pere.

A federal grand jury in Milwaukee on Tuesday returned a 13-count indictment against Konopka. He is accused of conspiring to wreak havoc through 13 counties and causing $800,000 in damage. If convicted, he could face up to 30 years in prison.

Konopka remains in custody in Chicago, where he was arrested in March after being caught with cyanide - a potentially deadly chemical - underground near the Chicago subway system.

Authorities say his Wisconsin crime spree was far more extensive. Konopka and others are charged with causing about 28 power failures and 20 other service interruptions at power plants throughout Wisconsin, U.S. Attorney Steven M. Biskupic said at a news conference Tuesday. About 30,000 customers were left in the dark.

Konopka also is accused of setting buildings on fire, disrupting radio and television broadcasts, disabling an air traffic control system, selling counterfeit software and damaging the computer system of an Internet service provider.

Biskupic wouldn't attribute Konopka's alleged acts to a particular motive, but the indictment suggests that they were largely for his own entertainment.

Konopka is believed to be the leader of a band of vandals known as "The Realm of Chaos," some of whom have been convicted in state courts and have helped investigators build a case against Konopka.
Officials believe that he used an online chat room called "Teens for Satan" to contact potential recruits. Recruiting efforts The indictment alleges that Konopka encouraged teenage boys and young men "to join him in ventures designed to entertain themselves by engaging in property damage and then observing the consequences." That seemed to be the case in the November occurrence, which took place as Konopka and his friends were driving home from a rock concert in La Crosse, according to Dufour. "As his name implies, their goal was to create chaos and create anarchy," Dufour said in a telephone interview. Lisa Moller, east region supervisor of corporate security for Alliant Energy, said "these acts of terrorism and anarchy have affected Alliant Energy in an adverse way," resulting in "constant paranoia." Thomas Eells, manager of corporate security for WE Energies, called the group's actions "significant acts of domestic terrorism" that placed people who depend on electrical medical equipment at significant risk. An attack on a WE Energies plant in Shiocton also placed firefighters at risk, said Michael Jenks of the Outagamie County Sheriff's Department. The October 2000 fire spread to an equipment storage facility owned by Bush Brothers and Co., destroying the building during a blaze that lasted several hours. That incident alone resulted in nearly $55,000 in damage. Other actions alleged in the indictment - the result of a joint investigation involving more than a dozen federal and local agencies in two states - include: * Starting a fire in a trash bin at the Heavenly Ham company in Ashwaubenon that spread to a food processing and distribution facility, causing $264,708 in damage. * Turning off the power supply to the equipment at the Wisconsin Air National Guard base at Camp Douglas, interrupting air traffic control communication. * Breaking into the Ledgeview studio of Wisconsin Public Radio and replacing the intended programming with music. 
As a result, the system switched to emergency broadcast mode. According to the indictment, the incidents began on Valentine's Day in 1998 and continued through January 2001 in Adams, Brown, Calumet, Door, Fond du Lac, Green Lake, Kewaunee, Lincoln, Marquette, Oconto, Outagamie, Shawano and Winnebago counties. Biskupic said he expects Konopka to make his initial Wisconsin federal court appearance within 30 days. Meanwhile, some of Konopka's cohorts already have been convicted in state court in Door, Kewanee, Marquette and Shawano counties. Benjamin E. Nell, 18, of Green Bay and Joseph Lemieux, 19, were convicted of property-related misdemeanors in Door and Kewanee counties and have cooperated with his office, said Kewanee County District Attorney Troy C. Dalebroux. In Marquette County, Shawn P. Sullivan, 20, of Green Bay was convicted of a misdemeanor during a jury trial and sentenced to three years of probation and nine months in jail, Dufour said. Twenty-year-old Chad Reimer of Green Bay, who watched the blinding electrical flash, has cooperated with law enforcement agents, Dufour said. Reimer has not been charged. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Thu May 9 02:10:10 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:08 2008 Subject: [ISN] Security UPDATE, May 8, 2002 Message-ID: ******************** Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems. 
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Reliable Patch Management
http://list.winnetmag.com/cgi-bin3/flo?y=eLqv0CJgSH0CBw0rf10Ao

Connected Home Magazine Virtual Tour
http://list.winnetmag.com/cgi-bin3/flo?y=eLqv0CJgSH0CBw0LTe0Ak
(below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: RELIABLE PATCH MANAGEMENT ~~~~
IT Managers scanning systems for security hotfixes and patches are left wondering whether the systems they thought were safely patched are actually vulnerable. UpdateEXPERT(tm) solves this patch management and deployment dilemma. It is the only remediation tool that uses a research database from third party test results and analytical information to make deployment reliable. Research available fixes, scan workstations and servers, deploy updates without remote agents and validate the job, all in a single tool. FREE Live Trial:
http://list.winnetmag.com/cgi-bin3/flo?y=eLqv0CJgSH0CBw0rf10Ao

~~~~~~~~~~~~~~~~~~~~

May 8, 2002--In this issue:

1. IN FOCUS
   - Intrusion Cleanup: What's the Cost?

2. SECURITY RISKS
   - Multiple Vulnerabilities in BEA WebLogic
   - DoS in ISS's RealSecure Network Sensor

3. ANNOUNCEMENTS
   - Cast Your Vote for Our Readers' Choice Awards!
   - Mobile and Wireless Solutions--An Online Resource for a New Era

4. SECURITY ROUNDUP
   - News: ISS Teams with Network Associates
   - News: Gartner Says Most Attacks Will Exploit Known Flaws
   - News: Word Patch Fixes Outlook Email Vulnerability
   - Feature: Security Bug Fixes

5. SECURITY TOOLKIT
   - Virus Center
   - FAQ: What Is Windows Update Corporate Edition?

6. NEW AND IMPROVED
   - Defend Against Intruders and Malicious Code
   - Secure Enterprise Servers with Free Beta

7. HOT THREADS
   - Windows & .NET Magazine Online Forums
   - Featured Thread: Screen Saver Passwords
   - HowTo Mailing List
   - Featured Thread: Security Policy Disciplinary Measures

8. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1.
==== IN FOCUS ==== (contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net) * INTRUSION CLEANUP: WHAT'S THE COST? Has your network ever suffered intrusion or misuse? If not, you're among the fortunate few. If so, the cause might have been a virus, worm, or Trojan horse; a workstation, server, or router breach; or an employee misusing company services and bandwidth. In any case, have you ever calculated the cost to clean up such messes and return everything to its prior state? Although you might find calculating such losses tedious, you can find ways to reach a fairly accurate figure. Dave Dittrich's online FAQ "Estimating the cost of damages due to a security incident" (see the first URL below) can help you think of the factors to consider and the costs to associate with each factor in the clean-up process. Dittrich notes that proposed Senate Bill S.2448, "The Internet Integrity and Critical Infrastructure Protection Act of 2000" (introduced in the 106th Congress, see the second URL below), defines how organizations can calculate loss. According to Senate Bill S.2448, "The term 'loss' means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." http://staff.washington.edu/dittrich/misc/faqs/incidentcosts.faq http://www.senate.gov/search/index.html According to Dittrich's interpretation of the bill's definition, tallied costs should include all staff time spent cleaning up damage; lost productivity time, including that of users (who lacked working systems) and business partners (who were denied service during this period); lost time in terms of e-commerce revenue; and the price of replacing hardware, software, and other damaged or stolen property. 
The loss calculation shouldn't include precautionary measures put in place to prevent similar attacks in the future. You should consider such measures part of ordinary systems administration.

Dittrich also cites the Incident Cost Analysis & Modeling Project (ICAMP--see the URL below) that the Committee on Institutional Cooperation (CIC) and the University of Chicago conducted. ICAMP figures the basic monetary loss relative to affected users by calculating an hourly wage (dividing an annual salary by 52 weeks, then by 40 hours) and multiplying that wage by hours of work lost. As you'll see, the ICAMP materials calculate additional costs as well.
http://www.cic.uiuc.edu/groups/cic/listicampreports.shtml

Dittrich's FAQ is short, to the point, and a good place to start to learn how to calculate security-related losses. The FAQ includes a sample Microsoft Excel spreadsheet that you can use as a model to help build a loss-calculation tool for your enterprise.

For more information, read CIO Magazine's February 15, 2002, article "Finally, A Real Return on Security Spending" (see the first URL below), which discusses an approach to calculating Return on Investment (ROI) for Intrusion Detection Systems (IDSs). The February 15 article references another article's sidebar, "Calculating Return on Security Investment" (see the second URL below). The sidebar presents a relatively simple formula for the ROI calculation: (R - E) + T = ALE, in which R is the cost per year to recover from intrusions, E is the dollar savings gained by preventing intrusions, and T is the cost of an intrusion-detection tool. The result is your Annual Loss Expectancy (ALE). To calculate Return on Security Investment (ROSI), subtract your ALE from the annual cost of intrusion.
http://www.cio.com/archive/021502/security.html
http://www.cio.com/archive/021502/security_sidebar_content.html

Many of you have trouble getting your managers to approve budgets for security-related tools.
You need clear ways to demonstrate the value of security-related measures and tools. You'll find calculating actual losses from intrusion or misuse a great way to justify a more adequate security budget, especially for preventive measures. ~~~~~~~~~~~~~~~~~~~~ ~~~~ SPONSOR: CONNECTED HOME MAGAZINE VIRTUAL TOUR ~~~~ THE CONNECTED HOME VIRTUAL TOUR IS BACK AND BETTER THAN EVER! If you think you've already seen the Connected Home Magazine Virtual Tour, think again. Browse through the latest home entertainment, home networking, and home automation options and check out our special feature on wiring your home. Sign up for our prize drawings, too, and you might win a free cinema card courtesy of VisionTek and NVIDIA. Take the tour today! http://list.winnetmag.com/cgi-bin3/flo?y=eLqv0CJgSH0CBw0LTe0Ak ~~~~~~~~~~~~~~~~~~~~ 2. ==== SECURITY RISKS ==== (contributed by Ken Pfeil, ken@winnetmag.com) * MULTIPLE VULNERABILITIES IN BEA WEBLOGIC Multiple vulnerabilities exist in BEA Systems' BEA WebLogic 6.1 for Windows 2000 Service Pack 2 (SP2). A problem with the URL parser in BEA WebLogic could let an attacker reveal the physical path to the Web root, cause a Denial of Service (DoS) attack, or reveal the source code of .jsp files. By appending %00.jsp to a normal HTML request, an attacker can in some cases generate a compiler error that prints out the path to the physical Web root. By requesting a DOS device and appending .jsp to the request, an attacker can exhaust working threads, which will cause the Web service to stop parsing HTTP and HTTP over Secure Sockets Layer (HTTPS) requests. An attacker can use several methods to manipulate the URL in a way that will let the attacker read the contents of a .jsp file. For example, a malicious user can append %00x or "+." (exclamation marks excluded) to a request for a .jsp file and read the contents of the .jsp file. BEA has released a patch that resolves these vulnerabilities. 
http://www.secadministrator.com/articles/index.cfm?articleid=25069

* DoS IN ISS'S REALSECURE NETWORK SENSOR
A Denial of Service (DoS) condition exists in Internet Security Systems' (ISS's) RealSecure Network Sensor. Specifically, a vulnerability in the three informational signatures associated with DHCP can result in a segmentation fault or exception error. An attacker can exploit this vulnerability by sending specially crafted DHCP traffic, causing the sensor to malfunction or crash. ISS has issued X-Press Update 4.3, which contains a fix for this vulnerability.
http://www.secadministrator.com/articles/index.cfm?articleid=25070

3. ==== ANNOUNCEMENTS ====

* CAST YOUR VOTE FOR OUR READERS' CHOICE AWARDS!
Which companies and products do you think are the best on the market? Nominate your favorites in four different categories for our annual Windows & .NET Magazine Readers' Choice Awards. You could win a T-shirt or a free Windows & .NET Magazine Super CD, just for submitting your ballot. Click here!
http://list.winnetmag.com/cgi-bin3/flo?y=eLqv0CJgSH0CBw0zMs0Ad

* MOBILE AND WIRELESS SOLUTIONS--AN ONLINE RESOURCE FOR A NEW ERA
Our mobile and wireless computing site has it all--articles, product reviews, and other resources to help you support a wireless network and mobile users. Check it out today!
http://list.winnetmag.com/cgi-bin3/flo?y=eLqv0CJgSH0CBw0qsD0AL

4. ==== SECURITY ROUNDUP ====

* NEWS: ISS TEAMS WITH NETWORK ASSOCIATES
Internet Security Systems (ISS) and Network Associates have announced an alliance to deliver integrated security products and services. Network Associates will combine its fault isolation and performance management software, Sniffer Technologies, with ISS's intrusion-detection software, RealSecure. ISS said it will combine Network Associates' McAfee antivirus software with RealSecure and also offer customers managed security services.
http://www.secadministrator.com/articles/index.cfm?articleid=25088 * NEWS: GARTNER SAYS MOST ATTACKS WILL EXPLOIT KNOWN FLAWS Speaking at the Gartner Symposium/ITxpo in San Diego, Gartner analysts predicted that by 2005, up to 90 percent of attacks will exploit known security vulnerabilities for which patches and workarounds are available but not applied. Gartner said that enterprises don't do enough to prepare for network intrusion. http://www.secadministrator.com/articles/index.cfm?articleid=25089 * NEWS: WORD PATCH FIXES OUTLOOK EMAIL VULNERABILITY Microsoft recommends that Outlook users who use Microsoft Word as their email editor--a configuration known as WordMail--install a new patch for Word. The update fixes a vulnerability that could let harmful scripts run if the user replies to or forwards an HTML message. Microsoft Office XP Service Pack 1 (SP1) or Office 2000 Service Release 1/1a (SR1/1a) is a prerequisite. http://www.microsoft.com/technet/security/bulletin/ms02-021.asp * FEATURE: SECURITY BUG FIXES The security subsystem correctly records account lockout events when a user reaches the bad password threshold while logging on with a domain account; however, a bug in the audit code prevents the system from recording the account lockout when a user reaches the bad password threshold while logging on with a local workstation or server account. The Windows 2000 Post-Service Pack 2 (SP2) file system driver has a bug that might cause ntfs.sys to crash with a stop code of 0x00000003. The blue screen occurs when the file system driver attempts to release the same resource twice. When a system has a bad print driver, you might see several different error messages when you try to print a file or document. To recover from this error, you need to delete the printer, delete the print-driver file, and clean up printing subsystem registry entries. Learn more about these problems in Paula Sharick's article on our Web site. 
http://www.secadministrator.com/articles/index.cfm?articleid=25033 5. ==== SECURITY TOOLKIT ==== * VIRUS CENTER Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda * FAQ: WHAT IS WINDOWS UPDATE CORPORATE EDITION? ( contributed by John Savill, http://www.windows2000faq.com ) A. Windows Update Corporate Edition, which Microsoft plans to release in second quarter 2002, will let administrators host their own version of the Windows Update Web site on a local intranet. Windows Update Corporate Edition will, at scheduled intervals, pull the latest fixes from the public Windows Update Web site. A client component will let administrators check the intranet-based Windows Update site and use Group Policy settings to automatically download updates to clients. The Windows Update Corporate Edition will help companies preserve bandwidth that they now use to repeatedly download the same fixes and will offer greater control over which updates users can install. For more information, visit the Microsoft Web site. http://www.microsoft.com/technet/ittasks/support/corpwu.asp 6. ==== NEW AND IMPROVED ==== (contributed by Judy Drennen, products@winnetmag.com) * DEFEND AGAINST INTRUDERS AND MALICIOUS CODE Network Associates released McAfee Desktop Firewall 7.5, software that inspects inbound and outbound traffic and allows or blocks connections, stops malicious code, detects unauthorized intrusions and application connections, records the event, and alerts the administrator. Desktop Firewall 7.5 also protects remote and broadband users. Desktop Firewall 7.5 runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x. For pricing, contact Network Associates at 972-308-9960 or 888-847-8766. 
http://www.mcafeeb2b.com/products/desktop-protection.asp * SECURE ENTERPRISE SERVERS WITH FREE BETA Turillion Software Technologies released the eServer Secure Manager beta, software designed to help the enterprise manage 100 or more eServer Secure-protected servers from a single console. Turillion's eServer Secure Manager beta software is available now for free to qualified beta testers from Turillion's private beta Web site at http://www.turillion.com/beta. For more information, contact Turillion at 800-604-3228. http://www.turillion.com 7. ==== HOT THREADS ==== * WINDOWS & .NET MAGAZINE ONLINE FORUMS http://www.winnetmag.net/forums Featured Thread: Screen Saver Passwords (Three messages in this thread) Claus wants to know how he can ensure that all network users (on systems including Windows 2000, Windows NT, and Windows 98) use password-protected screen savers. http://www.secadministrator.com/forums/thread.cfm?cfapp=64&thread_id=103120#message268910 * HOWTO MAILING LIST http://www.secadministrator.com/listserv/page_listserv.asp?s=howto Featured Thread: Security Policy Disciplinary Measures (One message in this thread) Paul is developing a security policy and wants to include information about disciplinary measures that will apply to users who violate policies (the measures taken would depend upon the associated impact). He's looking for documentation or Web sites that offer generic information about such disciplinary measures. Can you help? Read the responses or lend a hand at the following URL: http://63.88.172.96/listserv/page_listserv.asp?A2=ind0205a&l=howto&p=1230 8. ==== CONTACT US ==== Here's how to reach us with your comments and questions: * ABOUT IN FOCUS -- mark@ntsecurity.net * ABOUT THE NEWSLETTER IN GENERAL -- vpatterson@winnetmag.com (please mention the newsletter name in the subject line) * TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums * PRODUCT NEWS -- products@winnetmag.com * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? 
Customer Support -- securityupdate@winnetmag.com * WANT TO SPONSOR SECURITY UPDATE? emedia_opps@winnetmag.com ******************** This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today! http://www.secadministrator.com/sub.cfm?code=saei25xxup Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.winnetmag.net/email |-+-|-+-|-+-|-+-|-+-| Thank you for reading Security UPDATE. You are subscribed as isn@c4i.org. MANAGE YOUR ACCOUNT You can manage your entire Windows & .NET Magazine Network email newsletter account on our Web site. Simply log on and you can change your email address, update your profile information, and subscribe or unsubscribe to any of our email newsletters all in one place. http://www.winnetmag.net/email SUBSCRIBE To quickly subscribe, send a blank email to mailto:Security-UPDATE_Sub@list.winnetmag.com. UNSUBSCRIBE To quickly unsubscribe, send a blank email to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you! - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Fri May 10 03:35:46 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:08 2008 Subject: [ISN] "Nessus calls home"? Facts of the matter. Message-ID: Forwarded from: bschnzl@bigfoot.com Cc: deraison@nessus.org How 'bout letting us specify our own domains, making example.com the default, and putting a notice in the results! You could use nessus.org as the default to make sure DNS did not get in the way. The notice in the results would make that legit. In a message titled [ISN] "Nessus calls home"? Facts of the matter. , on 9 May 2002 at 2:06, InfoSec News sent these words: > Forwarded from: Jay D. 
Dyson
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Courtesy of Renaud Deraison (forwarded with permission).
>
> I believe this should be given wide dissemination to dispel the rumors
> that flew around CanSecWest. -Jay
>
>
> - ---------- Forwarded message ----------
> Date: Wed, 8 May 2002 16:50:09 +0200
> From: Renaud Deraison
> To: nessus@list.nessus.org
> Subject: "Nessus calls home"
>
> Hi,
>
> I attended CanSecWest last week and I was told there were rumors of people
> complaining about Nessus "calling home" when doing a scan.
>
> In order to clear the confusion, here's a small explanation of what Nessus
> does, followed by a short poll asking you what you'd prefer it to do.
>
> First, let me emphasize something: Nessus does *not* call home. It never
> does, never did and never will.
>
> However, the checks have a side effect that may have the naughty side
> effect of sending some packets to nessus.org, which can make people think
> I have the ability to monitor their scans - here's the list:
[...]

Bill Scherr IV, GSEC, GCIA
Electronic Warfare Associates / IIT
Lafayette RTI, Camp Johnson
Colchester, VT 05446
802-338-3213

From isn at c4i.org Fri May 10 03:33:09 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] AirMagnet 1.2 Reveals WLAN Trouble Spots
Message-ID:

http://www.eweek.com/article/0,3658,s=712&a=26498,00.asp

By Cameron Sturdevant
May 6, 2002

AirMagnet Inc.'s AirMagnet Sniffer works right, right out of the box - much to its credit and to network administrators' advantage and earning it an eWeek Labs' Analyst's Choice award.

eWeek Labs ran the AirMagnet Version 1.2 protocol analyzer on a device that represents new territory for this genre of product - a handheld computer, namely a Compaq Computer Corp. iPaq.
AirMagnet provided "just-the-facts" details about 802.11b traffic it detected - no protocol decodes but 802.11b traffic statistics that are essential to performing wireless network security audits and site surveys.

AirMagnet, which started shipping last month (at the same time the company announced it was going into business), costs $2,495 for detection software and an 802.11b card (in our case, a Proxim Inc. Harmony card). The handheld device is not included in this price.

The AirMagnet system is not cheap, and IT buyers would be wise to question whether a company this new will be around to support its wares in the future. While AirMagnet is just getting started as a company, however, its founders and designers are all industry pros that developed solid products we tested years ago, including NetXRay from Cinco Networks Inc., which was purchased by Network Associates Inc.

We'll go out on a limb and say that the simplicity and elegance of the product make it worth the cost and that the caliber of the company's founders and product developers should ease buyers' minds about future support. Buyers should also bear in mind, however, that Network Associates is slated this week at NetWorld+Interop to announce a handheld version of its Sniffer product line, called Sniffer Pocket.

With other wireless sniffers we've tested, we had to set up filters, start and stop captures, wade through piles of documentation, and drag a power-hungry laptop with an even more power-hungry wireless card around the office to get our traffic samples. With AirMagnet, in contrast, we simply loaded the software, which recognized the card, turned the system on and started sensing traffic.

AirMagnet automatically scanned all the frequencies available in 802.11b and consistently pointed out which channels had real traffic, as opposed to those channels that were carrying spillover radio signals.

AirMagnet is not a protocol analyzer in the sense that it can decode TCP/IP application traffic.
But that's OK because front-line technicians performing site surveys and network managers doing security audits don't need Layer 3 and 7 information to perform quick checks.

That said, we could use AirMagnet to do simple Layer 3 trouble-shooting. For example, we were able to select our access point from among many in our Foster City, Calif., test lab and send a ping over it to make sure it was communicating with the wired network.

We were also able to use AirMagnet as a type of rogue access point locator. The coolness factor went up almost immeasurably as we used the AirMagnet-loaded iPaq in full "tricorder" mode to zero in on unauthorized access points. It almost goes without saying that this is the same way that IT managers conducting a site survey can determine where to place access points for the best coverage before installing end-user stations.

The AirMagnet is a good security tool for ferreting out rogue access points but should also serve as a reminder to network administrators about the vulnerability of wireless networks. AirMagnet, unlike the very able shareware utility NetStumbler (available from www.netstumbler.com), operates in a completely stealth mode and only "listens" for packets. Malicious users of the product couldn't do much more than discover the existence of a wireless LAN and the location of access points, but the malicious person could do so without network administrators ever knowing.

The only exception we found to this was when we used AirMagnet to generate traffic to test the performance of an access point during a site survey. Here, AirMagnet had to associate with the access point and send traffic, which was then detectable.

Senior Analyst Cameron Sturdevant can be contacted at cameron_sturdevant@ziffdavis.com.
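The passive listening the review describes (and the WEP and SSID checks that the Computerworld retail-WLAN story later in this digest turns on) comes down to parsing beacon frames. What follows is an added example written for this page, not AirMagnet's or eWeek's code: it parses raw 802.11 beacon frames, reads each access point's BSSID, SSID, declared channel (the DS Parameter Set element) and Privacy capability bit, tallies beacons per declared channel, and flags any BSSID missing from an authorized list as a rogue access point. The frames, BSSIDs, SSIDs and the authorized list are all constructed for the example, and the parser assumes frames are handed to it without a radiotap or other capture header. One point it makes concrete that the review only hints at: a beacon heard on an adjacent channel still names its real channel in its DS Parameter Set, which is one way a listener separates real traffic from spillover.

```python
"""Passive 802.11 beacon audit (added example, not AirMagnet's or eWeek's code).

Parses raw beacon frames (no radiotap header, an assumption), tallies them
by the channel each AP declares, and flags rogue and unencrypted APs.
"""
import struct
from collections import Counter

BEACON_FC0 = 0x80            # frame control byte 0: type=management, subtype=beacon
PRIVACY_BIT = 0x0010         # capability info bit 4: Privacy (WEP on, in 802.11b terms)
IE_SSID, IE_DS_PARAM = 0, 3  # information element IDs: SSID, DS Parameter Set (channel)
MGMT_HDR_LEN = 24            # frame control, duration, addr1-3, sequence control
FIXED_PARAMS_LEN = 12        # timestamp(8) + beacon interval(2) + capability(2)


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid, ssid, channel, privacy):
    """Constructed test fixture: a minimal beacon as an AP would transmit it."""
    header = (bytes([BEACON_FC0, 0x00]) + b"\x00\x00"   # frame control, duration
              + b"\xff" * 6                               # addr1: broadcast
              + mac_bytes(bssid) + mac_bytes(bssid)       # addr2 (SA), addr3 (BSSID)
              + b"\x00\x00")                              # sequence control
    capability = PRIVACY_BIT if privacy else 0
    fixed = struct.pack("<QHH", 0, 100, capability)       # timestamp, interval, capability
    ssid_bytes = ssid.encode()
    elements = (bytes([IE_SSID, len(ssid_bytes)]) + ssid_bytes
                + bytes([IE_DS_PARAM, 1, channel]))
    return header + fixed + elements


def parse_beacon(frame):
    """Return {bssid, ssid, channel, privacy} for a beacon, or None for anything else
    (non-beacon frames, short frames, or a truncated information element)."""
    if len(frame) < MGMT_HDR_LEN + FIXED_PARAMS_LEN or frame[0] != BEACON_FC0:
        return None
    bssid = mac_str(frame[16:22])
    _timestamp, _interval, capability = struct.unpack_from("<QHH", frame, MGMT_HDR_LEN)
    ssid, channel = None, None
    offset = MGMT_HDR_LEN + FIXED_PARAMS_LEN
    while offset + 2 <= len(frame):
        ie_id, ie_len = frame[offset], frame[offset + 1]
        body = frame[offset + 2:offset + 2 + ie_len]
        if len(body) != ie_len:
            return None                      # element claims more bytes than the frame has
        if ie_id == IE_SSID:
            ssid = body.decode("utf-8", errors="replace")
        elif ie_id == IE_DS_PARAM and ie_len == 1:
            channel = body[0]
        offset += 2 + ie_len
    return {"bssid": bssid, "ssid": ssid, "channel": channel,
            "privacy": bool(capability & PRIVACY_BIT)}


def audit(frames, authorized_bssids):
    """Passive audit over captured frames: never transmits.
    Returns (rogue BSSIDs, BSSIDs with Privacy off, beacon count per declared channel)."""
    access_points = {}
    per_channel = Counter()
    for frame in frames:
        beacon = parse_beacon(frame)
        if beacon is None:
            continue                          # data frames and malformed input are skipped
        access_points[beacon["bssid"]] = beacon
        per_channel[beacon["channel"]] += 1  # declared channel, not the one it was heard on
    rogue = sorted(b for b in access_points if b not in authorized_bssids)
    unencrypted = sorted(b for b, ap in access_points.items() if not ap["privacy"])
    return rogue, unencrypted, dict(per_channel)


# Constructed sample: two authorized corporate APs, one rogue AP with a factory-looking
# SSID and Privacy off, plus one data frame the audit must ignore. All values are made up.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:01", "corp", 1, privacy=True),
    build_beacon("00:11:22:33:44:01", "corp", 1, privacy=True),
    build_beacon("00:11:22:33:44:02", "corp", 6, privacy=True),
    build_beacon("de:ad:be:ef:00:01", "linksys", 6, privacy=False),
    bytes([0x08, 0x00]) + b"\x00" * 40,
]

if __name__ == "__main__":
    rogue, unencrypted, per_channel = audit(SAMPLE_FRAMES, AUTHORIZED_BSSIDS)
    print("rogue APs:", rogue)
    print("APs without Privacy bit:", unencrypted)
    print("beacons per declared channel:", per_channel)
```

To run this against real traffic you would feed it frames captured from a card in monitor mode with the capture header stripped; that plumbing is deliberately left out so the parsing and the audit logic stay readable. Note that the audit keys on BSSID rather than SSID, because an attacker can copy an SSID trivially, and that a missing Privacy bit in a beacon is exactly the "WEP not turned on" condition the analysts quoted in the retail story are talking about.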
From isn at c4i.org Fri May 10 03:39:09 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] FIRST 2002 reminder
Message-ID:

Forwarded from: Roger Safian

Greetings,

The annual FIRST Conference is the only event of its kind. It focuses on the field of computer security incident handling and response. In recognition of the global spread of computer networks and the common problems faced by computer owners, the conference is held in different parts of the world. The presentations are international in scope and include the latest in incident response and prevention, vulnerability analysis, and computer security. Additionally, these events serve as the foundation for the improvement of computer security worldwide via the sharing of goals, ideas, and information.

This year's program features an exciting combination of topical keynote addresses, essential tutorials, and the latest in information security techniques. Complete conference details are available on the FIRST website at , and I hope to see you in Hawaii. Please feel free to contact me if you have any questions.

--
Roger A. Safian
r-safian@nwu.edu (email) public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-5690 (Fax)
"You're never too old to have a great childhood!"

From isn at c4i.org Fri May 10 03:40:59 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] FLIGHT SECURITY: New List for Carryons
Message-ID:

Forwarded from: Jay D. Dyson

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Courtesy of Rick Forno. (Gee, I feel safer already. Blah.)

This week the Transportation Security Administration released its official list of what can and can't be carried aboard a plane.
You may carry on nail clippers and nail files (which previously were being confiscated), tweezers, safety and disposable razors, syringes with proper medical labeling, umbrellas, and eyelash curlers. The list for prohibited items remains long and includes golf clubs, knives (any length), metal scissors with pointed tips, and toy weapons.

Any changes to the list will be posted on the TSA Web site at:
http://www.tsa.dot.gov

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE82udNGI2IHblM+8ERAjrOAJ9jyAkXvPZL31oecy+OET10iz2t2QCfZEH+
eg87m3uP51sJaB2fcs+ClzA=
=L+2z
-----END PGP SIGNATURE-----

From isn at c4i.org Fri May 10 03:31:39 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Holes expose retail data
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,70840,00.html

Date: May 06, 2002
Author: Bob Brewin and Dan Verton

White-hat hackers last week discovered vulnerabilities in the wireless networks of two major retailers, holes that they claimed exposed data that appeared to include customer information.

On May 1, an anonymous hacker posted a message on an online security mailing list stating that he had discovered holes in the wireless LANs operated by Best Buy Co. Later that day, Jonas Luster, co-founder of security consultancy D-fensive Networks Inc. in Campbell, Calif., told Computerworld that he had conducted a test of networks operated by a San Jose outlet of The Home Depot Inc. and found similar vulnerabilities.

Best Buy said it shut down its wireless LANs shortly after the initial report surfaced. The San Jose Home Depot network, which Luster said exposed what appeared to be SQL database queries, shut down May 2, he said.
Don Harris, a Home Depot spokesman, declined to say whether the company had turned off its wireless LAN in the San Jose store. Spokeswoman Jennifer Bohuslavsky said Eden Prairie, Minn.-based Best Buy on May 1 deactivated its "wireless temporary cash registers," which transmit information via a wireless LAN connection. "These registers are not Best Buy's main register terminals and represent a small percentage of our transactions," she said. Bohuslavsky declined to provide any security or deployment details on the wireless network used by Best Buy throughout its 480 stores. Dave Ellis, vice president for information systems at Atlanta-based Home Depot, sharply denied a published report that hackers had captured data from wireless point-of-sale terminals or cash registers in any of the company's 1,200-plus stores. "That dog does not hunt," Ellis said. "All our registers are hard-wired." Ellis declined to discuss Home Depot's wireless LAN security or whether white-hat hackers could have penetrated its wireless network. John Pescatore, an analyst at Gartner Inc., said the fact that someone was able to sniff data from a Best Buy wireless LAN indicated to him that the company hadn't turned on the simplest form of security available on any 802.11b wireless LAN: encryption based on the Wired Equivalent Privacy (WEP) protocol. Not turning on WEP is "just stupid," Pescatore said. Dennis Eaton, chairman of the Wireless Ethernet Compatibility Alliance, a wireless LAN industry group in Mountain View, Calif., said that, in fact, most users fail to turn on WEP, despite widespread publicity about the inherent lack of security in wireless LANs. Rick Doten, a program manager at security consultant NetSec Inc. in Herndon, Va., said that only 30% to 40% of enterprises turn on WEP, though some companies run more powerful forms of encryption. Pescatore said enterprises also routinely fail to change the factory-default Service Set Identifier (SSID) on their wireless LAN access points. 
Access points broadcast the SSID in packet headers so access cards in PCs or handheld computers can find the LAN.

Doten said the failure to properly secure wireless LANs is being exploited by what he called wireless LAN "war drivers" who use freeware tools such as NetStumbler to locate access points.

Wayne Slavin, the San Diego-based founder and webmaster of Netstumbler.com, said there have been more than 200,000 downloads of the company's software. He said that to date he has identified over 25,000 access points in the U.S. and Canada, with more than 80% broadcasting in the clear. "[That's] a pretty scary statistic," Slavin said.

From isn at c4i.org Fri May 10 03:41:36 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Microsoft says penalty will let hackers run wild
Message-ID:

http://www.salon.com/tech/wire/2002/05/08/microsoft/index.html?x

By D. Ian Hopper
May 8, 2002

WASHINGTON (AP) -- Hackers, virus writers and software pirates could run rampant if Microsoft disclosed the technical product information that nine states have requested as an antitrust penalty, a company executive says.

Jim Allchin, who oversees the Windows operating system, said that disclosures sought by the states "would make it easier for hackers to break into computer networks, for malicious individuals or organizations to spread destructive computer viruses and for unethical people to pirate" Microsoft's flagship software.

The states want the disclosures so competitors' software can work as well with Windows as Microsoft's own products. The overwhelming market share of Windows gives Microsoft a leg up on other software makers, they say.
A lawyer for the states, Kevin Hodges, pointed out that many of the most destructive computer attacks in recent years have targeted Microsoft products regardless of whether Microsoft disclosed particular technical data. "I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace." The states gained new hope Tuesday when the judge overseeing the case agreed to let them present more information on one penalty proposal. The nine states want Microsoft to release a version of its Windows operating system that will permit computer manufacturers to replace Microsoft features with competing products. Lawyers for the states asked U.S. District Judge Colleen Kollar-Kotelly to allow them to call an extra witness to show that the "modular" Windows is feasible, despite Microsoft's objections. Kollar-Kotelly berated the states for the late request, calling it an ill-conceived "tactical decision." Nevertheless, she decided to let the witness, independent software tester James Bach of Front Royal, Va., testify. "I think that the information should be submitted to the court, that I should have it," Kollar-Kotelly said. States' lawyer Steven Kuney said Bach will argue that Microsoft's XP Embedded operating system shows that Microsoft can make a modular version of Windows. XP Embedded is designed for small, limited-function devices like cash registers and automatic teller machines. Many Microsoft witnesses, including Chairman Bill Gates, say that Microsoft is unable to make a modular Windows because the different features -- like the Internet browser and media player -- are dependent on each other. Microsoft earlier specifically targeted the penalty proposal in a motion that asked the judge to dismiss it. She has not ruled on the request. Bach's testimony, which includes a video, will come after Microsoft rests its case next week. 
The states finished their case in April, and Kollar-Kotelly was reluctant to let the states add on another witness.

The original judge in the antitrust case ordered Microsoft broken into two companies after concluding that it illegally stifled competitors. An appeals court upheld many of the violations but reversed the breakup order and appointed Kollar-Kotelly to determine a new punishment.

States that rejected the government's settlement with Microsoft last fall and are pressing for tougher penalties are Iowa, Utah, Massachusetts, Connecticut, California, Kansas, Florida, Minnesota and West Virginia, along with the District of Columbia.

From isn at c4i.org Fri May 10 03:36:39 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Social Engineering: The Human Side Of Hacking
Message-ID:

Forwarded from: rferrell@texas.net

> Social engineering is the human side of breaking into a corporate
> network. Companies with authentication processes, firewalls, VPNs
> and network monitoring software are still wide open to an attack if
> an employee unwittingly gives away key information in an email, by
> answering questions over the phone with someone they don't know or
> even by talking about a project with coworkers at a local pub after
> hours.

One prime source of information that I seldom see mentioned is vacation messages generated by SMTP agents.
Setting aside for now the fact that a lot of brain-dead email programs rudely send out these things in response to every incoming message, no matter the source, a distressing number of people include not only their complete contact information, but details about the projects they're working on (even including internal code names), title and responsibilities of other employees in the company, and even details about their own and other employees' short-term and long-term schedules.

Acceptable vacation message policy should quite definitely be spelled out as part of the overall infosec operational plan.

RGF

Robert G. Ferrell
rferrell@texas.net

From isn at c4i.org Fri May 10 03:32:06 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Terrorists could launch cyber-war
Message-ID:

http://news.com.au/common/story_page/0,4057,4286006%255E15318,00.html

Wires
09May02

A "CYBER jihad" could be launched against the West as terrorists moved from the real world to an internet-based virtual world, a US expert warns.

Michele Zanini, a consultant with the think-tank McKinsey and Company, said terrorist groups such as al-Qaeda were already making huge use of the web for communications, propaganda, recruitment and target data.

Another expert, Rand Europe senior policy analyst Kevin O'Brien said there was potential for terrorists to cause huge losses to the West by damaging information technology systems.

Dr Zanini and Dr O'Brien were speaking at an international conference on global terror in Hobart.

Dr O'Brien said Western-developed IT had become the "great equaliser" as it was exploited by terrorists and rogue states. He said the cyber world was chaotic and without boundaries and Western security agencies were traditionally ill-equipped to deal with its threats.
Both experts said newer terrorist groups like al-Qaeda and Hamas were different to earlier ones that had been hierarchical and bureaucratic. Al-Qaeda was a fluid network of semi-autonomous groups, hard to pin down and with links to about 20 other groups.

In the wake of September 11, it was clear terrorists were using the internet as a weapon of war, the experts said. Terrorists used the net to gather intelligence, including target information, and counter-intelligence. They made and moved money on it and were suspected of even manipulating stocks for profit. They could also use it for worldwide planning and coordination, propaganda, psychological terrorism and rumour-mongering.

Rogue states could equally use it and China and Taiwan were already battling a cyber war, according to the experts.

Dr O'Brien said the danger to business was of great concern, with some websites particularly vulnerable. An interruption of a few seconds on the New York foreign exchange market could cost billions of dollars. Companies could also be damaged through extortion, brand destruction and fraud.

Dr O'Brien said much more co-operation and information-sharing between governments and business was needed to combat the threats. Australia, Britain and Canada had moved in this direction, but the US response was still hampered by agency turf wars and personal rivalries, he said.

However, on the wild world of the web, there's an unlikely ally in the war against terror. Dr Zanini said traditional hackers had a quite different culture to terrorists and the two did not mix well. There was even an organisation called Hackers Against Terrorism, a sort of virtual vigilante group, he said.

From isn at c4i.org Fri May 10 03:37:55 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Watchdogs on Way Out?
Message-ID:

http://www.eweek.com/article/0,3658,s=701&a=26381,00.asp

By Dennis Fisher
May 6, 2002

While much of the high-tech industry has spent the last several months focusing on security - for their information as well as their physical assets - a small but growing number of influential executives has been working toward the long-term goal of making the security industry obsolete.

"The security industry as we know it today goes away in 10 years," said Chris Darby, CEO of @Stake Inc., a security consultancy and research company in Cambridge, Mass.

As things stand now, the security market is a confusing and fractured mélange of technologies with exotic-sounding names such as firewall and IDS (intrusion detection system). Vendors in every segment tout their wares as the final piece of the puzzle, the magic potion that promises to make an IT manager's security headaches vanish. They play on customers' fears, telling them there are dozens, if not hundreds, of vulnerabilities in the software on which they're running their enterprises and that the only way to keep corporate data safe is to install yet another layer of security.

However, the dirty little secret of the security industry is that if the big software vendors paid more attention to security, security hardware and software vendors would be out of business, according to experts. And that's exactly the scenario that companies such as @Stake, Microsoft Corp. and others are trying to bring about.

Microsoft has long been a favorite target of crackers, much to the displeasure of customers that have been burned by vulnerabilities in the company's broad line of software. Microsoft has been quick to issue patches when someone identifies a new flaw in one of its products, but this spring, the company launched Trustworthy Computing, an all-out effort to improve the security of its products during the design and development phase, something its critics have suggested for years.

The main focus of the effort is training developers to write secure code and eliminate common and easily exploitable vulnerabilities such as buffer overruns. @Stake, which offers secure-coding training services, has seen a lot of demand for those services in recent months.

Such training and coding practices should lead to more secure products in the short term and in the long term, to a marked decrease in the number of vulnerabilities in corporate networks, which will mean fewer successful attacks, security insiders claim. And that, in turn, will mean less demand for security countermeasures such as firewalls and IDSes.

"In the long term, over time, as we design more-secure products, what we should see - what we'd better see - is fewer successful attacks, better stability and better security," said Scott Charney, chief security strategist at Microsoft, in Redmond, Wash. "We should be able to measure and say vulnerabilities are going down. Things should improve."

But "should" is far different from "will." Many of the common vulnerabilities that crackers use to invade corporate networks and Web servers have been around for years, if not decades. Buffer overruns, for example, were identified as early as the 1960s, and yet they continue to show up in new software packages such as Windows XP.

This leads some security experts to challenge the notion that the security industry is on the verge of collapsing.

"Today's simple-to-fix vulnerabilities, like buffer overflows, will likely be gone [in 10 years]," said Steven Bellovin, AT&T fellow in the Network Services Research Lab at AT&T Labs Research, in Florham Park, N.J., and a pioneer in network security. "But more complex semantic problems will remain. Most security holes are caused by buggy code. Buggy code is the oldest problem in computer science, and I see no reason to think that will change.

"We'll make progress - but it's fundamentally a very hard, and possibly insoluble, problem," Bellovin said. "I also think that the right approach for systems architects is to design their systems differently. A lot more has to be done to understand what the security-sensitive modules are so that they can be made as small as possible and can be properly isolated from the rest of the system."

But in the end, @Stake's Darby said he believes that the changes being made by companies such as Microsoft are moving the industry inexorably toward a fundamental shift.

"The notion of overlaying security products on networks after the fact is inefficient," Darby said. "And technology in the long run is about efficiency."

The changes that Darby, Charney and others envision for the security industry will not happen overnight. But if they do occur, users will eventually be better off, experts say.

"I think that Microsoft will apply a lot of effort to fix their security problems because it seems that they have been ridiculed to the point that they have finally decided to get right with God," said Phil Zimmermann, chief cryptographer at Hush Communications Corp., based in Dublin, Ireland, and inventor of the PGP e-mail encryption program. "I think Linux, FreeBSD and Apple [Computer Inc.] will try to reach parity with OpenBSD in security discipline. These changes will take years but will eventually bear fruit. Firewalls and IDS as add-on products will become less needed."

From isn at c4i.org Mon May 13 01:29:20 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Edinburgh Financial Cryptography Engineering 2002 - CFP
Message-ID:

Forwarded from: "R. A. Hettinga"

--- begin forwarded text

Status: U
Date: Fri, 10 May 2002 22:31:51 +0200
To: dbs@philodox.com, cryptography@wasabisystems.com, e$@vmeng.com, mac-crypto@vmeng.com
From: Fearghas McKay
Subject: Edinburgh Financial Cryptography Engineering 2002 - CFP
Sender:

The Third Edinburgh Financial Cryptography Engineering Conference

28-29 June, 2002

The Signet Library
Parliament Square
Edinburgh, Scotland

C A L L   F O R   P R E S E N T A T I O N S

Edinburgh is again host to the international *engineering* conference on Financial Cryptography. Individuals and companies active in the field are invited to present and especially to demonstrate Running Code that pushes forward the "state of the art".

STATEMENT OF INTENT

In spite of the excesses and tragedies of the Great Dot Com era, we have come to the realization that the Internet, Commerce, and Technology are inextricably related. We are therefore gathered together to study, as a community, the application of Cryptography and Information Security to the world of Finance. For it is Finance that drives Commerce, and Commerce, in the modern era, is based on the 'net.

This is a technical, practical meet. Presentations of demonstrable technology in the field of Financial Cryptography are invited. As this is a practical conference, we are hoping to accept every demonstrator.

THE RULES OF ENGAGEMENT

This conference is about implementations. Presentations are required to demonstrate working code within the first five minutes. Note that we are delighted to accept proposals from work-in-progress projects. If your demo crashes while honorably attempting to execute, the crowd will still love you.

THE VENUE

Our Venue is the Upper Library, within the Signet Library, which is a listed building housing the Society of Writers to Her Majesty's Signet. This exclusive conference venue is located in the centre of Edinburgh, within the Royal Mile.
ADMINISTRATION

Included in the conference admission will be breakfast, lunch and tea & coffee breaks. Also included will be the conference dinner in a local Edinburgh establishment. The conference administration will block-book a convenient hotel in the centre of town. Details to be advised.

NEXT STEPS FOR PRESENTERS

1. Save the dates 28/29 June 2002, Friday and Saturday on your calendar. It is good to plan on a few extra days, and especially, leaving on the day after, Sunday, will help to get the best fares.

2. Prepare your presentation. Check the evolving programme at http://www.efce.net/programme.html. Propose your presentation by mailing the Programme Chair, Rodney Thayer, at programme@efce.net.

3. Book passage to Edinburgh. Don't forget to stay a few days on either side to see the sights. Check the site for Locatives and Logistics.

4. Work on your presentation. Remember, the main rule is that you demo working code.

5. Get your budget approved / allocated / applied for. Whilst a commercial conference, accepted presenters will pay a deeply discounted fee, to be announced in a forthcoming release. For planning purposes, 200 GBP (approximately 300 dollars or 320 euros) should cover presenter's admission; the hotel should be about 100 GBP ($150 or E160) per night. Also include travel and incidentals in your budget.

6. The call for delegates -- attendees who do not present -- will be published at a later date. If there is someone in your organisation who needs to survey the state of the financially cryptographic art, they can attend as a delegate. For planning purposes, 500 GBP ($750 or E800) should cover the delegate's admission.

7. If you think the conference can benefit your organisation, consider sponsoring. Contact the Sponsorship Chair Fearghas McKay, sponsor@efce.net for more details.

8. Keep an eye on the conference web site (www.efce.net) for evolving details.

EFCE2002 COMMITTEE

Fearghas McKay     General and Sponsorship Chair
Rodney Thayer      Programme Chair
Rachel Willmer     Finance Chair

SPONSORSHIP

EFCE is supported by these companies active in Financial Cryptography:

* Intertrader Ltd, an Edinburgh-based e-payments middleware and applications company. http://www.intertrader.com/

* Declarator.net, a supplier of Distributed Trust Appliances. http://www.declarator.net/

--- end forwarded text

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From isn at c4i.org Mon May 13 01:32:10 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Kansas Teen Sentenced After Hackings
Message-ID:

http://www.newsbytes.com/news/02/176526.html

By Dick Kelsey, Newsbytes
OVERLAND PARK, KANSAS, U.S.A., 12 May 2002, 10:43 PM CST

A Kansas teenager has pleaded guilty to hacking the official Web site of Stockton, Calif. and telling city officials he would secure it if they gave him a laptop computer.

Matthew Kroeker, 18, was sentenced to serve two years probation and pay at least $18,000 restitution, his attorney Kevin Moriarty told Newsbytes. Kroeker pleaded guilty to four felony counts of computer crime in Johnson County District Court last week.

Kroeker has learned a "valuable lesson" in the three years since the episodes began, Moriarty said. He was charged in March with 11 felony counts for allegedly defacing more than 50 sites during 2000 under the name "Artech." State prosecutors had intended to charge him as an adult under Kansas' computer crime statutes.
Among Kroeker's targets was the Internet home page of the City of Stockton, Calif., which was replaced in June 2000 with one that simply said "Tard." Soon city webmaster Cathy Sloan received an e-mail signed "Matt," who took credit for the defacement and offered to help secure the site in exchange for a laptop computer. She played along with Kroeker while Stockton technology staffers tried to trace Kroeker's e-mail.

The case was first given to the FBI because he was suspected of defacing federal agency Web sites, but went back to local authorities due to Kroeker's age. Kroeker defaced the U.S. Department of Transportation's information services Web site with the words, "Artech - America's biggest screw up!"

From isn at c4i.org Mon May 13 01:38:08 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Linux Advisory Watch - May 10th 2002
Message-ID:

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  May 10th, 2002                           Volume 3, Number 19a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for mod python, tcpdump, imlib, sysconfig, webmin, netfilter, and dhcp. The vendors include Conectiva, Red Hat, and SuSE.

FTP Attack Case Study Part I: The Analysis

This article presents a case study of a company network server compromise. The attack and other intruder's actions are analyzed. Computer forensics investigation is undertaken and results are presented. The article provides an opportunity to follow the trail of incident response for the real case.

http://www.linuxsecurity.com/feature_stories/ftp-analysis-part1.html

* FREE SSL Guide from Thawte - Are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues.
--> http://www.gothawte.com/rd249.html

+---------------------------------+
|  mod python                     | ----------------------------//
+---------------------------------+

As stated[1] by Allan Saddi in the mailing list of mod_python, there was a vulnerability which would allow a publisher to access an indirectly imported module, thus allowing a remote attacker to call functions from that module (which is an unexpected and potentially dangerous behavior).

 Conectiva:
 ftp://atualizacoes.conectiva.com.br/8/RPMS/mod_python-2.7.8-1U8_1cl.i386.rpm

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2051.html

 Red Hat 7.3 i386:
 ftp://updates.redhat.com/7.3/en/os/i386/mod_python-2.7.8-1.i386.rpm
 9b9e4a43002cd22f9a8df7fd9784e925

 Red Hat Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-2056.html

+---------------------------------+
|  tcpdump                        | ----------------------------//
+---------------------------------+

tcpdump buffer overflows: during a tcpdump code auditing done by FreeBSD developers, several buffer overflows were discovered[2] in tcpdump versions prior to 3.5. New versions (including 3.6.2) are also vulnerable to another buffer overflow[3] in AFS RPC decoding functions, as pointed out by Nick Cleaton.

 Conectiva:
 ftp://atualizacoes.conectiva.com.br/8/RPMS/libpcap-0.6.2-4U8_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/libpcap-devel-0.6.2-4U8_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/libpcap-devel-static-0.6.2-4U8_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/tcpdump-3.6.2-3U8_1cl.i386.rpm

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2052.html

+---------------------------------+
|  imlib                          | ----------------------------//
+---------------------------------+

Imlib could, under certain circumstances, revert to using a netpbm library which is well known to have security problems and should not be used for handling untrusted data. Furthermore a heap corruption could occur in the imlib code.

 SuSE:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 SuSE Vendor Advisory:
 http://www.linuxsecurity.com/advisories/suse_advisory-2053.html

+---------------------------------+
|  sysconfig                      | ----------------------------//
+---------------------------------+

The ifup-dhcp script which is part of the sysconfig package is responsible for setting up network-devices using configuration data obtained from a DHCP server by the dhcpcd DHCP client. It is possible for remote attackers to feed this script with evil data via spoofed DHCP replies for example. This way ifup-dhcp could be tricked into executing arbitrary commands as root. The ifup-dhcp shellscript has been fixed to not source the file containing the possible evil data anymore.
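The sysconfig entry above comes down to one shell habit: a file of DHCP-supplied settings was sourced, so whatever the DHCP server put in it ran as root. The following POSIX shell script is an added example, not SuSE's ifup-dhcp code, showing the alternative the fix implies: read such a file line by line with `read -r`, accept only known keys whose values match the syntax that key permits, and never hand a line to the shell for evaluation. The file format, the key names and the sample contents are constructed for illustration and are not real dhcpcd output.

```shell
#!/bin/sh
# Added example, not SuSE's sysconfig/ifup-dhcp code: consume a file of
# DHCP-supplied settings as data instead of sourcing it as shell code.
# File format, key names and the sample contents are assumptions made
# for illustration.

# Constructed sample of what a DHCP client might write to its info file.
# The last two lines carry the kind of content the advisory warns about:
# harmless as text, but they would run as commands if the file were sourced.
SAMPLE_INFO='IPADDR=192.0.2.10
NETMASK=255.255.255.0
GATEWAY=192.0.2.1
DNS=198.51.100.53,198.51.100.54
DOMAIN=$(echo injected)
HOSTNAME=host;touch /tmp/x'

# The pattern the advisory describes as removed: ". $infofile" lets the
# shell evaluate every line, so any metacharacter becomes code run as root.

# validate_value KEY VALUE: exit 0 if VALUE fits the syntax allowed for
# KEY, 1 otherwise. Unknown keys are rejected outright (allow-list).
validate_value() {
    vkey=$1
    vval=$2
    case "$vkey" in
        IPADDR|NETMASK|GATEWAY)
            # dotted quad: digits and dots only
            case "$vval" in ""|*[!0-9.]*) return 1 ;; esac ;;
        DNS)
            # comma-separated list of dotted quads
            case "$vval" in ""|*[!0-9.,]*) return 1 ;; esac ;;
        DOMAIN|HOSTNAME)
            # DNS name characters only
            case "$vval" in ""|*[!A-Za-z0-9.-]*) return 1 ;; esac ;;
        *)
            return 1 ;;
    esac
    return 0
}

# parse_dhcp_info FILE: print each KEY=VALUE line that passes validation,
# report rejected ones on stderr, and return the number rejected.
# read -r keeps every character literal; nothing is ever evaluated.
parse_dhcp_info() {
    rejected=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ""|"#"*) continue ;;                       # blanks and comments
            *=*) ;;
            *) rejected=$((rejected + 1)); continue ;;  # no KEY=VALUE shape
        esac
        key=${line%%=*}
        val=${line#*=}
        if validate_value "$key" "$val"; then
            printf '%s=%s\n' "$key" "$val"
        else
            printf 'rejected: %s\n' "$key" >&2
            rejected=$((rejected + 1))
        fi
    done < "$1"
    return "$rejected"
}

# demo: write the constructed sample to a temporary file, parse it, and
# return the number of rejected lines (2 for the sample above).
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_INFO" > "$tmp"
    parse_dhcp_info "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

demo || echo "rejected $? line(s)" >&2
```

The allow-list is the point: a value is accepted because it looks like an address or a name, not because it lacks some particular metacharacter, so the check does not need to anticipate every way a DHCP reply could be shaped. The accepted lines are printed rather than exported, so the caller decides what to do with each setting.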
 SuSE-8.0
 ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/sysconfig-0.23.14-60.i386.rpm
 4d6a9f1a3e1a461ebbea9a6e98f4e894

 SuSE Vendor Advisory:
 http://www.linuxsecurity.com/advisories/suse_advisory-2054.html

+---------------------------------+
|  webmin                         | ----------------------------//
+---------------------------------+

A vulnerability lies in the communication between the parent process and the child process of Webmin and Usermin, which could allow an attacker to spoof a session ID as any user already logged in. This results in the possibility for users who are not logged in, to be able to use these software tools.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Webmin Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2055.html

 Webmin Vendor Advisory 2:
 http://www.linuxsecurity.com/advisories/other_advisory-2064.html

+---------------------------------+
|  netfilter                      | ----------------------------//
+---------------------------------+

When a NAT rule applies to the first packet of a connection and that packet later causes the system to generate an ICMP error message, the ICMP error message is sent out with translated addresses included. This address information incorrectly gives the IP address to which the connection would have been forwarded if the ICMP error message was not generated, which exposes information about the netfilter configuration (which ports are being translated) and about the network topology (which address the ports are being forwarded to). Also, the incorrect ICMP packets may be dropped by other intervening stateful firewalls as malformed packets.

 Red Hat:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Red Hat Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-2057.html

+---------------------------------+
|  dhcp                           | ----------------------------//
+---------------------------------+

Versions ranging from 3 to 3.0.1rc8 (inclusive) have a format string vulnerability[1] that could be exploited remotely. Considering the usage of the DHCP service, this usually means the local area network in this case.

 Conectiva:
 ftp://atualizacoes.conectiva.com.br/8/RPMS/dhcp-3.0-3U8_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/dhcp-doc-3.0-3U8_1cl.i386.rpm

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2058.html

 DHCP Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2065.html

+---------------------------------+
|  OpenBSD                        | ----------------------------//
+---------------------------------+

On current OpenBSD systems, any local user (being or not in the wheel group) can fill the kernel file descriptors table, leading to a denial of service. Because of a flaw in the way the kernel checks closed file descriptors 0-2 when running a setuid program, it is possible to combine these bugs and earn root access by winning a race condition.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE
 http://www.linuxsecurity.com/advisories/openbsd_advisory-2062.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon May 13 01:43:15 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Midwest Express hackers cause a stir
Message-ID:

Forwarded from: rferrell@texas.net

> The hackers said they were motivated to intrude on the sites of
> Midwest Express and other corporate and military sites to
> demonstrate that the U.S. infrastructure is still vulnerable to
> terrorists even after Sept. 11. Midwest Express and other corporate
> targets were apparently chosen at random.
OK folks, it's time to give up this pointless charade. These Web page defacers don't give two hairs off a rodent's backside about the "security of the U.S. infrastructure." What they care about is publicity: the glory of seeing themselves in countless news stories. Their message, if it means anything to them at all, is a rationalization designed to ease their own consciences and perhaps to generate public sympathy for their blatantly criminal actions. If I rob someone at gunpoint, does explaining that I'm doing it to protest against people who commit robberies make it more acceptable?

These puerile escapades are hardly a novel approach, and quite frankly, they just aren't news. If the press will ignore these little twerps, they'll probably go away.

RGF

Robert G. Ferrell
rferrell@texas.net

From isn at c4i.org Mon May 13 01:42:28 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Security myths costing firms
Message-ID:

Forwarded from: Jay D. Dyson

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 7 May 2002, InfoSec News wrote:

> SECURITY guru Peter Tippett loves to shock people.
> He said no security system was ever going to be 100 per cent effective.

That's a shock? Hell, even the vault doors on Fort Knox have caveats on their failure conditions. Anybody with a lick of sense knows that. Anyone who thinks that any digital security is 100% fool-proof only shows that they are a fool.

> The costs involved in reacting to every alert or vulnerability would be
> prohibitive, in any case, he said.

Rubbish. Following any recommendation of every market droid out there is cost-prohibitive; meaningful security is definitely _not_ cost-prohibitive...it's cost-effective.

> A better approach was to quantify security risks, and take steps to
> realistically address them - bearing in mind the costs of doing so.

Or, even more radically, actually *implementing* security recommendations once you get them. I can't tell you how many times I've seen businesses buy firewalls and never implement them. Even worse are the ones who do implement them, but never bother looking at the firewall logs. Still worse are those who make no critical assessment of the marketing claims made by the snake oil salesmen who foist this stuff onto them.

> Dr Tippett said companies were spending more money on security every
> year, but the problems of web defacements, intrusions, viruses and
> denial of service attacks still became worse. It was a mindset problem,
> he said. Companies were focusing on the wrong things and failing to get
> the basics right.

Or doing their usual thing by spending money and then never following through. I can't tell you how many times my government employer has thrown good money after bad on "security audits" only to never do anything about the problems discovered until they get their asses 0wn3d six ways to Sunday.

Thus, the problem isn't any perceived shortcomings in security modalities; it's a shortcoming in actual *action* on the part of the current and future victims.

> A better approach was to employ "synergistic security", which hinged
> on the concept of redundancy in security controls, Dr Tippett said.

How about more security and less buzzwords? I for one would definitely welcome that.

> Now airline safety has improved 1000-fold, largely due to improved
> safety practices.

Bull. The FAA has been, still is, and always will be a tombstone agency. Changes are not made until enough people die. Ask anyone who's worked with or for the FAA and they'll tell you the same thing. Asking the computer security industry to be modeled after the FAA isn't a step in the right direction...it's just codification of the idiocy we have today.

> "There's no formal mechanism for distributing information about problems
> and what must be done to fix them."

By doing what? NIPC, Part 2? That's a laugh.

> TruSecure is positioning itself in that space, as an information
> repository and advisory service. Dr Tippett said the company monitored
> the activities of some 800 hacker groups and collected 200 gigabytes of
> net traffic a day, to keep ahead of the problems.

I knew it...more marketing dreck. Saw it coming a mile away.

- -Jay

   (    (                                                          _______
   ))   ))   .--"There's always time for a good cup of coffee"--.  >====<--.
 C|~~|C|~~| (>------ Jay D. Dyson -- jdyson@treachery.net ------<) |    =  |-'
  `--' `--'  `-- They know the rules. We know the loopholes. --'   `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE83ZjqGI2IHblM+8ERAmYqAKCLrkMrJ2/a/jt6hfaOPSfMdgqoqwCgkQex
Yt1rgPUJc6WCzeunp0YDFzA=
=LHf7
-----END PGP SIGNATURE-----

From isn at c4i.org Mon May 13 01:29:46 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Security Still an 'Afterthought'
Message-ID:

http://www.eweek.com/article/0,3658,s=701&a=26622,00.asp

By Dennis Fisher
May 9, 2002

LAS VEGAS -- Despite the current emphasis on security in the IT industry, CIOs and IT managers are still not paying enough attention to the problems facing their organizations, a panel of security experts said Wednesday.

"Security is still very much an afterthought," said Robert Thomas, CEO of Netscreen Technologies Inc., of Sunnyvale, Calif. "It's reactive and not proactive."

Thomas' comments came during a keynote panel discussion at the NetWorld+Interop show here that also included representatives from Network Associates Inc., Enterasys Networks and Internet Security Systems Inc.
The other panelists echoed Thomas' sentiments, saying that although security currently is getting a lot of attention, the basic infrastructure of the Internet and corporate networks is still fundamentally vulnerable.

"The reality is, everything is vulnerable. I just don't believe that we'll ever get ahead of the attacks," said John Roese, chief technology officer of Enterasys, of Portsmouth, N.H. "There will always be a threat, and you'll never be completely protected. I'm disturbed that most enterprises don't have the mechanisms to react to things like Code Red and Nimda."

That lack of readiness extends to the government and its vital networks, said Christopher Klaus, co-founder and CTO of ISS, of Atlanta.

"Any system that the government says isn't connected to the Internet, that's false," said Klaus, whose company does quite a bit of work with the government. "There's always some engineer who needs to get his e-mail and he plugs the machine into the Internet."

And, although many enterprises revisited their security plans after Sept. 11, that hasn't necessarily translated into a boon for security vendors.

"The increase in spending on security products hasn't been that big," said Sandra England, vice president of business development and strategic research at Network Associates, of Santa Clara, Calif.

From isn at c4i.org Mon May 13 01:41:09 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Smith Bill Raises Police Power Concerns
Message-ID:

Forwarded from: Bob

http://dc.internet.com/news/print/0,,2101_1107691,00.html

By Roy Mark
dc.internet.com
10 May 2002

For Alan Davidson, the associate director of the Center for Democracy and Technology, the greater issue involving H.R. 3482 -- the Cyber Security Enhancement Act of 2001 -- is not increased surveillance of Internet users by Internet service providers (ISPs), but, rather, giving greater police powers to law enforcement agencies.

The bill passed the House Judiciary Committee Wednesday and now awaits a floor vote of the full membership.

Under current law, ISPs can face civil damages for disclosing user activity unless that activity presents an immediate risk of death or physical injury. Under H.R. 3482, sponsored by Rep. Lamar Smith (R.-Tex.) ISPs would be able to report threats that are "not immediate" and be protected from privacy violation lawsuits.

According to Davidson, who is also an adjunct professor at Georgetown University's graduate program in communications, culture and technology, the privacy threat to Internet users is more likely to come from law enforcement agencies than from ISPs spying on users.

"What concerns me is that police will come to an ISP and claim an emergency or a broad definition of an emergency and ISPs, being good citizens, will voluntarily give them user information because they will be protected from civil litigation," Davidson said.

The bill aims to better coordinate cyber security efforts between federal, state and local agencies, make information more readily available to law enforcement agencies and slap harsher penalties on cyber criminals.

Criminal punishment for cyber crimes is currently based on the amount of economic damage caused by the attack. Smith's legislation would allow the U.S. Sentencing Commission to increase punishment when considering a perpetrator's intent and whether sensitive government data is involved in the crime.

The bill also directs the Attorney General, acting through the Federal Bureau of Investigation (FBI), to establish and maintain a National Infrastructure Protection Center to serve as a national focal point for threat assessment, warning, investigation, and response to attacks on the nation's critical infrastructure, both physical and cyber.

It further establishes within the Department of Justice (DoJ) an Office of Science and Technology to work on law enforcement technology issues, addressing safety, effectiveness and improved access by federal, state, and local law enforcement agencies.

The bill abolishes the Office of Science and Technology of the National Institute of Justice, transferring its functions, activities, and funds to the newly formed DoJ office.

From isn at c4i.org Mon May 13 01:36:27 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:08 2008
Subject: [ISN] Team tackles Windows security
Message-ID:

http://www.fcw.com/fcw/articles/2002/0506/web-micro-05-09-02.asp

By Dan Caterinicchia
May 9, 2002

Government, industry and academia have teamed up to secure the most popular type of system being deployed on servers in the public and private sectors: Microsoft Corp.'s Windows 2000.

The National Security Agency and National Institute of Standards and Technology, in cooperation with the Center for Internet Security, the SANS Institute and Microsoft, have reached an initial agreement on a benchmark for securing Windows 2000 computers, said Alan Paller, director of research at the SANS Institute, a security education and consulting organization.

Paller said the joint action on Windows 2000 will lead to testing applications to ensure they work on securely configured systems and don't require users to sacrifice usability for security.
"Their effort will lead to automation of security configuration and testing, and it will lead to procurement language that allows federal agencies and commercial organizations to order securely configured versions of Windows 2000," Paller said, speaking May 8 at a Senate Governmental Affairs Committee hearing focused on critical infrastructure protection through public/private information sharing, The NSA/NIST-led group also is working on security benchmarks for Sun Microsystems Inc. Solaris and Cisco Systems Inc. systems, Paller said, adding that "benchmarks for several other operating systems are in the pipeline." He said that once the benchmarks are shared and tools become available to test systems, defending the nation's critical infrastructure will be made easier, especially when it comes to: * Distributing patches. * Stopping worms. * Fixing infected systems (because there will be fewer of them). * Stopping distributed denial of service attacks (because there will be fewer victims to use). "If this committee can help ensure that federal agencies use their purchasing power to acquire safer systems form the vendors using consensus benchmarks, you will have an enormous effect on federal cybersecurity," Paller said. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Mon May 13 01:37:39 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:08 2008 Subject: [ISN] Terrorists could launch cyber-war / RFF Reply to First-Rate FUD Message-ID: Forwarded from: Richard Forno Regarding: > http://news.com.au/common/story_page/0,4057,4286006%255E15318,00.html > A "CYBER jihad" could be launched against the West as terrorists > moved from the real world to an internet-based virtual world, a US > expert warns. Sensational, fear-mongering term here. "CyberJihad" ??? Crikey, we better run for the hills..... 
> Michele Zanini, a consultant with the think-tank McKinsey and
> Company, said terrorist groups such as al-Qaeda were already making
> huge use of the web for communications, propaganda, recruitment and
> target data.

Never heard of them, but it must be a think-tank full of stagnant thoughts and conventional thinking. The web and internet is a communication medium.....a tool.....criminals use it to plan traditional crimes, it's only natural that a terrorist would use it for such purposes too. Doesn't mean it's the end of the world.

Prior to 0911, a civilian airliner was used to fly between airports, not serve as human-guided missiles against skyscrapers. But we don't see talk about "aerojihads" being the next harbinger of evil against the West, do we? How quickly we forget that anything that can be used by a human can be turned into a weapon. This is NOT new. What we also forget is that just because something CAN be used as a weapon doesn't mean it WILL, either.

> Another expert, Rand Europe senior policy analyst Kevin O'Brien said
> there was potential for terrorists to cause huge losses to the West
> by damaging information technology systems.

We have that now, but nobody seems to give a hoot. It's called Microsoft and the incessant amount of security problems costing how many billions to address, and most of the problems NEVER FULLY GO AWAY. If you're worried about cyber-security, why not point the finger and take action against a known cause of repeated and quite significant problems and vulnerabilities we ALREADY KNOW where they come from? I guess it's still easier to point the fingers for our INFOSEC problems at shadowy cyber-terrorists and such, thereby ducking blame and avoiding responsibility for the current state of world information insecurity.

> Dr Zanini and Dr O'Brien were speaking at an international
> conference on global terror in Hobart.
>
> Dr O'Brien said Western-developed IT had become the "great
> equaliser" as it was exploited by terrorists and rogue states.

Yeah, and the electron is the ultimate guided weapon, like former DCI Deutch said. What a crock.

> He said the cyber world was chaotic and without boundaries and
> Western security agencies were traditionally ill-equipped to deal
> with its threats.

Agreed. They have a hard enough time keeping their own systems secured.

> In the wake of September 11, it was clear terrorists were using the
> internet as a weapon of war, the experts said.

"Weapon of war"??? Sensational fear-mongering. They also used airplanes as a real and quite deadly 'weapon of war' but nobody here seems to remember that. Under these guys' definitions, a USG visa, fraudulent drivers' licenses, and a copy of the Koran would be 'weapons of war' too.....

> Terrorists used the net to gather intelligence, including target
> information, and counter-intelligence.

Net notwithstanding, it didn't take a genius to know where the WTC was. They didn't need the Net, GPS, or Mapquest to find it. After 0911 we saw the USG rush to strip the GPS and map coords of nuke plants off the Web -- so what? What real good did that do to thwart terrorism? You can go to the library and look it up. Or, if the library's database was destroyed (per USG orders post-0911) they can go to 7-11 and buy a Rand McNally driving map. Or, golly gee, they could get in a car and drive around, following road signs and look for the cooling towers found at a nuke facility. They don't need GPS coordinates to attack something as large as a nuke plant or skyscraper. The web may have made it easier to communicate between terrorists, but it wasn't a major force multiplier these guys say it was.

> They made and moved money on it and were suspected of even
> manipulating stocks for profit.

Gee. Maybe al-Qaeda sat on the Enron Board...
> They could also use it for worldwide planning and coordination,
> propaganda, psychological terrorism and rumour-mongering.

Old news. Regarding propaganda, psyops, and rumor-mongering, the net's been used for this for years. Anyone remember ELF, Electrohippies, or the Zapatistas? The transparency of the net, plus the number of ways to confirm/deny such rumors/propaganda is a countermeasure that's already built-in to the net and the information age. No real danger.

> Dr O'Brien said the danger to business was of great concern, with
> some websites particularly vulnerable.
>
> An interruption of a few seconds on the New York foreign exchange
> market could cost billions of dollars.

Dollars lost in a momentary hiccup on the Exchange will still not concern the population, or stick in their minds, like knowing that thousands were killed when two 110-story skyscrapers went tumbling down in NYC, or when the Pentagon was attacked. I'll prolly not remember where I will be if/when NYSE gets hacked, but you can bet I'll be telling my grandkids EXACTLY what I was doing and where I was minute-by-minute the morning of 0911. While billions lost in a hiccup is problematic - face it, it's tragic, and it's angering, but hacking NYSE or NASDAQ is essentially an inconvenience. Nobody probably will be killed during such an event, unlike a physical attack like we saw on 0911.

> Companies could also be damaged through extortion, brand destruction
> and fraud.

That already happens, but terrorists aren't to blame.

> Australia, Britain and Canada had moved in this direction, but the
> US response was still hampered by agency turf wars and personal
> rivalries, he said.

Yep - that is not likely to change anytime soon.

> However, on the wild world of the web, there's an unlikely ally in
> the war against terror.
>
> Dr Zanini said traditional hackers had a quite different culture to
> terrorists and the two did not mix well.
>
> There was even an organisation called Hackers Against Terrorism, a
> sort of virtual vigilante group, he said.

Zanini is WAY OFF the mark here. Hackers Against Terrorism was a scam by German dotcom playboy Kim Schmitz - who after a brief time on the lam, was returned to Germany and is currently awaiting trial. He's not a hacker, he's a charlatan who enjoys the images of a fast global lifestyle.

This Register article tells part of the story.

http://www.theregister.co.uk/content/55/22457.html

This April 11, 2002 Business Week story tells the rest, including describing in more detail his alleged wrongdoings and activities over the past few years. Be your own judge....but I think it's pretty clear he's not the 'unlikely ally in the war against terror' that Zanini says he is.

http://www.businessweek.com/bwdaily/dnflash/apr2002/nf20020411_3688.htm

It's this kind of short-range, sensational, half-witted analysis and proclamations that muddies the waters in developing and implementing an effective information assurance strategy for the country. Unfortunately, this kind of tripe is heard all the time in the halls of Congress, DoD, and by various firms that claim to provide commercial 'cyber-intelligence' services. It terrifies me that such advice and analysis is actually believed by those in charge of our country -- talk about the blind leading the blind.

I need more coffee now.

Rick
infowarrior.org

(c) 2002. Permission granted to reproduce in entirety.
From isn at c4i.org Tue May 14 02:19:12 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Credit Card Theft Thrives Online as Global Market
Message-ID:

http://www.nytimes.com/2002/05/13/technology/13CARD.html

By MATT RICHTEL
May 13, 2002

Tens of thousands of stolen credit-card numbers are being offered for sale each week on the Internet in a handful of thriving, membership-only cyberbazaars, operated largely by residents of the former Soviet Union, who have become central players in credit-card and identity theft.

The marketplaces - where credit card prices fluctuate with supply and demand in a sort of black stock market - offer a window into a crime that costs the financial system $1 billion or more a year. They also show how readily personal information is being stolen and traded in the computer age.

But the same Internet technology that has enabled the theft and sale of credit cards also provides a veritable transcript of the criminal activity, and a real-time peephole into the attitudes, ethic - and sometimes honor - among the thieves. The chat forums indicate as well that several dozen of the top participants recently have discussed gathering at a credit-card reseller's conference in Odessa, Ukraine, at the end of this month.

"It's straight out of Capitalism 101 - it's become a big industry," said one high-technology executive who surreptitiously monitors the Internet card markets, and who noted that the market price of credit cards fluctuates daily based on supply - which, he said, is copious.

"There appears to be an endless supply of cards out there," he said.

In recent days, the cost of a single credit card has been between 40 cents and $5 depending on the level of authenticating information provided. But the credit-card numbers typically are offered in bulk, costing, for example, $100 for 250 cards, to $1,000 for 5,000 cards, with the sellers offering guarantees that the credit-card numbers are valid.
Security experts say the buyers of the card numbers in these forums are all over the world, but often come from the former Soviet Union, Eastern Europe and Asia, specifically Malaysia. The buyers use the numbers in a variety of frauds, including making purchases over the Internet, having them fenced in the West, or even extracting cash advances directly from the credit-card accounts.

Security experts say the people living in the former Soviet Union - often in Russia and Ukraine - who are operating the marketplaces are typically buying the card numbers from so-called black-hat computer hackers. These hackers obtain the card numbers by breaking into computer systems of online merchants and getting access to thousands of credit-card records at a time.

"This is highlighting a tremendous lack of security," said Richard Power, editorial director of the Computer Security Institute, an association of computer security professionals that recently published a report with the Federal Bureau of Investigation on computer crime. "In the old days, people robbed stagecoaches and knocked off armored trucks. Now they're knocking off servers."

The ultimate cost of this is hard to estimate, according to financial analysts, though they say it is a fraction of the total size of the credit-card industry. A recent survey from Celent Communications, a market research firm, found that credit-card payment fraud will cost online merchants a minimum of $1 billion a year, which is not insignificant, though it pales in comparison to the more than $900 billion that Visa alone processes annually.

The cost to individual businesses, however, can be dramatic. In January 2000, an extortionist based in Russia demanded $100,000 from an Internet music retailer, CD Universe, by posting credit-card numbers stolen from the company's database to a Web site, which was subsequently shut down by the F.B.I.
Last year, people close to Flooz.com, a bankrupt purveyor of certificates used for online purchases, said one reason the company failed was that it had unknowingly sold $300,000 of its currency to credit-card thieves in Russia and the Philippines.

Generally speaking, the Celent report found that the fraud rate on the Internet is 0.25 percent for Visa and MasterCard transactions, significantly higher than the 0.08 percent for Visa and 0.09 percent for MasterCard in the offline world.

The typical consumer is generally protected from these costs, since consumers are not held liable for most fraudulent charges, but credit-card interest rates can rise because of crime, and consumers may have to deal with the aggravation of removing charges they did not make.

Mr. Power, from the Computer Security Institute, said: "You don't want to be an alarmist and say, 'The sky is falling, and Visa is going to crumble.' But the financial losses involved in this kind of theft are underestimated, underreported and underacknowledged," estimating the worldwide cost is in the "double-digit billions."

"There's a lot more hemorrhaging going on than some people believe," he said.

The Internet sites of the online marketplaces are mostly known only to their participants - though that number can run as high as 2,000 registered users. The site operators change their online addresses frequently to prevent monitoring by law enforcement.

In the past, credit-card traffickers did business in private chat rooms on the Internet Relay Chat, a communication network, and now they also use the World Wide Web, where it is easy to start and shut down sites to avoid detection. But there are security professionals who surreptitiously listen in, tracking the supply of card numbers and prices.

John Shaughnessy, senior vice president for risk management and fraud control at Visa USA, said the company was aware of online marketplaces and sought to monitor them, when it could find them.
He said it appeared that many of the buyers and sellers of cards were in Asian countries and the former Soviet Union. Some people familiar with the trend have also said that stolen credit cards were being purchased by people in Saudi Arabia and Dubai, United Arab Emirates.

Mr. Shaughnessy said Visa had worked closely with the F.B.I. on these issues. Officials at the F.B.I. did not return calls for comment.

Even though the activities of the marketplace can be monitored, this does not mean participants can be easily caught, since they do not use their real names or give their whereabouts, and they make their payments through secure money transfers over the Internet that are not easily traced.

But the Web sites offer a profile of the typical participant and of the way they do business. A security expert who monitors several of the bazaars said one of the most active was run by a Ukrainian 18 or 19 years old who went by the name "Script." The operator lives in Odessa. He is among about nine members of a clique, whose members call it "the family," and who are considered the most powerful and reliable of the middlemen.

In a recent transcript, the dealer who operates the forum posted in a typical note: "I am selling Visa and MC (American cards)." He added, "The minimal deal size is 40$."

He also listed a higher price if the deal included the card's CVV2 code, a printed security code that appears on credit cards and is supposed to prevent fraud. Merchants are not supposed to record the code in their databases, but they sometimes do, which means that hackers can get access to this higher level of information. On the online forum, the seller noted that 100 cards with the CVV2 code cost $300.

A discussion then ensued involving his former buyers, attesting to the seller's reliability. One buyer wrote, "This guy's always slightly more expensive, but his stuff is good." Another wrote: "This guy is awesome. He always gave me three times the number of cards I paid for."
The endorsements are a somewhat surreal reproduction of the rankings given to sellers on legitimate e-commerce sites, like the auction site eBay, or to authors by readers on Amazon.com.

The feel of the site is one of pure capitalism, replete with marketing. The seller who operates the site sometimes posts online banner advertisements for his service. The sellers usually ask for payment to be made through online accounts, like www.WebMoney.ru, where money can be electronically deposited, wired, then transferred to a bank account.

The discussions on the forum have a definite anti-Western bent, particularly anti-American. They are critical of American foreign policy. Some of the members of the forum also express anti-Semitic views.

There is not much social interaction, but it is not unheard of. The participants will brag about using their spoils to take vacations, for instance, to Bulgaria or Dubai. Recently, there was a discussion that nearly 40 members of the group would meet in Odessa on May 31, at the first "World Carders" conference, though the organizers appear to have moved the talk to a more private setting.

From isn at c4i.org Tue May 14 02:18:39 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Cyber-spies needed for Ottawa jobs
Message-ID:

Forwarded from: William Knowles

http://www.nationalpost.com/home/story.html?f=/stories/20020513/207625.html

Kathryn May and Jim Bronskill
Ottawa Citizen and Southam News
May 13, 2002

OTTAWA - Canada's electronic spy agency is coming out of the shadows for its biggest recruitment campaign since the Cold War.
The clandestine Communications Security Establishment expects to expand its workforce of cyber-spies and high-tech whizzes by at least one-third over the next 18 months, a surge of unprecedented growth for the agency whose roots stretch back to the Second World War.

The Ottawa-based CSE, a secretive wing of the Defence Department, monitors foreign radio, telephone, fax, satellite and computer traffic for information of interest to Canada. The intelligence is used in support of federal crime-fighting, defence and trade policies.

CSE's other key role is the protection of federal computer systems and information networks, including the new "government online" project so Canadians can securely do any two-way transaction with government when completed by 2005. It's also a key player in protecting Canada's critical infrastructure, from power grids to telecommunication networks, that increasingly relies on information technology.

Demand for the agency's expertise has mushroomed since security jumped to the top of the national agenda in the aftermath of the September terrorist attacks on the United States.

"Since Sept. 11, working for national security has become attractive for people, they feel like they're doing something vital for the country," said Simon Gauthier, CSE's deputy chief of information technology security.

The government gave the agency, expert in making and breaking code, an additional $280-million in the last budget to be used over the next six years. Half has been earmarked for staff and salaries, said Barbara Gibbons, director general of CSE's corporate services. Already splitting at the seams, with nearly 1,000 employees, the agency is also looking for new office space.

"To our knowledge, this is the biggest [recruitment] in our history," Ms. Gibbons said.
Bill Robinson, a defence policy expert and long-time observer of CSE, said the hiring drive marks the third major expansion in the spy agency's history, the previous ones coming in the early years of the Cold War and during the global military buildup of the Reagan era. "It's huge, it's a really big change."

CSE is seeking highly skilled specialists, often the most advanced in their fields, whose talents can be adapted to both intelligence gathering and protecting government information and networks. It is also facing a major turnover among executives when more than half retire in the next several years.

It's looking for computer scientists, programmers and developers; engineers, mathematicians, IT security consultants, language analysts, physicists, intelligence and policy analysts, cryptologists, and linguists fluent in Asian, African, Middle Eastern and European languages.

CSE computer specialists, math whizzes and language experts sift through intercepted data to create thousands of intelligence reports for government agencies annually. Military listening posts across the country assist the agency's efforts to eavesdrop on suspected spies, terrorists and other criminals as well as process information helpful to Canada's foreign policy interests and troop deployments abroad.

A federal report warned last year that easily obtainable encryption technology was suddenly making it extremely difficult for CSE to monitor communications. Claude Bisson, watchdog over the spy agency, said rapid advances in wireless, fibre-optic and Internet technologies were helping criminals and other targets shield their messages from interception.

The dizzying change has also made it a challenge to stay a step ahead of the hackers and cyber-terrorists who could threaten Canada's computer infrastructure. That means CSE not only has to attract the hottest cryptologists and computer programmers but also make sure existing workers are up-to-date on the latest advances.
This week, CSE is hosting a major IT security symposium in Ottawa, bringing in industry leaders to discuss the latest security challenges and possible solutions. A conference that attracted barely 125 people 14 years ago is bursting this year with more than 1,500 registrants.

But few Canadians have even heard of CSE. It is not listed in the phone book.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue May 14 02:17:30 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Linux Security Week - May 13th 2002
Message-ID:

LinuxSecurity.com Weekly Newsletter
May 13th, 2002 Volume 3, Number 19n

Editorial Team: Dave Wreski dave@linuxsecurity.com
Benjamin Thomas ben@linuxsecurity.com

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Decoding IPsec: Understanding the Protocols of Virtual Private," "SSL Certificates HOWTO," "Buffer Overflows - What Are They and What Can I Do About Them," and "5 minutes to a Linux firewall."
This week, advisories were released for mod python, tcpdump, imlib, sysconfig, webmin, netfilter, and dhcp. The vendors include Conectiva, Red Hat, and SuSE.
http://www.linuxsecurity.com/articles/forums_article-4961.html

Find technical and managerial positions available worldwide. Visit the LinuxSecurity.com Career Center:
http://careers.linuxsecurity.com

[ Articles This Week ]

Host Security News:

* SSL Certificates HOWTO
May 10th, 2002
A first hand approach on how to manage a certificate authority (CA), and issue or sign certificates to be used for secure web, secure e-mail, or signing code and other usages. This HOWTO will also deal with non-linux applications: there is no use to issue certificates if you can't use them.
http://www.linuxsecurity.com/articles/cryptography_article-4967.html

* How secure is your password?
May 10th, 2002
In order to access computer networks, online bank or e-mail accounts, we need a wide range of usernames and passwords. Constant attention is required to track what our name is in each virtual environment, and what password is needed at that moment to access personal information.
http://www.linuxsecurity.com/articles/network_security_article-4963.html

* Buffer Overflows - What Are They and What Can I Do About Them?
May 6th, 2002
Buffer overflows have been a problem in software-based systems and applications for a long time. One of the first significant computer break-ins that took advantage of a buffer overflow was the Morris worm, and that happened in November 1988.
The worm took advantage of a buffer overflow in the finger service, a service that dispenses information about the set of users logged into a UNIX-based computer system.
http://www.linuxsecurity.com/articles/general_article-4932.html

Network Security News:

* Decoding IPsec: Understanding the Protocols of Virtual Private Networks
May 10th, 2002
Acquiring a deeper understanding of how virtual private networks (VPNs) operate can be a daunting task. It traditionally has required sorting through scattered information and deciphering technical standards that contain a potentially confusing assortment of acronyms and algorithms.
http://www.linuxsecurity.com/articles/cryptography_article-4964.html

* Simplicity and Awareness - Keys to Network Security
May 9th, 2002
Few people believe that maintaining a sound network security posture is easy. Those who do are deluding themselves, unless they practice two fundamental tenets of security: simplicity and awareness.
http://www.linuxsecurity.com/articles/network_security_article-4956.html

* Firestarter: 5 minutes to a Linux firewall: Part 2
May 8th, 2002
The following article is part two of a two part series. "Alternately, you could create limit rules to accept only a certain number of requests every second. Or if you have monitoring software that requires your box to be "pingable," you could accept ICMP requests from only a certain IP or set of IP addresses."
http://www.linuxsecurity.com/articles/firewalls_article-4946.html

Cryptography:

* Security IC suppliers split over encryption methods
May 12th, 2002
Growing security concerns within the enterprise communication market are challenging chipmakers to develop advanced, silicon-based encryption techniques that will not erode processor performance.
http://www.linuxsecurity.com/articles/vendors_products_article-4969.html

Vendor/Products:

* OpenSSL 0.9.6d beta 1 released
May 10th, 2002
A first hand approach on how to manage a certificate authority (CA), and issue or sign certificates to be used for secure web, secure e-mail, or signing code and other usages.
http://www.linuxsecurity.com/articles/cryptography_article-4968.html

* GnuPG 1.0.7 released
May 8th, 2002
The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440.
http://www.linuxsecurity.com/articles/cryptography_article-4950.html

General:

* Sharing seen as critical for security
May 9th, 2002
The private sector manages more than 85 percent of the nation's critical infrastructure and must therefore collaborate with the government to protect those resources, according to government and industry leaders speaking at a May 8 Senate Governmental Affairs Committee hearing.
http://www.linuxsecurity.com/articles/government_article-4959.html

* Social Engineering: The Human Side Of Hacking
May 9th, 2002
A woman calls a company help desk and says she's forgotten her password. In a panic, she adds that if she misses the deadline on a big advertising project her boss might even fire her.
http://www.linuxsecurity.com/articles/hackscracks_article-4954.html

* Security experts swarm to Honeynet challenge
May 9th, 2002
Reverse engineering project to unravel binary caught in the wild. The Honeynet Project, which has been monitoring black hat hacking activity over the past year, has set up a new challenge to help develop reverse engineering skills throughout the security community.
http://www.linuxsecurity.com/articles/intrusion_detection_article-4957.html

* Security myths costing firms
May 8th, 2002
Security guru Peter Tippett loves to shock people. He invites IT professionals to seminars on network security and then says you don't need more network security - at least, you don't need as much as vendors want to sell to you. Spend up on anti-virus software if you want to, he said.
http://www.linuxsecurity.com/articles/general_article-4948.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue May 14 02:25:58 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Madison, military team up to boost PC security
Message-ID:

http://rtnews.globetechnology.com/servlet/RTGAMArticleHTMLTemplate/C/20020513/gtcenturion?tf=tgam%252Frealtime%252Ffullstory_Tech.html&cf=globetechnology/tech-config-neutral&slug=gtcenturion&date=20020513&archive=RTGAM&site=Technology

By IAN JOHNSON
Globe and Mail Update
Monday, May 13 2002

Keith McNally says "divine intervention" led his company to team up with the Canadian military to build a new computer security device.

"I would love to say we did it all ourselves, but the [military] engineers were the ones who were the key to making this all come together," Mr. McNally, president of Madison Systems Inc., said. "It really came about a bit by fluke, we were just in the right place at the right time while the same idea was turning through everyone's head."
Several years ago, the Aurora, Ont.-based company developed the Centurion Network Security Switch RJ45/11 to protect network connections against hackers. But Mr. McNally, a security buff, had bigger plans for the company's next product, the Centurion II. He wanted to protect hard drives with a piece of virus- and hack-proof hardware so that even if network security was breached, there would be no way to steal or alter the files.

While on a trip to the NORAD military base under Cheyenne Mountain in Colorado Springs, Colo., for another project in 1999, Mr. McNally happened to bring up his pet project in a conversation with some of the engineers and military brass. He was given a contact at Canada's Communications Security Establishment, the equivalent of the U.S. National Security Agency.

"I kept banging on their door and getting put off, but finally they gave me an interview. An engineer said I had 15 minutes so I'd better make it quick, and when I showed him the diagrams and rough drafts, it turned into a three-and-a-half hour meeting," Mr. McNally said.

The engineer showed him a patented prototype card that worked along similar lines to Madison's proposal, a concept device that had been developed for the military but never put into production.

"It was disheartening, because we'd been working on something similar for more than a year. I asked if they'd sell the patent and he said no, but then he said a partnership of some sort might be possible," he said.

The groups negotiated over the course of several months, and a deal was hammered out on April 4, 2000. Since then, Madison has been tweaking the technology to make it marketable, and tracking down hard-to-find components for full-scale manufacturing.

"The card was so archaic when we first got it, the prototype board was about two feet long with wires and things all over it. Now we've miniaturized everything into a standard PCI or ISA card to fit any PC," Mr. McNally said.
"Without word of a lie, it was just breadboarded in a single logic-type chip design, I've never seen anything like it," said software designer James Mitchell, head of Aurora-based Mitchell consulting and engineering, who has been helping Madison perfect the product. "But Madison took the basic idea and they've completely redesigned it." The result of Madison's efforts is the Centurion II. The card is basically a sophisticated I/O controller that oversees the operation of a PC or server's hard drives. It allows a user to set certain read and/or write functions in order to enable or disable file access, acting like a gatekeeper for the hard drive that is independent of the operating system, the company said. "The patent is for functions that give the capability to logically partition a drive in a way to create read-only access areas," Mr. Mitchell said. "With that advantage, you can secure data, which is especially important for machines connected to Internet ... it's a physical block between any command or block of data being sent from the outside to the hard drive." The Centurion II can lock entire IDE drives (a SCSI version is in development), or just certain parts areas of the drive on everything from PCs to Web servers, the company said. It can give selective access to specific directories, sub-directories or individual files. "When proper protocols and procedures are followed, the unit is dislocated from virae, hackers and overall intrusion or malicious code," Mr. McNally said. "The card is independent of everything running on the machine. We don't protect the operating system from attacks, we protect the hard drive's files themselves, so you can't alter them or reformat the drive or anything like that." The Canadian Department of National Defence still holds the patent for the technology, and Madison has the licence to further develop and commercialize it. In return, the DND will get a portion of the net income from Centurion II's sales. 
"We have added bells and whistles to give it the versatility that is needed for the average user or an administrator," Mr. McNally said. This includes password system to let authorized users log on to the computer, and a special key that administrators can plug into the card (along with a password) to alter its configuration, then remove so that nobody can play with the settings. "We purposely made it simple to operate so that anyone can use it - home users, businesses, government workers, anyone," Mr. Mitchell said. If someone tries to write to the drive, it creates a log file that tells where the request came from on the network, and it can be set up to notify an administrator by pager or e-mail. If they write to a drive that isn't fully locked, the log file tells administrators what was written where on the drive so they can go back and remove it if necessary. "The card locks out outside interaction with the hard drive altogether if you choose, and the background software listens to the card to warn of illegal access attempts," Mr. Mitchell said. The Centurion II will be officially launched at the Canadian Information Technology Security Symposium (CITSS) in Ottawa this week, and is expected to sell in the $350 range initially. Mr. McNally said the goal is to bring the price down to the $200 range when volumes increase. Windows 98 and NT software is available for Centurion II now, and versions that run with Windows XP and Linux are in development, Mr. Mitchell said. The company is negotiating reseller agreements, with a particular focus on the government market, but it is also selling the Centurion II on its Web site. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. 
From isn at c4i.org Tue May 14 02:32:22 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Microsoft says penalty will let hackers run wild
Message-ID:

Forwarded from: Aj Effin Reznor

"InfoSec News was known to say....."

> http://www.salon.com/tech/wire/2002/05/08/microsoft/index.html?x
>
> By D. Ian Hopper
> May 8, 2002
>
> WASHINGTON (AP) -- Hackers, virus writers and software pirates could run rampant if Microsoft disclosed the technical product information that nine states have requested as an antitrust penalty, a company executive says.
>
> Jim Allchin, who oversees the Windows operating system, said that disclosures sought by the states "would make it easier for hackers to break into computer networks, for malicious individuals or organizations to spread destructive computer viruses and for unethical people to pirate" Microsoft's flagship software.

All this tells me is that Trustworthy Computing has left enough holes riddling the code to allow for many entries. If the code were secure, it could be easily combed over and.... what would be found then?

MS is keeping the hood on their little car locked down tight lest anyone see the hamsters and figure out how to poison them.

Blah.

-aj.
From isn at c4i.org Tue May 14 02:17:45 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Microsoft violates Mean Value Theorem
Message-ID:

---------- Forwarded message ----------
Date: Mon, 13 May 2002 11:12:25 -0700
From: glen mccready
To: 0xdeadbeef@petting-zoo.net
Subject: Microsoft violates Mean Value Theorem
Resent-Date: Mon, 13 May 2002 11:12:38 -0700 (PDT)
Resent-From: 0xdeadbeef@petting-zoo.net

Forwarded-by: Nev Dull
From: Greg Rose

While investigating a VPN problem, I ran "ping" from a Windows2000 box across a lossy link which crosses the Pacific Ocean 4 times to get the response back to me.

Ping statistics for xx.xx.xx.xx:
    Packets: Sent = 120, Received = 99, Lost = 21 (17% loss),
Approximate round trip times in milli-seconds:
    Minimum = 550ms, Maximum = 691ms, Average = 468ms

So, the average time for those packets is significantly less than the minimum time, eh? They've clearly divided the total time for successful replies by the number of total packets *sent*, not *received*. Smart, huh? It certainly looks like that Windows ping command is much more efficient than the competition!

Greg.

Greg Rose                                INTERNET: ggr@qualcomm.com
Qualcomm Australia                       VOICE: +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,              http://people.qualcomm.com/ggr/
Gladesville NSW 2111                     232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
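As an added example (not part of Greg Rose's message), here is a small Python checker that parses the Windows ping summary quoted above, tests the invariant min <= average <= max that the output violates, and recovers the true mean on the assumption he makes: that the sum of reply times was divided by packets sent rather than packets received. The sample RTT list is constructed for illustration.

```python
import re
from typing import List, NamedTuple

# The summary block quoted in the message above (address masked as in the original).
PING_OUTPUT = """\
Ping statistics for xx.xx.xx.xx:
    Packets: Sent = 120, Received = 99, Lost = 21 (17% loss),
Approximate round trip times in milli-seconds:
    Minimum = 550ms, Maximum = 691ms, Average = 468ms
"""

# Constructed reply times (ms) used to reproduce the suspected arithmetic.
SAMPLE_RTTS = [550, 560, 600, 691]
SAMPLE_SENT = 6  # four replies received, two probes lost


class PingStats(NamedTuple):
    sent: int
    received: int
    lost: int
    rtt_min: int
    rtt_max: int
    rtt_avg: int


# Patterns for the two lines Windows ping prints in its summary.
_PKT_RE = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")
_RTT_RE = re.compile(r"Minimum = (\d+)ms, Maximum = (\d+)ms, Average = (\d+)ms")


def parse_ping_stats(text: str) -> PingStats:
    """Extract packet counts and RTT figures from a Windows ping summary."""
    pkt = _PKT_RE.search(text)
    rtt = _RTT_RE.search(text)
    if pkt is None or rtt is None:
        raise ValueError("no Windows ping statistics block found")
    return PingStats(*map(int, pkt.groups() + rtt.groups()))


def is_consistent(s: PingStats) -> bool:
    """Invariants any honest summary must satisfy before you trust it."""
    return (
        s.sent == s.received + s.lost
        and s.received > 0
        and s.rtt_min <= s.rtt_avg <= s.rtt_max
    )


def corrected_average(s: PingStats) -> float:
    """Undo a mean taken over packets sent instead of packets received.

    If Average = sum(rtt) / sent, then sum(rtt) = Average * sent, and the
    mean over the replies that actually came back is sum(rtt) / received.
    """
    return s.rtt_avg * s.sent / s.received


def mean_over_sent(rtts: List[int], sent: int) -> float:
    """Reproduce the suspected bug: divide the reply-time sum by probes sent."""
    return sum(rtts) / sent


def mean_over_received(rtts: List[int]) -> float:
    """The correct statistic: divide by the number of replies received."""
    return sum(rtts) / len(rtts)


if __name__ == "__main__":
    stats = parse_ping_stats(PING_OUTPUT)
    print("consistent:", is_consistent(stats))          # False: 468 < 550
    print("corrected average: %.2f ms" % corrected_average(stats))  # ~567.27
    print("buggy mean of sample: %.2f" % mean_over_sent(SAMPLE_RTTS, SAMPLE_SENT))
    print("true mean of sample:  %.2f" % mean_over_received(SAMPLE_RTTS))
```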
From isn at c4i.org Tue May 14 02:18:14 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Pentagon alienating elite science advisers
Message-ID:

Forwarded from: William Knowles

http://www.siliconvalley.com/mld/siliconvalley/3252347.htm

By Jim Puzzanghera
Mercury News Washington Bureau
May 13, 2002

WASHINGTON - For more than 40 years, an elite group of academic scientists has provided the federal government with largely classified advice on the most vital issues of national security. Every summer they have met behind closed doors for almost two months near San Diego, emerging with judgments that have helped shape the nation's policies -- from ending nuclear testing to preparing for the danger of bioterrorism.

But when the Pentagon tried to redirect the group, known simply as ``Jason,'' toward information technology and force it to accept Silicon Valley executives in its ranks, the scientists balked. And now this highly secret group of advisers and the independent science-based analysis it provides may be in jeopardy.

Many in the scientific community say the federal government still desperately needs such unbiased assessments, especially in a time of war. Some have criticized the Bush administration for endangering this unique source of analysis for classified national security projects. Some of the group's findings are at odds with the administration on two key issues: the feasibility of a national missile-defense system and the potential need to resume nuclear testing to ensure the weapons stockpile remains usable.

``The Jasons are a national resource. Republican and Democratic presidents have found their advice invaluable. It's a real shame,'' said Joseph Cirincione, a senior associate at the Carnegie Endowment for International Peace, a Washington think tank. ``These are not defense critics, these are technical experts who are providing their technical assessment of things ranging from `star wars' weaponry to designs for defensive armor.''

Source of dispute

The dispute, according to members of Jason, stems from an attempt by the director of the Defense Advanced Research Projects Agency, known as DARPA, to force the traditionally self-selecting group to accept three members. Among the three are two executives from Silicon Valley, one from an Internet-related company and another from a computer firm, said one member of the group, who, like other Jason members, declined to name the individuals. The third person is an engineer from the Washington, D.C., area.

The Jasons, named after the mythical Jason and the Argonauts, said the three did not meet the group's rigid standards, which include having significant research accomplishments, being a tenured professor at a research university and being willing to commit to a lengthy annual summer research session.

When the group refused to accept the three earlier this year, DARPA revoked its $1.5 million annual funding, Jason members said. The loss of the main source of money for Jason has put the group's future in jeopardy. Members say they are close to securing a new main sponsor at the Pentagon, but no agreement has been reached. Even if a deal can be worked out, the funding problems already have delayed important research, according to Jason.

``The Jasons are a very active and patriotic lot and would like to continue their work,'' said Steven Block, a member of Jason and a professor of applied physics and biological sciences at Stanford University. ``It's really quite a pity that what I believe is political influence is having such a deleterious effect at a time when our nation should be pulling together, and not apart, to deal with issues of international terrorism.''

DARPA Director Tony Tether declined to comment on the dispute. Agency media officer Jan Walker also would not comment on the accusations that Tether tried to force members into Jason. She said the reason DARPA ended its financial support for the group was because Jason failed to adapt to the times.

``The Jasons were very valuable during the Cold War. They looked at things such as submarine detection, things that were highly physics-oriented,'' Walker said. ``After the Cold War ended, a lot of the technology development moved toward information technology, and the Jasons chose not to lose their physics orientation to focus on DARPA's current needs.''

Jason members say that assertion is wrong, noting that nearly 40 percent of its scientists have doctoral degrees from fields other than physics. Among those fields are computer science, biology and chemical engineering, Block said. Jason produced 10 reports on biological issues alone between 1997 and 2001.

``To suggest that somehow Jason is a group of aging Cold Warriors that are increasingly irrelevant flies in the face of the known expertise of Jason, the known makeup of Jason and the recent product of the group,'' Block said.

DARPA, the Pentagon's risk-taking research arm that created the Internet, for decades has been the main sponsor of Jason, which was founded in 1959. The ad hoc group's roughly 40 members work part time for the government, taking leaves from their universities to work on projects, mostly during a six- to eight-week session each summer in La Jolla, the beach community north of San Diego.

Jason keeps an intentionally low profile, largely because of its classified work. There is no comprehensive list of members, and professors who are Jasons rarely mention the job on their résumés.

Started by midcareer scientists who felt it was time for a new generation to become involved in national security issues, Jason tries to remain young. New scientists are routinely rotated in and older members become less-active senior advisers when they turn 65. Originally all male because of the era in which it was formed and the heavy emphasis on the male-dominated field of physics, Jason has branched out into other fields, and about 10 percent of its members are women.

The vast majority of Jason's 20 to 30 annual studies remain classified, making its impact hard to gauge. But shortly after the group's partially declassified 1995 report that low-yield nuclear tests were not necessary to maintain the nation's weapons stockpile, former President Bill Clinton declared his support for a comprehensive nuclear test ban treaty. After a 1997 Jason report that questioned whether the government would be able to map the human genome by its 2005 deadline, the pace of the program greatly accelerated.

Jason has been scrambling to replace DARPA's sponsorship in time to save this summer's session, set to begin in mid-June. The chair of the group's steering committee, Steven Koonin, said Jason is close to an agreement with the Defense Research and Engineering agency, the arm of the Pentagon that, ironically, oversees DARPA.

Delay on key projects

As it is, the funding problems have already delayed work on projects important to national security, said Koonin, a professor of theoretical physics at the California Institute of Technology who also is the Pasadena college's provost.

``Some are relevant to counterterrorism,'' Koonin said. ``They're important in both short and long term, and we are frankly pretty frustrated.''

Among those preaching the value of the group's continued existence is John Marburger, director of the White House Office of Science and Technology Policy.

``This is a group of scientists who are among the most talented and experienced in the nation, and the scientific standards that they maintain are very high. And you would always want to have a group like that available to advise the government on issues that may arise that require that type of analysis,'' Marburger said.

Koonin said the group does not take policy positions in its research but simply makes scientific assessments of government projects.

``We still write reports that have equations in them. I don't think there's any other group that does that,'' said Koonin, who has been a Jason for about 15 years. ``Our job is to provide honest, technical advice, and we're not going to shrink from doing that.''

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue May 14 02:22:55 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Smith Bill Raises Police Power Concerns
Message-ID:

Forwarded from: "Huggins, Michael"

The full documentation is worth reading; if one has a chance, go to the committee's home page and read all the documentation. EPIC and others scream infringement anytime someone tries to do what is for the good of the whole. FIDNET was defeated by their liberal tirade. Let's not be one-sided, use our minds to solve issues.

http://www.senate.gov/~gov_affairs/050802witness.htm

Michael H.
Huggins CISSP CTOC USN (ret)
First Command Information Security Manager
817 569 2435

-----Original Message-----
From: InfoSec News [mailto:isn@c4i.org]
Sent: Monday, May 13, 2002 1:41 AM
To: isn@attrition.org
Subject: [ISN] Smith Bill Raises Police Power Concerns

Forwarded from: Bob

http://dc.internet.com/news/print/0,,2101_1107691,00.html

By Roy Mark
dc.internet.com
10 May 2002

For Alan Davidson, the associate director of the Center for Democracy and Technology, the greater issue involving H.R. 3482 -- the Cyber Security Enhancement Act of 2001 -- is not increased surveillance of Internet users by Internet service providers (ISPs), but, rather, giving greater police powers to law enforcement agencies.

The bill passed the House Judiciary Committee Wednesday and now awaits a floor vote of the full membership.

Under current law, ISPs can face civil damages for disclosing user activity unless that activity presents an immediate risk of death or physical injury. Under H.R. 3482, sponsored by Rep. Lamar Smith (R.-Tex.) ISPs would be able to report threats that are "not immediate" and be protected from privacy violation lawsuits.

According to Davidson, who is also an adjunct professor at Georgetown University's graduate program in communications, culture and technology, the privacy threat to Internet users is more likely to come from law enforcement agencies than from ISPs spying on users.

"What concerns me is that police will come to an ISP and claim an emergency or a broad definition of an emergency and ISPs, being good citizens, will voluntarily give them user information because they will be protected from civil litigation," Davidson said.

The bill aims to better coordinate cyber security efforts between federal, state and local agencies, make information more readily available to law enforcement agencies and slap harsher penalties on cyber criminals.

[...]
From isn at c4i.org Tue May 14 02:31:03 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Terrorists could launch cyber-war / RFF Reply to First-Rate FUD
Message-ID:

Forwarded from: H C
Cc: rforno@infowarrior.org

> > A "CYBER jihad" could be launched against the West as terrorists moved from the real world to an internet-based virtual world, a US expert warns.
>
> Sensational, fear-mongering term here. "CyberJihad" ??? Crikey, we better run for the hills.....

Crikey? Really, Rick?! Have you taken to wearing khaki shorts and speaking w/ an Aussie accent?

I think it's also important to point out the operative term in the above quote, which is "could". Yeah, a lot of things "could"...but how likely is this "cyberjihad"? Does the intel community still hold on to the belief that terrorists are staying away from computer networks as weapons simply b/c they aren't as reliable or poignant as, say, a suicide bomber?

> > Michele Zanini, a consultant with the think-tank McKinsey and Company, said terrorist groups such as al-Qaeda were already making huge use of the web for communications, propaganda, recruitment and target data.
>
> Never heard of them, but it must be a think-tank full of stagnant thoughts and conventional thinking. The web and internet is a communication medium.....a tool.....criminals use it to plan traditional crimes, it's only natural that a terrorist would use it for such purposes too.

Not only is this "think-tank" largely unheard of (what happened...the magazine couldn't get a sound bite from Gartner or RAND?), but it's old news. Wasn't it about a year ago that there was a "news" story about terrorists using steganography and porno Usenet groups to communicate?

> This is NOT new. What we also forget is that just because something CAN be used as a weapon doesn't mean it WILL, either.

Correct. Maybe it's better to chalk this one up to the author of the article (a media-hound looking for something sensational) rather than to whomever he quoted. I'm sure most folks who do authorize a quote or two have found that many times the quotes are used out of context.

> > Another expert, Rand Europe senior policy analyst Kevin O'Brien said there was potential for terrorists to cause huge losses to the West by damaging information technology systems.
>
> We have that now, but nobody seems to give a hoot.

At least it's a quote from an organization we've heard of. But again, we're back to "potential"..."could"...that sort of thing.

> It's called Microsoft and the incessant amount of security problems costing how many billions to address, and most of the problems NEVER FULLY GO AWAY. If you're worried about cyber-security, why not point the finger and take action against a known cause of repeated and quite significant problems and vulnerabilities we ALREADY KNOW where they come from?

While Microsoft does produce products that are full of holes, one thing needs to be understood. Take a look at the recent articles about the "Deceptive Duo" and the nmap scans of some of their "victims" on AllDas.org. Microsoft systems with NetBIOS ports exposed to the Internet. At least one article quoted the DD as saying they broke in by way of weak passwords on user accounts. In one case, MS-SQL server was exposed to the Internet w/ an admittedly (by a spokesman for the victim) "weak password". At that point, whose fault does it become? MS for producing products, or the admins for not allowing two neurons to interact and pass chemical messages back and forth, thereby allowing them to form a "thought" to protect their networks? After all, even MS put out information on how to protect IIS servers...one of the instructions was to disable unnecessary script mappings. Code Red demonstrated that most IIS admins seem to be illiterate.

> I guess it's still easier to point the fingers for our INFOSEC problems at shadowy cyber-terrorists and such, thereby ducking blame and avoiding responsibility for the current state of world information insecurity.

Not easier. Remember, Rick, it's the media that's doing this sort of finger pointing. Why? B/c it's "cool" and sensational. Take this Kevin O'Brien from RAND...he's an "expert", reportedly, but of what? Who recognizes Mr. O'Brien's credibility as an "expert" at anything? I'm not trying to disparage Mr. O'Brien, b/c I don't know him...but the author of the original article simply expected his readers to accept this fact, that's all.

> > Dr Zanini and Dr O'Brien were speaking at an international conference on global terror in Hobart.
> >
> > Dr O'Brien said Western-developed IT had become the "great equaliser" as it was exploited by terrorists and rogue states.
>
> Yeah, and the electron is the ultimate guided weapon, like former DCI Deutch said. What a crock.

Yeah, Deutch. The DCI who took classified info home to his unprotected PC...the one his kid played games on. Great source.

Perhaps Dr. O'Brien's quote has significance...after all, anyone can call up Dell and order a bunch of systems. In fact, someone purchasing a gross of computer systems from Dell today will be on a far better footing than some corporations who haven't upgraded their systems in...6 months. A year.

> > He said the cyber world was chaotic and without boundaries and Western security agencies were traditionally ill-equipped to deal with its threats.
>
> Agreed. They have a hard enough time keeping their own systems secured.

Sure. But I don't think this is an issue just for Western security agencies. Wasn't it the Brits who had a laptop stolen during Desert Shield? Sure, I know the State Dept. has done a much better job of losing laptops, but it's not an issue unique to the West.

> > In the wake of September 11, it was clear terrorists were using the internet as a weapon of war, the experts said.
>
> "Weapon of war"??? Sensational fear-mongering.

No doubt! Who is this clear to? Not to me! Obviously not to you, Rick. So...who?

> They also used airplanes as a real and quite deadly 'weapon of war' but nobody here seems to remember that. Under these guys' definitions, a USG visa, fraudulent drivers' licenses, and a copy of the Koran would be 'weapons of war' too....

So would an ATM debit card. But how do the trips to WalMart and T&A bars fit in?

> > Terrorists used the net to gather intelligence, including target information, and counter-intelligence.
>
> Net notwithstanding, it didn't take a genius to know where the WTC was.

Yeah, big deal. Anyone can use the 'Net to gather intelligence. There are plenty of books and sites out there that talk about this. But like you said, it doesn't take a genius to see the Pentagon or WTC from the air, particularly when you're right over it.

> > They made and moved money on it and were suspected of even manipulating stocks for profit.
>
> Gee. Maybe al-Qaeda sat on the Enron Board...

More FUD..."suspected". By whom? If they were suspected, and it wasn't proven, why mention it? Or, why not quote whomever stated this? Nope, can't do that...not sensational enough.

Rick, I think you're really pointing out here that it isn't weaknesses in the infrastructure...we know this, and they're more political than technological...but the need for far too many "journalists" to justify their existence with over-sensationalized garbage. Just the fact that we're discussing (or rebutting) the article gives it credence. After all, it's clear that the "journalist's" intention wasn't to produce an accurate article...it was to get paid.

> > They could also use it for worldwide planning and coordination, propaganda, psychological terrorism and rumour-mongering.
>
> Old news. Regarding propaganda, psyops, and rumor-mongering, the net's been used for this for years.

Rumor-mongering? Interesting...isn't that exactly what the media is doing with this article?

> > Dr O'Brien said the danger to business was of great concern, with some websites particularly vulnerable.

Yeah, some are. So what? They're web sites. The NYSE isn't tied directly into their public web site. The author of this article doesn't seem to realize that defacing web sites is as passe as the graffiti on highway overpasses.

> > Companies could also be damaged through extortion, brand destruction and fraud.
>
> That already happens, but terrorists aren't to blame.

Yeah, no doubt. Wait...wouldn't that make the senior management of companies like Enron and Winstar "terrorists"? I mean, both companies laid off thousands of workers and for all intents and purposes have disappeared due to fraud, etc.

> I need more coffee now.

Me, too. See you at Starbucks...

From isn at c4i.org Tue May 14 02:26:13 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Two Virginia Universities To Join Forces Against Cybercrime
Message-ID:

http://www.newsbytes.com/news/02/176552.html

By Brian Krebs, Washtech
WASHINGTON, D.C., U.S.A., 13 May 2002, 8:25 PM CST

Two Virginia schools on Tuesday will launch a $6.5 million project to help sort out the myriad legal, technical and policy challenges involved in steeling the nation's most vital computer systems against cyber-attacks.
The Critical Infrastructure Protection Project - to be housed at the George Mason School of Law in Arlington - is a collaborative effort between GMU's National Center for Technology and Law and researchers and academicians at James Madison University.

The project will be led by John A. McCarthy, a former member of a Clinton administration team that facilitated government and private-sector collaboration in preparing key computer systems for the Y2K conversion.

Among the more pressing problems the new center will tackle are legal issues that have stymied plans to establish more fluid and open information-sharing networks between the public and private sector.

Tech companies have indicated they would be more willing to share information with the government if they could be assured that data would not be leaked to the public through the Freedom of Information Act (FOIA). Lawmakers in both the House and Senate are pushing legislation that would guarantee such protections.

But consumer and privacy watchdog groups say FOIA case law adequately protects any of the information concerning cyber-security issues that should legitimately be withheld from the public. Rather, they argue, the legislation could end up exempting companies from legal liability for security lapses.

"The information-sharing plan has been on the table for six years and we still haven't come up with a workable solution because of legal obstacles," McCarthy said. "We hope that by putting our third-party hat on we'll be able to bring together the right constituencies to broker lasting and useful solutions to long-term problems."

The center also plans to offer congressional testimony and become the central clearinghouse for data and research on cybersecurity and critical infrastructure protection.

"We want to become the center that researchers and government leaders can come to that centralizes a lot of data and findings on cybersecurity," McCarthy said. "Right now, that data is all over the map, and we're planning to bring that together in one place."

In addition, the group plans to work with other schools to coordinate research and development on cyberterrorism issues.

The program is being paid for through the National Institute for Standards and Technology (NIST), an arm of the U.S. Department of Commerce. The $6.5 million was allocated under the FY2002 Commerce-State-Justice appropriations bill, which funds the center for the next two years.

Rep. Frank Wolf, R-Va., chairman of the U.S. House Subcommittee on Commerce, Justice, State and Judiciary, and author of the original funding measure, is looking to give the center more money through the appropriations process, an aide said.

From isn at c4i.org Wed May 15 03:01:03 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Bug centre monitors real-time threats
Message-ID:

http://www.vnunet.com/News/1131665

By James Middleton [10-05-2002]

Internet Storm Centre offers latest security alerts

The Sans Institute's Incidents.org security watchtower has launched a new monitoring centre to keep track of threats in the wild.

The Internet Storm Centre lives at isc.incidents.org and informs network administrators of the latest security alerts and real-time threats.

Currently we're well in the green on the threat level meter and there are no current alerts. But the Storm Centre is warning that widespread port 80 scans, still being caused by Nimda and Code Red, are dominating all other activity.

The Storm Centre is also keeping its eyes peeled for exploits of yesterday's Dynamic Host Configuration Protocol Daemon (DHCPD).
An advisory from the Computer Emergency Response Team (Cert) warned that a format string vulnerability in the Internet Software Consortium's DHCPD could allow a remote attacker to execute code with root privileges on the server that allocates network addresses and assigns configuration parameters to hosts.

The Storm Centre is located here [1]. The Cert advisory on the ISC DHCPD can be found here [2].

[1] http://isc.incidents.org/
[2] http://www.cert.org/advisories/CA-2002-12.html

From isn at c4i.org Wed May 15 03:00:18 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Crackers deface Ferrari
Message-ID:

http://www.theregister.co.uk/content/6/25260.html

By John Leyden
Posted: 13/05/2002 at 16:48 GMT

Defacers turned motor sport fans yesterday in a protest against the controversial decision to gift Michael Schumacher victory at the Austrian Grand Prix.

Ferrari-group.com was defaced by a group called S4t4n1c_Souls after the race with a profane message criticising Ferrari's management for ordering Rubens Barrichello, who dominated the race, to make way for Schumacher on the last corner, handing him an undeserved victory.

"BARRICHELO ROX FERRARI SUX," the message reads, in part.

Defacement archive Alldas.org records eight attacks against Ferrari in recent months.

Drivers have been handed victory before, but the end of the race at the A1 Ring has sparked particular criticism because it was seen as a particularly cynical ploy that went against any notion of sportsmanship in F1.

The Ferrari team have been summoned to appear before the sport's governing body, the FIA (International Automobile Federation), on 26 June. Schumacher may be docked points for Ferrari's tactics during the race, the BBC reports.
From isn at c4i.org Wed May 15 03:03:05 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] EDS postpones instant message ban
Message-ID:

http://www.theregister.co.uk/content/6/25271.html

By John Leyden
Posted: 14/05/2002 at 11:12 GMT

EDS has postponed its proposed ban on instant messaging after staff told its techies that it was an important tool for communicating with clients.

Last week, EDS told staff that IM products (such as AOL, ICQ and Yahoo!) would be blocked at its firewall from May 8. It cited security concerns, especially the fears that viruses which would otherwise be blocked by gateway AV protection would slip through to user workstations via instant messages.

EDS has now postponed the blocking order. In a memo to staff, Paul Clark, EDS' chief information security officer, said: "Due to the nature of this change, we are aware of several clients that are affected and are working to co-ordinate alternative solutions for those clients. Blocking instant messenger capability at the firewall will not occur as previously scheduled on 08 May 2002."

"We will follow up when a new date has been determined," he added.

EDS is not alone in its attempts to curtail users' use of chat and instant messenger services at work. Last week we reported how Samsung has commissioned its systems integration arm to create filters that prevent workers from accessing portals such as MSN Messenger and Daum Messenger, and also to intercept inbound chat and IM traffic from outside the company. The move created discontent among employees, the Korea Times reports.

Alcatel workers in the US have been banned from using instant messaging for some time, a Reg reader who works for the company informs us.

IM is convenient but it can create holes into an organisation.
Instant messaging attacks have become a common method of propagation in recent viral outbreaks, and (as CERT warned back in March) a tool for social engineering, including tricking users into running malicious software (potentially DDoS attack tools) on their machines.

From isn at c4i.org Wed May 15 02:58:28 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Latest privacy threat: Monitor glow
Message-ID:

http://news.com.com/2100-1001-912785.html

By Robert Lemos
Staff Writer, CNET News.com
May 14, 2002, 6:05 AM PT

BERKELEY, Calif.--Law enforcement and intelligence agents may have a new tool to read the data displayed on a suspect's computer monitor, even when they can't see the screen.

Markus Kuhn, an associate professor at Cambridge University in England, presented research Monday showing how anybody with a brawny PC, a special light detector and some lab hardware could reconstruct what a person sees on the screen by catching the reflected glow from the monitor.

The results surprised many security researchers gathered here at the Institute of Electrical and Electronics Engineers' (IEEE) Symposium on Security and Privacy because they had assumed that discerning such detail was impossible.

"No one even thought about the optical issues" of computer information "leakage," said Fred Cohen, security practitioner in residence for the University of New Haven. "This guy didn't just publish, he blew (the assumptions) apart."

Many intelligence agencies have worried about data leaking from classified computers through telltale radio waves produced by internal devices. And a recent research paper outlined the threat of an adversary reading data from the blinking LED lights on a modem. Kuhn's research adds the glow of a monitor to the list of dangers.
Eavesdropping on a monitor's glow takes advantage of the way that cathode-ray tubes, the technology behind the screen, work. In most computer monitors, a beam of electrons is shot at the inside of the screen, which is covered in various phosphors, causing each pixel to glow red, green or blue, thereby producing an image. The beam scans from side to side, hitting every pixel--more than 786,000 of them at 1024-by-768 resolution--in sequence; the screen is completely scanned anywhere from 60 to 100 times every second.

The light emitted from each pixel of phosphor will peak as the pixel is hit with electrons, creating a pulsating signal that bathes a room. By averaging the signal that reflects from a particular wall over nearly a second and doing some fancy mathematical footwork, Kuhn is able to reconstruct the screen image.

Not so fast

Yet Kuhn, who is still completing his doctoral thesis, is quick to underscore the problems with the system.

"At this point, this is a curiosity," he said. "It's not a revolution."

First off, Kuhn performed the experiments in a lab at a short distance--the screen faced a white wall 1 meter away, and the detector was a half meter behind the monitor. There have been no real-world tests where, for example, other light sources are present and the detector is 30 feet across a street.

Other light sources, including the sun, make things much more difficult if not impossible. Normal incandescent lighting, for example, has a lot of red and yellow components and tends to wipe out any reflections of red from the image on a screen.

And several countermeasures are effective, including having a room with black walls and using a flat-panel liquid-crystal display. LCD monitors activate a whole horizontal line of pixels at once, making them immune to this type of attack.

Still, other researchers believe that Kuhn may be on to something.

"Anyone who has gone for a walk around their neighborhood knows that a lot of people have a flickering blue glow emanating from (their) living rooms and dens," said Joe Loughry, senior software engineer for Lockheed Martin.

While Kuhn calculated that the technique could be used at a range of 50 meters at twilight using a small telescope, a satellite with the appropriate sensors could, theoretically, detect the patterns from orbit, said several security experts.

That could open a whole new can of worms for privacy. If Kuhn's technique proves to be practical, the result of the research could be a new round of battles between law enforcement agencies and privacy advocates in the courts over whether capturing the faint blue glow from a home office is a breach of privacy.

Until that's resolved, the safest solution is to compute with the lights on.

From isn at c4i.org Wed May 15 02:59:56 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Museum's Cyberpeeping Artwork Has Its Plug Pulled
Message-ID:

http://www.nytimes.com/2002/05/13/arts/design/13ARTS.html

By MATTHEW MIRAPAUL
May 13, 2002

An Internet-based artwork in an exhibition at the New Museum of Contemporary Art was taken offline on Friday because the work was conducting surveillance of outside computers. It is not clear yet who is responsible for the blacking out - the artists, the museum or its Internet service provider - but the action illuminates the work's central theme: the tension between public and private control of the Internet. The shutdown also shows how cyberspace's gray areas can enshroud museums as they embrace the evolving medium.

The work in question is "Minds of Concern: Breaking News," created by Knowbotic Research, a group of digital artists in Switzerland.
The piece is part of "Open Source Art Hack," an exhibition at the New Museum that runs through June 30. The work can be viewed as an installation in the museum's SoHo galleries or online at newmuseum.org. Although the installation is still in place, and the work's Web site remains live, the port-scanning software that is its central feature was disabled Friday evening and was inactive yesterday afternoon.

Port scanning sounds like a cruise-ship captain's task. The term actually refers to a technique for surveying how other computers are connected to the Internet. The software essentially strolls through the neighborhood in search of windows that have been left open. Merely noticing where they are is no crime. Things get dicier, though, if what is seen is conveyed to a ne'er-do-well relative, who then breaks in somewhere, rearranges the furniture and makes off with a gem-encrusted putter.

One court has ruled that port scanning is legal so long as it does not intrude upon or damage the computers that are being scanned. Internet service providers, however, generally prohibit the practice, which can cause online traffic jams. That prohibition appears to be what led to the shutdown.

After the Knowbotic work started its peeping, the Internet service provider for one of the targets of the scan complained to the museum's Internet service provider, Logicworks. In turn, Logicworks notified the museum that port scanning violated its policies.

On Friday, Lauren Tehan, a museum spokeswoman, said the museum was seeking a creative technical solution to keep the work online. That effort did not succeed. Ms. Tehan said the museum, at Logicworks' request, shut down the work after the museum closed on Friday evening.

On Saturday morning, Christian Hübler of Knowbotic Research said the group realized the port-scanning software had been disabled and decided to move the work's Web site to an Internet service provider in Germany. Ms. Tehan said that the museum suggested a way to put the work back online but that Knowbotic rejected the proposal.

The dispute calls attention to one of the very points the piece is intended to make. Because the lines between public and private control of the Internet are not yet clearly defined, what artists want to do may be perfectly legal, but that does not mean they will be allowed to do it.

Before the New Museum exhibition opened on May 3, Knowbotic Research had already decided to remove the most troublesome features of the port-scanning software. Mr. Hübler said the group changed the work after consulting with a lawyer who specializes in Internet law. "I wanted to know the situation I'm in," Mr. Hübler said, "because when I work with the border as an artist, I want to know at least what the border might be."

When it is functioning, "Minds of Concern" resembles a slot machine. Viewers are prompted to scan the computer ports of organizations that protested in February against the World Economic Forum. While colored lights flash, a list of the vulnerable ports and the methods that might be employed to "crack," or penetrate, them to gain access to private information scrolls across the bottom of the screen. No internal information is exposed, but the threat is suggested.

European digital artists are more politicized than their American counterparts, and "Minds" is designed to advance a social agenda. By choosing to explore the computers of anti-globalization groups instead of Nike or Coca-Cola, Knowbotic is warning those groups that they are at risk of losing sensitive data.

But to present the work at the New Museum, Knowbotic had to defang it. At first, the group reviewed the 800 tools in the port-scanning program and removed 200 it deemed intrusive or malicious. After consulting with a lawyer, the group then encrypted the name of the organization being scanned because it was unsure if publishing the information was illegal.
In place of the name on the screen, one saw the phrase "artistic self-censorship."

The group's disappointment in having to scale back the work was obvious in a message to an electronic mailing list: "Due to the ubiquitous paranoia and threat of getting sued, the museum and the curators made it very clear to us that we as artists are 100 percent alone and private in any legal dispute."

There is a sense of a missed opportunity here. The dozen works in "Open Source Art Hack" are intended to prompt discussion about the public versus the private in cyberspace while demonstrating how artists "hack," or misuse technology, to creative effect. Port-scanning software, for instance, is meant to be used for reconnaissance, yet Knowbotic has made it a political tool.

But "Minds of Concern" is also the only online work in the exhibition to operate in a legal gray area. In its fully functional state, it had the potential to cause a ruckus that might have yielded some black-and-white rulings. But instead, the exhibition commits no real transgressions.

Steve Dietz, the new-media curator at the Walker Art Center in Minneapolis, was one of the exhibition's curators. Its goal, he said, "was more nuanced than bringing cracking to the dull havens of a museum."

"Being bad and doing something illegal hold very little interest for me," he said, "but being tactical and creative hold a great deal."

Artists like to be bad, and although museums are sometimes their targets, they can also serve as shields when artists become controversial. A recent example was the exhibition "Mirroring Evil: Nazi Imagery/Recent Art," for which the Jewish Museum, not the participating artists, took most of the heat.

As museums embrace cyberspace, its fuzzy rules are posing unfamiliar problems, and "Minds of Concern: Breaking News" is a case in point. As for how well those issues can be raised within a museum's walls, Lisa Phillips, director of the New Museum, said: "That really is the dilemma. We can only go so far."

From isn at c4i.org Wed May 15 02:56:01 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Smith Bill Raises Police Power Concerns
Message-ID:

Forwarded from: Marjorie Simmons

Alan Davidson's helpful testimony regarding H.R. 3482 follows my remark, and is reported by the CDT at:
http://www.cdt.org/testimony/020212davidson.shtml

The GPO bill is at:
http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.3482:

My experience with responses to requests for information and subpoenas I and others have drafted in civil matters seeking information from ISPs in the last several years has been interesting. ISP responses have been all over the map, varying from the alarming (too much data handed over) to the absurdly secretive (contempt charged). ISPs so often founder in a quagmire with this stuff -- hopefully Mr. Davidson's comments will have the desired impact and (whatever the outcome of H.R. 3482, the "Cyber Security Enhancement Act of 2001") will prompt the codification of a useful comfort zone that will cascade to civil litigants. I won't, however, hold my breath in any case, as it often seems possible that the tortoise called Osmosis may finish the race before the hare called Post-911-Statute-Making.

Marjorie Simmons
lawyer@carpereslegalis.com

________________________________

Testimony of Alan Davidson (Associate Director, CDT) before the Subcommittee on Crime of the Committee on the Judiciary, U.S. House of Representatives, 2-12-02

[snip preamble]

. . . Our nation is at a point where revolutionary changes in communications and computer technology have created new concerns about public safety, security, and privacy online. In the aftermath of September 11, cybersecurity is a serious problem that demands a real response from government.
At the same time, such responses must be respectful of the protections for personal privacy and from overly broad governmental authority, enshrined in our Constitution and electronic surveillance laws. If we are forced to give up essential liberties fundamental to our American way of life, then our country will truly have lost something important.

With this need to protect both security and Constitutional privacy principles, CDT offers the following comments on H.R. 3482:

First, CDT commends this committee for holding this hearing, and for the relatively measured approach taken in H.R. 3482. We agree that computer crime and security is a serious problem that requires serious government response. In the USA PATRIOT Act, passed this fall, substantial changes were made to the computer crime and government surveillance statutes that raised serious privacy concerns and are to this date still not fully understood. In contrast, and with one notable exception - the emergency disclosures provision of Section 102 - H.R. 3482 takes a more modest approach to these laws that does not raise the same types of privacy concerns.

Second, the emergency disclosure provision of Section 102, as drafted, is overly broad and would eviscerate important privacy protections in current law. Current law protects the privacy of electronic communications by prohibiting service providers from revealing those communications to anyone without proper lawful orders. Emergency disclosure provisions exist in the current law based on a reasonable idea - ISPs who reasonably believe there is an imminent threat of death or serious injury should be able to reveal communications to law enforcement agencies on an emergency basis even without judicial oversight. Sec. 102 would substantially expand this ability to reveal private communications without any judicial authority or oversight.
In practice, however, we have heard reports from large and small providers, universities, and libraries, that the emergency disclosure is being used in a different way. Providers are often approached by government agents and asked to voluntarily disclose communications or other subscriber information for investigations that the government claims involve a danger to life and limb. Providers are then faced with a Hobbesian choice - either turn over sensitive private communications of subscribers without any court order, or say no to a government request. Of course many comply with the requests. Small providers have few legal resources to evaluate such requests. Others receive requests from the same agents they may seek help from the next day regarding hacking attacks or other problems. Without proper restrictions, such "voluntary disclosure" provisions risk becoming a major loophole.

Current law, passed just four months ago, confines these extraordinary disclosures to law enforcement agents in limited circumstances. As drafted, Sec. 102 would threaten the privacy of communication by substantially broadening these disclosures:

- It allows these disclosures to any governmental entity, not just law enforcement agents. That could include literally thousands of federal, state, and local employees - perhaps even foreign government officials.

- It no longer requires imminent danger for disclosure. It would allow these extraordinary disclosures when there is some danger, which might be far in the future and far more hypothetical.

- It no longer requires a reasonable belief that there is a danger on the part of the ISP. Section 102 would allow these sensitive disclosures if there is any good faith belief - even if unreasonable - of danger.

Thus as drafted, Sec. 102 would allow many more disclosures of sensitive communications without any court oversight or notice to subscribers.
It would allow these disclosures to (and based on requests from) potentially hundreds of thousands of government employees, ranging from local canine control officials to schoolteachers to Agriculture Department cotton inspectors to foreign government officials.

We urge the committee to carefully rethink this expansion. We understand the argument that in some narrow circumstances disclosures to some entities - such as the Center for Disease Control - might be warranted. As supported in current law, in cases of imminent threats of death or serious injury, law enforcement agencies - trained to deal with such situations and cognizant of legal strictures - should be the first contact point for concerned citizens. We also urge the committee to maintain the requirements of a reasonable belief in imminent danger. We are confident that if other disclosures are needed they can be carefully crafted, and we look forward to working with the Committee as well as experts in industry and other interested parties to find a more balanced approach.

In addition, we strongly encourage this Committee to add accountability mechanisms for this extraordinary power. Congress should consider requiring notice to the subscriber, after the fact (and deferrable based on a judicial order), as a means of providing subscribers with some way of knowing that their communications have been disclosed. And at a bare minimum Congress should mandate a reporting requirement for these emergency disclosures to federal law enforcement, to give Congress some method of evaluating their use.

Third, we urge the Committee to continue its work to balance powerful surveillance authorities with appropriate privacy protections. An essential element of security in cyberspace is trust. If Internet users cannot trust that their most sensitive personal and business communications will be private, then we cannot realize the promise of the Internet as a communications medium.
Powerful new surveillance authorities require powerful oversight and accountability. In addition, the digital age is making more personal information available than ever before, also increasing the need for a legislative framework that protects personal information from inappropriate surveillance.

The USA PATRIOT Act passed this fall provides substantial new government capabilities to conduct surveillance on Americans and to combat terrorism and cyber crime. H.R. 3482 also provides additional and powerful new resources and tools. But in both cases there are virtually no new measures for oversight and accountability, or any protections for all the sensitive personal information increasingly available in the digital and wireless age. (We note that this committee's own admirable efforts to strike a greater balance in the PATRIOT Act were largely ignored.)

We urge this committee to adopt a more comprehensive approach to cybersecurity that recognizes the urgent need for additional privacy protections. The Congress could start by taking up the helpful changes to surveillance law developed and passed by the House Judiciary Committee in the last Congress, under H.R. 5018, including:

- Heightened protections for access to wireless location information, requiring a judge to find probable cause to believe that a crime has been or is being committed. Today tens of millions of Americans are carrying (or driving) mobile devices that could be used to create a detailed dossier of their movements over time - with little clarity over how that information could be accessed and without an appropriate legal standard for doing so.

- An increased standard for use of expanded pen register and trap and trace capabilities, requiring a judge to at least find that specific and articulable facts reasonably indicate criminal activity and that the information to be collected is relevant to the investigation of such conduct.
- Addition of electronic communications to the Title III exclusionary rule in 18 USC §2515, and addition of a similar rule to the section 2703 authority. This would prohibit the use in any court or administrative proceeding of email or other Internet communications intercepted or seized in violation of the privacy standards in the law.

- Require statistical reports for §2703 disclosures, similar to those required by Title III.

- Require high-level Justice Department approval for applications to intercept electronic communications, as is currently required for interceptions of wire and oral communications.

In addition, other issues - some of broader scope - need to be addressed:

- Improve the notice requirement under ECPA to ensure that consumers receive notice whenever the government obtains information about their Internet transactions.

- Provide enhanced protection for personal information on networks: probable cause for seizure without prior notice, and a meaningful opportunity to object for subpoena access.

- Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage.

The bills put before this Committee last Congress were efforts towards a modest improvement in privacy protections without in any way denying the government any investigative tools. They should serve as a starting point, and we hope that you will consider including them to address the privacy concerns of many Americans and the imbalance that exists in today's electronic surveillance laws.

In conclusion, we urge the Subcommittee to:

- Substantially narrow the new emergency disclosure provisions of Section 102. If retained, they should greatly limit the scope of governmental entities that can receive such disclosure, could provide deferred notice to the subscribers whose communications were revealed, and should absolutely require reporting to Congress on their use.
- Take a more balanced approach by including some of the privacy protections passed by this committee last Congress. Among the most urgent of these: a need for clearer protection of wireless location information, clearer definitions of what constitutes content for pen/trap orders online, and additional statistical reporting requirements.

Protecting national security and public safety in this digital age is a major challenge and priority for our country. On balance, however, we believe that new sources of data and new tools available will prove to be of great benefit to government surveillance and law enforcement. It is essential that we offer a measured response to these concerns, and urgently take up the need for additional privacy protections in the electronic surveillance laws. Powerful new government surveillance and law enforcement capabilities demand powerful oversight, accountability, and privacy protection mechanisms. We look forward to working with the Subcommittee and other interested parties to craft an approach that protects both security and privacy online.

___________________________________________

On Sunday, May 12, 2002 11:41 pm, InfoSec News [SMTP:isn@c4i.org] wrote:
| Forwarded from: Bob
|
| http://dc.internet.com/news/print/0,,2101_1107691,00.html
| . . .

From isn at c4i.org Tue May 14 02:31:03 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Terrorists could launch cyber-war / RFF Reply to First-Rate FUD
Message-ID:

Forwarded from: H C
Cc: rforno@infowarrior.org

> > A "CYBER jihad" could be launched against the West
> > as terrorists moved from the real world to an internet-based
> > virtual world, a US expert warns.
>
> Sensational, fear-mongering term here. "CyberJihad" ??? Crikey, we
> better run for the hills.....

Crikey? Really, Rick?! Have you taken to wearing khaki shorts and speaking w/ an Aussie accent?

I think it's also important to point out the operative term in the above quote, which is "could". Yeah, a lot of things "could"...but how likely is this "cyberjihad"? Does the intel community still hold on to the belief that terrorists are staying away from computer networks as weapons simply b/c they aren't as reliable or poignant as, say, a suicide bomber?

> > Michele Zanini, a consultant with the think-tank
> > McKinsey and Company, said terrorist groups such as al-Qaeda
> > were already making huge use of the web for communications,
> > propaganda, recruitment and target data.
>
> Never heard of them, but it must be a think-tank full of stagnant
> thoughts and conventional thinking. The web and internet is a
> communication medium.....a tool.....criminals use it to plan
> traditional crimes, it's only natural that a terrorist would use it
> for such purposes too.

Not only is this "think-tank" largely unheard of (what happened...the magazine couldn't get a sound bite from Gartner or RAND?), but it's old news. Wasn't it about a year ago that a "news" story appeared about terrorists using steganography and porno Usenet groups to communicate?

> This is NOT new. What we also forget is that just because something
> CAN be used as a weapon doesn't mean it WILL, either.

Correct. Maybe it's better to chalk this one up to the author of the article (a media-hound looking for something sensational) rather than to whomever he quoted. I'm sure most folks who do authorize a quote or two have found that many times the quotes are used out of context.

> > Another expert, Rand Europe senior policy analyst
> > Kevin O'Brien said there was potential for terrorists to
> > cause huge losses to the West by damaging information technology
> > systems.
>
> We have that now, but nobody seems to give a hoot.

At least it's a quote from an organization we've heard of.
But again, we're back to "potential"..."could"...that sort of thing.

> It's called Microsoft and the incessant amount of security problems
> costing how many billions to address, and most of the problems NEVER
> FULLY GO AWAY. If you're worried about cyber-security, why not
> point the finger and take action against a known cause of repeated
> and quite significant problems and vulnerabilities we ALREADY KNOW
> where they come from?

While Microsoft does produce products that are full of holes, one thing needs to be understood. Take a look at the recent articles about the "Deceptive Duo" and the nmap scans of some of their "victims" on AllDas.org. Microsoft systems with NetBIOS ports exposed to the Internet. At least one article quoted the DD as saying they broke in by way of weak passwords on user accounts. In one case, MS-SQL server was exposed to the Internet w/ an admittedly (by a spokesman for the victim) "weak password". At that point, whose fault does it become? MS for producing products, or the admins for not allowing two neurons to interact and pass chemical messages back and forth, thereby allowing them to form a "thought" to protect their networks? After all, even MS put out information on how to protect IIS servers...one of the instructions was to disable unnecessary script mappings. Code Red demonstrated that most IIS admins seem to be illiterate.

> I guess it's still easier to point the fingers for our INFOSEC
> problems at shadowy cyber-terrorists and such, thereby ducking blame
> and avoiding responsibility for the current state of world
> information insecurity.

Not easier. Remember, Rick, it's the media that's doing this sort of finger pointing. Why? B/c it's "cool" and sensational. Take this Kevin O'Brien from RAND...he's an "expert", reportedly, but of what? Who recognizes Mr. O'Brien's credibility as an "expert" at anything? I'm not trying to disparage Mr. O'Brien, b/c I don't know him...but the author of the original article simply expected his readers to accept this fact, that's all.

> > Dr Zanini and Dr O'Brien were speaking at an international
> > conference on global terror in Hobart.
> >
> > Dr O'Brien said Western-developed IT had become
> > the "great equaliser" as it was exploited by terrorists
> > and rogue states.
>
> Yeah, and the electron is the ultimate guided weapon, like former
> DCI Deutch said. What a crock.

Yeah, Deutch. The DCI who took classified info home to his unprotected PC...the one his kid played games on. Great source. Perhaps Dr. O'Brien's quote has significance...after all, anyone can call up Dell and order a bunch of systems. In fact, someone purchasing a gross of computer systems from Dell today will be on a far better footing than some corporations who haven't upgraded their systems in...6 months. A year.

> > He said the cyber world was chaotic and without boundaries
> > and Western security agencies were traditionally ill-equipped
> > to deal with its threats.
>
> Agreed. They have a hard enough time keeping their own systems
> secured.

Sure. But I don't think this is an issue just for Western security agencies. Wasn't it the Brits who had a laptop stolen during Desert Shield? Sure, I know the State Dept. has done a much better job of losing laptops, but it's not an issue unique to the West.

> > In the wake of September 11, it was clear terrorists were using
> > the internet as a weapon of war, the experts said.
>
> "Weapon of war"??? Sensational fear-mongering.

No doubt! Who is this clear to? Not to me! Obviously not to you, Rick. So...who?

> They also used airplanes as a real and quite deadly 'weapon of war'
> but nobody here seems to remember that. Under these guys'
> definitions, a USG visa, fraudulent drivers' licenses, and a copy of
> the Koran would be 'weapons of war' too....

So would an ATM debit card. But how do the trips to WalMart and T&A bars fit in?
> > Terrorists used the net to gather intelligence, including target
> > information, and counter-intelligence.
>
> Net notwithstanding, it didn't take a genius to know where the WTC
> was.

Yeah, big deal. Anyone can use the 'Net to gather intelligence. There are plenty of books and sites out there that talk about this. But like you said, it doesn't take a genius to see the Pentagon or WTC from the air, particularly when you're right over it.

> > They made and moved money on it and were suspected of even
> > manipulating stocks for profit.
>
> Gee. Maybe al-Qaeda sat on the Enron Board...

More FUD..."suspected". By whom? If they were suspected, and it wasn't proven, why mention it? Or, why not quote whomever stated this? Nope, can't do that...not sensational enough.

Rick, I think you're really pointing out here that it isn't weaknesses in the infrastructure...we know this, and they're more political than technological...but the need for far too many "journalists" to justify their existence with over-sensationalized garbage. Just the fact that we're discussing (or rebutting) the article gives it credence. After all, it's clear that the "journalist's" intention wasn't to produce an accurate article...it was to get paid.

> > They could also use it for worldwide planning and coordination,
> > propaganda, psychological terrorism and rumour-mongering.
>
> Old news. Regarding propaganda, psyops, and rumor-mongering, the
> net's been used for this for years.

Rumor-mongering? Interesting...isn't that exactly what the media is doing with this article?

> > Dr O'Brien said the danger to business was of great concern,
> > with some websites particularly vulnerable.

Yeah, some are. So what? They're web sites. The NYSE isn't tied directly into their public web site. The author of this article doesn't seem to realize that defacing web sites is as passe as the graffiti on highway overpasses.

> > Companies could also be damaged through extortion, brand
> > destruction and fraud.
>
> That already happens, but terrorists aren't to blame.

Yeah, no doubt. Wait...wouldn't that make the senior management of companies like Enron and Winstar "terrorists"? I mean, both companies laid off thousands of workers and for all intents and purposes have disappeared due to fraud, etc.

> I need more coffee now.

Me, too. See you at Starbucks...

From isn at c4i.org Wed May 15 03:00:41 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Virus writers get behind Gigabyte
Message-ID:

http://www.vnunet.com/News/1131707

By James Middleton
[13-05-2002]

Sharp author gets the plaudits

The virus-writing community made something of an about-turn last week as an increasing number of authors gave their support to female virus writer, Gigabyte.

Previously the teenage coder had been lambasted by male members of the community for her creation of the Sharp virus that attacks Microsoft's .Net platform.

Eighteen-year-old high school student Gigabyte created the second virus to affect the .Net platform in March. Although the code was only proof of concept and not released into the open, Gigabyte managed to attract less-than-welcome attention from some of the more sexist members of the virus-writing community.

But Steven Sundermeier, of antivirus firm Central Command, said that in recent weeks he had seen more virus coders praising Gigabyte.

"We have seen an increasing trend of virus authors praising and giving their support to Gigabyte, whether in a message box or remarked in the code," he said.

Recent examples of such commendation include the ChatIRC virus that spreads over Internet Relay Chat (IRC) and includes the remark: "I love viruses, I love Gigabyte!" in its code, and the Orkiz mass mailing worm, which displays a message in Spanish proclaiming admiration for Gigabyte.

Gigabyte's Sharp virus was the second of its kind to infect .Net files. A writer going by the name of Benny from virus group 29A got there first with the Donut virus in January.

From isn at c4i.org Wed May 15 03:02:27 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] War on cybercrime--we're losing
Message-ID:

Forwarded from: William Knowles

http://zdnet.com.com/2100-1106-912780.html

By Greg Sandoval
Special to ZDNet News
May 14, 2002, 5:50 AM PT

The nightmare for Ecount, an online gift certificate service, began last year when a hacker broke in to the company's system and stole personal information belonging to its customers. Nine months later, the criminal is still at large.

The thief has brazenly taunted executives with repeated e-mails while staying ahead of investigators, deftly wiping away his electronic fingerprints and covering his tracks at every turn.

"We're sick to death of hearing from him," Ecount Chief Executive Matt Gillin said of the intruder, who has offered to return the information for a fee.

Although law enforcement agencies are quick to trumpet their occasional victories against cybercriminals, they are rarely able to track down hackers sophisticated enough to pull off such complicated heists. Few hackers of this caliber are arrested, and fewer still spend time behind bars.

The resulting frustration for investigators, companies and consumer victims raises a question that has persisted for years: Why are hackers able to elude capture so easily?
The answer, according to security analysts and fraud investigators, is that the Internet has bred an elite class of criminals who are organized, well funded and far more technologically sophisticated than most law enforcement officials.

"It's a world-class business," said Richard Power, editorial director of the Computer Security Institute, a private research firm that tracks electronic crime. "Al-Qaida and serious narcotic terrorists are using credit card fraud to finance their groups."

Fraud cost e-tailers $700 million in lost merchandise last year, says Avivah Litan, a financial analyst for research firm Gartner. Some large Internet retailers have software that screens transactions and refuses to sell to customers who appear suspicious. Litan estimates that this costs Web stores between 5 percent and 8 percent of sales. A Gartner study also shows that 5.2 percent of online shoppers have been victimized by credit card fraud and 1.9 percent by identity theft.

"These are huge numbers. This is scary stuff," Litan said. "The Internet has got an albatross around its neck."

Skilled hackers shake off investigators by shuttling between multiple servers before launching an attack. After fleeing a targeted site with credit card numbers or other bounty, the intruders immediately begin deleting the log files of each server they have passed through, eliminating any record that they were there.

It is the equivalent of "vacuuming up the crime scene," said independent fraud investigator Dan Clements, who runs a Web site devoted to catching hackers called CardCops.com. Only about 10 percent of active hackers are savvy enough to work this way consistently, he said, but they are almost always successful.

Having grown up with the breakneck pace of "Internet time," hackers of this digital generation use speed as a primary weapon.
As with all criminal investigations, pursuing online suspects means time-consuming records searches that often require subpoenas--a process that can give hackers an insurmountable advantage. FBI agents can swiftly get subpoenas from the courts but often lose critical time trying to serve them. Agents can spend days sorting through digital smoke screens created by multiple servers, requiring agents to obtain and serve multiple subpoenas. In the meantime, valuable evidence is often lost, and by then, hackers are long gone.

The federal government is taking steps to improve its fight against criminal activity online. FBI Director Robert S. Mueller created a new cybercrime unit in December, and the Bush administration has added 50 new federal prosecutors to address the problem nationwide.

Unsolved hacks

Still, few believe that these measures will eradicate a problem that's become so deeply entrenched. The FBI confirmed, for example, that no arrests have been made in any of six recent high-profile cases:

* Playboy.com: An intruder slipped past the Web site security systems of the adult entertainment company last November and obtained the personal information of an undisclosed number of customers of the site's e-commerce store. The hacker notified customers that he or she had pilfered the information and, as proof, gave them their credit card numbers.

* Ecount: Last summer, a hacker circumvented the Internet defenses of the Philadelphia-based company's gift certificate service and notified customers of the breach in an e-mail that included their home addresses. The hacker then demanded $45,000 from the company to keep him from exposing the personal information of 350,000 customers.

* Egghead.com: A hacker infiltrated the e-tailer's system in December 2000. After three weeks of investigation, the company said the intruder did not obtain the personal information of its 3.7 million customers, but many banks said they spent millions of dollars to issue new credit cards in the meantime.

* Creditcards.com: Also in December 2000, a hacker broke in to systems maintained by the company, which enables merchants to accept payments online, and made off with about 55,000 credit card numbers. The hacker tried to extort the company and, when executives refused to pay, exposed the numbers by posting them on the Web.

* Western Union: In September 2000, a hacker exploited an opening in the Web site of the financial services company and got away with more than 15,000 credit card numbers. Human error left "performance management files" open on the site during routine maintenance, allowing the hacker access.

* CD Universe: About 350,000 credit card numbers were stolen from the online music company in January 2000, one of the first large-scale hackings of its kind. The thief, identified only as "Maxus," held the card numbers hostage and demanded a $100,000 ransom. When the company refused, the hacker posted the numbers on a Web site.

Without commenting on these specific cases, law enforcement officials say many online merchants may be partly to blame for the lack of arrests because they do not devote enough resources to prevent intrusion or facilitate investigations in the event of a crime.

"If there is any message to get out there, it would be for companies to upkeep their antivirus and firewall software," said Laura Bosley, a spokeswoman for the FBI's Los Angeles field headquarters.

Jennifer Granick, litigation director at the Stanford Law School Center for Internet and Society, said security is often neglected by companies more interested in making a quick buck. E-commerce companies "rushed online during the dot-com boom, and they saw the money that was to be had and didn't give a thought to security," she said. "They were too busy trying to capture eyeballs to secure their sites."

Even if they have fortified their Web sites against attack, many companies are still unaware of the importance of preserving evidence if a crime occurs--ignorance that can kill any hope of catching a perpetrator, said Bruce Smith, an investigator for Pinkerton Consulting & Investigations and a former FBI agent who worked on computer crime cases for six years.

Frequently, Smith said, agents will scan the Web logs of a hacked company only to find a blank record that leaves the intruder's trail stone cold. Sometimes, he said, the shopkeeper accidentally destroys the logs, covering the hacker's tracks with other records. More often, the online store never turns on the logging feature to begin with because it could slow a Web site's performance.

"You cross your fingers when you start looking at the logs," Smith said. "Sometimes you get lucky, sometimes not."

Moreover, precious time can be lost when companies hesitate to contact authorities immediately after an intrusion. The reason for the delay is often rooted in business, not justice.

"Fear," Smith said. "They're reluctant to admit that they've been victimized. You can imagine the bad press. Here's someone who's telling clients their information is safe at the same time their site is getting hacked."

Security experts blasted Egghead for taking weeks to investigate whether the personal information of its customers had been compromised. A company with good logging capability should have been able to determine the extent of the intrusion within a few days, security specialists said, perhaps saving banks a cost of between $5 and $25 for each new credit card issued out of precaution.

"I think there was some things that we wished we did before the attack," said Jeff Sheahan, the former chief executive of Egghead. "We thought we had a tight oversight system. We asked ourselves how we missed this. It was just focusing on other things and not sensing that there was a big enough risk."

The investigation was expensive for Egghead, but the intrusion exacted a much higher price in the form of lost confidence among its customers.

"When you're an e-commerce business, trust is important. I don't think there is any doubt that trust level took a hit to some degree," Sheahan said.

Other online merchants would do well to learn from Egghead's mistakes, for the number of hackings is growing. To gauge this trend, CardCops' Clements posted fake credit card numbers on the Web and then spread the word at sites popular with "carders"--those who traffic in stolen credit cards--that a Web site had accidentally divulged the information.

In less than a half-hour, the site had 74 visitors from 31 countries. Within a couple of days, the number of visitors had grown to 1,600. No one can say how many came to the site with criminal intent, but Clements believes most did.

"There's a war raging online," he said, "and the bottom line is that law enforcement is losing."

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
From isn at c4i.org Thu May 16 02:13:30 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] "Deceptive Duo" suspects hit in FBI raid
Message-ID:

http://news.com.com/2100-1001-914848.html?tag=fd_top

By Robert Lemos
Staff Writer, CNET News.com
May 15, 2002, 6:10 PM PT

update - The FBI has issued search warrants against two former online vandals it believes to be the members of a "patriot" hacking group called the Deceptive Duo.

As first reported by CNET News.com, agents raided the homes of two teenagers earlier this week. The FBI on Sunday seized equipment in Florida from The-Rev, a former member of the hacking group Sm0ked Crew, according to a friend of the Deceptive Duo hackers. Separately, the Contra Costa county district attorney's office confirmed that agents acting on a warrant issued in the Deceptive Duo case confiscated computer equipment from Robert Lyttle, the previously convicted pro-Napster defacer, in California on Monday.

The California raid prompted a Wednesday juvenile parole hearing for Lyttle, who is now 18. Lyttle has been confined to his home as a result of the criminal hearing.

"He has been placed on a higher level of supervision," said a source familiar with the proceedings, who asked not to be identified. "He has to wear an ankle bracelet, which tells them where he is. If he walks away from the house, it sends a signal to the probation department."

The Deceptive Duo has defaced dozens of U.S. government and military sites with pro-American messages lambasting the poor security of the nation's critical systems. The hacked sites have included those of the Defense Department and the Sandia National Laboratories, which is associated with the U.S. Department of Energy's National Nuclear Security Administration.

No charges have yet been filed against either suspect, said Chris Murray, a spokesman for the FBI's Washington Metropolitan Bureau. However, the search warrants and affidavit used in the case have been sealed and are not available for public viewing, he said.

Because the Deceptive Duo hit government and military sites, the case is being administered from the Washington D.C. Metropolitan office of the FBI. An FBI representative in San Francisco confirmed that the bureau had issued a search warrant on Monday. A spokesperson for the FBI office in Miami Beach, Florida, could not be reached.

Dodie Katague, deputy district attorney for California's Contra Costa county, confirmed that Lyttle had appeared in a probation hearing Wednesday to discuss how his probation status would be affected by the new charges.

"Now that he is an adult--he is 18--we are letting the Feds handle it," said Katague. "And he is going to be in a lot more trouble than before."

Lyttle was convicted of defacing dozens, and perhaps hundreds, of Web sites with a pro-Napster message. He is on probation.

Kelly Hallissey, a Las Vegas resident who bills herself as an "online mom" to several hackers including the two suspects, said she argued with The-Rev and Pimpshiz--Lyttle's online moniker--to stop defacing, but they wouldn't.

"They knew that they were going to get caught," she said.

Hallissey worried that the teenagers would be made an example under new laws passed as part of the U.S.A. Patriot Act and maintains that they truly thought they were helping the security cause.

"This is their part in helping after 9-11," Hallissey said. "A lot of kids they knew went into the service after 9-11. Their skills lie in hacking, however. It sounds corny, but they mean it and they believe it."

The Deceptive Duo's defacements mimicked a secret agent file. In the first hack in late April, the Duo wrote: "We are two U.S. Citizens that understand how sad our country's cybersecurity really is. The Deceptive Duo's continuous mission is to define the weaknesses that lie upon us. Our lives revolve around the use of electronic communication, we must protect our formation of controlling technology one way or another."

Many security experts have been critical of the tactics employed by the duo in the name of helping computer security.

"There are probably better ways to tell people that their security sucks," said Dragos Ruiu, an independent security consultant. "In one way, it's an excuse to play around, because they probably would have done it anyway."

Yet in a previous e-mail interview with CNET News.com, the Deceptive Duo said they believed they had already helped the cause of U.S. security.

"There is quite an improvement in security," they wrote. "Because the systems we were once able to breach are no longer susceptible to attack...Not only are our targets more secure, but we strongly believe that witnesses to this entire ordeal will see that everything is a bit more realistic. This will force them to act on their own system security if so inclined."

Lyttle's attorney, San Francisco-based Omar Figaeroa, believed that the 18-year-old hacker will be released in the end.

"When all the facts are in, Robert will be exonerated, because he had no criminal intent," he said. "He was acting in good faith."

From isn at c4i.org Thu May 16 02:16:11 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Control phreaks
Message-ID:

http://www.timesonline.co.uk/article/0,,7-296267,00.html

[I like the one quote "I've never seen a cyber-criminal drive up in a Porsche, but I've seen lots of people in the computer industry making lots of money". Apparently this fellow has never heard about being caller #102 and winning the Porsche. :) - WK]

by Stefanie Marsh
May 15, 2002

They are often described as 'cyber-vandals', yet hackers claim they are driven not by malice, but by intellectual curiosity and a hunger for power

If he were so inclined, kp could hack into your bank account, access your personal e-mails or shut down your computer from a distance. At a push, he claims, he could hack into your medical records and insert the letters HIV+ under the "any serious illnesses" category. "That would seriously f*** up your insurance policy, wouldn't it? Perhaps even your life," he says. So far he hasn't "seriously f***ed up" anybody's life but the knowledge that he could gives him a warm glow. It's nice to know that all those years in front of his computer have yielded him such power.

By day kp is a reasonably well-paid systems operator. The moment he gets home, he becomes a black-hat hacker - or cyber-criminal, -vandal or -terrorist, if you prefer. Black-hat hackers such as kp (his "handle") use their computer knowledge with malicious intent. Why does he do it? "Because I'm morally bankrupt and I don't give a f*** about being caught," he says.

kp already has a criminal record for obtaining goods fraudulently. This was more than ten years ago when, aged 16, his friend "Enigma" taught him how to hack into the phone network and obtain free calls. Despite the upset with the law, "phone phreaking" remains kp's true love. He claims to have control over 50,000 lines. His aim: to dominate the entire network. kp talks fondly about the time he shut down the lines between England and Scotland for three seconds. "I can listen in on calls, reroute them, anything. I could shut down the emergency services. I wouldn't do it, but you've got to realise how serious an issue this is."

Bob Ayers, head of the computer security company @stake, agrees that hacking is serious but prefers the term "delinquent little weasel b*****s" to black hats.
As a former project director for the US Department of Defence, Ayers has spent almost 20 years trying to put people like kp behind bars. "People think of these cyber criminals as cute little blond boys who break into computers to change their grade in mathematics," he says. "That just isn't accurate. They are thugs. They ruin your credit ratings, steal identities, steal intellectual property or deface websites so they can brag to their friends."

Although the FBI has identified the average black hat as 26 years old, white and male, Ayers points out that there are anomalies. He recalls being called in to one British financial institution whose computer system had been attacked by a particularly lethal virus, introduced into the company by an employee: not, as it turned out, a hard-done-by underling, but a senior manager bent on discrediting the head of systems.

What Ayers fails to acknowledge is the significant proportion of black hats whose motives are relatively "innocent". Teenage newcomers, or "script-kiddies", might get their intellectual kicks from trespassing on a company's network without any malicious intent. Dr K, once a black-hat hacker and now author of The Complete Hacker's Handbook, thinks the vast majority of black hats are under 16 and "poking about". Furthermore, "if you can't keep a teenager out of your network, whose fault is that?"

"Computer crime is exaggerated," he says, often by those who might profit from reinforcing the security of a company's network. "I've never seen a cyber-criminal drive up in a Porsche, but I've seen lots of people in the computer industry making lots of money. The best security experts have all been black hats at some point." (Ayers insists that few black hats swap sides.)

However, kp has no intention of quitting. For his next stunt, he plans to sabotage the enormous video screens at a football stadium by interrupting the live coverage with a huge picture of his best friend's backside.
He looks down on the "scriptkiddies" for their greenness, and cyber-activists (many of whom use kp's programs to hack into sites) for bringing politics back into illegal hacking. "There are a lot of people who feel that they need to justify their actions and adopt a critical political stance: 'I'm Leninist. I believe the state should be smashed', that kind of thing. They lack the guts to do it for the sake of doing it.

"Hacking for me is a control thing. The initial buzz is the most amazing feeling, but you know that you're not going to be happy unless you gain more control. I'm still going to be hacking when the police break down my door."

From isn at c4i.org Thu May 16 02:14:05 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Hoax virus alert could cripple Windows Java
Message-ID:

http://www.theregister.co.uk/content/55/25294.html

By John Leyden
Posted: 15/05/2002 at 17:21 GMT

Antivirus experts are warning of a hoax virus alert which might trick users into deleting an important file on their Windows machines.

The fake warning tells users to search their hard drives and delete a file called jdbgmgr.exe, a filename used by Microsoft's Debugger Registrar for Java, which may be present quite legitimately on many computers.

But the Magistr-A virus is capable of sending infected copies of jdbgmgr.exe, and this seems to have spawned the misplaced warning, which is gaining ground.

Deleting Microsoft's Debugger Registrar for Java may result in Java programmes failing to run after the user has deleted legitimate copies of jdbgmgr.exe.

Rob Rosenberger's Virus Myths first reported on the jdbgmgr.exe hoax alert (which he says should more properly be called an urban myth) last month.
Anti-virus vendor Sophos backed up his analysis today, by warning that it has "received enquiries from thousands of concerned computer users about the subject".

The rule of thumb here is if you find a copy of jdbgmgr.exe on your computer, then it's probably not infected; but if you receive jdbgmgr.exe as an email attachment, then it probably is infected. If you receive an unsolicited executable file in your email, delete the email.

One other source of reassurance is that most AV packages have been able to detect Magistr-A for over a year, so if your anti-virus software is up to date, you will be protected from the Magistr virus anyway.

The panic caused by messages about jdbgmgr.exe is similar in many ways to the sulfnbk.exe hoax alert last year, which like the latest panic is believed to have been caused by a clueless - but well-meaning - user.

Users should avoid passing on virus warnings to friends, instead checking out the facts on an anti-virus Web site (or Vmyths.com). Alternatively they could forward the warning to whoever in their company is responsible for virus protection, so that they can decide if it is valid.

From isn at c4i.org Thu May 16 02:14:28 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Open source review would aid Windows security: Gartner
Message-ID:

http://www.theregister.co.uk/content/4/25291.html

By John Leyden
Posted: 15/05/2002 at 14:12 GMT

Microsoft should dump security via obscurity, and submit its software to open source review, according to Gartner.

The open source review bit is something so utterly alien, communist and horrible to the mind of Bill Gates that it's almost worth us running a competition to find what he'd rather do (Sacrifice of firstborn? Auction mother on eBay? Tell Steve Jobs he was right?) - but actually, Gartner is perpetrating a small piece of sensationalism by saying it agrees with Gates about security, "and believes that open source review of Microsoft's code is necessary to meet security goals." Which is not the same as saying this is what Bill believes, but they had us going for a moment there.

Gartner contrasts the assertion by Jim Allchin, Microsoft's senior vice president for Windows, that Windows boxes would be more vulnerable to attack if the company had to disclose technical information to rivals with previous pronouncements by his Billness. But computer hackers have had little difficulty breaking into Microsoft's closed-source software, it notes.

Gartner analyst John Pescatore writes: "a strategy of relying on security through obscurity (hiding source code) has already proven a failure for Microsoft. To make future products more trustworthy, Microsoft will have to become more expert at developing code that can withstand external review."

Over the long term open documentation and public review of program interfaces between OSs and applications will lead to better security for Microsoft, Gartner believes, even though it notes some short term problems.

"Attackers may exploit the exposed interfaces in the short term as the process brings to light existing yet undiscovered vulnerabilities. But this approach simply means that insecure code will become secure more rapidly," Pescatore writes.

Allchin's belief that security offers a valid reason to reject making source code visible is misplaced, the analysts conclude.

The disclosure by Microsoft of technical information to rivals, which would allow them to make sure their software works better with Windows, is among the remedies put forward by the nine dissenting states during the current anti-trust trial.
From isn at c4i.org Thu May 16 02:12:28 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:09 2008 Subject: [ISN] Re: [defaced-commentary] Crackers deface Ferrari Message-ID: ---------- Forwarded message ---------- Date: Wed, 15 May 2002 14:24:38 -0400 (EDT) From: security curmudgeon To: defaced-commentary@attrition.org Subject: Re: [defaced-commentary] Crackers deface Ferrari

[Once again, Mr Rodrigues does some good digging on the latest high profile defacement.]

---------- Forwarded message ---------- From: Giordani Rodrigues To: security curmudgeon Date: Wed, 15 May 2002 10:41:38 -0300 Subject: Re: [defaced-commentary] Crackers deface Ferrari

Hi, Brian. Every major site posted an article about it, here in Brazil. And the reasons are: Barrichello and the defacers are Brazilians. But, IMHO, everybody made a mistake, including Mr. Leyden from The Register. As far as I know, the sites don't belong to the real Ferrari, and I said it in my article (in collaboration with Eva Mothci and Fernando Sousa, from Terra/Lycos):
http://www.infoguerra.com.br/infonews/viewnews.cgi?newsid1021323288,70815,/

There were 3 defaced sites: ferrari-group.com and ferrari-group.biz, defaced by S4t4n1c_Souls, and ferrari.co.jp, defaced by Silver Lords. The mirrors are:
http://www.zone-h.org/defaced/2002/05/12/www.ferrari.co.jp/
http://www.zone-h.org/defaced/2002/05/12/www.ferrari-group.com/
http://www.zone-h.org/defaced/2002/05/12/www.ferrari-group.biz/

Click on www.ferrari-group.com (it's restored now). Do you really think this site belongs to Ferrari? (The title of the page is "new domain"!!) Ferrari is located at Maranello, Italy, and its company's name is Ferrari S.p.A. But, take a look at these whois: Ferrari-group.biz and ferrari-group.com (the domain ferrari-group.com was created in 2001-09-27, only 6 months ago!!!):

Domain Name.......... ferrari-group.com
Creation Date........ 2001-09-27
Registration Date.... 2001-09-27
Expiry Date.......... 2002-09-27
Organisation Name.... Ferrari Group srl
Organisation Address. via T. Gallio, 3
Organisation Address.
Organisation Address. Cittadella
Organisation Address. 35013
Organisation Address. PD
Organisation Address. ITALY

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

FERRARI-GROUP.BIZ
Domain ID: D2348143-BIZ
Sponsoring Registrar: MELBOURNE IT D/B/A INTERNET NAMES WORLD WIDE
Registrant ID: B10128418300782
Registrant Name: Ferrari Group srl
Registrant Organization: Ferrari Group srl
Registrant Address1: Via T. Gallio, 3
Registrant City: Cittadella
Registrant State/Province: PD
Registrant Postal Code: 35013
Registrant Country: Italy
Registrant Country Code: IT
Registrant Phone Number: +39.0498056830
Registrant Facsimile Number: +39.0498056834
Registrant Email: domains@seven.it
[snip]
Technical Contact Email: inww@register.it
Name Server: NS.SEVEN.IT
Name Server: NS2.SEVEN.IT
Created by Registrar: MELBOURNE IT D/B/A INTERNET NAMES WORLD WIDE
Last Updated by Registrar: MELBOURNE IT D/B/A INTERNET NAMES WORLD WIDE
Domain Registration Date: Mon Feb 04 16:57:11 GMT 2002
Domain Expiration Date: Tue Feb 03 23:59:59 GMT 2004
Domain Last Updated Date: Tue Feb 05 16:33:59 GMT 2002

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Ferrari.co.jp
Domain Information:
a. [Domain Name] FERRARI.CO.JP
g. [Organization] KATO INC.
l. [Organization Type] Corporation
m. [Administrative Contact] SS535JP
n. [Technical Contact] MA129JP
p. [Name Server] ns.ferrari.co.jp
p. [Name Server] ns2.birthday.co.jp
y. [Reply Mail] info@d-wing.co.jp
[State] Connected (2002/06/30)
[Registered Date] 1997/06/30
[Connected Date] 1997/07/02
[Last Update] 1998/07/29 21:29:30 (JST)
yazaki@d-wing.co.jp

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The real Ferrari (Ferrari.it):
domain: ferrari.it
x400-domain: c=it; admd=0; prmd=ferrari;
org: Ferrari SpA
descr: Fabbrica Automobili Sportive e da corsa
admin-c: MS2780-ITNIC
tech-c: MS2780-ITNIC
tech-c: BC339
postmaster: IM175-ITNIC
zone-c: BC339
nserver: 193.42.138.2 dns.ferrari.it
nserver: 194.196.14.4 genius.intesa.it
mnt-by: INTESA-MNT
created: before 960129
changed: michele.delucia@intesa.it 19990726
changed: hostmaster@nic.it 19990630
changed: hostmaster@nic.it 20000817
source: IT-NIC

person: Mauro Sabbatini
address: Via Abetone Inferiore, 4
address: I-41053 Maranello (MO)
address: Italy
phone: +39 0536 949230
fax-no: +39 0536 949414
nic-hdl: MS2780-ITNIC
changed: hostmaster@nic.it 19980120
source: IT-NIC

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The real Ferrari at USA:
Ferrari North America (FERRARI6-DOM)
via Abetone Inferiore 4
Maranello, MO 41053
ITALY
Domain Name: FERRARI.COM
Administrative Contact:
Sala, Alessandro (ASV707) asala@FERRARI.IT
ferrari s.p.a.
via Abetone Inferiore 4
Maranello, MO 41053
IT
+39 0536 949792 (FAX) +39 0536 949011
Technical Contact:
Ciaoservice Domain Registration Staff (CD3998-ORG) cshostmaster@CIAOWEB.IT
Ciaoservice s.p.a.
Strada 3 - Palazzo B/2 - 20 Piano
Assago, 20090
ITALY
+39 02 575591
Fax- +39 02 57559319

Regards,
Giordani Rodrigues
http://www.infoguerra.com.br

- The information and commentary is Copyright 2002, by the individual author. Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org is credited. The opinions expressed in this mail are not necessarily the opinion of all Attrition staff members. 
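The check Rodrigues performs by eye above, comparing each defaced domain's registrant and name servers with the record of the genuine ferrari.it, can be scripted. The following is an added example and not part of his post or of any tool he used: the whois text is transcribed and abridged from the records he quotes, the parser handles the three field layouts those registries use (dotted padding, "Key: value", and the JPRS "g. [Key] value" style), and the corporate-suffix list and the "zone after the first label" heuristic for name servers are assumptions of this example.

```python
"""Flag look-alike domains whose whois registrant does not match a reference.

Added example (not from the original post). Registries label the same
field differently, so the parser normalises three layouts before comparing
the registrant organisation and the DNS zones that host the name servers.
"""
import re

# Transcribed and abridged from the whois records quoted in the message.
WHOIS_RECORDS = {
    "ferrari-group.com": """\
Domain Name.......... ferrari-group.com
Creation Date........ 2001-09-27
Organisation Name.... Ferrari Group srl
Organisation Address. via T. Gallio, 3
Organisation Address. Cittadella
Organisation Address. ITALY
""",
    "ferrari-group.biz": """\
Registrant Organization: Ferrari Group srl
Registrant Address1: Via T. Gallio, 3
Registrant City: Cittadella
Registrant Country: Italy
Name Server: NS.SEVEN.IT
Name Server: NS2.SEVEN.IT
""",
    "ferrari.co.jp": """\
a. [Domain Name] FERRARI.CO.JP
g. [Organization] KATO INC.
p. [Name Server] ns.ferrari.co.jp
p. [Name Server] ns2.birthday.co.jp
""",
    "ferrari.it": """\
domain: ferrari.it
org: Ferrari SpA
address: Via Abetone Inferiore, 4
address: I-41053 Maranello (MO)
nserver: 193.42.138.2 dns.ferrari.it
nserver: 194.196.14.4 genius.intesa.it
""",
}

# Each registry's label for the two fields this check compares -> canonical key.
FIELD_ALIASES = {
    "organisation name": "org", "registrant organization": "org",
    "organization": "org", "org": "org",
    "name server": "ns", "nserver": "ns",
}

LINE_FORMATS = (
    re.compile(r"^\s*(?:[a-z]\.\s*)?\[(?P<key>[^\]]+)\]\s*(?P<val>.*)$"),   # "g. [Organization] KATO INC."
    re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 /_-]*?):\s*(?P<val>.*)$"),  # "org: Ferrari SpA"
    re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 /_-]*?)\.+\s+(?P<val>.*)$"),  # "Domain Name...... x"
)

# Corporate suffixes ignored when comparing names (assumed list, extend as needed).
LEGAL_SUFFIXES = {"spa", "srl", "inc", "ltd", "llc", "gmbh", "sa", "co"}


def parse_whois(text):
    """Return {canonical_key: [values]} for the fields named in FIELD_ALIASES."""
    fields = {}
    for line in text.splitlines():
        for pattern in LINE_FORMATS:
            m = pattern.match(line)
            if m:
                key = FIELD_ALIASES.get(" ".join(m.group("key").split()).lower())
                if key:
                    fields.setdefault(key, []).append(m.group("val").strip())
                break
    return fields


def core_name(org):
    """'Ferrari SpA' -> ('ferrari',): lower-case, drop punctuation and legal suffixes."""
    words = re.sub(r"[^a-z0-9 ]", "", org.lower()).split()
    return tuple(w for w in words if w not in LEGAL_SUFFIXES)


def ns_zone(ns_value):
    """'193.42.138.2 dns.ferrari.it' -> 'ferrari.it' (zone after the host's first label)."""
    host = next(t for t in ns_value.lower().split() if re.search(r"[a-z]", t))
    return host.rstrip(".").split(".", 1)[-1]


def assess(candidate, reference="ferrari.it"):
    """Compare a candidate domain's registrant and DNS hosting with the reference's."""
    cand = parse_whois(WHOIS_RECORDS[candidate])
    ref = parse_whois(WHOIS_RECORDS[reference])
    ref_core, cand_org = core_name(ref["org"][0]), cand.get("org", [""])[0]
    cand_core = core_name(cand_org)
    if cand_core == ref_core:
        verdict = "same registrant name"
    elif set(ref_core) & set(cand_core):
        verdict = "different entity reusing the name"   # e.g. "Ferrari Group srl"
    else:
        verdict = "unrelated registrant"
    ref_zones = {ns_zone(v) for v in ref.get("ns", [])}
    cand_zones = {ns_zone(v) for v in cand.get("ns", [])}
    return {
        "domain": candidate,
        "registrant": cand_org,
        "org_verdict": verdict,
        # None when the record carried no name-server data at all.
        "shares_dns_zone_with_reference": bool(ref_zones & cand_zones) if cand_zones else None,
    }


if __name__ == "__main__":
    for domain in ("ferrari-group.com", "ferrari-group.biz", "ferrari.co.jp"):
        print(assess(domain))
```

Run against the three defaced names, every one comes back as either a different entity reusing the word "Ferrari" or an unrelated registrant, and none is served from the zones (ferrari.it, intesa.it) that host the genuine domain, which is exactly the point of the message.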
Commentary Archive: http://www.attrition.org/security/commentary/ The Attrition Mirror: http://www.attrition.org/mirror/attrition/ Country/TLD Statistics: http://www.attrition.org/mirror/attrition/country.html Attrition Defacement Statistics: http://www.attrition.org/mirror/attrition/stats.html Operating System Graphs: http://www.attrition.org/mirror/attrition/os-graphs.html Other Web Defacement Mailing Lists: http://www.attrition.org/security/lists.html Contacting Attrition Staff: staff@attrition.org To subscribe to Defaced Commentary, send mail to majordomo@attrition.org with "subscribe defaced-commentary" in the BODY of the mail (without quotes). To unsubscribe, include "unsubscribe defaced-commentary" in the BODY of the mail. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Thu May 16 02:15:28 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:09 2008 Subject: [ISN] Securing The Center Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,71121,00.html Date: MAY 13, 2002 Author: JAIKUMAR VIJAYAN Heightened concerns about cyberterrorism and the increasing need to open internal networks to outside access are pushing corporations to bolster data center security, both on the IT front and physically. The goal is to add multiple layers of protection and redundancy around the data center infrastructure and software while still maintaining the levels of service demanded by the business. On the physical side, companies are boosting their business continuity and disaster recovery capabilities by buying and building redundant hardware and facilities and geographically separating their IT assets. The technology effort, meanwhile, is focused on supplementing traditional firewall protection with newer intrusion monitors, access control tools and tougher IT usage polices. 
The need for such protection is being driven by cyberthreats and the growing use of the Internet to link companies with partners and customers, says David Rymal, director of technology at Providence Health Systems in Everett, Wash. "There is an increasing pressure to enable wide and unfettered access from our business units. We are getting so many requests to open up ports in our firewall that pretty soon it is going to look like Swiss cheese," Rymal says. "The more of them you have open, the more vulnerabilities you create."

The whole notion of Web services, under which companies link their systems with those of external partners and suppliers, is only going to increase the need for better security, users say. Adding to the pressures is the growing number of remote workers and the trend toward wireless applications. This has meant finding better ways of identifying and authenticating users and controlling the access they have on the network. "You have to keep in mind that the minute you open your servers or services to the Internet, you are going to have bad people trying to get in," says Edward Rabbinovitch, vice president of global networks and infrastructure operations at Cervalis Inc., a Stamford, Conn.-based Internet hosting service. While it's impossible to guarantee 100% security, companies should make things as difficult as possible for outsiders or insiders to steal or damage IT assets, IT managers say.

Cervalis' security, for instance, begins at its ingress points - where the Internet meets its networks. The company uses strict port control and management on all of its Internet-facing routers to ensure that open ports don't provide easy access for malicious attackers. Redundant, load-balanced firewalls that are sandwiched between two layers of content switches filter all traffic coming in from the Internet. Network-based intrusion-detection systems are sprinkled throughout the Cervalis network. 
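The "strict port control" Cervalis describes, and the "Swiss cheese" Rymal is worried about, come down to one recurring review: everything an Internet-facing rule accepts, checked against the short list of services that are supposed to be reachable. The script below is an added example, not code from the article or from either company: it reads iptables-save style "-A" rules (the article talks about routers, so the syntax is an assumption), the ruleset, the eth0 interface name, the RFC 5737 documentation addresses and the approved-service list are all constructed for the example, and it reports each ACCEPT that exposes something outside the approved list.

```python
"""Audit the rules on an Internet-facing interface against an approved-service list.

Added example (not from the article). Parses iptables-save style "-A" lines;
the ruleset, interface name, addresses and approved list are constructed.
"""
import shlex

# Services that are supposed to be reachable from the Internet: (protocol, port).
APPROVED = {("tcp", 80), ("tcp", 443)}

# Constructed ruleset for the Internet-facing interface (assumed to be eth0).
RULESET = """\
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -s 203.0.113.0/24 --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 1433 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8000:8100 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 161 -j ACCEPT
-A INPUT -i eth0 -s 198.51.100.7 -j ACCEPT
-A INPUT -i eth0 -j DROP
"""

# Options this audit models; everything else on the line is skipped.
FLAGS = {"-A": "chain", "-i": "iface", "-p": "proto", "-s": "src",
         "--dport": "dport", "-j": "target", "--state": "state"}


def parse_rule(line):
    """Turn one '-A ...' line into a dict of the options listed in FLAGS."""
    rule = {name: None for name in FLAGS.values()}
    tokens = shlex.split(line)
    i = 0
    while i < len(tokens):
        name = FLAGS.get(tokens[i])
        if name is not None and i + 1 < len(tokens):
            rule[name] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule


def port_span(dport):
    """'443' -> (443, 443); '8000:8100' -> (8000, 8100)."""
    lo, _, hi = dport.partition(":")
    return int(lo), int(hi or lo)


def audit(ruleset, approved=APPROVED, iface="eth0"):
    """Return (severity, reason, rule_text) for every ACCEPT on iface that
    exposes something outside the approved list."""
    findings = []
    for line in ruleset.splitlines():
        if not line.startswith("-A"):
            continue
        rule = parse_rule(line)
        if rule["target"] != "ACCEPT" or rule["iface"] != iface:
            continue
        # A stateful rule for return traffic opens no listening port; only a
        # rule that also matches NEW connections is an exposure.
        if rule["state"] and "NEW" not in rule["state"].upper():
            continue
        src = rule["src"] or "anywhere"
        if rule["dport"] is None:
            findings.append(("CRITICAL", f"accepts every port from {src}", line))
            continue
        lo, hi = port_span(rule["dport"])
        if all((rule["proto"], p) in approved for p in range(lo, hi + 1)):
            continue
        service = f"{rule['proto']}/{rule['dport']}"
        if rule["src"]:
            finding = ("MEDIUM", f"{service} open to {src}, not on the approved list; confirm it is still needed", line)
        elif hi > lo:
            finding = ("HIGH", f"{service} opens {hi - lo + 1} ports to anywhere", line)
        else:
            finding = ("HIGH", f"{service} open to anywhere and not on the approved list", line)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for severity, reason, line in audit(RULESET):
        print(f"{severity:8} {reason}\n         {line}")
```

The interesting cases are the last two accepts: a port range that nobody remembers adding and a host-scoped rule with no port at all, which is the whole interface opened to one address. Running this after every change request, rather than once a year, is what keeps the ruleset from ending up as the "Swiss cheese" Rymal describes.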
Cervalis is beta-testing an anti-denial-of-service attack tool from Israeli start-up Riverhead Networks. The tool will let Cervalis quickly isolate denial-of-service traffic that's directed against a particular Web site or server belonging to a hosted customer, without affecting the rest of the network. Companies are also building "air gaps" between their outside-facing applications and back-end data. Providence, for instance, doesn't permit external Internet connections or wireless access to terminate on any internal machine. It's far safer to end such connections outside the firewall and then tunnel all requests through secure services, Rymal says.

Antivirus and e-mail filtering tools are being supplemented in many companies with new measures aimed at reducing the risk of attack via e-mail. "E-mail, to me, is always the weakest link, because you are open to just about anything and everything that comes over the [Web]," says George Gualda, CIO at Link Staffing Services Inc. in Houston. Link prohibits attachments of certain types and sizes on its network. All Internet-based chatting is banned, and users aren't allowed to download and install software. Scripting functions are disabled to prevent unauthorized scripts from wreaking havoc, says Gualda. Link uses a secure virtual private network (VPN) service from OpenReach Inc. in Woburn, Mass., to connect its 45 remote sites. The OpenReach VPN provides firewall and encryption services, but Link placed an extra firewall in front of the VPN anyway.

Compartmentalizing networks based on the services they run makes it easier to isolate and respond to security breaches, says Lee Robertson, chief of IT security at Schlumberger Network Solutions in London. Schlumberger used this approach - together with a slew of access control, user authentication, strict port management and intrusion-monitoring techniques - to secure the internal network at the Winter Olympics in Salt Lake City earlier this year. 
"If we saw an attack, we would have been able to rapidly shut off that portion of the network which was affected and bring the service back up [on a redundant network]," Robertson says. Good security also requires good systems configuration management, says Tony DeVoto, systems manager at Montvale, N.J.-based Volvo Finance North America. Breaches often occur because companies fail to securely configure systems, or stick systems with easily crackable default configurations out on the Internet. Volvo uses Enterprise Configuration Manager from Woodland Park, Colo.-based Configuresoft Inc. to monitor configuration variables from each of its Windows NT and Windows 2000 servers. Physical Security Companies are also boosting the physical security around data centers, especially after Sept. 11. Computer Horizons Corp. (CHC), a Mountain Lakes, N.J.-based company that offers human resources management software and managed hosting services for clients such as AT&T Corp. and Sabre Inc., has signed up to have Equinix Inc. host several of its managed application servers. Mountain View, Calif.-based Equinix maintains a series of fortresslike data centers called Internet Business Exchanges, where clients connect to high-bandwidth lines from a variety of service providers. Armed guards patrol each facility. Concrete bulwarks around each of the anonymous, warehouselike buildings protect the facilities from being rammed by vehicles laden with explosives. The walls of each Equinix data center - which are also hardened against earthquakes and fire - are lined with Kevlar, a material used in bulletproof jackets. The facilities are also windowless to protect against scanning. "It would have been an enormous cost for us to have tried to do all this ourselves," says James Dipasupil, CHC's director of infrastructure services. 
Running a data center out of such hardened facilities can greatly increase the comfort level of people who want to do business with you, says Mike Colon, IT manager at Simpata Inc. Folsom, Calif.-based Simpata does human resources and salary-related processing services for employers. Simpata houses all of its data center equipment in a hardened facility managed by Intel Corp. Apart from extensive physical security, Intel also provides a suite of disaster recovery and backup services, Colon says. Like many other users these days, Simpata encrypts all data that flows from its hosted servers and client systems to protect against cracking. The servers are also constantly monitored against intruders. The result is far better security and peace of mind, not just for Simpata, but for its clients as well, Colon says. Augmenting physical and electronic security measures with policies that are clearly articulated and enforced is also crucial, Gualda says. Link has a tough IT usage policy that employees must abide by. Failure to comply can result in termination, says Gualda, who has fired two employees for this reason in the past. To enforce the policy, the company uses monitoring and auditing tools to inventory employee computer usage. Securing operations also means regularly going through a checklist of maintenance items, IT managers say. Periodic reviews and external audits are also needed to ensure that there is adequate security. "There is never going to be a 100% security solution; there is always a theoretical way for someone to find their way through," Rabbinovitch says. "The task, therefore, is to make it as challenging as possible for the hacker." - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. 
From isn at c4i.org Thu May 16 02:11:43 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:09 2008 Subject: [ISN] Security UPDATE, May 15, 2002 Message-ID: ******************** Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems. http://www.secadministrator.com ******************** ~~~~ THIS ISSUE SPONSORED BY ~~~~ FREE Security eBook from NetIQ--HOT off the Press! http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw01ux0AB Windows & .NET Magazine Webinar: Understanding PKI http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw0rcc0Ab (below IN FOCUS) ~~~~~~~~~~~~~~~~~~~~ ~~~~ SPONSOR: FREE SECURITY EBOOK FROM NETIQ--HOT OFF THE PRESS! ~~~~ Need real-world, in-the-trenches advice on securing your Microsoft Windows .NET servers? Register now for "The Tips and Tricks Guide to Securing .NET Server." You'll gain best practices and technical advice that will open your eyes to Microsoft Windows .NET security. Get the inside scoop on legacy systems, .NET group policy, resource management, secure remote access and emerging .NET enhancements. Don't take chances with your .NET security. Register for the FREE eBook now! http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw01ux0AB ~~~~~~~~~~~~~~~~~~~~ May 15, 2002--In this issue: 1. IN FOCUS - IM Security Considerations in the Enterprise 2. SECURITY RISKS - Unchecked Buffer in MSN Messenger Chat ActiveX Control - Buffer Overflow in Macromedia's Flash Player ActiveX Control 3. ANNOUNCEMENTS - Get Valuable Info for Free with IT Consultant Newsletter - Immediate Access to T-SQL Solutions! 4. SECURITY ROUNDUP - News: Microsoft Remedy Hearings: Allchin Explains Genesis, Scope of Trustworthy Computing - Feature: Guarding Your CAs - Feature: Using the MBSA 5. 
INSTANT POLL - Results of Previous Poll: Security Information Notification - New Instant Poll: IM Use 6. SECURITY TOOLKIT - Virus Center - FAQ: How Can I Modify the Installation Credential Settings in Win2K? 7. NEW AND IMPROVED - Integrated Security Appliance - Universal Antivirus Rescue System 8. HOT THREADS - Windows & .NET Magazine Online Forums - Featured Thread: Blocking IM - HowTo Mailing List - Featured Thread: Not Recovering from a Missing SAM Database 9. CONTACT US See this section for a list of ways to contact us. ~~~~~~~~~~~~~~~~~~~~ 1. ==== IN FOCUS ==== (contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net) * IM SECURITY CONSIDERATIONS IN THE ENTERPRISE Does your organization use Instant Messaging (IM) software? IM has become an incredibly popular tool in the corporate world. Several companies that offer IM networks, including AOL, ICQ ("I Seek You"), Microsoft, and Yahoo!, have IM client packages with various features and capabilities. However, some administrators virtually ignore IM security considerations. For example, IM communications often traverse a network in plain text format, which means someone could eavesdrop easily on private business communications. If you don't have IM software on your network, don't install it without planning. IM use carries considerable risk and requires not only the implementation of company policies, but also diligent ongoing attention to IM's vulnerabilities. For example, last week Microsoft reported that its MSN Chat Control software contains a buffer-overflow condition that could let intruders run the code of their choice on a user's machine. The problem affects MSN Chat Control, MSN Messenger, and Microsoft Exchange IM and is the third MSN chat security problem that Microsoft has reported this year. (See the related Security UPDATE story at the URL below.) But Microsoft isn't alone in having IM software security problems. 
So far this year, reports have documented eight security problems with AOL Instant Messenger (AIM), four with Yahoo! Messenger, and five with ICQ (which AOL owns). http://www.secadministrator.com/articles/index.cfm?articleid=25168 You can address one IM security risk, for example, by using security software that protects IM's plain text transport. Cerulean Studios has an IM security solution that's definitely worth a look: Trillian (see the URL below). Among many security-related IM software packages, this solution stands out for two reasons: Trillian permits messaging between several popular IM networks--including AOL, ICQ, Internet Relay Chat (IRC), MSN, and Yahoo!--and it encrypts communications by using continually regenerated encryption keys. Trillian's encryption feature, SecureIM, uses the Blowfish encryption algorithm to generate a new encryption key each time the user begins a new secure chat session. After the software generates a key, it stores the key only in memory and never to disk, making it harder for an attacker to compromise the key. http://www.ceruleanstudios.com AOL recently announced its encrypted messaging client, Enterprise AIM. According to a Washington Post Newsbytes story, AOL has partnered with VeriSign to create the new IM client, which AOL intends to sell to enterprise users. In addition to encrypted communications, Enterprise AIM will use VeriSign's certificate technology to authenticate users, which will help prevent user impersonation. http://www.newsbytes.com/news/02/176517.html If you subscribe to the Security Administrator monthly print newsletter, you might have read Roger A. Grimes' article in the May issue, "IM Security Primer," InstantDoc ID 24665, which offers a detailed overview of the major IM networks and information about the security concerns they raise for the enterprise. (To learn more about the print newsletter, visit the Security Administrator Channel home page at the URL below.) 
http://www.secadministrator.com We're conducting a new Instant Poll this week: If your organization uses IM, we want to know which IM software you've standardized on. Stop by our home page and give us your answer. http://www.secadministrator.com ~~~~~~~~~~~~~~~~~~~~ ~~~~ SPONSOR: WINDOWS & .NET MAGAZINE WEBINAR: UNDERSTANDING PKI ~~~~ ATTEND OUR FREE WEBINAR: UNDERSTANDING PKI Implementing PKI successfully requires an understanding of the technology with all its implications. Attend the latest Webinar from Windows & .NET Magazine and develop the knowledge you need to address this challenging technology and make informed purchasing decisions. We'll also look closely at three possible content encryption solutions, including PKI. Register for FREE today! http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw0rcc0Ab ~~~~~~~~~~~~~~~~~~~~ 2. ==== SECURITY RISKS ==== (contributed by Ken Pfeil, ken@winnetmag.com) * UNCHECKED BUFFER IN MSN MESSENGER CHAT ACTIVEX CONTROL eEye Digital Security discovered that a buffer-overflow condition exists in MSN Messenger Chat control that can result in unauthorized code execution. Even if users haven't installed MSN Messenger, an attacker can call the control from the codebase tag, which would prompt users to install the control with Microsoft's credentials because Microsoft signs the OLE custom control (OCX). eEye's advisory gives a detailed explanation of this vulnerability. Microsoft has released Security Bulletin MS02-022 (Unchecked Buffer in MSN Chat Control Can Lead to Code Execution) to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=25168 * BUFFER OVERFLOW IN MACROMEDIA'S FLASH PLAYER ACTIVEX CONTROL A buffer-overflow condition exists in Macromedia's Flash Player 6.0 ActiveX Control. 
An attacker can use this vulnerability to execute code through email, a Web site, or any other way that Microsoft Internet Explorer (IE) displays HTML. eEye Digital Security's advisory gives a detailed explanation of this vulnerability. Macromedia has released an updated version of Flash Player that addresses this vulnerability. http://www.secadministrator.com/articles/index.cfm?articleid=25152 3. ==== ANNOUNCEMENTS ==== * GET VALUABLE INFO FOR FREE WITH IT CONSULTANT NEWSLETTER Sign up today for IT ConsultantWire, a FREE email newsletter from Penton Media. This newsletter is specifically designed for IT consultants, bringing you news, product analysis, project management and business logic trends, industry events, and more. Find out more about this solution-packed resource and sign up for FREE at http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw0rfb0Ad * IMMEDIATE ACCESS TO T-SQL SOLUTIONS! Exclusive in-depth articles, tips, tricks, and code samples all at your fingertips. Content you can't get anywhere else--brought to you by the SQL Server experts you trust such as Kalen Delaney, Itzik Ben-Gan, and others. Increase your productivity today! Go to the following URL. http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw0Kqz0AZ 4. ==== SECURITY ROUNDUP ==== * NEWS: MICROSOFT REMEDY HEARINGS: ALLCHIN EXPLAINS GENESIS, SCOPE OF TRUSTWORTHY COMPUTING Microsoft Group Vice President Jim Allchin admitted something yesterday that I've suspected ever since I first read the "Trustworthy Computing" email, a missive that Chairman and Chief Software Architect Bill Gates sent to Microsoft employees and that the company purposefully leaked to the press. Under questioning during cross-examination at the Microsoft remedy hearings, Allchin said that it was he, not Gates, who originally came up with the Trustworthy Computing idea. Allchin also described the Windows products that the initiative covers. 
http://www.secadministrator.com/articles/index.cfm?articleid=25159 * FEATURE: GUARDING YOUR CAs With the growing emphasis on information security, many companies turn to digital certificates to help increase the level of security on their networks. If your network relies on digital certificates, however, you need to implement some disaster-prevention and -recovery techniques to protect your digital certificates and the Certificate Authorities (CAs) that issue them. A brief review of public key infrastructure (PKI) and an introduction to digital certificates and their CAs will get you started. Then, let's examine some methods designed to help you better guard your certificates, your CAs, and the certificate databases that contain your CAs. http://www.secadministrator.com/articles/index.cfm?articleid=25156 * FEATURE: USING THE MBSA If you follow the news about Microsoft security tools, you probably know that 6 weeks ago Microsoft released Microsoft Baseline Security Analyzer (MBSA), which has received a fair amount of negative press coverage. The complaints echo what David Chernicoff wrote last year about the Microsoft Personal Security Advisor (MPSA) tool: The information the tool provides isn't as useful as it could be, and you need to understand what each reported entry means before you'll find the tool useful. The MBSA tool that replaced the MPSA has similar problems, which isn't surprising because it uses the same design philosophy. http://www.secadministrator.com/articles/index.cfm?articleid=25161 5. ==== INSTANT POLL ==== * RESULTS OF PREVIOUS POLL: SECURITY INFORMATION NOTIFICATION The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "How should Microsoft notify its customers about new service packs and new or updated security-related rollup packages, tools, and TechNet articles?" 
Here are the results (+/-2 percent) from the 378 votes:
- 63% Microsoft should issue security bulletins for all security-related matters
- 34% Microsoft should add a mailing list for non-bulletin security matters
- 3% Microsoft needn't notify customers in any additional ways

* NEW INSTANT POLL: IM USE The next Instant Poll question is, "If your organization uses Instant Messaging (IM), which IM choice have you standardized on?" Go to the Security Administrator Channel home page and submit your vote for a) AOL Instant Messenger (AIM), b) ICQ, c) MSN Messenger, d) Yahoo! Messenger, or e) Other. http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ==== * VIRUS CENTER Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

* FAQ: HOW CAN I MODIFY THE INSTALLATION CREDENTIAL SETTINGS IN WIN2K? ( contributed by John Savill, http://www.windows2000faq.com ) A. An administrator can lock down a system to prevent a user from installing new software, or the administrator can configure the system so that the user can provide credentials and continue the installation. To modify the installation credential settings for one machine, perform the following steps:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the following subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. Double-click the NoRunasInstallPrompt value; set it to 1 to disable credentials or 0 to allow credentials.
4. Click OK.
To modify the installation credential settings for network installations, perform the following steps:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the following subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. Double-click the PromptRunasInstallNetPath value; set it to 1 to disable credentials or 0 to allow credentials.
4. Click OK.

7. ==== NEW AND IMPROVED ==== (contributed by Judy Drennen, products@winnetmag.com) * INTEGRATED SECURITY APPLIANCE Symantec announced Symantec Gateway Security, a security appliance that integrates firewall, gateway-level antivirus, intrusion-detection, content-filtering, and VPN capabilities in a single solution. Although designed for small and midsized offices, administrators can also manage local and remote appliances over the Internet including advanced configurations, rule sets, and cluster parameters, which reduces total cost of ownership (TCO). Symantec Gateway Security Model 5110 offers throughput of up to 40Mbps with a 50-node license for $11,790; Model 5200 offers a throughput of up to 80Mbps with a 250-node license for $23,590; Model 5300 provides a throughput of up to 80Mbps with an unlimited node license for $51,990. Contact Symantec at 408-517-8000. http://www.symantec.com * UNIVERSAL ANTIVIRUS RESCUE SYSTEM Central Command released Vexira Antivirus Rescue Disk System, a free virus scanner that can scan Windows, Linux, UNIX, DOS, and OS/2 from a single CD-ROM or disk set. Vexira can remove more than 64,463 viruses, Trojan horses, and other malicious applications, thereby providing users with a safety net when they can't start a computer because of file corruption, alterations to the registry, or damaged partition tables. Contact Central Command at 330-723-2062. http://www.centralcommand.com 8. ==== HOT THREADS ==== * WINDOWS & .NET MAGAZINE ONLINE FORUMS http://www.winnetmag.com/forums Featured Thread: Blocking IM (Five messages in this thread) John wants to know whether he can prevent his network users from loading Yahoo! Messenger and similar Instant Messaging (IM) programs onto their systems for use through the company Internet connection. 
http://www.secadministrator.com/forums/thread.cfm?thread_id=81118 * HOWTO MAILING LIST http://www.secadministrator.com/listserv/page_listserv.asp?s=howto Featured Thread: Not Recovering from a Missing SAM Database (Two messages in this thread) Kit writes that with Windows 2000, if the SAM database is corrupted, the OS politely makes its own blank copy of the SAM and starts up--so you can immediately restore from backup. On some machines, he doesn't want that to happen. Is there a registry setting he can change to prevent this behavior? Can you help? Read the responses or lend a hand at the following URL: http://63.88.172.96/listserv/page_listserv.asp?a2=ind0205a&l=howto&p=503 9. ==== CONTACT US ==== Here's how to reach us with your comments and questions: * ABOUT IN FOCUS -- mark@ntsecurity.net * ABOUT THE NEWSLETTER IN GENERAL -- vpatterson@winnetmag.com (please mention the newsletter name in the subject line) * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums * PRODUCT NEWS -- products@winnetmag.com * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdate@winnetmag.com * WANT TO SPONSOR SECURITY UPDATE? emedia_opps@winnetmag.com ******************** This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today! http://www.secadministrator.com/sub.cfm?code=saei25xxup Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.winnetmag.com/email |-+-|-+-|-+-|-+-|-+-| Thank you for reading Security UPDATE. You are subscribed as isn@c4i.org. MANAGE YOUR ACCOUNT You can manage your entire Windows & .NET Magazine Network email newsletter account on our Web site. 
Simply log on and you can change your email address, update your profile information, and subscribe or unsubscribe to any of our email newsletters all in one place. http://www.winnetmag.com/email SUBSCRIBE To quickly subscribe, send a blank email to mailto:Security-UPDATE_Sub@list.winnetmag.com. UNSUBSCRIBE To quickly unsubscribe, send a blank email to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you! __________________________________________________________ Copyright 2002, Penton Media, Inc. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail. From isn at c4i.org Thu May 16 02:13:02 2002 From: isn at c4i.org (InfoSec News) Date: Thu Apr 10 03:59:09 2008 Subject: [ISN] Sustainable Computing Consortium "foolish" if it doesn't embrace open standards Message-ID: http://newsforge.com/newsforge/02/05/13/1857235.shtml?tid=19 by Tina Gasperson Tuesday May 14, 2002 Carnegie Mellon University is expected to formally announce its "Sustainable Computing Consortium" on May 16th. In order to make some measurable gains in software quality and security, CMU is hooking up with big players in IT and software development, and NASA, to look at new techniques for measuring sustainability. And ironically, all these different companies are going to put their heads together to brainstorm and collaborate and share ideas on some, get ready for this, good old proprietary software and intellectual property that they'll have to pay a licensing fee to use outside their own companies. Carnegie is the school that brings us CERT/CC, the reporting center for Internet security problems. So any Carnegie-created consortium dedicated to driving "order of magnitude improvements in software quality, dependability, and security" has got to be all good. And it probably is. 
But people who are used to developing in the open environment fostered by major universities like Carnegie, MIT, and Berkeley, cringe when they visit the front page of the SCC Web site and see a quote from Bill Gates prominently displayed there: "It's time for developers to think and act differently" along with a plug for an InformationWeek article talking about Gates' now famous, but as of yet not acted upon memo about focusing on security. And it forces the question: what is this consortium really all about? According to the group's authors, "Consortium members support the creation of standards and specifications that allow for the measurement and enhancement of software quality, dependability, and security. Sustainable software encompasses technology, measurement, policy, economic and market dimensions of software. The work of the Consortium includes technical efforts to measure and reduce software-associated risks as well as economic, legal and policy efforts to manage risk within organizations, the broader markets, and the national economy." With recent efforts like the Carrier Grade Linux Working Group having demonstrated that an Open Source project like Linux can be hardened sufficiently for mission critical use by the telecommunications industry, coupled with the overall good record for security that the operating system already enjoys, it is natural that OSS and Free Software models should be a driving force behind the Consortium. Yet, leading Open Source companies who want to get involved have discovered that the Sustainable Computing Consortium will operate in a proprietary environment. The "benefits of membership" listed by the Consortium in its FAQ lays it out: "Members are entitled to a non-exclusive, internal-use license for the intellectual property created by the SCC." 
So what benefit would it be for a Free Software company to get involved in an environment that prevents them from using the innovations created in that environment, since the very nature of Open Source software is that the source code must be offered to those who purchase software? And it appears that so far, only closed-source companies like Microsoft, Oracle, and others have been recruited by the SCC.

NASA is a big part of the Sustainable Computing Consortium, having granted Carnegie's computing science department at least $23 million to look into the whole topic of high-dependability software, hoping to reap the benefits of the creative effort. NASA has called it a "unique opportunity to develop an empirically-based science for software dependability," and one that "could have a major impact on NASA's ability to rely on complex software for advanced mission capability." But what of projects like FlightLinux, where rocket scientist Pat Stakem is developing a special distribution of Linux just for use on spacecraft? The FlightLinux project was originally funded through July 2002 and probably will not continue if NASA decides to focus more on closed-source models.

"The licensing questions at stake for the university are, I hope, still open," says Eben Moglen, general counsel for the Free Software Foundation, "and I look forward to CMU's reconsideration of a policy that makes no sense and will render stillborn an otherwise very important and productive venture of great importance." Brad Kuhn, v.p. of the Free Software Foundation, agrees. "It's a travesty to have proprietary development happening in an academic environment," since the whole point of a University is to make knowledge available.

Bill Guttman, the former co-CEO of PrintCafe, is the director of the SCC. PrintCafe, successful by most measures, makes software specifically for the printing industry. Guttman grew the company to 500 employees and 4000 customers.
He's also the director of Carnegie's Software Center which, among other things, focuses on identifying new software development methodologies and business models. But when he took on that role, the Pittsburgh, PA Post-Gazette labeled him a "geek by accident." Guttman has a PhD in international business, the article says, but ended up running software companies because he saw the money in it. He's typical CEO material: a visionary who is always seeking a way to do things better.

And since the Software Center has been working on finding new development methodologies, it appears the Open Source/Free Software method of development didn't come in first place in Guttman's book. If it had, he'd certainly select it as the foundation for the Sustainable Computing Consortium. In fact, a position paper entitled "High Quality and Open Source Software Practices" and written by T.J. Halloran of CMU and Bill Scherlis, who is the co-director of the SCC, expresses reservations about the suitability of the Open Source software development model in "quality-related technology." In the conclusion of the paper, they state, "...any technique or tool is not feasibly adoptable if it requires a major (client-visible) overhaul of a project web portal, collaboration tools, development tools, or source code base."

Guttman has told potential Consortium members that the SCC would very much like to see the Free Software/Open Source community participate in the project, and he says the group is considering a dual-licensing strategy. Moglen sees the inclusion of Free Software as vital. "The Consortium cannot succeed without the participation of the free software community," he says, "because ours is the development model that will produce high-quality code in the twenty-first century."
Moglen says that in fact, it is the closed method of software development which has contributed heavily to the "radical deterioration in average software quality over the past twenty years, causing hundreds of billions of dollars of lost time every year from work that disappears when personal computers crash, fail to exchange data successfully because of incompatible closed formats, or are disrupted by well-known unfixed security exposures."

Not only that, but "to attempt construction of an infrastructure that does what we do without us, in an attempt to bolster the system of proprietary ownership of software, would be literally foolish," he says, "and I don't expect it to happen among people as smart and capable as those presently forming the Consortium."

From isn at c4i.org Mon May 20 05:22:00 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] "Nessus phones home": the final report.
Message-ID:

Forwarded from: Jay D. Dyson

Forwarded with permission of Renaud Deraison.

---------- Forwarded message ----------
Date: Fri, 17 May 2002 19:57:22 +0200
From: Renaud Deraison
To: nessus@list.nessus.org
Subject: Re: "Nessus calls home"

On Wed, May 08, 2002 at 04:50:09PM +0200, Renaud Deraison wrote:
> I attended CanSecWest last week and I was told there were rumors of
> people complaining about Nessus "calling home" when doing a scan.

Thanks to everyone who replied to me on this issue. I was surprisingly overwhelmed with answers, so please forgive me if I did not reply to you personally. To sum up the replies: a vast majority of people don't care, but everyone agreed that a user-definable third party domain was the way to go.
In Nessus 1.2.1 (or the current CVS snapshot), a new option now appears in the 'plugin prefs' tab, and is set to "nessus.org" by default. Users can change it to something else, so privacy issues should be somewhat resolved.

I modified more plugins than what I thought would be necessary - I'd like to thank Thomas Reinke for sending me a list of plugins that used "nessus.org" in one way or another (there were more than what I thought, mostly because of laziness on my part). People interested in the full list can go to cvs.nessus.org and look for the plugins whose commit log is "privacy".

While I apologize to those who have felt threatened by this issue, I sincerely regret the fact that they did not voice their concerns directly to me (even though I was attending CanSecWest, and the person who spread the rumor too), and preferred to go the sneaky way about this.

Hopefully, the incident is over in CVS, and will be in Nessus 1.2.1.

-- Renaud

From isn at c4i.org Mon May 20 05:22:37 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] 13,000 Credit Reports Stolen by Hackers
Message-ID:

http://www.nytimes.com/2002/05/17/technology/17IDEN.htm

By JOHN SCHWARTZ
May 17, 2002

Hackers posing as employees of the Ford Motor Credit Company have in recent months harvested a trove of 13,000 credit reports - a virtual one-stop shop for fraud and identity theft - with data on consumers in affluent neighborhoods across the country.
The company said in a letter to the victims that computer intruders used an authorization code from Ford Credit to get the credit reports from Experian, one of three major reporting agencies.

"I've never seen anything of this size," a spokesman for Experian, Donald Girard, said. "Privacy is the hallmark of our business. We're extraordinarily concerned about the privacy issue here, and the trust factor."

The inquiries gave the intruders access to each victim's personal and financial information, including address, Social Security number, bank and credit card accounts and ratings of creditworthiness, which can be used to identify the best targets.

"This is not just a credit card number; this is the whole kazoo," said Richard Power, the editorial director for the Computer Security Institute, an industry trade group. A criminal could use the data to make credit card charges or even open bank and credit card accounts in the victim's name.

Thefts of credit records, Mr. Power said, are far more common than is reported. "The unique thing about this one," he said, "is that it has surfaced."

The theft was first reported yesterday by The Boston Globe and The Detroit News.

Statistics on identity theft are hard to come by, with estimates ranging as high as 700,000 cases a year. Betsy Broder, the assistant director for planning and information of the Federal Trade Commission, said the commission received 86,000 complaints of identity theft last year.

Representatives of Ford Credit said they did not know how the hackers acquired the code, which was used by the company's office in Grand Rapids, Mich. The intruders focused on addresses in affluent neighborhoods, often in numeric sequence, said Rich Van Leeuwen, executive vice president at Ford Credit.

The company said it had sent letters via certified mail to all 13,000 people, urging them to contact Experian and the two other credit reporting giants, Equifax and TransUnion, and to report any evidence of abuse to the F.B.I.
The company has also worked with Experian to set up a phone line to let victims get their credit reports and help them resolve discrepancies. Neither Ford Credit nor Experian has determined how many people have reported fraudulent charges or other problems. Mr. Girard said that Experian had received 2,700 calls since the letters started going out this month.

Although the unauthorized inquiries began in April 2001, Ford first heard about the problem in February, Mr. Van Leeuwen said. Only 400 of the 13,000 victims were customers of Ford Credit, he said.

Dawn M. Clenney, a special agent at the F.B.I. office in Detroit, said that she could not comment, except to say, "We're on the case."

Mr. Girard, the Experian spokesman, said the company would work with the F.B.I. to catch and prosecute the intruders. "It just shows that today, even big companies can be victimized," he said. "It's a never-ending struggle against the bad guys."

From isn at c4i.org Fri May 17 04:48:26 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] [Admin note] Request for Comments
Message-ID:

In the last couple of weeks I have been working on a few updates of both C4I.org and InfoSec News for a new site rollout in the near future. I have also been poring over webstats, looking at search terms, and trying a few of them out.

One site that surprised me was an article I never saw until today in ITworld.com by Brian Hatch, "Where to Go for Security Summaries" (http://www.itworld.com/nl/lnx_sec/03262002/), where there was a neat review for InfoSec News!

    InfoSec News

    ISN (http://www.c4i.org/isn.html) shoots copies of interesting security-related articles directly to your email. The articles are very wide ranging; they're usually not related to specific vulnerabilities, but they do offer some enjoyable security reading.
    Volume ranges from one to ten messages a day. Yeah, it's not a weekly security reminder, but it's fun.

That review made my day! Which leads to the main reason why I'm sending this mail out. Whenever someone leaves the list, I always manually type out a message to the effect of...

-=-
Hello,

I see that you signed off the ISN list, and I was curious why?

Thanks!

William Knowles
wk@c4i.org
-=-

Nine out of ten times of sending this I get little nuggets of feedback to improve the list. One that has been popping up a lot is in regards to the amount of messages being sent out, and of those replying back on InfoSec News articles. Some would like to see a separate list for replies. I think it's a good idea, as it would cut down on the amount of ISN mail sent, but I was curious how many of you, the ISN readers, would be interested in an unmoderated list of replies to InfoSec News articles?

Unmoderated only as far as things stay on topic; if things gravitated towards food recipes involving heat generated from your servers, ballistic comparisons between the H&K MP-5 PDW and the FN P90 PDW, or the most efficient way to send a box of Krispy Kreme doughnuts overseas while still keeping them fresh, then I'd probably have to jump in and moderate the list. :)

I have no idea what the traffic would be like on this separate list; sometimes there is one or two messages in my box about a story, and other times there's been 10+ messages.

So, there it is, think about it, sleep on it, reply with a little feedback and we'll go with it from there.

Thanks for your time!

William Knowles
isn@c4i.org

From isn at c4i.org Mon May 20 05:21:38 2002
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 10 03:59:09 2008
Subject: [ISN] Are you the Klez monster?
Message-ID:

http://news.com.com/2100-1001-916945.html?tag=fd_top

By Robert Lemos
Staff Writer, CNET News.com
May 17, 2002, 1:05 PM PT

It may only be a matter of time before you're accused of spreading the Klez virus. A month after it started spr