From alerts at infosecnews.org Fri Jun 1 02:37:40 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Mac OS X Exploit Rapidly Follows Patch
Message-ID:

http://www.eweek.com/article2/0,1895,2138304,00.asp

By Brian Prince
May 29, 2007

Security research firm Immunity released exploit code for a serious bug affecting Mac OS X less than 24 hours after Apple released a patch for it.

The flaw is a buffer overflow vulnerability in the UPnP Internet Gateway Device Standardized Device Control code used to create port mappings on home NAT (Network Address Translation) gateways in the OS X mDNSResponder implementation.

Apple issued a patch for the vulnerability late in the week of May 21. The flaw, one of 17 security issues addressed by the company in the update, could lead to the remote execution of code. It affects Mac OS X v10.4.9 and Mac OS X Server v10.4.9.

The exploit was made available on May 25, less than 24 hours later, to members of Immunity's partner program.

"So essentially [it's] a reliable remote root on everyone at Starbucks or on all those OS X fiends at security conventions," Dave Aitel, chief technology officer for Immunity, based in Miami, wrote in a posting about the exploit. "The Immunity exploit will do so on either PPC or Intel, your pick, and since the service restarts, you get to pick twice."

Jose Nazario, a software and security engineer at Arbor Networks, based in Lexington, Mass., said it was unusual for an exploit of a Mac vulnerability to be released so quickly.

"I don't know of any others that have been quite that fast, within a day or two," Nazario said, adding that Mac OS X has increasingly become a source of interest for hackers and security researchers alike.
From alerts at infosecnews.org Fri Jun 1 02:37:58 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] ISG Seeks Information Security
Message-ID:

http://www.thisdayonline.com/nview.php?id=79587

By Frances Ovia
05.30.2007

In a bid to ensure that a lasting solution is achieved in our environment, the second monthly meeting of the Information Security Group (ISG) Africa forum, which was held recently with all stakeholders in the information security space in attendance, advocated that information security must be accorded top priority.

In a keynote address, David Isiavwe, General Manager, UBA Plc, said "If corporations want employees and shareholders to be their top priority, then information security must become their paramount concern".

With the threats of terrorism and a dramatic increase in the number and complexity of other security-related risks such as computer viruses, cyber attacks, theft, extortion and fraud, he affirmed that companies must find a more comprehensive approach to protecting their employees, core networks and facilities.

Isiavwe explained that as new threats emerge and business transactions become more intricate, adhering to regulations and compliance guidelines also becomes more complex and challenging. The focus on security from an enterprise perspective has led to innovative approaches that emphasize the big picture encompassing risk and strategic planning in business organizations, he said.

Companies' assets are now increasingly information-based and intangible, and even most physical assets rely heavily on information. Technology is now allowing companies to offer more information products. As these products become increasingly intangible, there is a greater need for information security throughout the entire enterprise. Organizations rely on their IT systems to provide real value, increase competitive advantage and improve relationships with customers and trading partners.

"The convergence of logical and physical security is a natural progression that enables businesses to better protect all of their assets and achieve significant financial efficiencies. Increasingly, information security is becoming a legal obligation. It was historically a technical job for the IT department, but it is now a far bigger legal issue with the ever increasing number of lawsuits, court decisions and focus on international legislation all of which clearly demonstrates that senior managers have a legal obligation to protect their company's information", he stressed.

Using static passwords and a firewall is not enough today, he added, pointing out that cyber terrorism is a real threat as it presents a significant opportunity to destroy the economic environment of organisations and the society at large.

He stated that the migration of business, government and the activities of individuals to technology-driven platforms, the technical evolution towards undisrupted availability of systems, instant access to networks and the growing risks to the global IT infrastructure make it mandatory for the infrastructure to be protected by all concerned parties.

Isiavwe argued that indeed, companies that support security functions and devote more resources towards its implementation will emerge as leaders not only in their own sectors, but across all sectors.
From alerts at infosecnews.org Fri Jun 1 02:38:19 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Secunia Weekly Summary - Issue: 2007-22
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2007-05-24 - 2007-05-31

This week: 70 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure.

The Full Featured Secunia Network Software Inspector (NSI) is now available:
http://secunia.com/network_software_inspector/

The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications.

========================================================================
2) This Week in Brief:

Secunia Research has discovered a vulnerability in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.

A design error exists in the security restrictions on subclasses of QTObject, which can be exploited by malicious Java code to allow subclassing of QuickTime objects that call unsafe functions from QTJava.dll. This can be exploited to read or write arbitrary parts of memory.

Successful exploitation allows execution of arbitrary code on Windows and OS X systems, when a user visits a malicious web site using a Java-enabled browser.
This vulnerability is rated by Secunia as highly critical because an attacker could use this flaw to gain access to a vulnerable system. Apple has released Security update 2007-05 for this vulnerability, and users are encouraged to patch their systems.

For more information:
http://secunia.com/advisories/25130/

--

Along with the vulnerability discussed above, the Apple Security Update also fixes several other vulnerabilities. These include known vulnerabilities in BIND, file, and ruby, among others, as well as newly disclosed vulnerabilities in Alias Manager, pppd, vpnd, and others.

These vulnerabilities have varying consequences, such as compromising a vulnerable system, disclosing user passwords, causing crashes, or allowing a user to gain escalated privileges. Users are advised to apply the security update immediately.

For more information:
http://secunia.com/advisories/25402/

--

Mozilla has also released multiple security updates this week, providing solutions for several known security issues and software bugs.

Errors in the Javascript engine can be exploited to crash the browser or potentially execute arbitrary code. Another error in the "addEventListener" method can be exploited to inject script into another site, bypassing the browser's same-origin policy. And finally, an error in the handling of XUL popups can be exploited to spoof parts of the browser, such as the location bar, which can be used for phishing attacks.

These vulnerabilities are found in Firefox and Seamonkey. The Javascript engine errors are also present in Thunderbird. All users of these Mozilla products are advised to update their systems immediately.

For more information:
http://secunia.com/advisories/25469/ (Firefox)
http://secunia.com/advisories/25488/ (Seamonkey)
http://secunia.com/advisories/25489/ (Thunderbird)

--

VIRUS ALERTS:

During the past week Secunia collected 165 virus descriptions from the Antivirus vendors.
However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA25402] Apple Mac OS X Security Update for Multiple Vulnerabilities
2. [SA25130] Apple QuickTime Java Extension Two Vulnerabilities
3. [SA23769] Internet Explorer Multiple Vulnerabilities
4. [SA25398] Linux Kernel Unspecified GEODE-AES Vulnerability
5. [SA25383] Apache Tomcat JK Web Server Connector Double Encoded ".." Security Bypass
6. [SA25380] avast! CAB and SIS File Processing Buffer Overflows
7. [SA25403] Sun Solaris NFS Client Module Denial of Service
8. [SA25390] Symantec Enterprise Security Manager Denial of Service
9. [SA25411] Sun Solaris snmpd AgentX Subagent Request Processing Vulnerability
10. [SA25399] Novell International Cryptographic Infrastructure Two Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:

[SA25473] Zenturi ProgramChecker ActiveX Components ActiveX Control Buffer Overflows
[SA25472] British Telecommunications webhelper ActiveX Controls Vulnerabilities
[SA25471] Media Technology Group CDPass ActiveX Control Buffer Overflows
[SA25468] Zenturi ProgramChecker ActiveX Components ActiveX Control "DownloadFile()" Insecure Method
[SA25444] LEADTOOLS LEAD Raster OCR Document Object Library ActiveX Control Buffer Overflow
[SA25433] LEADTOOLS LEAD Raster ISIS Object ActiveX Control Buffer Overflow
[SA25430] Ademco ATNBaseLoader100 Module ActiveX Control Buffer Overflows
[SA25418] EDraw Office Viewer Component ActiveX Control Insecure Method and Buffer Overflow Vulnerabilities
[SA25455] rm-forum "rmforum.mdb" Database Disclosure Security Issue
[SA25453] WabCMS "/db/wabcmsn.mdb" Database Disclosure Security Issue
[SA25436] Techno Dreams Web Directory "Database.mdb" Database Disclosure
[SA25422] Digirez Two Cross-Site Scripting Vulnerabilities
[SA25449] F-Secure Policy Manager Server Host Module Denial of Service Vulnerability
[SA25439] F-Secure Anti-Virus Real-Time Scanning Component Privilege Escalation
[SA25457] Microsoft Windows Active Directory Logon Hours User Enumeration Weakness
[SA25410] Credant Mobile Guardian Shield for Windows Information Disclosure

UNIX/Linux:

[SA25491] Red Hat update for seamonkey
[SA25490] Red Hat update for firefox
[SA25462] Gentoo update for mplayer
[SA25445] Gentoo update for php
[SA25421] Fundanemt "spellcheck.php" Shell Command Injection Vulnerability
[SA25416] Debian update for gforge-plugin-scmcvs
[SA25404] Gentoo blackdown-jdk and blackdown-jre Vulnerabilities
[SA25492] Red Hat update for thunderbird
[SA25483] Ubuntu update for freetype
[SA25478] IBM AIX Perl Unspecified Code Execution Vulnerability
[SA25464] Sun Solaris Kerberos kadm5 Library Vulnerability
[SA25463] Gentoo update for freetype
[SA25458] IBM AIX WebSM Unspecified Denial of Service Vulnerability
[SA25435] DOMjudge "receive()" Denial of Service Vulnerability
[SA25432] SUSE Update for Multiple Packages
[SA25431] Ubuntu update for pulseaudio
[SA25482] IBM AIX BIND Denial of Service Vulnerability
[SA25467] Sun Solaris update for Adobe Flash Player
[SA25465] Sun Solaris "in.iked" Denial of Service Vulnerability
[SA25428] Red Hat update for quagga
[SA25419] Debian update for otrs2
[SA25413] Avaya IR Java Web Start Insecure System Classes Vulnerability
[SA25407] Web Icerik Yonetim Sistemi "No" Cross-Site Scripting
[SA25411] Sun Solaris snmpd AgentX Subagent Request Processing Vulnerability
[SA25425] xfsdump "xfs_fsr" Insecure Temporary Directory Creation
[SA25450] Sun Solaris "inetd" Denial of Service Vulnerability
[SA25408] Mutt GECOS Name Processing Buffer Overflow Vulnerability

Other:

[SA25420] Ingate Firewall and SIParator Multiple Vulnerabilities
[SA25409] Nortel Meridian CS 1000 Unspecified Denial of Service Vulnerability
[SA25448] 8e6 R3000 Internet Filter Cross-Site Scripting Vulnerabilities
[SA25486] OpenVMS Local Denial of Service Vulnerability

Cross Platform:

[SA25488] Mozilla SeaMonkey Multiple Vulnerabilities
[SA25469] Mozilla Firefox Multiple Vulnerabilities
[SA25460] Pheap PHP Code Execution and Information Disclosure
[SA25459] FileCloset File Upload Vulnerability
[SA25426] F-Secure Products LHA Archive Handling Buffer Overflow
[SA25417] Avira Antivir Multiple File Processing Vulnerabilities
[SA25414] Geeklog CAPTCHA Plugin "_CONF[path]" File Inclusion
[SA25405] Sun Java System Web Proxy Server SOCKS Module Buffer Overflows
[SA25489] Mozilla Thunderbird Memory Corruption Vulnerability
[SA25452] gCards "newsid" SQL Injection Vulnerability
[SA25451] My Little Forum "id" SQL Injection Vulnerability
[SA25440] F-Secure Packed Executable and Archive Scanning Denial of Service
[SA25438] DGNews Cross-Site Scripting and SQL Injection Vulnerabilities
[SA25424] cpCommerce "name" Script Insertion Vulnerability
[SA25423] HP System Management Homepage PHP Multiple Vulnerabilities
[SA25412] cpCommerce Two SQL Injection Vulnerabilities
[SA25427] Openfire Unspecified Privilege Escalation Vulnerability
[SA25470] Bochs NE2000 RX Frame Overflow and Disk Controller Denial of Service
[SA25447] FirstClass "%00" Cross-Site Scripting Vulnerability
[SA25446] phpPgAdmin login.php Cross-Site Scripting Vulnerability
[SA25443] eggblog Session Fixation Vulnerability
[SA25437] Invision Power Board "editorid" Cross-Site Scripting
[SA25415] Tor Circuit Generation Entry Guard Check Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA25473] Zenturi ProgramChecker ActiveX Components ActiveX Control Buffer Overflows

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-30

Will Dormann has reported some vulnerabilities in Zenturi ProgramChecker, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/25473/

--
[SA25472] British Telecommunications webhelper ActiveX Controls Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-30

Will Dormann has reported some vulnerabilities in the British Telecommunications Consumer webhelper and Business Connect ActiveX controls, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25472/

--
[SA25471] Media Technology Group CDPass ActiveX Control Buffer Overflows

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-30

Will Dormann has reported some vulnerabilities in Media Technology Group CDPass ActiveX Control, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25471/

--
[SA25468] Zenturi ProgramChecker ActiveX Components ActiveX Control "DownloadFile()" Insecure Method

Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2007-05-31

shinnai has discovered a vulnerability in Zenturi ProgramChecker, which can be exploited by malicious people to overwrite arbitrary files or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25468/

--
[SA25444] LEADTOOLS LEAD Raster OCR Document Object Library ActiveX Control Buffer Overflow

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-28

shinnai has discovered a vulnerability in LEADTOOLS LEAD Raster OCR Document Object Library ActiveX control, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/25444/

--
[SA25433] LEADTOOLS LEAD Raster ISIS Object ActiveX Control Buffer Overflow

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-29

shinnai has discovered a vulnerability in LEADTOOLS LEAD Raster ISIS Object ActiveX control, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25433/

--
[SA25430] Ademco ATNBaseLoader100 Module ActiveX Control Buffer Overflows

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-28

rgod has discovered some vulnerabilities in Ademco ATNBaseLoader100 Module ActiveX control, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25430/

--
[SA25418] EDraw Office Viewer Component ActiveX Control Insecure Method and Buffer Overflow Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2007-05-30

shinnai has discovered two vulnerabilities in EDraw Office Viewer Component, which can be exploited by malicious people to delete arbitrary files or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25418/

--
[SA25455] rm-forum "rmforum.mdb" Database Disclosure Security Issue

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2007-05-28

the_Edit0r has reported a security issue in rm-forum, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/25455/

--
[SA25453] WabCMS "/db/wabcmsn.mdb" Database Disclosure Security Issue

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2007-05-28

the_Edit0r has reported a security issue in WabCMS, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/25453/

--
[SA25436] Techno Dreams Web Directory "Database.mdb" Database Disclosure

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2007-05-28

Titanichacker(egy-virus) has reported a security issue in Techno Dreams Web Directory, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/25436/

--
[SA25422] Digirez Two Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-28

Linux_Drox has reported two vulnerabilities in Digirez, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/25422/

--
[SA25449] F-Secure Policy Manager Server Host Module Denial of Service Vulnerability

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2007-05-30

A vulnerability has been reported in F-Secure Policy Manager Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25449/

--
[SA25439] F-Secure Anti-Virus Real-Time Scanning Component Privilege Escalation

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2007-05-30

A vulnerability has been reported in various F-Secure products, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/25439/

--
[SA25457] Microsoft Windows Active Directory Logon Hours User Enumeration Weakness

Critical: Not critical
Where: From local network
Impact: Exposure of system information
Released: 2007-05-31

Sumit Siddharth has reported a weakness in Microsoft Windows, which can be exploited by malicious people to identify valid user accounts.
Full Advisory:
http://secunia.com/advisories/25457/

--
[SA25410] Credant Mobile Guardian Shield for Windows Information Disclosure

Critical: Not critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2007-05-25

Mike Iacovacci has reported a security issue in Credant Mobile Guardian Shield for Windows (CMG Shield), which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/25410/

UNIX/Linux:
--
[SA25491] Red Hat update for seamonkey

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Spoofing, Exposure of sensitive information, DoS, System access
Released: 2007-05-31

Red Hat has issued an update for seamonkey. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25491/

--
[SA25490] Red Hat update for firefox

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Spoofing, Exposure of sensitive information, DoS, System access
Released: 2007-05-31

Red Hat has issued an update for firefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25490/

--
[SA25462] Gentoo update for mplayer

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2007-05-31

Gentoo has issued an update for mplayer. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/25462/

--
[SA25445] Gentoo update for php

Critical: Highly critical
Where: From remote
Impact: Unknown, Security Bypass, Manipulation of data, Brute force, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2007-05-28

Gentoo has issued an update for php. This fixes some vulnerabilities and weaknesses, where some have unknown impacts and others can be exploited by malicious, local users to bypass certain security restrictions or compromise a vulnerable system, by malicious users to manipulate certain data, disclose potentially sensitive information, bypass certain security restrictions, or cause a DoS (Denial of Service), and potentially by malicious people to cause a DoS or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25445/

--
[SA25421] Fundanemt "spellcheck.php" Shell Command Injection Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-28

Kacper has reported a vulnerability in Fundanemt, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25421/

--
[SA25416] Debian update for gforge-plugin-scmcvs

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-25

Debian has issued an update for gforge-plugin-scmcvs. This fixes a vulnerability, which can be exploited by malicious people to potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25416/

--
[SA25404] Gentoo blackdown-jdk and blackdown-jre Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Privilege escalation, System access
Released: 2007-05-28

Gentoo has acknowledged some vulnerabilities in blackdown-jdk and blackdown-jre, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.
Full Advisory:
http://secunia.com/advisories/25404/

--
[SA25492] Red Hat update for thunderbird

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-05-31

Red Hat has issued an update for thunderbird. This fixes a vulnerability, which can potentially be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25492/

--
[SA25483] Ubuntu update for freetype

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-05-31

Ubuntu has issued an update for freetype. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/25483/

--
[SA25478] IBM AIX Perl Unspecified Code Execution Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2007-05-31

A vulnerability has been reported in IBM AIX, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25478/

--
[SA25464] Sun Solaris Kerberos kadm5 Library Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-05-30

Sun has acknowledged a vulnerability in Sun Solaris, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25464/

--
[SA25463] Gentoo update for freetype

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-05-31

Gentoo has issued an update for freetype. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.
Full Advisory:
http://secunia.com/advisories/25463/

--
[SA25458] IBM AIX WebSM Unspecified Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-05-31

A vulnerability has been reported in IBM AIX, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25458/

--
[SA25435] DOMjudge "receive()" Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-05-29

Lennert Buytenhek has reported a vulnerability in DOMjudge, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25435/

--
[SA25432] SUSE Update for Multiple Packages

Critical: Moderately critical
Where: From remote
Impact: Unknown, DoS, System access
Released: 2007-05-28

SUSE has issued updates for multiple packages. These fix some vulnerabilities, where one has an unknown impact and others can be exploited by malicious users to cause a DoS (Denial of Service) and by malicious people to cause a DoS or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25432/

--
[SA25431] Ubuntu update for pulseaudio

Critical: Moderately critical
Where: From local network
Impact: DoS
Released: 2007-05-28

Ubuntu has acknowledged some vulnerabilities in pulseaudio, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25431/

--
[SA25482] IBM AIX BIND Denial of Service Vulnerability

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-05-31

IBM has acknowledged a vulnerability in AIX, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/25482/

--
[SA25467] Sun Solaris update for Adobe Flash Player

Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2007-05-31

Sun has issued an update for Sun Solaris. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/25467/

--
[SA25465] Sun Solaris "in.iked" Denial of Service Vulnerability

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-05-30

Sun has acknowledged a vulnerability in Sun Solaris, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25465/

--
[SA25428] Red Hat update for quagga

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-05-30

Red Hat has issued an update for quagga. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25428/

--
[SA25419] Debian update for otrs2

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-28

Debian has issued an update for otrs2. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks.

Full Advisory:
http://secunia.com/advisories/25419/

--
[SA25413] Avaya IR Java Web Start Insecure System Classes Vulnerability

Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2007-05-28

Avaya has acknowledged a vulnerability in Avaya IR, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/25413/

--
[SA25407] Web Icerik Yonetim Sistemi "No" Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-25

Vagrant has reported a vulnerability in Web Icerik Yonetim Sistemi, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/25407/

--
[SA25411] Sun Solaris snmpd AgentX Subagent Request Processing Vulnerability

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2007-05-25

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25411/

--
[SA25425] xfsdump "xfs_fsr" Insecure Temporary Directory Creation

Critical: Less critical
Where: Local system
Impact: Manipulation of data, Exposure of sensitive information
Released: 2007-05-30

Paul Martin has reported a security issue in xfsdump, which can be exploited by malicious, local users to disclose potentially sensitive information or manipulate data.

Full Advisory:
http://secunia.com/advisories/25425/

--
[SA25450] Sun Solaris "inetd" Denial of Service Vulnerability

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-05-30

Sun has acknowledged a vulnerability in Sun Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25450/

--
[SA25408] Mutt GECOS Name Processing Buffer Overflow Vulnerability

Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2007-05-28

A vulnerability has been reported in mutt, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/25408/

Other:
--
[SA25420] Ingate Firewall and SIParator Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Released: 2007-05-29

Some vulnerabilities have been reported in Ingate Firewall and SIParator, which can be exploited by malicious users to disclose potentially sensitive information or by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25420/

--
[SA25409] Nortel Meridian CS 1000 Unspecified Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-05-25

Eldon Sprickerhoff and Richard Gowman have reported a vulnerability in Nortel Meridian CS 1000, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25409/

--
[SA25448] 8e6 R3000 Internet Filter Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-29

agentsteal has reported some vulnerabilities in 8e6's R3000 Internet Filter, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/25448/

--
[SA25486] OpenVMS Local Denial of Service Vulnerability

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2007-05-31

A vulnerability has been reported in OpenVMS, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25486/ Cross Platform:-- [SA25488] Mozilla SeaMonkey Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Spoofing, Exposure of sensitive information, DoS, System access Released: 2007-05-31 Some vulnerabilities have been reported in Mozilla SeaMonkey, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/25488/ -- [SA25469] Mozilla Firefox Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Spoofing, Exposure of sensitive information, DoS, System access Released: 2007-05-31 Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/25469/ -- [SA25460] Pheap PHP Code Execution and Information Disclosure Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of sensitive information, System access Released: 2007-05-30 Silentz has discovered some vulnerabilities in Pheap, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, and to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25460/ -- [SA25459] FileCloset File Upload Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2007-05-30 A vulnerability has been reported in FileCloset, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/25459/ -- [SA25426] F-Secure Products LHA Archive Handling Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2007-05-30 A vulnerability has been reported in various F-Secure products, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25426/ -- [SA25417] Avira Antivir Multiple File Processing Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2007-05-29 Sergio Alvarez has reported some vulnerabilities in Avira Antivir, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25417/ -- [SA25414] Geeklog CAPTCHA Plugin "_CONF[path]" File Inclusion Critical: Highly critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, System access Released: 2007-05-29 A vulnerability has been reported in the CAPTCHA plugin for Geeklog, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25414/ -- [SA25405] Sun Java System Web Proxy Server SOCKS Module Buffer Overflows Critical: Highly critical Where: From remote Impact: System access Released: 2007-05-28 Two vulnerabilities have been reported in Sun Java System Web Proxy Server, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25405/ -- [SA25489] Mozilla Thunderbird Memory Corruption Vulnerability Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2007-05-31 A vulnerability has been reported in Mozilla Thunderbird, which can potentially be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/25489/ -- [SA25452] gCards "newsid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2007-05-28 Silentz has discovered a vulnerability in gCards, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/25452/ -- [SA25451] My Little Forum "id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2007-05-28 Silentz has discovered a vulnerability in My Little Forum, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/25451/ -- [SA25440] F-Secure Packed Executable and Archive Scanning Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2007-05-30 A vulnerability has been reported in various F-Secure products, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25440/ -- [SA25438] DGNews Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2007-05-29 Some vulnerabilities have been reported in DGNews, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/25438/ -- [SA25424] cpCommerce "name" Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2007-05-28 jadoba has reported a vulnerability in cpCommerce, which can be exploited by malicious people to conduct script insertion attacks. 
Full Advisory: http://secunia.com/advisories/25424/ -- [SA25423] HP System Management Homepage PHP Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of sensitive information, DoS, System access Released: 2007-05-30 HP has acknowledged some vulnerabilities in HP System Management Homepage, which can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25423/ -- [SA25412] cpCommerce Two SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2007-05-25 Two vulnerabilities have been discovered in cpCommerce, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/25412/ -- [SA25427] Openfire Unspecified Privilege Escalation Vulnerability Critical: Moderately critical Where: From local network Impact: Privilege escalation Released: 2007-05-29 A vulnerability has been reported in Openfire, which can be exploited by malicious users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/25427/ -- [SA25470] Bochs NE2000 RX Frame Overflow and Disk Controller Denial of Service Critical: Moderately critical Where: Local system Impact: DoS, System access Released: 2007-05-31 Tavis Ormandy has reported some vulnerabilities in Bochs, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/25470/ -- [SA25447] FirstClass "%00" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-05-29 agentsteal has reported a vulnerability in FirstClass, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/25447/ -- [SA25446] phpPgAdmin login.php Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-05-28 Michal Majchrowicz has reported a vulnerability in phpPgAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/25446/ -- [SA25443] eggblog Session Fixation Vulnerability Critical: Less critical Where: From remote Impact: Hijacking Released: 2007-05-30 David Vieira-Kurz has discovered a vulnerability in eggblog, which can be exploited by malicious people to conduct session fixation attacks. Full Advisory: http://secunia.com/advisories/25443/ -- [SA25437] Invision Power Board "editorid" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-05-30 Iron has reported a vulnerability in Invision Power Board, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/25437/ -- [SA25415] Tor Circuit Generation Entry Guard Check Weakness Critical: Not critical Where: From remote Impact: Exposure of sensitive information Released: 2007-05-28 lodger has reported a weakness in Tor, which potentially can be exploited by malicious people to expose sensitive information. Full Advisory: http://secunia.com/advisories/25415/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. 
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From alerts at infosecnews.org Fri Jun 1 02:38:40 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Lax USB stick security causing havoc
Message-ID:

http://www.channelweb.co.uk/vnunet/news/2190942/security-professionals-lax-usb

By Clement James
vnunet.com
30 May 2007

Security professionals routinely carry around portable storage devices loaded with sensitive work-related data, potentially putting company information at risk.

According to a straw poll carried out at Infosecurity Europe last month, 90 per cent of the 12,000 attendees routinely carried portable storage devices.

SmartLine, a developer of network management and end-point security offerings, conducted a short survey on its stand.

"Ninety per cent of our visitors were carrying USB sticks, MP3 players, mobile phones with a memory card, digital cameras or some other storage gadget," said Sacha Chahrvin, managing director for UK & Ireland at SmartLine.

"If they are representative of Infosec's visitors as a whole then nearly 11,000 had such a device on them. We calculated that there were just under 22,000 devices in total wandering around at Infosec."

The survey also showed that 80 per cent of visitors believed their company had lost valuable confidential data through the use of these devices. Of the 20 per cent who were confident that their data was safe from rogue USB sticks, only one did not use such devices at work.

"The security experts who visited our stand were very honest, and most admitted to a security breach. My concern is that the remaining 20 per cent are just kidding themselves," said Chahrvin.
"Our survey shows that these devices are extremely popular. Only 10 per cent of people did not have one on them, and everyone who took part in the survey owned at least one such product, even if they hadn't got it with them. "Although these gadgets are designed to be perfectly harmless, it does not take much for them to become a major security headache. It is all too easy to use them to siphon off valuable data. "Even legitimate users can simply lose the device, or have it stolen. Organisations need to ensure that they have the right security measures in place to protect themselves from this type of data leakage." From alerts at infosecnews.org Fri Jun 1 02:39:01 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:30 2008 Subject: [ISN] The Changing Face of Infrastructure Monitoring Message-ID: http://www.serverwatch.com/trends/article.php/3680851 By Drew Robb ServerWatch May 31, 2007 Donald Trump is rumored to be heavily involved in it. Cisco Systems is all over it via its Cisco Connected Real Estate (CCRE) initiative. Numerous power, cooling and building-automation systems (BAS) vendors are jumping on the bandwagon. What is it? It's the convergence of IP networks and BAS. Convergence that is enabling IT managers to keep track of everything in one building via a single console. "We are seeing an emerging market of security systems, HVAC and power systems managed via IP," said Andreas Antonopoulos, an analyst at New York City based Nemertes Research. "Long term, we will see other forms of convergence, such as IP managing a whole range of BAS." BAS includes lighting, elevators, cooling and electrical elements. It can also encompass physical security systems, TV and fire safety ? all united under IP as the overarching control and monitoring system. Antonopoulos lists the benefits as power savings, coordination of physical and logical assets, and improved security. 
While such systems are starting to appear, it may be years before they are a standard part of provisioning a new data center. The early stages of convergence are here, however, and range from simple extensions of existing IT capabilities to full-fledged facility systems that tie IT tightly into a building's infrastructure.

Netuitive, for example, sells a business service management (BSM) solution that analyzes the data center in real time. It self-learns the system and transmits advanced warnings of heating and power issues. Netuitive Service Analyzer correlates environmental metrics, such as temperature and power consumption, alongside server performance metrics.

"Because server overheating creates IT nightmares, knowing ahead of time that the power consumption or temperature is going up allows the IT manager to contact the building manager to proactively prevent problems," said Jean-Francois Huard, CTO and vice president of research and development at Netuitive.

Netuitive's technology is based on statistical regression and correlation analysis. For example, a data center with multiple air conditioning (AC) units might have issues with one AC control board that failed to detect a rise in room temperature and therefore didn't send any alarms. This system would detect the anomaly early enough so an admin could have the AC control board repaired and address the overheating issue before any servers shut down. This technology also learns server patterns, so intensive periods of processor usage that send temperatures higher don't also sound the alarm for no reason.

According to Huard, Netuitive requires sensors be connected to the network. These can be found in the smart UPS and APC-MGE's NetBotz sensor offerings or Liebert's cooling systems.

Eaton offers a different way of monitoring. In addition to power equipment, Eaton's Foreseer Enterprise Management System manages environmental and life/safety devices from any site carrying a Foreseer server.
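The regression-and-residual idea described above, as an added example written for this page (it is not Netuitive's code and does not claim to reproduce its product): fit a baseline relating CPU utilisation to inlet temperature from a healthy history, then alert only on temperature the load does not explain. The sensor readings and the 3-sigma cut-off are constructed assumptions; the sample feed ends with exactly the case in the text, a quiet period where temperature climbs anyway, and a busy period that is hot but on the baseline, which must not alert.

```python
"""Baseline/residual anomaly detection over a data-centre sensor feed.

Added example; not Netuitive's code or its shipped algorithm. Learn how
inlet temperature normally tracks server load, then flag only readings
whose temperature the load does not account for. All readings below are
constructed for the example.
"""
from statistics import mean, pstdev


def fit_baseline(samples):
    """Least-squares line temp = a + b*cpu over (cpu_pct, temp_c) samples.

    Returns (a, b, sigma): sigma is the standard deviation of the training
    residuals, i.e. the normal spread of temperature around the line.
    """
    xs = [cpu for cpu, _ in samples]
    ys = [temp for _, temp in samples]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    a = my - b * mx
    residuals = [y - (a + b * x) for x, y in zip(xs, ys)]
    return a, b, pstdev(residuals)


def score(reading, baseline, k=3.0):
    """Return (expected_temp, z_score, is_anomaly) for one (cpu, temp) reading.

    A reading is anomalous when it sits more than k sigma ABOVE the line:
    heat the load does not explain (failed AC unit, blocked duct). Readings
    below the line are merely cold, so they are not flagged.
    """
    a, b, sigma = baseline
    cpu, temp = reading
    expected = a + b * cpu
    z = (temp - expected) / sigma if sigma > 0 else float("inf")
    return expected, z, z > k


def review_feed(readings, baseline, k=3.0):
    """Run score() over (timestamp, cpu, temp) rows; return only the alerts."""
    alerts = []
    for ts, cpu, temp in readings:
        expected, z, bad = score((cpu, temp), baseline, k)
        if bad:
            alerts.append({"ts": ts, "cpu": cpu, "temp": temp,
                           "expected": round(expected, 2), "z": round(z, 1)})
    return alerts


# Constructed training history: a healthy period where temperature rose
# roughly 1 C for every 10 points of CPU utilisation.
TRAINING = [(10, 21.2), (20, 22.1), (30, 23.2), (40, 23.9), (50, 25.1),
            (60, 26.0), (70, 27.2), (80, 27.9), (90, 29.1)]

# Constructed live feed: a nightly batch job (hot, but explained by load)
# followed by an idle period in which temperature climbs regardless.
FEED = [("02:00", 85, 28.6),   # busy and on the line: no alert
        ("02:10", 88, 28.8),
        ("04:00", 15, 21.8),   # idle and cool: normal
        ("04:10", 15, 24.5),   # idle yet warming: AC problem, alert
        ("04:20", 15, 26.0)]   # still climbing: alert

if __name__ == "__main__":
    base = fit_baseline(TRAINING)
    print("baseline temp = %.2f + %.3f*cpu, sigma = %.2f" % base)
    for alert in review_feed(FEED, base):
        print("ALERT", alert)
```

A single-variable line is enough to show the mechanism; a real deployment would fit per rack, refit on a rolling window so that seasonal drift does not become permanent "anomaly", and treat a flat-lined sensor (zero variance) as its own alarm rather than as a perfect baseline.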
It can interface with gear from most power and environmental equipment manufacturers, as well as fire, security, fuel, UPS, air handlers, HVAC, battery monitoring and temperature/humidity subsystems. Thus, IT managers can simultaneously track servers and building systems.

APC, meanwhile, has been steadily upgrading its InfraStruXure platform to encompass an even greater zone. InfraStruXure Central 4.0 covers data center design, monitoring and management, and it encompasses power, cooling, floor space and cabling. Its approach is to lower support costs and prevent downtime through early detection.

"With 1 to 2 percent of total U.S. power consumption now occurring in data centers, good data center design is vital, but alone it is not enough," said Soeren Jensen, general manager of enterprise management products at APC-MGE. "It takes the right combination of design, operational and management factors to run things properly."

InfraStruXure Central has three components to take care of each facet. Thus, it can be used to design a data center from the ground up (or reconfigure it), for day-to-day operations and in overall management. It keeps an eye on UPS, power switches, PDUs, batteries, cooling, environmental monitors, airflow and server racks. It can also be tied into some BAS systems and enterprise management platforms.

IP in Charge

Although many of the systems mentioned above can access data from building systems, most are limited in what they can do. Ultimately, however, that will change. The overall trend is for IP to be the backbone for all building systems. Instead of having dozens of different cabling systems, only a few will be needed, and IP will manage just about everything.

"Every major sub-system manufacturer has something to say about IP," said Tom Shircliff, co-founder of Intelligent Buildings in Charlotte, N.C. Intelligent Buildings is a pioneer in real-estate technology, design and management.
"Larger companies like Trane, Siemens, TAC and Johnson Controls promote building technology platforms that look like Ethernet diagrams with their BAS applications hanging off the edge." While this is a good sign, Shircliff cautioned that many of these established players in the facilities market continue to protect their proprietary protocols. As a result, products often labor to be truly interoperable with "foreign" controllers, other building applications and other technologies. He advocates platforms that accommodate multiple protocols and applications. Shircliff's advice to anyone planning a new data center: "Convergence comes at many different levels and you should take what you can get in today's environment, and look to the most progressive vendors to push your legacy systems and providers," said Shircliff. "Basic interoperability is already attainable with mechanical controls, access controls/security and lighting controls." Case in point: Intelligent Buildings was a primary vendor in a site known as Ballantyne Village in Charlotte, N.C. It executed its Fourth Utility concept alongside other providers, including Liebert, Panduit and Cisco. Fourth Utility is all about harnessing IP as a readily available utility ? just like electricity, water and gas. "Most of the dozen applications that are converged and operating on the Fourth Utility infrastructure at Ballantyne Village were not planned from the beginning but were groomed onto the infrastructure along the way," said Shircliff. "Some are converged physically via conduit, cable tray and fiber optics, and others are electronically converged by being switched through the Cisco infrastructure." This includes television, ambient music, digital signage on 35 plasma screens, energy sub-metering, WiFi, VoIP, LED property lighting, point of sales and even lavatories that tell the maintenance staff to bring more toilet paper or paper towels. 
Another example is the 4 million square-foot North Carolina Research Campus (NCRC), which is being built over the next few years at a cost of $1.5 billion. Anyone looking to see the data center of the future would do well to investigate this property. It is being constructed from the ground up using Intelligent Buildings' Fourth Utility infrastructure.

"Building system convergence is being driven by the dominance of IP and the economics," said Jim Sinopoli, principal of Sinopoli and Associates, an engineering and consulting firm based in Spicewood, Texas. "As well as saving money on the construction of the building, the benefits are ease of management and streamlining of the skill sets required to manage the systems."

On the drawback side of the ledger, however, he notes that legacy methods of designing and constructing a building are hard to combat. Traditionally, each system is designed and installed separately. Therefore, it can be difficult to get architects, engineers and contractors to agree to look at doing things in a different way. But like everything else, that will change with time.

Shircliff thinks it might take another five to seven years for complete convergence to take place. Meanwhile, early adopters in the United States, like Ballantyne Village and NCRC, represent some of the relatively few North American examples, compared to a multitude of such state-of-the-art campuses using this technology in Asia, the Middle East and Europe.

"From the perspective of the data center, the Fourth Utility is all about reducing capital expenditures and operating expenditures," said Terry King, business development manager at Liebert. "For now, however, it is mostly hype and discussion in the U.S.A. and not a lot of action. But that is going to change in the near future."

Copyright 2007 Jupitermedia Corporation - All Rights Reserved.
From alerts at infosecnews.org Fri Jun 1 02:39:16 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Windows Vista no more secure than XP: report
Message-ID:

http://arstechnica.com/news.ars/post/20070530-windows-vista-no-more-secure-than-xp-report.html

By Ken Fisher
Ars Technica
May 30, 2007

The strength of Windows Vista's security model is easily the biggest question facing the nascent operating system. While sales will be strong simply on account of the way OEMs have adopted Vista on their midrange and high-end offerings, the place of Vista in the enterprise is not yet clear. Microsoft must demonstrate that its approach to security with Vista is indeed effective; otherwise, IT managers will see little benefit to moving to the new OS anytime soon.

Windows Vista only offers "marginal security advantages over XP" according to tests completed by CRN [1]. "Vista remains riddled with holes, despite its multilayer security architecture and embedded security tools." The report's findings are mixed and at times a little unfair, but it does demonstrate the problems that Microsoft has to face, technical and otherwise.

The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software, something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted. Any business that is deploying Vista (or XP) without an antivirus solution is, of course, out of its mind.

What Vista does have built in is Windows Defender and User Account Control, which should both help stop forms of malware other than viruses. And CRN found that Vista does have an "edge" over XP when detecting spyware and adware. It wasn't perfect though: some malware slipped through. Here, though, we run into the issue of deciding what counts as "stopping" malware.
For instance, CRN says that Vista "missed" Trojan-Spy.Win32.Goldun.ms, when in fact UAC warns a user when it is accessed (I can confirm that). CRN faults Windows Defender for not identifying and blocking the Trojan outright (it did block others), while Microsoft will tell you that UAC did its job by throwing up a warning and asking for user intervention.

In testing some remote data exploits, the reviewers were unable to determine if all of the exploits they tested actually target Vista, making their findings rather questionable. IE7 did stop one RDS exploit while missing four others that may have been only targeted at XP. Notably, XP did not stop any of the RDS exploits. Vista is better here, but the jury is out on how well it did or did not do since the reviewers were unable to determine the full threat of the exploits they were using.

Vista and XP both failed miserably at finding scripting exploits in the HTTP stream, and this remains a big problem for both operating systems. Vista failed to flag the exploits as they came down the pipe, though the firewall did detect when the exploits attempted to communicate over the 'net. This is what we've found in our testing as well (the results of which we hope to publish next month).

CRN doesn't tell the whole story with such exploits, however. IE7 in protected mode forces such scripts to run at a very restricted user privilege level, unlike XP which will allow those same scripts to run at the same privilege level as a user. Vista may let some of those scripts through, but the damage they do is also mitigated to a certain extent. This is why Microsoft believes such threats will have to evolve [2] to survive with fewer rights and less access to the system: if they get through, they will find a very limited sandbox to play in. CRN's coverage completely ignores this point and fails to test for its effectiveness.
It was also disappointing to see CRN completely ignore the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own "SQL Slammer." Why CRN didn't address this is a mystery, as it is no minor matter.

Indeed, while the CRN report is informative, it lacks much critical information to support its judgment that Vista is only a minor improvement. For instance, it's not enough to know if an exploit "got through" IE. What happened afterward? Did it modify system files, corrupt the registry, or deliver some other payload? CRN doesn't report on the effects it observed. We cannot know if the scripting exploits really bypassed Vista because CRN doesn't tell us what the scripts did. There's a big difference between 1) a script exploit running and then installing a rootkit in XP and 2) a script exploit running in Vista but failing at installing that same rootkit. CRN makes no distinction.

In all, the CRN report finds that Vista was as good as XP in seven categories and better in four others (notably, Spyware/Adware, Obfuscated Code Exploits, RDS Exploits, and Trojans). Importantly, it was never outperformed by XP, and just as importantly, these tests were carried out using default settings. The scripting exploits, for instance, are largely defanged by tweaking IE7's zone settings, and there are other moves that a competent IT shop would undertake to make Vista more secure before releasing it to Joe User. And again, CRN didn't measure the effect of these exploits, which ignores a big piece of the overall security overhaul in Vista.

Still, Vista's security is most certainly not a "slam dunk," and that should worry Microsoft. The mantra that Vista is an evolutionary step in security should be met with better results than this.
As one IT contact told me recently, some shops view Windows security primarily as an issue of aggressive filtering at the corporate firewall, and Vista doesn't look poised to change that. All the reviews in the world probably won't change that, either. Time, coupled with a relatively clean record for Vista, is probably the only thing that will change skeptical minds.

[1] http://www.crn.com/software/199701019
[2] http://arstechnica.com/news.ars/post/20070430-microsofts-guru-malware-and-viruses-will-evolve-on-vista.html

Copyright © 1998-2007 Ars Technica, LLC

From alerts at infosecnews.org Fri Jun 1 02:39:32 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Computer hackers steal Carson funds
Message-ID:

http://www.latimes.com/news/local/la-me-hackers1jun01,0,2083352.story?coll=la-home-local

By Hector Becerra
Times Staff Writer
June 1, 2007

If Carson Treasurer Karen Avilla had had a nagging feeling she was being watched whenever she got on her laptop computer, she would have been right.

Cyber-thieves were able to shift nearly $450,000 from the city's general fund last week by using a program that was able to mimic the computer strokes made by Carson's financial officer. Each time Avilla logged on to her city-provided laptop in the morning, someone was, virtually, looking over her shoulder, recording every single keystroke.

Armed with the spyware program, the hackers obtained bank passwords. They wired $90,000 to a "Diego Smith" in North Carolina. One day later, on May 24, the thieves got bolder and wired $358,000 from the city's bank account to a bank in Kalamazoo, Mich.

Avilla and her deputy discovered the theft just in time to have all but $45,000 of the funds frozen. But the experience left city leaders rattled.

"As I sat there with the detectives and the forensic folks from the bank, I thought, 'I don't even want to touch a computer,' " Avilla said Thursday. "I felt violated. It made me think, 'Who's out there?'
" The crime raised concerns about the security of municipal coffers, especially when wireless networks are used. Although such city hacking cases have been isolated, some experts said many municipalities lack the large information technology staffs and large budgets for computer security. "If you go after a local municipality, they're more likely to have fewer people dedicated to computer security," said Eric Schultze, chief security architect for Shavlik Technologies in Minnesota and a widely cited expert in anti-hacking circles. Avilla said she still doesn't know how her computer was targeted. She said she doubts it had the latest security software patch protections ? something sheriff's detectives and bank investigators told her is essential in safeguarding her computer. She said that as soon as word got out, Carson fielded calls from officials in other cities, asking how they could protect themselves. South Gate City Manager Gary Milliman said he has seen all sorts of fraud perpetrated against cities in 32 years, but nothing like this. "I think it's a concern," Milliman said. "It's something we're going to check into to make sure there isn't a vulnerability in our system." Earlier this year, the finance director of the Northern California city of Willows discovered that a hacker had taken $4,000 from a city fund. Avilla said cities may not always notice smaller thefts. "One thousand dollars. You think a bank is going to bat an eye?" Avilla said. "It's not an inexpensive enterprise to have a full team that goes around checking every laptop ever used. I think we can use more IT folks, but when a lot of these departments were created, a few people had computers. Now everyone does. On top of that, almost everyone has a laptop." Experts said that without up-to-date security software, such a computer could be especially vulnerable if people who use it visit websites that contain spyware. 
But hackers also send mass e-mails which, if opened on vulnerable computers, can allow installation of "keystroke loggers."

"It automatically sends all keystrokes logged to a hacker, via e-mail or another form of communication," Schultze said. "So a hacker sitting halfway around the world can log into your bank account, enter your user name and do what they want to do."

Kevin Overcash, vice president of product management for Breach Security in Carlsbad, Calif., said that when organizations started installing a lot of wireless networks, hackers devised ways to breach them through what is called "drive-by hacking."

In trying to provide a service to their residents, by allowing them to check their water bills via the Web, for example, municipalities sometimes make themselves vulnerable, he said.

"That kind of access opens you up to hackers. It opens the door for people to have access to data if you do not have good security," Overcash said.

Avilla said she noticed a problem when she found she was unable to log on to the city's bank account. She thought she must have been typing the password incorrectly. On May 22, the bank gave her a new password. But unbeknownst to her, the cyber thieves got that password as soon as she tapped it into her computer.

On May 24, Avilla and her deputy checked bank balances and discovered the previous day's $90,000 wire transfer to someone in Wilson, N.C. Avilla checked with the bank and discovered the $358,000 transfer that day through National City Bank in Kalamazoo.

"I thought, 'We got a problem,' " Avilla said.

She called the bank and filed a police report, leading to the freezing of the city's funds. No one has been arrested, authorities said. L.A. County Sheriff's Capt. Todd Rogers said the department's high-tech crimes unit is on the case. The Secret Service is also helping in the investigation, he said.

Avilla said the experience has made her angry and determined to seek legislation that would address the problem.
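The theft above was caught by a manual balance check a day after the first wire; a stolen password defeats the login, not a review of what the account then does. As an added example written for this page (not code from the City of Carson, its bank or any vendor quoted in the article), the following reviews an outgoing-transfer log against a list of payees verified out of band and flags the three patterns the story illustrates: a wire to a beneficiary the city has never paid, a wire above a single-approver limit, and the "smaller thefts" Avilla says cities may not notice, several sub-threshold wires to one new payee. The log, the verified-payee list and the thresholds are constructed assumptions.

```python
"""Review of outgoing transfers against a verified payee list.

Added example, not code from the City of Carson, its bank or any vendor in
the article. The records, the verified payees and the thresholds below are
constructed for the example.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed transfer log, modelled loosely on the pattern in the article:
# routine payees, plus wires to people the city has never paid before.
SAMPLE_LOG = """\
date,type,beneficiary,bank_state,amount
2007-05-18,wire,Consulting LLC 88,NV,900.00
2007-05-19,wire,Consulting LLC 88,NV,950.00
2007-05-21,ach,LA County Payroll Svc,CA,212500.00
2007-05-21,wire,Consulting LLC 88,NV,975.00
2007-05-22,wire,Waste Mgmt Contractor,CA,48000.00
2007-05-23,wire,Diego Smith,NC,90000.00
2007-05-24,wire,Unknown Payee 4471,MI,358000.00
2007-05-24,ach,LA County Payroll Svc,CA,212500.00
"""

# Payees verified out of band (contract on file, callback to a known number)
# before the review window began. Anyone else is "new" for the whole window;
# a new payee is deliberately NOT promoted to verified just because a wire
# to them went through, since that is exactly what a thief's wire looks like.
VERIFIED_PAYEES = {"LA County Payroll Svc", "Waste Mgmt Contractor"}
LARGE_WIRE = 100_000.00   # assumed: single wire at or above this needs a second approver
SMALL_REPEAT = 5_000.00   # assumed: "small" wire, below most dual-control limits
REPEAT_COUNT = 3          # assumed: this many small wires to one new payee is a pattern


def parse_log(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["amount"] = float(r["amount"])
    return rows


def review(records, verified, large=LARGE_WIRE, small=SMALL_REPEAT, repeat=REPEAT_COUNT):
    """Return one alert dict per suspicious record, in log order, plus one
    aggregate alert per new payee that received `repeat` or more small wires."""
    alerts = []
    small_wires_to_new = defaultdict(list)
    for r in records:
        reasons = []
        if r["beneficiary"] not in verified:
            reasons.append("first-time beneficiary")
            if r["type"] == "wire" and r["amount"] < small:
                small_wires_to_new[r["beneficiary"]].append(r)
        if r["type"] == "wire" and r["amount"] >= large:
            reasons.append("large wire")
        if reasons:
            alerts.append({"date": r["date"], "beneficiary": r["beneficiary"],
                           "amount": r["amount"], "reasons": reasons})
    # Structuring check: several small wires to one unverified payee add up
    # to a loss that no single-transfer threshold would catch.
    for payee, rows in small_wires_to_new.items():
        if len(rows) >= repeat:
            alerts.append({"date": rows[-1]["date"], "beneficiary": payee,
                           "amount": sum(r["amount"] for r in rows),
                           "reasons": ["%d small wires to unverified payee" % len(rows)]})
    return alerts


def flagged_payees(alerts):
    return {a["beneficiary"] for a in alerts}


if __name__ == "__main__":
    for a in review(parse_log(SAMPLE_LOG), VERIFIED_PAYEES):
        print("%s  %-22s %10.2f  %s" % (a["date"], a["beneficiary"],
                                        a["amount"], ", ".join(a["reasons"])))
```

The check is only as good as the verified-payee list, so that list has to be maintained through a channel the keylogged laptop cannot reach (a callback from the bank, a second signer on a separate machine); a review that runs on the same compromised host, or that auto-adds a payee after the first successful wire, would have waved the $90,000 transfer through.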
"There's got to be more than one way to fight this," she said. "They get us in so many ways. There's got to be a way for us to get them."

From alerts at infosecnews.org Mon Jun 4 01:22:01 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] The Impact Of Cyberwarfare
Message-ID:

http://www.informationweek.com/security/showArticle.jhtml?articleID=199800131

By Larry Greenemeier & Sharon Gaudin
InformationWeek
Jun 2, 2007

Cyberwarfare: What will it look like, how will we defend against it? Those questions have taken on new urgency, as the possibility becomes more real. Recently, the Baltic nation of Estonia suffered several weeks of distributed denial-of-service attacks against both government and private-sector Web sites. And late last month, a report from the Department of Defense said the People's Liberation Army of China is building up its cyberwarfare capabilities, even creating malware that could be used against enemy computer systems in first-strike attacks. To date, there have been no proven, documented cases of one nation attacking another via cyberspace. Yet cyberwarfare is a chilling prospect that's treated among most nations with much the same reverence as Cold War players treated the idea of nuclear winter, mainly because of the potential large-scale economic disruption that would follow, says Howard Schmidt, a former White House cybersecurity adviser and former chief security officer at eBay and Microsoft. This would include shortages of supplies that could affect both citizens and the military, he says. The cyberattacks against Estonia primarily targeted the government, banking, media, and police sites, and they "affected the functioning of the rest of the network infrastructure in Estonia," the European Network and Information Security Agency, or ENISA, reported on its Web site.
As a result, targeted sites were inaccessible outside of Estonia for extended periods in order to ride out the attacks and to try to maintain services within the country. Distributed denial-of-service attacks are particularly difficult to prevent and require a lot of coordination to contain the damage when multiple sites are hit. In order to weather the 128 strikes launched against its cyberinfrastructure, Estonia sought help from not only its Computer Emergency Readiness Team, established late last year, but also the Trans-European Research and Education Networking Association and Computer Emergency Readiness Teams in other countries, including Finland and Germany, according to ENISA.

LET'S GET ALONG

A major hurdle that nations face in defending their critical infrastructures is working with the entities that control telecommunications networks, electrical grids, and transportation systems. This is a significant issue in the United States, given that the private sector owns more than 85% of the critical infrastructure. Communication and cooperation between government officials and private-sector critical infrastructure owners is essential because the military is more knowledgeable and better prepared to respond to a cyberattack. "When it comes to information warfare, corporations in general are no match for a trained intelligence officer," says David Drab, a 27-year veteran of the FBI who retired in 2002 and is now principal for information content security with Xerox Global Services. These officers have an objective, they have resources, and often they have the element of surprise on their side, he says. Businesses are ill-prepared to handle these types of attacks. The Defense Department's annual report to Congress on China's military strategy says China is building up "tactics and measures" to protect friendly computer systems and networks.
"The People's Liberation Army is pursuing comprehensive transformation from a mass army designed for protracted wars of attrition on its territory to one capable of fighting and winning short-duration, high-intensity conflicts against high-tech adversaries," according to the report. China refers to that as "local wars under conditions of informatization," the report says.

E-DOMINANCE

But China isn't just developing a defensive cyberwarfare plan. The People's Liberation Army sees exploiting computer network operations as critical to achieving "electromagnetic dominance" early in a conflict, says the report. And China is focused on being able to disrupt battlefield information systems. Still, Schmidt says, there are ways to mitigate the prospect of cyberwarfare. One is for nations to work with their critical infrastructure owners to bolster security preparedness. This includes ensuring that software patches are up to date and that access-control systems--biometric or otherwise--are in place to protect IT infrastructures from intruders and malicious insiders. Schmidt's other proposal is less technical and more diplomatic: "Create treaties among countries that agree to not do this to each other."

From alerts at infosecnews.org Mon Jun 4 01:22:43 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Linux Advisory Watch - June 1st 2007
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  June 1st 2007                                Volume 8, Number 22a  |
+---------------------------------------------------------------------+

Editors:  Dave Wreski                    Benjamin D. Thomas
          dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
This week advisories were released for the Linux kernel, PulseAudio, freetype, gforge-plugin-scm, otrs2, php, mutt, selinux, firefox, epiphany, devhelp, yelp, thunderbird, seamonkey, Mplayer, gnome-media, tomcat, jbossas, evolution, quagga, file, and mod_jk. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and Ubuntu.

---

Vyatta - Linux-based Router, Firewall & VPN

Vyatta software and appliances combine the features, performance and reliability of enterprise-class networking gear with the cost-savings and flexibility of linux-based solutions. Vyatta empowers you to replace overpriced proprietary router, firewall and VPN equipment with commercially supported open-source solutions.

Free Vyatta Software & Live Webinars >> http://www.linuxsecurity.com/ads/adclick.php?bannerid=28

---

* EnGarde Secure Linux v3.0.13 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.13 (Version 3.0, Release 13). This release includes several bug fixes and feature enhancements to the SELinux policy and several updated packages.

http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.13

---

RFID with Bio-Smart Card in Linux

In this paper, we describe the integration of a fingerprint template and an RF smart card for a clustered network, designed on the Linux platform with open source technology to obtain biometric security. Combining the smart card with biometrics achieves two-step authentication: the smart card is authenticated with a Personal Identification Number (PIN), and the card holder is then authenticated against the fingerprint template stored on the smart card.

http://www.linuxsecurity.com/content/view/125052/171/

---

Packet Sniffing Overview

The best way to secure yourself against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk.
http://www.linuxsecurity.com/content/view/123570/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New gforge-plugin-scmcvs packages fix arbitrary shell command execution
  24th, May, 2007

Bernhard R. Link discovered that the CVS browsing interface of Gforge, a collaborative development tool, performs insufficient escaping of URLs, which allows the execution of arbitrary shell commands with the privileges of the www-data user.

http://www.linuxsecurity.com/content/view/128325

* Debian: New otrs2 packages fix cross-site scripting
  28th, May, 2007

It was discovered that the Open Ticket Request System performs insufficient input sanitising for the Subaction parameter, which allows the injection of arbitrary web script code.

http://www.linuxsecurity.com/content/view/128349

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 5 Update: php-5.1.6-1.6
  24th, May, 2007

This update fixes a number of security issues in PHP. A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user.

http://www.linuxsecurity.com/content/view/128317

* Fedora Core 6 Update: mutt-1.4.2.3-1.fc6
  30th, May, 2007

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. Also, a buffer overflow in Mutt 1.4.2 might allow local users to execute arbitrary code via "&" characters in the GECOS field, which triggers the overflow during alias expansion.
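The mutt advisories in this issue describe an overflow that fires during alias expansion when the GECOS field contains "&" characters. By the usual Unix convention, each "&" in the GECOS full-name field stands for the login name with its first letter capitalised, so a single input byte becomes strlen(login) output bytes, and a field made of nothing but ampersands grows several-fold. The code below is an added illustration of that pattern, not mutt's own code: an unbounded expansion of the kind that overruns a fixed buffer, beside a bounded version that takes the destination size and reports when the expansion does not fit. The passwd fields are constructed for the example.

```c
/* Added example (not mutt's code): expanding "&" in a GECOS field.
 * By the usual Unix convention each "&" in the full-name field stands
 * for the login name with its first letter capitalised, so one input
 * byte can become strlen(login) output bytes. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed GECOS field of 32 ampersands (not from a real passwd). */
#define AMP32 "&&&&&&&&" "&&&&&&&&" "&&&&&&&&" "&&&&&&&&"

/* Bytes the expansion needs, excluding the terminating NUL. */
size_t gecos_expand_len(const char *gecos, const char *login)
{
    size_t n = 0, ll = strlen(login);
    for (; *gecos; gecos++)
        n += (*gecos == '&') ? ll : 1;
    return n;
}

/* Vulnerable pattern: dst is a fixed buffer, typically sized from the
 * raw GECOS string, and nothing checks that the expansion fits. With a
 * 5-letter login every "&" adds 4 bytes beyond the input length, so a
 * field of nothing but "&" overruns dst several times over. Only call
 * this with a destination already proven large enough. */
void gecos_expand_unsafe(char *dst, const char *gecos, const char *login)
{
    for (; *gecos; gecos++) {
        if (*gecos == '&') {
            const char *l = login;
            if (*l)
                *dst++ = (char)toupper((unsigned char)*l++);
            while (*l)
                *dst++ = *l++;
        } else {
            *dst++ = *gecos;
        }
    }
    *dst = '\0';
}

/* Hardened version: the destination size is explicit and checked before
 * every byte. Returns the expanded length, or -1 when dst is too small;
 * in both cases dst is NUL-terminated. */
long gecos_expand(char *dst, size_t dstsz, const char *gecos, const char *login)
{
    size_t used = 0;
    if (dstsz == 0)
        return -1;
    for (; *gecos; gecos++) {
        if (*gecos == '&') {
            int first = 1;
            for (const char *l = login; *l; l++, first = 0) {
                if (used + 1 >= dstsz) { dst[used] = '\0'; return -1; }
                dst[used++] = first ? (char)toupper((unsigned char)*l) : *l;
            }
        } else {
            if (used + 1 >= dstsz) { dst[used] = '\0'; return -1; }
            dst[used++] = *gecos;
        }
    }
    dst[used] = '\0';
    return (long)used;
}

int main(void)
{
    char out[64];
    /* Constructed sample fields, not taken from a real system. */
    gecos_expand_unsafe(out, "& the Tester,,,", "alice");
    printf("unsafe  : %s\n", out);
    printf("bounded : %ld \"%s\"\n",
           gecos_expand(out, sizeof out, "& the Tester,,,", "alice"), out);
    printf("needed  : %zu bytes for %zu input bytes\n",
           gecos_expand_len(AMP32, "alice"), strlen(AMP32));
    printf("bounded : %ld (rejected, would not fit in %zu bytes)\n",
           gecos_expand(out, sizeof out, AMP32, "alice"), sizeof out);
    return 0;
}
```

The point a reviewer would look for is the ratio: sizing the output buffer from the input length is wrong whenever one input character can expand to several, and the bounded routine makes that failure an error return instead of a write past the end.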
http://www.linuxsecurity.com/content/view/128378

* Fedora Core 5 Update: mutt-1.4.2.1-8.fc5
  30th, May, 2007

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. A buffer overflow in Mutt 1.4.2 might allow local users to execute arbitrary code via "&" characters in the GECOS field, which triggers the overflow during alias expansion.

http://www.linuxsecurity.com/content/view/128379

* Fedora Core 6 Update: selinux-policy-2.4.6-72.fc6
  30th, May, 2007

This updates the Fedora Core 6 SELinux policy. Changes include allowing prelink sys_resource, adding a transition rule to allow apps to run java in a different context, allowing netlabel to read etc and work with init terminals, and changing the file context so that all of the policy is at SystemLow.

http://www.linuxsecurity.com/content/view/128380

* Fedora Core 6 Update: firefox-1.5.0.12-1.fc6
  31st, May, 2007

Updated firefox packages that fix several security bugs are now available for Fedora Core 6. This update has been rated as having critical security impact by the Fedora Security Response Team.

http://www.linuxsecurity.com/content/view/128388

* Fedora Core 6 Update: epiphany-2.16.3-5.fc6
  31st, May, 2007

Updated firefox packages that fix several security bugs are now available for Fedora Core 6. This update has been rated as having critical security impact by the Fedora Security Response Team. Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox.

http://www.linuxsecurity.com/content/view/128389

* Fedora Core 6 Update: devhelp-0.12-11.fc6
  31st, May, 2007

Updated firefox packages that fix several security bugs are now available for Fedora Core 6.
This update has been rated as having critical security impact by the Fedora Security Response Team.

http://www.linuxsecurity.com/content/view/128390

* Fedora Core 6 Update: yelp-2.16.0-13.fc6
  31st, May, 2007

Updated firefox packages that fix several security bugs are now available for Fedora Core 6. This update has been rated as having critical security impact by the Fedora Security Response Team.

http://www.linuxsecurity.com/content/view/128391

* Fedora Core 6 Update: thunderbird-1.5.0.12-1.fc6
  31st, May, 2007

Updated thunderbird packages that fix several security bugs are now available for Fedora Core. This update has been rated as having critical security impact by the Fedora Security Response Team. Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird.

http://www.linuxsecurity.com/content/view/128392

* Fedora Core 5 Update: thunderbird-1.5.0.12-1.fc5
  31st, May, 2007

Updated thunderbird packages that fix several security bugs are now available for Fedora Core. This update has been rated as having critical security impact by the Fedora Security Response Team. Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird.

http://www.linuxsecurity.com/content/view/128393

* Fedora Core 5 Update: seamonkey-1.0.9-1.fc5
  31st, May, 2007

Updated seamonkey packages that fix several security bugs are now available for Fedora Core 5. This update has been rated as having critical security impact by the Fedora Security Response Team.
SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

http://www.linuxsecurity.com/content/view/128394

* Fedora Core 5 Update: devhelp-0.11-7.fc5
  31st, May, 2007

Updated seamonkey packages that fix several security bugs are now available for Fedora Core 5. This update has been rated as having critical security impact by the Fedora Security Response Team. SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause SeaMonkey to crash or potentially execute arbitrary code as the user running SeaMonkey.

http://www.linuxsecurity.com/content/view/128395

* Fedora Core 5 Update: yelp-2.14.3-5.fc5
  31st, May, 2007

Updated seamonkey packages that fix several security bugs are now available for Fedora Core 5. This update has been rated as having critical security impact by the Fedora Security Response Team. SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause SeaMonkey to crash or potentially execute arbitrary code as the user running SeaMonkey.

http://www.linuxsecurity.com/content/view/128396

* Fedora Core 5 Update: epiphany-2.14.3-6.fc5
  31st, May, 2007

Updated seamonkey packages that fix several security bugs are now available for Fedora Core 5. This update has been rated as having critical security impact by the Fedora Security Response Team. SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code.
A web page containing malicious JavaScript code could cause SeaMonkey to crash or potentially execute arbitrary code as the user running SeaMonkey.

http://www.linuxsecurity.com/content/view/128397

* Fedora Core 5 Update: firefox-1.5.0.12-1.fc5
  31st, May, 2007

Updated firefox packages that fix several security bugs are now available for Fedora Core 5. This update has been rated as having critical security impact by the Fedora Security Response Team. Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox.

http://www.linuxsecurity.com/content/view/128398

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: PHP Multiple vulnerabilities
  26th, May, 2007

PHP contains several vulnerabilities including buffer and integer overflows which could under certain conditions lead to the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/128345

* Gentoo: Blackdown Java Applet privilege escalation
  26th, May, 2007

The Blackdown JDK and the Blackdown JRE suffer from the multiple unspecified vulnerabilities that already affected the Sun JDK and JRE. Chris Evans has discovered multiple buffer overflows in the Sun JDK and the Sun JRE, possibly related to various AWT and font layout functions.

http://www.linuxsecurity.com/content/view/128346

* Gentoo: MPlayer Two buffer overflows
  30th, May, 2007

Two vulnerabilities have been discovered in MPlayer, each of which could lead to the execution of arbitrary code. A buffer overflow has been reported in the DMO_VideoDecoder_Open() function in file loader/dmo/DMO_VideoDecoder.c. Another buffer overflow has been reported in the DS_VideoDecoder_Open() function in file loader/dshow/DS_VideoDecoder.c.
http://www.linuxsecurity.com/content/view/128368

* Gentoo: FreeType Buffer overflow
  30th, May, 2007

Victor Stinner discovered a heap-based buffer overflow in the function Get_VMetrics() in src/truetype/ttgload.c when processing TTF files with a negative n_points attribute. A remote attacker could entice a user to open a specially crafted TTF file, possibly resulting in the execution of arbitrary code with the privileges of the user running FreeType.

http://www.linuxsecurity.com/content/view/128369

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated samba packages fix multiple
  24th, May, 2007

A number of bugs were discovered in the NDR parsing support in Samba that is used to decode MS-RPC requests. A remote attacker could send a carefully crafted request that would cause a heap overflow, possibly leading to the ability to execute arbitrary code on the server.

http://www.linuxsecurity.com/content/view/128313

* Mandriva: Updated gnome-media packages fix bug
  24th, May, 2007

A window modality bug was preventing audio profile editing from the Sound-juicer or Rhythmbox applications. This bug is fixed with the updated gnome-media package.

http://www.linuxsecurity.com/content/view/128330

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: tomcat security update
  24th, May, 2007

Updated tomcat packages that fix multiple security issues and a bug are now available for Red Hat Developer Suite 3. Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks.
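The Tomcat entry above is a request smuggling issue: when a server accepts two Content-Length headers, a cache or web application firewall in front of it may frame the body by one header while Tomcat frames it by the other, so the two disagree on where one request ends and the next begins, which is what makes the cache poisoning and WAF bypass possible. The code below is an added illustration and not Tomcat's parser: a header walker in a lenient mode (last Content-Length wins, malformed headers are skipped) beside a strict mode that rejects any second Content-Length. The strict mode also rejects whitespace before the colon and Content-Length alongside Transfer-Encoding; those two checks go beyond the advisory text and are the standard companion checks. The sample requests are constructed, not captured traffic.

```c
/* Added example (not Tomcat's parser): lenient vs strict framing of a
 * request body from its Content-Length header(s). */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum cl_status { CL_OK, CL_NONE, CL_AMBIGUOUS, CL_INVALID };

/* Case-insensitive test of an n-byte header name against a lowercase token. */
static int name_is(const char *s, size_t n, const char *token)
{
    if (strlen(token) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != (unsigned char)token[i]) return 0;
    return 1;
}

/* Strict decimal parse of an n-byte value: optional surrounding blanks,
 * digits only, no sign, no "4, 4" lists, no overflow. */
static int parse_decimal(const char *v, size_t n, long *out)
{
    size_t i = 0; long val = 0; int digits = 0;
    while (i < n && (v[i] == ' ' || v[i] == '\t')) i++;
    for (; i < n && isdigit((unsigned char)v[i]); i++, digits++) {
        if (val > (LONG_MAX - 9) / 10) return 0;
        val = val * 10 + (v[i] - '0');
    }
    while (i < n && (v[i] == ' ' || v[i] == '\t')) i++;
    if (!digits || i != n) return 0;
    *out = val;
    return 1;
}

/* Reads Content-Length from the header block of a raw request.
 * strict == 0 is the permissive behaviour the advisory describes: the
 * last Content-Length wins and malformed headers are skipped.
 * strict == 1 rejects a second Content-Length (even an identical one,
 * which is stricter than RFC 7230 requires), whitespace before the
 * colon, malformed values, and Content-Length next to Transfer-Encoding;
 * the last two checks go beyond the advisory text. */
enum cl_status content_length(const char *req, int strict, long *out)
{
    const char *p = strchr(req, '\n');          /* skip the request line */
    int seen = 0, te = 0;
    long val = 0;
    if (!p) return CL_INVALID;
    p++;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len && p[len - 1] == '\r') len--;
        if (len == 0) break;                    /* blank line ends the headers */
        const char *colon = memchr(p, ':', len);
        if (!colon) {
            if (strict) return CL_INVALID;
        } else {
            size_t nlen = (size_t)(colon - p);
            if (strict && nlen && isspace((unsigned char)p[nlen - 1]))
                return CL_INVALID;              /* "Content-Length : 4" */
            if (name_is(p, nlen, "transfer-encoding")) {
                te = 1;
            } else if (name_is(p, nlen, "content-length")) {
                long v;
                if (!parse_decimal(colon + 1, len - nlen - 1, &v)) {
                    if (strict) return CL_INVALID;
                } else {
                    if (strict && seen) return CL_AMBIGUOUS;
                    val = v; seen = 1;
                }
            }
        }
        if (!eol) break;
        p = eol + 1;
    }
    if (strict && seen && te) return CL_AMBIGUOUS;
    if (!seen) return CL_NONE;
    *out = val;
    return CL_OK;
}

/* Constructed requests, not captured traffic. SMUGGLED is the shape the
 * advisory warns about: a cache or WAF honouring the first header sees a
 * 4-byte body followed by a second request for /admin, while a back end
 * honouring the last header swallows that GET as body. */
static const char SMUGGLED[] =
    "POST /app HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Length: 4\r\nContent-Length: 47\r\n\r\n"
    "abcdGET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n";
static const char CLEAN[]  = "POST /app HTTP/1.1\r\ncontent-length: 4\r\n\r\nabcd";
static const char SPACED[] = "POST /app HTTP/1.1\r\nContent-Length : 4\r\n\r\nabcd";
static const char CL_AND_TE[] =
    "POST /app HTTP/1.1\r\nTransfer-Encoding: chunked\r\n"
    "Content-Length: 4\r\n\r\n0\r\n\r\n";

int main(void)
{
    const char *reqs[] = { SMUGGLED, CLEAN, SPACED, CL_AND_TE };
    for (int i = 0; i < 4; i++) {
        long ln = -1, sn = -1;
        int l = content_length(reqs[i], 0, &ln), s = content_length(reqs[i], 1, &sn);
        printf("request %d: lenient status %d len %ld, strict status %d len %ld\n",
               i, l, ln, s, sn);
    }
    return 0;
}
```

In a deployment the strict result CL_AMBIGUOUS or CL_INVALID should close the connection with a 400 rather than guess, because the request that follows on the same connection is the one the attacker wants the front end and the back end to disagree about.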
http://www.linuxsecurity.com/content/view/128320

* RedHat: Important: jbossas security update
  24th, May, 2007

Updated jbossas packages that fix multiple security issues in tomcat are now available for Red Hat Application Stack. This update has been rated as having Important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128327

* RedHat: Moderate: evolution-data-server security update
  30th, May, 2007

An updated evolution-data-server package that fixes a security bug is now available for Red Hat Enterprise Linux 5. A flaw was found in the way evolution-data-server processed certain APOP authentication requests. By sending certain responses when evolution-data-server attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128360

* RedHat: Important: mod_jk security update
  30th, May, 2007

Updated mod_jk packages that fix a security issue are now available for Red Hat Application Server. If Tomcat was used behind mod_jk and configured to only proxy some contexts, an attacker could construct a carefully crafted HTTP request to work around the context restriction and potentially access non-proxied content. This update has been rated as having Important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128361

* RedHat: Moderate: quagga security update
  30th, May, 2007

An updated quagga package that fixes a security bug is now available for Red Hat Enterprise Linux 3, 4 and 5. An out of bounds memory read flaw was discovered in Quagga's bgpd. A configured peer of bgpd could cause Quagga to crash, leading to a denial of service. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/128362

* RedHat: Moderate: file security update
  30th, May, 2007

An updated file package that fixes a security flaw is now available for Red Hat Enterprise Linux 4 and 5. The fix for CVE-2007-1536 introduced a new integer underflow flaw in the file utility. An attacker could create a carefully crafted file which, if examined by a victim using the file utility, could lead to arbitrary code execution. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128363

* RedHat: Important: mod_jk security update
  30th, May, 2007

Updated mod_jk packages that fix a security issue are now available for Red Hat Application Stack v1.1. If Tomcat was used behind mod_jk and configured to only proxy some contexts, an attacker could construct a carefully crafted HTTP request to work around the context restriction and potentially access non-proxied content. This update has been rated as having Important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128367

* RedHat: Critical: firefox security update
  30th, May, 2007

Updated firefox packages that fix several security bugs are now available for Red Hat Enterprise Linux 4 and 5. Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128383

* RedHat: Critical: thunderbird security update
  30th, May, 2007

Updated thunderbird packages that fix several security bugs are now available for Red Hat Enterprise Linux 4 and 5. Several flaws were found in the way Thunderbird processed certain malformed JavaScript code.
A web page containing malicious JavaScript code could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128384

* RedHat: Critical: seamonkey security update
  30th, May, 2007

Updated seamonkey packages that fix several security bugs are now available for Red Hat Enterprise Linux 2.1, 3, and 4. Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause SeaMonkey to crash or potentially execute arbitrary code as the user running SeaMonkey. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128385

+---------------------------------+
|  Distribution: Ubuntu           | ----------------------------//
+---------------------------------+

* Ubuntu: Linux kernel vulnerabilities
  24th, May, 2007

Philipp Richter discovered that the AppleTalk protocol handler did not sufficiently verify the length of packets. By sending a crafted AppleTalk packet, a remote attacker could exploit this to crash the kernel.

http://www.linuxsecurity.com/content/view/128329

* Ubuntu: PulseAudio vulnerability
  25th, May, 2007

Luigi Auriemma discovered multiple flaws in pulseaudio's network processing code. If an unauthenticated attacker sent specially crafted requests to the pulseaudio daemon, it would crash, resulting in a denial of service.

http://www.linuxsecurity.com/content/view/128343

* Ubuntu: freetype vulnerability
  30th, May, 2007

Victor Stinner discovered that freetype did not correctly verify the number of points in a TrueType font. If a user were tricked into using a specially crafted font, a remote attacker could execute arbitrary code with user privileges.
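Both FreeType entries in this issue (Gentoo and Ubuntu) come down to a point count that the font file controls and that is checked as a signed quantity. The code below is an added illustration of that class of bug and is not FreeType's code: a generic loader reads a 16-bit count from a constructed record as signed, so 0xFFFB becomes -5, passes the "too many points" comparison (a negative number is smaller than any positive limit), and then turns into a length near SIZE_MAX when converted for the copy. The hardened loader reads the field unsigned, does its arithmetic in size_t, and checks the count against both the destination capacity and the bytes actually present in the record. The records are constructed for this example; they are not real TrueType data and the record layout is an assumption of the example.

```c
/* Added example (not FreeType's code): a point count read as a signed
 * 16-bit value slipping past a "too many points" check. Records are
 * constructed for this example, not real font data. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the count is read as signed, so the bytes FF FB
 * yield n_points = -5 (two's-complement narrowing). The comparison
 * "n_points > max_points" is false for every negative value, and the
 * copy that follows would use (size_t)n_points * 4, a value near
 * SIZE_MAX. Only the check is reproduced; performing that copy would
 * corrupt memory. */
int vuln_check(const uint8_t *rec, int max_points)
{
    int16_t n_points = (int16_t)((rec[0] << 8) | rec[1]);  /* signed read */
    if (n_points > max_points)
        return -1;              /* rejected */
    return n_points;            /* accepted, possibly negative */
}

/* The byte length the vulnerable copy would request for n_points points. */
size_t vuln_copy_len(long n_points)
{
    return (size_t)n_points * 4;
}

/* Hardened loader: the count is read unsigned, arithmetic is done in
 * size_t, and the count is checked against both the destination
 * capacity and the bytes actually present in the record.
 * Returns the number of points copied, or -1 on malformed input. */
long load_points(const uint8_t *rec, size_t reclen, int16_t *xy, size_t max_points)
{
    if (reclen < 2)
        return -1;
    size_t n_points = (uint16_t)((rec[0] << 8) | rec[1]);   /* 0..65535 */
    if (n_points > max_points)
        return -1;                      /* would overflow xy */
    if ((reclen - 2) / 4 < n_points)
        return -1;                      /* record shorter than it claims */
    for (size_t i = 0; i < n_points; i++) {
        const uint8_t *p = rec + 2 + i * 4;
        xy[2 * i]     = (int16_t)((p[0] << 8) | p[1]);
        xy[2 * i + 1] = (int16_t)((p[2] << 8) | p[3]);
    }
    return (long)n_points;
}

/* Constructed records: big-endian 16-bit count, then that many (x, y)
 * pairs of big-endian int16. */
static const uint8_t GOOD[]      = { 0x00, 0x02, 0x00, 0x0A, 0x00, 0x14, 0xFF, 0xF6, 0x00, 0x00 };
static const uint8_t NEGATIVE[]  = { 0xFF, 0xFB, 0x00, 0x00, 0x00, 0x00 };  /* count = -5 as int16 */
static const uint8_t TRUNCATED[] = { 0x00, 0x03, 0x00, 0x01, 0x00, 0x02 };  /* claims 3 points, holds 1 */

int main(void)
{
    int16_t xy[128];
    int v = vuln_check(NEGATIVE, 64);
    printf("GOOD      vuln=%d  safe=%ld\n",
           vuln_check(GOOD, 64), load_points(GOOD, sizeof GOOD, xy, 64));
    printf("NEGATIVE  vuln=%d (would copy %zu bytes)  safe=%ld\n",
           v, vuln_copy_len(v), load_points(NEGATIVE, sizeof NEGATIVE, xy, 64));
    printf("TRUNCATED vuln=%d  safe=%ld\n",
           vuln_check(TRUNCATED, 64), load_points(TRUNCATED, sizeof TRUNCATED, xy, 64));
    return 0;
}
```

The second check in load_points matters as much as the first: a count that fits the destination can still exceed the bytes present in the record, which turns a heap overflow into an over-read of whatever follows the font data in memory.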
http://www.linuxsecurity.com/content/view/128382

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From alerts at infosecnews.org Mon Jun 4 01:23:28 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] 16th USENIX Security Symposium Registration Now Open
Message-ID:

Forwarded from: Lionel Garth Jones

-------------------------------------------------------------
16th USENIX Security Symposium
August 6-10, 2007
Boston, MA
http://www.usenix.org/sec07/proga

Early Bird Registration Deadline: July 16, 2007
-------------------------------------------------------------

Dear Colleague,

I'm pleased to invite you to attend the 16th USENIX Security Symposium, August 6-10, 2007, in Boston, MA.

Computer security today advances at an exceptional rate, as both its operational relevance and the tension between attackers and defenders continue to grow. New services, new systems, and new networking architectures continually add new dimensions to the field and subvert previously held assumptions. This symposium offers cutting-edge research on topics that range from Web-based detection through memory performance attacks.

* The Security training program can help you learn the latest on topics such as:
  -- TCP/IP Weapons School
  -- Live Forensics

  Experts such as Richard Bejtlich, Dan Geer, Frank Adelstein, and Golden G. Richard will give you the information, techniques, tools, and strategies you need to practice effective security today--and tomorrow.

* Don't miss the keynote address by Steven Levy, a senior editor and columnist at Newsweek, on "How the iPod Shuffled the World as We Know It."
* The Invited Talks cover a number of timely topics, including:
  -- "Windows Vista Content Protection," by Peter Gutmann, University of Auckland, New Zealand
  -- "Exploiting Online Games," by Gary McGraw, Cigital
  -- And more...

* The 23 refereed papers present the best new research in a variety of subject areas, including privacy, cellular network security, and authentication.

* Join colleagues with similar interests for thought-provoking discussions at the evening Birds-of-a-Feather sessions.

* Share a provocative opinion, interesting preliminary work, or a cool idea that will spark discussion at the poster session. To submit a poster, please send a 1-5 page(s) proposal, in PDF or PostScript, to sec07posters@usenix.org by June 23, 2007.

* Get a preview of next year's news or present your own new work and get audience feedback at the Work-in-Progress reports (WiPs). Speakers should submit a one- or two-paragraph abstract to sec07wips@usenix.org by August 8, 2007.

Whether you're a researcher, a system administrator, or a policy wonk, come to the 16th USENIX Security Symposium to find out how changes in computer security are going to affect you.

Please see http://www.usenix.org/sec07/proga to register today!

We look forward to seeing you in Boston, August 6-10, 2007.

For the Security '07 Program Committee,

Niels Provos, Google Inc.
Security '07 Program Chair
sec07chair@usenix.org

P.S. Workshops will be held in conjunction with the main conference. EVT '07 and WOOT '07 will both take place on August 6. DETER 2007 will take place August 6-7. HotSec '07 and MetriCon 2.0 will both take place on August 7.
For more information, see: http://www.usenix.org/events/sec07/workshops.html

From alerts at infosecnews.org Mon Jun 4 01:23:47 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Computers hacked at Hilton Head Island High
Message-ID:

http://www.islandpacket.com/front/story/6536804p-5816824c.html

Packet Staff Report
June 1, 2007

Beaufort County School officials said Friday they're investigating a case of apparent computer hacking that's resulted in altered attendance records for at least a dozen students at Hilton Head Island High School. Several of the students whose attendance records were altered were summoned, along with their parents, to the high school Friday morning to meet with principal Helen Ryan. Ryan said the interviews with the students have led school officials to focus on the student suspected of altering the records. Neither the name of that student nor the names of those whose records were altered can be released because of confidentiality laws, school officials said. "We've got somebody ID'd that we believe we're going to take disciplinary action against," Hudson said. In some cases the students' attendance records, before being altered, showed that they had too many absences to receive credit for a class, Ryan said. In other cases, it wasn't clear why the records were altered because the students didn't have excessive absences. Ryan said more students than the 12 identified so far may have had their attendance records altered, adding that the investigation is "ongoing." The Beaufort County Sheriff's Office also is involved in the investigation, she said.
Ryan and school district spokesman Tom Hudson said the records appear to have been altered selectively. "It wasn't a wholesale thing," Hudson said. "It looks like a number of individual records as opposed to across the board." It's unclear how a hacker could have penetrated the computer network to get access to the students' attendance records, both Ryan and Hudson said. "We thought we had put in as many stop-gaps as we could," Ryan said. She said the records are maintained on a "statewide database; it's not a local system they hacked into." So far, the investigation indicates that the altered records belong to juniors and seniors, Ryan said. She said the problem could not have been the result of a random computer glitch. "No," she said. "It was done intentionally."

From alerts at infosecnews.org Mon Jun 4 01:24:04 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Report: Security Certifications Boost Pay
Message-ID:

http://www.eweek.com/article2/0,1895,2140574,00.asp

By Deborah Perelman
June 1, 2007

Though the pay value of the vast majority of IT certifications has been on the decline for more than two years, pay premiums for IT security, project management and database administration certifications have soared, finds a new report. Compensation for certified IT security professionals increased nearly 2 percent over the past six months, according to research released May 31 by Foote Partners, an IT work force research firm based in New Canaan, Conn. Foote Partners documented a multi-year trend in IT professional pay in which noncertified IT skills are gaining over their certified counterparts. Pay for 149 leading noncertified IT skills grew 4.1 percent in value in the last six months and 9.1 percent over the past year, according to the most recent report. Pay for certified IT skills increased 1.1 percent and 2.1 percent, respectively, in the same period.
"We've been reporting for more than a year that pay for IT certifications has been on a steady decline," remarks David Foote, Foote Partners CEO and chief research officer. "But there is one category of IT certifications - and only one, according to our data - that is showing signs of life: IT security. The group of 27 security certifications we survey is the only one that grew in value the past six months and we discovered why," he said.

Between the third quarter of 2001 and the third quarter of 2004, average base pay for IT professionals declined significantly, whether they had certified or non-certified technology skills. However, certified IT pros took slightly less of a hit, according to Foote's data. After pay for both groups bottomed out in the third quarter of 2004, though both certified and non-certified IT professional pay came back fairly quickly, non-certified pay made healthier gains, putting it in a position to possibly surpass certified pay by the end of 2007, if not sooner.

Several certifications, however, are holding their own. IT professionals with security certifications - including all versions of the CISSP, CISA, GSE, CISM, SSCP and GCFA - earned 10 percent to 14 percent premiums on their base pay over their non-certified counterparts.

Foote sees the strength of pay for certified IT security professionals as related to larger cultural trends and customer demands. "Customers are becoming nervous and demanding more security in their vendors' products and services. This is especially true when their data is running across vendor networks," said Foote. "We believe that this trend in IT security certifications pay is an indication that, finally, there is something other than government regulation that is driving business leaders to examine how critically short-handed their companies are when it comes to staffing the IT security function.
Historically, market forces have been more effective than regulation in moving companies to correct deficiencies in their products and services. That, and in the case of security, sudden serious security breaches such as the recent theft of personal information of more than 45 million TJX customers," he said.

Project management certifications - including PMP and the Open Group's ITCA - had a similar median pay value, and networking/internetworking certifications - including BCSM, CCIE, CCVP, CCSI, CCEA and several others - earned individuals 10 percent to 13 percent pay premiums, according to the report.

Other certifications holding their value included those in the areas of systems administration and engineering (Master ASE, CCIA and RHCA), application development and programming languages (IBM WebSphere and SOA Solution Designer, OCP and MCSD) and databases (TCM, OCM DBA, DB2 and TCAD).

From alerts at infosecnews.org Mon Jun 4 01:24:38 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Stiffer Cyber Laws to Crack Down on Botnets, Spyware
Message-ID:

http://www.wired.com/politics/law/news/2007/06/bot_law

By Luke O'Brien
06.04.07

WASHINGTON -- Federal lawmakers confronting a plague of botnet infections, denial-of-service extortion schemes and spyware are going on the counter-offensive with two new bills that would make it easier for federal prosecutors to charge cybercriminals, while bringing computer intrusion under the ambit of the mob-busting RICO Act.

Together, the Cyber-Security Enhancement Act and the Internet Spyware (I-SPY) Prevention Act would represent one of the more significant updates to federal computer-crime law in the last two decades.

Around 30 percent of malicious internet activity took place or originated in the United States in the second half of last year, according to information from Symantec. China was second at 10 percent.
Prominent among today's threats are bots -- a type of malicious software that secretly puts a vulnerable PC under the control of an attacker, who can direct thousands of computers at once. Organized cybercriminals routinely use networks of bots to launder spam, steal passwords for online banking and launch denial-of-service attacks like those that recently plagued the small European nation of Estonia after it angered Russian nationalists.

"You're looking at a new species of criminal conduct," says Roma Theus, a white-collar crime expert at the Defense Research Institute and a former federal prosecutor. "We have to look beyond where we are today and think about where we might be ten years from today."

The Cyber-Security Enhancement Act, introduced by Rep. Adam Schiff (D-California), would do just that, stiffening penalties and sentencing times for cybercriminals by classifying computer-fraud offenses as a predicate offense for the Racketeer Influenced and Corrupt Organizations, or RICO, law. Authorities could also seize any ill-gotten gains a crook may have obtained through online rackets.

The measure also adjusts the damage threshold that qualifies a cybercrime to receive FBI attention. Currently, a financial loss of $5,000 spread out among victims makes an intrusion into a federal case; under the bill, damaging 10 or more computers in a year would automatically qualify, even with no financial harm.

This bill has cheered many advocates for tougher laws on cybercrime. "In our discussions with law enforcement, that $5,000 limit is a major sticking point in terms of not being able to go after these criminals," says Rob Tai, the manager of cybercrime prevention for the Business Software Alliance, which represents the commercial software industry and supports both bills.

The I-SPY Act, introduced by Rep.
Zoe Lofgren (D-California), amends the same federal computer crimes statute by setting a five-year sentence and/or fines for anyone caught using subversive software "in furtherance" of a federal criminal offense. Scam artists who distribute software coded with keystroke loggers or other covert functions, and who use it to steal Social Security numbers, credit card numbers, passwords or any personal identification information could face new charges. So could hoods using spyware to "impair" a computer's security system while trying to defraud another person, although the prison time for that offense drops to two years.

The bill is a nice step forward but only part of a much-needed collection of tools to combat spyware violations, according to David Sohn, senior policy counsel at the Center for Democracy and Technology. "It's adding an additional enforcement arrow to the quiver," Sohn said.

Both measures modify the Computer Fraud and Abuse Act, the federal anti-hacking bill enacted in 1986. Originally intended to protect only federal government computers and financial institutions, the CFAA has been amended several times since then, most recently in 2001, when the Patriot Act raised the maximum penalties, among other tweaks.

Not everyone thinks the latest crop of bills is the correct response to shifting cyberthreats. "I'm not sure it's completely necessary," says Andy Serwin, a noted cyberspace lawyer and the author of a book on information security and privacy laws. "How much burden do you put on business?"

The Federal Trade Commission already enforces cyberfraud, and state and federal laws cover more than enough ground to allow for prosecution, Serwin argues. Increased legislation might wind up criminalizing legitimate software, such as Microsoft's updater, which automatically installs programs on computers and might technically be spyware under the new legislation, he says.
Besides, Serwin adds, "The guy who's going to do the really malicious stuff is going to do it anyway. And he may do it offshore, so there's no way to get at him."

Theus disagrees. He says that the government could extradite wrongdoers, or even seize them, a la Manuel Noriega. "If someone is under the misapprehension that they can be outside the U.S. and commit a crime that has effects inside the U.S. (and avoid sanctions), that person is going to be terribly surprised."

So far such extraditions are virtually unheard of. In the U.K., Gary McKinnon, a 41-year-old man accused of penetrating over 90 unclassified U.S. military computers in 2001 and 2002, has delayed extradition for years, even while admitting to the hacking spree. In April he lost a court challenge to an extradition order, and is now on a final appeal to the U.K. Parliament's Law Lords.

From alerts at infosecnews.org Mon Jun 4 01:24:50 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Stolen Laptop Stored Personal Police Data
Message-ID:

http://www.kxan.com/Global/story.asp?S=6601344

June 1, 2007

The personal information of every police officer in Texas was in the hands of thieves Friday, after a laptop computer containing the data was stolen. A laptop containing each officer's private information was stolen from a Houston software company that stores sensitive records for the Texas Commission on Law Enforcement.

"The Texas Commission on Law Enforcement maintains all the records for all the law enforcement agencies, peace officers and county jailers and others, telecommuters and others to the tune of approximately 97,000 individuals," said James Heironimus of the commission. "My name was on that database as well, as a peace officer."

Those individuals got an e-mail last month about the break-in and theft.
"Our chief of police forwarded that information to the supervisors here at UTPD, and those supervisors were asked to inform those officers of the loss of the laptop," said spokeswoman Rhonda Weldon of the University of Texas Police Department.

Heironimus said they are working with the Houston Police Department to track down the thieves and are asking officers to monitor their credit reports for possible fraud. KXAN was told the thieves hit several businesses that night, and the laptop may not have been a specific target.

From alerts at infosecnews.org Tue Jun 5 00:15:52 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab
Message-ID:

http://www.cio.com/article/114550

By Scott Berinato
CSO
May 31, 2007

Forensic investigations start at the end. Think of it: You wouldn't start using science and technology to establish facts (that's the dictionary definition of forensics) unless you had some reason to establish facts in the first place. But by that time, the crime has already happened. So while requisite, forensics is ultimately unrewarding.

A clear illustration of this fact comes from the field investigations manager for a major credit services company. Sometime last year, he noticed a clutch of fraudulent purchases on cards that all traced back to the same aquarium. He learned quite a bit through forensics. He learned, for example, that an aquarium employee had downloaded an audio file while eating a sandwich on her lunch break. He learned that when she played the song, a rootkit hidden inside the song installed itself on her computer. That rootkit allowed the hacker who'd planted it to establish a secure tunnel so he could work undetected and get root - administrator's access - to the aquarium network.

Sounds like a successful investigation. But the investigator was underwhelmed by the results. Why?
Because he hadn't caught the perpetrator and he knew he never would. What's worse, that lunch break with the sandwich and the song download had occurred some time before he got there. In fact, the hacker had captured every card transaction at the aquarium for two years.

The investigator (who could only speak anonymously) wonders aloud what other networks are right now being controlled by criminal enterprises whose presence is entirely concealed. Computer crime has shifted from a game of disruption to one of access. The hacker's focus has shifted too, from developing destructive payloads to circumventing detection. Now, for every tool forensic investigators have come to rely on to discover and prosecute electronic crimes, criminals have a corresponding tool to baffle the investigation.

This is antiforensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.

The concept is neither new nor foolproof, but in the past 12 months, forensic investigators have noticed a significant uptick in the use of antiforensics. This is not because hackers are making more sophisticated antiforensic tools, though some are. Rather, it's because antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. What's more, this transition is taking place right when (or perhaps because of) a growing number of criminals, technically unsophisticated, want in on all the cash moving around online and they need antiforensics to protect their illicit enterprises.

"Five years ago, you could count on one hand the number of people who could do a lot of these things," says the investigator. "Now it's hobby level."

Researcher Bryan Sartin of Cybertrust says antiforensic tools have gotten so easy to use that recently he's noticed the hacks themselves are barely disguised.
"I can pick up a network diagram and see where the breach occurred in a second," says Sartin. "That's the boring part of my job now. They'll use FTP and they don't care if it logs the transfer, because they know I have no idea who they are or how they got there."

Veteran forensic investigator Paul Henry, who works for a vendor called Secure Computing, says, "We've got ourselves in a bit of a fix. From a purely forensic standpoint, it's real ugly out there."

Vincent Liu, partner at Stach & Liu, has developed antiforensic tools. But he stopped because "the evidence exists that we can't rely on forensic tools anymore. It was no longer necessary to drive the point home. There was no point rubbing salt in the wound," he says.

The investigator in the aquarium case says, "Antiforensics are part of my everyday life now."

As this article is being written, details of the TJX breach - called the biggest data heist in history, with more than 45 million credit card records compromised - strongly suggest that the criminals used antiforensics to maintain undetected access to the systems for months or years and capture data in real time. In fact, the TJX case, from the sparse details made public, sounds remarkably like the aquarium case on a massive scale. Several experts said it would be surprising if antiforensics weren't used.

"Who knows how many databases containing how many millions of identities are out there being compromised?" asks the investigator. "That is the unspoken nightmare."

[...]

From alerts at infosecnews.org Tue Jun 5 00:16:08 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Federal data still vulnerable a year after VA laptop theft
Message-ID:

http://www.fcw.com/article102889-06-04-07-Web

By Richard W. Walker
June 4, 2007

A year after a laptop computer was stolen from the home of a Veterans Affairs Department employee, federal systems are still vulnerable, according to a study released today.
A Telework Exchange survey of 258 federal employees found that 13 percent don't have encryption on their newly issued laptop PCs, compared with 11 percent in June 2006 before VA announced that the stolen laptop contained information on about 26.5 million people.

Sixty-five percent of the workers in the study said their agencies reinforced security policies after the VA incident, although fewer than half reported that their agencies provided them with additional training (48 percent) or updated encryption and other protection technologies (47 percent). Moreover, 16 percent said their agencies didn't react at all to the incident.

The survey also revealed that although those who telework and those who don't have about the same awareness of their agencies' security policies - 97 percent compared with 96 percent, respectively - teleworkers are more likely to have received training on data security, have encryption on their laptops and have antivirus protection on their work PCs.

According to researchers, nonteleworkers are the Achilles' heel of federal data security. Fifty-four percent of them said they carry files home and 41 percent reported that they log onto their agency's network from home. "These unofficial teleworkers are removing data from the office and working remotely in unauthorized locations, and therefore constitute a major risk in data security," researchers concluded. Nonteleworkers represented 52 percent of the respondents in the survey, teleworkers 48 percent.

Researchers recommended that agencies audit and assess unofficial teleworkers; implement and update policies, training, and technology to reinforce data security policies; and make sure that all laptop and desktop PCs, regardless of whether the user is a teleworker or nonteleworker, have data encryption and security protection.

The survey, conducted last month, was underwritten by Utimaco, a data security firm.
From alerts at infosecnews.org Tue Jun 5 00:16:24 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Risk and reward as a data defender
Message-ID:

http://www.computerweekly.com/Articles/2007/06/04/224506/risk-and-reward-as-a-data-defender.htm

By Liz Warren
4 June 2007

Information security chiefs can work at the highest level of business and reap the financial benefits, but their livelihood is on the line if a breach occurs.

As information security has risen up the corporate agenda, the role of chief security officer has emerged to oversee it. The CSO typically sits on the board and works alongside the chief executive and other senior managers to ensure that the organisation has the right security policies, procedures and technologies in place.

Adrian Asher, head of security at online gaming exchange Betfair, is one of this new breed of CSOs. "My role is to provide assurance to the business that our operations are secure," he says. "For Betfair, that can mean anything from protecting against denial of service attacks to preventing users from repudiating bets they have made."

Asher manages a team of 10 security specialists who advise him on particular areas of policy and research and implement technical systems. With CSOs looking to build these kinds of teams to support their security strategies, there is growing demand for security specialists at a lower level.

Premium rates

Security roles typically pay a premium of about 10% above rates for similar roles in other IT disciplines, said Sam Baxendale, sales manager at recruitment firm Computer People. But that premium comes with a downside, especially for the CSO. "If there is a security breach, the buck stops with you and it is difficult to shift the blame," Baxendale says. "The result of any investigation is often a sacking."

Security is certainly not for the faint-hearted.
Lysa Myers, a virus research engineer at security research firm McAfee Avert, says, "It is a fast-paced environment, and at times it can be overwhelming." Myers analyses samples sent in by users of McAfee systems to determine the threats they contain, explain them to customers, and add them to McAfee's detection and removal systems. She also provides training for internal staff and customers.

"You have to be able to switch gears quickly, from whatever you are working on to something else that is a higher priority. But there is something different every day, and always something new to learn," says Myers.

Because the emphasis on security as a specialism is relatively recent, there are no clearly established career paths, especially to the CSO role. However, accreditation is becoming increasingly important. At CSO level, employers look for candidates with CISSP (certified information systems security professional) certification, said John Whiting, managing director of the UK IT business at recruitment firm Harvey Nash. At a more junior level, supplier-specific qualifications such as Cisco, Nokia, Juniper and Checkpoint are in demand, he says.

Broad experience

However, most people seem to have fallen into security roles by accident, having been involved in a project where security was a prime concern, and experience across the full spectrum of IT is the best grounding, according to those working in security roles.

Asher says, "To be good in security, you have to be able to think from top to bottom and have done a little of each of the disciplines - network, database, applications and server admin - at a high level. Because you have to convince people who do these tasks every day to do them in a slightly different way, they have to respect you and you have to respect them, so you need some depth across all those areas."

Asher worked in network and server admin before becoming involved in a security-focused project to revamp Heathrow Airport's internet-based systems.
Similarly, Dave Martin, a management consultant who jointly heads up the security consulting group at LogicaCMG, came from a background of programming, systems administration and operations management in the Royal Navy and defence contractor Plessey. Working with security as a component of the systems he was developing gave Martin experience that he was able to transfer to a commercial environment. He now conducts risk analyses of firms' systems, devises policies to mitigate those risks, and delivers security awareness training to end-users. Martin also carries out these functions internally to ensure that LogicaCMG's own operations remain secure.

On the supplier side, it is typical for security staff to join with generalist IT skills and to receive company-specific training on the job. Myers started off at McAfee in a secretarial role and began asking questions about the reports she was helping to compile. Over time, she took on analysis of more complex threats, and she is now McAfee's expert in malware related to IRC bots.

Interpersonal skills

However, the kind of technical skills Asher, Martin and Myers have developed are just one aspect of the security role. Interpersonal skills and business skills are equally key, especially at CSO level. "You have to be an ambassador to senior managers and the board," says Asher. "Internal communications are a large part of the board."

Martin agrees. "Many technical people hit a glass ceiling in security, because you have to be able to talk business to senior business people," he says. "You often get people who are excellent technicians but cannot translate that into business issues."

But if you can master a security role, it can open doors. Whiting says, "There are big links between IT security, risk management, compliance and business continuity, so people coming from any of those areas are seeing avenues opening up across all of them.
And it can provide a route to move into the operational side of the business from a pure technology role."

From alerts at infosecnews.org Tue Jun 5 00:16:41 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Zero-day sales not 'fair' - to researchers
Message-ID:

http://www.theregister.co.uk/2007/06/03/market_value_of_software_security_vulnerabilites/

By Robert Lemos
SecurityFocus
3rd June 2007

Two years ago, Charles Miller found a remotely exploitable flaw in a common component of the Linux operating system, and as many enterprising vulnerability researchers are doing today, he decided to sell the information. Having recently left the National Security Agency, the security professional decided to try his hand at selling the bug to the U.S. government.

In a paper due to be presented next week at the Workshop on the Economics of Information Security, Miller - now a principal security analyst at Independent Security Evaluators - writes about the experience and analyzes the market for security vulnerabilities.

In the case of the Linux flaw, one agency offered him $10,000, while a second told him to name a price. When he said $80,000, his contact quickly agreed.

"The government official said he was not allowed to name a price, but that I should make an offer," Miller told SecurityFocus. "And when I did, he said OK, and I thought, 'Oh man, I could have gotten a lot more.'"

The sale underscores a significant problem for vulnerability researchers that attempt to sell a flaw: determining the value of the information. In addition, time is a major factor: Miller felt pressured to complete the deal, because if anyone else found and disclosed the flaw, its value would plummet to zero. In a second attempted sale outlined in the paper, the disclosure clock ran out for Miller as he tried to sell a PowerPoint flaw that Microsoft patched this past February before the researcher could close the deal.
Yet, researchers that sell vulnerabilities should also consider the ethical issues involved, said Terri Forslof, manager of security response for TippingPoint, a subsidiary of networking giant 3Com.

"The value of the vulnerability is determined by the amount of time that the vulnerability can be used to get a return on investment before it is patched," Forslof said. "If I'm paying $50,000 for a vulnerability, what am I doing with it? I'm likely not trying to get it patched."

Miller's paper comes as sales of vulnerability information are becoming more common. Driven by researchers' reluctance to give away hard-won information for free and the standardization on flaw bounties through initiatives such as iDefense's Vulnerability Contributor Program and 3Com's Zero-Day Initiative, flaw finders are increasingly trying to get paid for their work.

Miller found out that selling a flaw for a fair price is difficult. While the unnamed government agency offered the researcher $80,000, they placed a condition on the sale that the exploit would have to work against a particular flavor of Linux. Two weeks later and worried that the flaw might be found, Miller accepted a lesser offer from the same group for $50,000 for the exploit as is.

"While I was paid, it wasn't a full success," he wrote in the paper (PDF) [1]. "First, I had no way to know the fair market value for this exploit. I may have been off by a factor of ten or more."

Moreover, Miller had contacts in the government, but could not initially find the right people with whom to deal. So, he offered a 10 percent cut to a friend who had better contacts. Other researchers might not be able to find the right contacts to complete similar deals.

"The only reason this sale happened at all was because of personal contacts I had, which should not be necessary for a security researcher who wants to make a living," he wrote in the paper.

The sale of a second vulnerability did not go so well.
In January, Miller was approached by a friend who wanted to sell a flaw in Microsoft PowerPoint XP and 2003. Miller found very little guidance in the market to help him set a price, but he believed a company would pay up to $20,000 for the flaw and a government agency, perhaps $50,000. In reality, he only had a handful of offers but haggled one company up to $12,000. Before he could close the deal, however, Microsoft released a fix for the issue. The delay and difficulty in finding a buyer and the problems in setting a price had essentially scuttled the deal, Miller said.

"I don't think it's fair that researchers don't have the information and contacts they need to sell their research," Miller said.

Yet, TippingPoint's Forslof stressed that selling to the government is not necessarily setting a fair price for a vulnerability. Legitimate markets include companies that use vulnerability information to protect their customers while they contact the vendor to get the issue fixed. The government generally constitutes a gray market, because they most likely are not going to notify the vendor and the researcher does not know how they are going to use the information. The black market, where the buyers are likely to use the vulnerability for illicit purposes, would likely pay the most money but put end users in the most jeopardy.

"There are a range of prices when you are talking about fair market value versus black market value," she said. "And the government is in a class of their own. It's a matter of what is going to happen to that vulnerability and how they are going to use it."

The answers to those questions drove one researcher to deal with a vulnerability-buying program rather than selling to a government agency. Security researcher Aviv Raff found two trivial-to-exploit vulnerabilities in a component of the Windows Vista operating system late last year.
He shopped the more critical flaw to a number of security companies as well as the two major vulnerability-purchase programs. While some of the security companies bested the offers from TippingPoint and iDefense, he declined to sell the flaw to them because they would not commit to notifying Microsoft of the issue. For the same reason, selling the vulnerability to the government was out of the question as well.

"I wouldn't mind (selling the information to the government), if I knew they will report it to Microsoft," Raff said.

Because of the terms of the sale, Raff cannot mention the name of the program to which he sold the vulnerability nor the price at which he sold it, except to say it's much less than $80,000. Raff directly notified Microsoft of the less critical of the two vulnerabilities. The software giant has not yet patched the flaws.

This article originally appeared in Security Focus.
Copyright © 2007, SecurityFocus

[1] http://weis2007.econinfosec.org/papers/29.pdf

From alerts at infosecnews.org Tue Jun 5 00:19:05 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] THC-Orakel, Cracking Oracle Passwords within seconds
Message-ID:

Forwarded from: rm (at) ingsoc.org

Hi,

THC presents a crypto paper analyzing the database authentication mechanism used by Oracle. THC further releases practical tools to sniff and crack the password of an Oracle database within seconds.

Link: http://www.thc.org/thc-orakel

One of the network authentication modes used by Oracle databases uses a weak key exchange mechanism. This mechanism is still used on the newest database versions using Oracle's JAVA drivers. Also, for native Oracle drivers an attack is known to downgrade the authentication mode to the vulnerable version.

The orakelsniffert article documents the mechanism used by the weak authentication mode, the complexity and impact of the attack and an example of an attack in the field.
A Windows based cracker and a simple JAVA based client application are included to verify the results. Also, a supporting crypto utility is released.

Yours sincerely,
vonjeek / THC
The Hackers Choice
http://www.thc.org

From alerts at infosecnews.org Wed Jun 6 00:30:23 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] How to Conduct a Vulnerability Assessment
Message-ID:

http://www.cio.com/article/116800/How_to_Conduct_a_Vulnerability_Assessment

By Sarah D. Scalet
June 05, 2007
CSO

Roger Johnston knows about security vulnerabilities, and not only because he works for the Los Alamos National Laboratory, which has experienced more than its share of security problems of late (including the loss of classified materials last autumn). As leader of the laboratory's Vulnerability Assessment Team, a research group devoted to improving physical security, Johnston is the guy who gets brought in to find security problems, not only at his own agency, but also at other agencies and at private companies. His team has been hired to conduct vulnerability assessments at government agencies with such high security stakes as the International Atomic Energy Agency, the Department of State and the Department of Defense, as well as at private companies that are developing or considering the use of high-tech security devices.

Senior Editor Sarah D. Scalet recently spoke with Johnston about strategies for running an effective vulnerability assessment and then communicating the results without also putting your job on the line. To help security leaders identify specific areas that need improvement, Johnston also developed a quiz that identifies the 28 attributes of a flawed security system. "We see the same things over and over," he says. "These are the common unifying themes." Find out how you rate.
(Note: Johnston emphasized that his statements here are his own opinions and do not necessarily reflect the official position of the Los Alamos National Laboratory or the U.S. Department of Energy, its parent organization.)

CSO: You basically spend your days finding problems with things. Are people afraid to cook for you?

ROGER JOHNSTON: Yeah, well, we always try to have an upbeat message. There are often very simple fixes to problems. Say you're using a tamper-indicating seal for cargo security. When you inspect the seal, maybe you simply spend an extra second or two looking for a little scratch in the upper right-hand corner to discover an attack.

CSO: So training is a key to that upbeat message?

JOHNSTON: Right. We're very strong believers in showing security personnel a lot of vulnerability information. Often, low-level security people aren't given the information they need to do a good job. If they know what they're supposed to be looking for, instead of just turned loose and told to report "anomalous incidents," they generally will do a lot better. You really haven't spent a lot of extra money, and it doesn't necessarily take a great deal of time.

CSO: When you're doing a vulnerability assessment, what's the best way to get into the mind-set of the adversary?

JOHNSTON: That's the real trick. The problem with a lot of vulnerability assessments is that they're done by very sincere security people who have devoted their lives and careers to being good guys. They really don't want security to have any problems. It's not a matter of dishonesty; it's just human nature. Also, in many cases security personnel come from military or police backgrounds. That kind of training and discipline can be very useful, but those backgrounds don't typically tend to attract people who are wildly creative. You want to look around your organization and find people who are outside-the-box thinkers. They don't have to be in the field of security.
You're looking for people who would normally be your worst security nightmare--people who are loophole finders, smart alecks, kind of skeptical. They're people who have to prove things for themselves and aren't sure they buy everything they hear from authority.

CSO: So you're looking for people who've been in trouble for violating some security policy?

JOHNSTON: I don't want to push it too far. If they're wanted in 35 states for felonies, maybe that's not exactly who you want looking at your critical security vulnerabilities. It's more about finding the people who won't automatically toe the party line. These are people in your organization who are already thinking about how they could beat your security. They're probably not going to do it, but that's just the way they think. They may be graphic artist types; they may be the smart aleck on the loading dock who's always questioning the boss.

CSO: There's more of that ethos in the information security culture than in the physical security culture.

JOHNSTON: Absolutely. There's a huge cultural gap, of course, between IT security and physical security, and that's much of the problem of convergence, trying to bring the two together. I think IT is better off in this regard. A lot of the people who work on computers automatically think that way.

CSO: What's the risk of conducting a vulnerability assessment from the point of a good guy?

JOHNSTON: When vulnerability assessments are done by good guys thinking like good guys, number one, they let the existing security infrastructure and hardware and strategies define the vulnerability issues. For example, if there's a fence, they'll think about ways the bad guys might get over the fence. But of course that's all backwards. We need to think about what the bad guys want to accomplish and then decide if we even need a fence. Number two, there's that tendency not to want to try to find problems.
CSO: Not only are they possibly making themselves look bad if they find a problem, they're also creating more work for themselves, right?

JOHNSTON: Absolutely. In many cases when the fix is very simple, organizations are very reluctant to do it, because that is sometimes thought of as saying, "We've been screwing up all these years." So you don't want to go with people who have a history of doing a vulnerability assessment and then telling you everything is swell. There are always vulnerabilities, and they are always present in very large numbers. Any vulnerability assessment that finds zero vulnerabilities is completely useless.

CSO: When you actually do the assessment, are there warm-ups you can do to get yourself in the mind-set of a bad guy, or are there ways you should set up the room?

JOHNSTON: A lot of vulnerability assessment needs to be very similar to classic brainstorming. A lot of the tools that are applied to creative thinking in other fields can be applied directly to vulnerability assessments. This is kind of a radical position. A lot of people in the security business are not comfortable with this 1960s hippy, touchy-feely, "let's all get together" approach.

CSO: I'm imagining a bunch of beanbag chairs.

JOHNSTON: Yeah. A lot of people would much rather have a rigorous, quantitative approach, and I would claim that's largely a sham. I don't think it's a mistake to use analytical tools like a security survey, but we would like to combine those more closed-ended, straightforward tools with creative thinking. The fact is that creativity has been studied extensively over the last 50 years, and there's a lot of understanding of how you create an environment where people come up with good ideas. It's not quite the seat-of-the-pants, wacky kind of thing that it might look like from the outside.

CSO: Should the CSO even be there?

JOHNSTON: You don't want the boss in the room, because it constrains people.
What you need are really nutty ideas, so we strongly encourage thinking about attacks that involve Elvis impersonators and flying monkeys and the use of space aliens. Early on, it's very important not to editorialize. Later on, we're going to prioritize them and think about the practicality of them. In many cases, we have people say, "Well, if I had the space aliens come down with a ray beam, they could do the following." Later on, it turns into a very viable attack, once we get rid of the space aliens and the laser beams.

CSO: Does this take hours? Days? Weeks?

JOHNSTON: It depends. If you're looking at a very complex security program, you may want to spend two or three weeks just kind of freewheeling. But you don't just sit around and do ideas. You generate nutty ideas, and then you go back to the program or the hardware and play around a little bit to see if those nutty ideas might have some merit. Then you get back together again, and you think of more nutty ideas based on what you learned. We're very much in favor of hands-on work, and not just thinking in abstractions. Toss the device around. Chat up the security guards. Kick the fence. Play with the system and try to understand how it behaves.

CSO: When the CSO tells his or her company about a vulnerability, we've seen that there can be a kind of "shoot the messenger" effect. (See "Don't Shoot the Messenger" from the August 2006 CSO.) What are ways they can avoid that or at least mitigate the effect?

JOHNSTON: We try to encourage people to think about a vulnerability not as bad news. It's great news. When you find a vulnerability, you can do something about it.

CSO: But you still have to take people down the path of, something terrible could happen.

JOHNSTON: All our vulnerability assessment reports start out by pointing to the good things. There are always good things. Sometimes they're an accident, but by pointing them out, you get them recognized.
Also, at the very beginning we always point out that we're going to find more vulnerabilities than they can possibly mitigate. We're going to make more suggestions for changes than you can possibly implement. That's OK. The bottom line is, vulnerability assessors are not here to tell you what changes to make. We're here to point out what we think are problems and what we think may be solutions. It's up to you to decide what you do with the findings. This binary thinking about security--that something is either secure or not secure, or that we have to have all the vulnerabilities covered or we're not doing our job--is really nonsense. Security is a continuum, and there are always going to be vulnerabilities you can't do anything about. That doesn't mean anybody is screwing up. That's just the way security works.

CSO: In coming up with this laundry list of problems and possible solutions, is there oftentimes an 80/20 thing at play, where you can solve 80 percent of the problems with 20 percent of the solutions?

JOHNSTON: It does work that way. People say, "Gee, you're telling me I need to make this one little change, and this attack and this attack and this attack and this other attack basically go away?" It's really quite surprising. Sometimes the vulnerabilities are extraordinarily complex, and the solutions, while they may not be 100 percent perfect, are often really painless. We don't always have the most realistic view--we work for the government--about what's economically viable to implement. Sometimes what we think is simple isn't really simple in the real world. But that's OK too. Sometimes our suggestions get the end users thinking, and then maybe they come up with their own solution.

CSO: You've brought a couple of industrial-organizational psychologists onto your team. Why?

JOHNSTON: Industrial-organizational psychology has been applied across a wide range of fields, but for some weird reason, not security.
When we first got these psychologists to work with us, they just couldn't believe that no one had applied all these powerful tools in industrial psychology towards security problems. Increasingly, we're using them to understand the human factors associated with security. In the end, security is really about how people interact with technology, how people use and think about technology, and how the technology was designed to enhance what people are already doing.

CSO: What kinds of things have the industrial-organizational psychologists found?

JOHNSTON: The main one early on was the recognition that the security guard turnover problem is a huge problem. The numbers typically run between 40 percent and 400 percent per year. McDonald's has a turnover rate of about 35 to 40 percent, so McDonald's does a better job than security of finding the right people and hanging on to them. There are plenty of organizations that do very fine with turnover rates that don't pay people very well and don't necessarily represent fabulous careers. There are ways that IO psychologists have developed over the last couple decades that help these companies, but the tools never have been applied to security. The first thing that our guys did was publish some papers basically saying, "Hey, wake up, we don't need to do any new R&D, there are all these tools already proven out there." They involve things like understanding who you hire and creating a realistic picture in their mind of what the job is like. If you simply do that, turnover rate plummets.

We're just beginning to look more specifically at how IO psychology applies to vulnerability assessments. It's a totally open field. One problem we want to look at is the tamper-indicating seals that are used for cargo security. We know from experience that some people are really good at finding seals that have been tampered with, and some people aren't. But we don't know why.
One of the things we want to do is study the people who are good at it and try to understand what it is that they're doing or what characteristics they have that make them good. One of the studies we want to do, and we haven't found anybody to fund it, is an eye-tracking study. We want to look at what seal inspectors are looking at. You give them this little eyeglass thing, and it tells what their eyes are looking at. It's used all the time to judge advertisements for TV; advertisers stick audiences in front of the proposed commercial to see if they're really looking at the product or they're looking at the pretty girl in the background. We want to apply this technology to understanding what the people who are effective at finding seals that have been tampered with are looking at. Maybe we can train people better, or maybe we can do a screening exercise to find the people who are really good at it, for whatever reason.

CSO: I know you've done a lot of work around what to do once you actually find a vulnerability. Can you tell me about the Vulnerability Disclosure Index that you and your group have created?

JOHNSTON: One of the problems with finding a vulnerability is, exactly who do you tell? We have found vulnerabilities that were specific to the sponsor of the vulnerability assessment, and of course if they pay for the work, they get the findings. No issue there. But we'll find things that have more general applicability. Now the question is, what do you do? A classic example is spoofing a global positioning system. Everyone's focused on jamming GPS devices, but that's not an interesting attack, because the GPS receiver knows it's not getting satellite signals from space. Spoofing, however, turns out to be surprisingly easy. You can feed fake coordinate information to a GPS receiver.

CSO: How could the bad guys use that to their advantage?
JOHNSTON: A lot of national networks, like for financial transactions, get their critical time synchronization from the GPS satellite signals. If someone fed the GPS fake information, the networks could crash within milliseconds. It could potentially be very serious. There's some recognition that jamming might be an issue, but in our view spoofing is the far more serious issue and is not widely recognized. Now, do we discuss this? Do we write papers about this problem? Or do we just keep our mouths shut?

This kind of problem crops up all the time, but there are some fairly straightforward, simple signs you're looking for. If there are a whole lot of good guys who don't seem to be very sophisticated in understanding the vulnerabilities, and there are only a small number of bad guys, you probably ought to just publicize it to the world. If the attack is pretty obvious--and I think GPS spoofing is--the bad guys are going to figure it out anyway. So again, you probably ought to just tell the whole world. On the other hand, if it's kind of a specialized security device not being used by very many people, but a whole bunch of potential bad guys might want to exploit it, then maybe you don't need to be publicizing that vulnerability. Instead, you want to seek out the specific end user and point out the potential problem. The Vulnerability Disclosure Index is a sort of semiquantitative attempt to try to provide some guidance as to whether you should disclose this vulnerability, how publicly, and in how much detail you should go.

CSO: Vulnerability disclosure has been especially contentious in the field of IT security. (See "The Chilling Effect" from the January 2007 CSO.) Does this Vulnerability Disclosure Index apply to IT vulnerabilities as well?

JOHNSTON: It's really meant for physical security. IT lives in a very different world. Let's say you're playing around on your home computer, and you find a very serious software vulnerability.
There's some controversy, but most people agree you should do the following: You should contact the software company and say, "I think there's a problem here." You give them a chance to fix that. If after a while they're just stonewalling and not doing anything, then maybe you go public. Once they fix the problem, it's no big deal. Everybody who bought the product typically does checks on whether there are upgrades.

Physical security is not like that. In many cases the physical security systems are from a bunch of different vendors and may be put together by a third-party vendor. Often there's no one company to go to complain about a potential vulnerability. Moreover, the fix isn't just some software download. The fix may require servicepeople going out and changing parts, and it could be very expensive, very disruptive. Before you get everybody all wound up about a physical security vulnerability, you may want to think about, is it even going to be practical to fix it?

CSO: You've written that when the vulnerability assessment is chartered, the sponsor owns the findings, but that that doesn't necessarily "relieve the vulnerability assessors of their responsibility to warn others of a clear and present danger." This might strike fear into the hearts of CSOs who think they're going to hire someone to do a vulnerability assessment and the contract will ensure that the findings remain private.

JOHNSTON: A typical example would be if a company is considering a commercial security device. Let's say we do a vulnerability assessment on that device and oh my gosh, if you poke it with a paperclip it will quit working. And we know that commercial device is being used for a wide variety of applications, including corporate security, U.S. national security and nuclear safeguards. We believe we have some moral responsibility to tell people there might be a problem. Most companies we've done that for have had no problems and in some cases encourage us to do exactly that.
Senior Editor Sarah D. Scalet can be reached at sscalet (at) cxo.com. If you would like to see a copy of a paper Roger Johnston wrote about vulnerability disclosure, contact him at rogerj (at) lanl.gov.

Copyright 2002-2007 CXO Media Inc. All rights reserved.

From alerts at infosecnews.org Wed Jun 6 00:30:39 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] IT advisory council to contribute to Ohio University's security efforts
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9023219

By Jaikumar Vijayan
June 05, 2007
Computerworld

Ohio University last week announced the creation of a new Information Technology Advisory Council that will contribute to its ongoing efforts to revamp data security following a series of high-profile computer intrusions at the university last year.

The advisory council will include representatives from faculty, staffers, students, IT professionals and executive leadership at the university. Its mission is to provide guidance for IT policies and processes, review and prioritize proposals for new IT services, and recommend IT-related funding requests from the university, a university statement said. In addition, the council will help develop a mission statement and strategic plan for central IT besides overseeing an annual process for measuring the effectiveness of central IT, the statement said.

The creation of the committee builds on measures the university is taking to fortify IT security, said Brice Bible, who took over as the CIO at Ohio University in April. "This presents a great opportunity for each of the university's constituents to have a formal voice in IT direction," Bible said. "The council will allow [the central IT organization] to have a two-way conversation" with all of the stakeholders across the university, he added.
Ohio University's move to establish the advisory council is the latest in a series of steps that the institution has taken in response to the discovery of five separate data breaches involving its systems in a two-month period, starting in April of last year. The breaches included one that resulted in the exposure of personal data belonging to 137,000 alumni, and another that involved the compromise of a server containing personal data on 60,000 current and former students as well as some faculty and staff.

The incidents prompted the resignation of the university's CIO William Sams and the firing of two senior IT executives. It also triggered a wide-ranging overhaul of the university's IT infrastructure and strategies, including a 20-step plan for improving information security.

Much of the work on the technology front has already been accomplished or is in the process of being implemented, Bible said. For instance, he said, the university has deployed new perimeter firewall and network intrusion-detection and -prevention systems. Measures have also been taken to eliminate the use of Social Security numbers on student and employee identification cards, he said. Starting June 18, all students and employees will be issued new ID cards without Social Security numbers, he said. An effort is also under way to identify systems containing sensitive data across the university and to find ways to minimize that data. The new advisory council will play a part in helping to vet a new data classification policy that is being rolled out across the university by the central IT department, Bible said.

"We are making significant progress at the foundational level," Bible said. He said that more work remains to be done in areas such as user education and security awareness training -- issues that the new council is designed to address.
Expect also to see the council play a significant role in an evolving effort to centralize more of the university's distributed IT operations, Bible said. The central IT organization that Bible heads is currently working with the separate IT groups at the university's College of Arts and Sciences, the College of Engineering and the Finance & Administration area. Bible said that the effort is to find areas where some IT functions can be managed by a core central IT group.

"There is a strong buy-in from university leaders about the need to rightsize the balance between distributed and centralized IT," Bible said. "We are beginning to develop a rightsize model, and we will use those two colleges and the one service unit to prototype it," he added; if successful, the same model will be rolled out universitywide.

From alerts at infosecnews.org Wed Jun 6 00:30:56 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Who's To Blame For Insecure Software? Maybe You
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=199901402

By Larry Greenemeier
InformationWeek
June 5, 2007

The recent observation that companies buying software are unaware of 95% of the bugs contained therein places the well-worn argument about the value of security vulnerability research in a new light. Are security researchers, who spend much of their time finding flaws in others' programming efforts and are often the bane of software vendors, doing enough? And do software consumers escape blame for shoddy products put on the market?

Attendees at the Gartner IT security summit keynote session Tuesday responded to an instant poll indicating that most of them, 57% of the 340 people present, believe that vulnerability labs set up by security researchers are a useful public service, while 22%, or 75 people, think they're a distraction that forces them to patch more often.
Yet there's no consensus on how much information to disclose or when to disclose it. The discovery of a security vulnerability in a piece of software is in many ways like seeing that the front door to your neighbor's house has been left open, David Maynor, chief technology officer of Errata Security, said Tuesday. The options are calling the neighbor right away and alerting them to the open door, inspecting the neighbor's house (helping yourself to some of their food and trying on their clothes in the process) before calling them, or calling all of the other neighbors on the block to tell them about the neighbor's open door. An even more nefarious option is to close the neighbor's door but leave it unlocked so that the house can be entered some time in the future.

In software terms, that pretty much sums up the spectrum that includes discreet disclosure of software vulnerabilities to the software's maker, full disclosure of the vulnerabilities to the public Internet, and no disclosure at all. Different researchers take a different approach. Maynor, for example, says he gives the software vendor a month to fix its software vulnerability before he reports the flaw publicly. "We'll give you 30 days to fix a bug, that's it," he said. Thomas Ptacek, the principal of Matasano Security and a member of the Tuesday morning keynote panel, said he's willing to wait until the software maker makes its own decision to publicly disclose a vulnerability before he publishes his report.

One sentiment that's been floated is for software vendors, or internal software developers, to be held liable for flaws in their products that lead to intrusions into their customers' -- or their own -- networks and breaches of data found there.
The concept of spending the time and money to write secure programs is a difficult one for company executives on the business side to accept, as it means possibly extending deadlines for deployment, lowering margins on products, or passing along the higher costs to customers. But it's worth it for companies to consider paying extra attention to the security of the programs they write, when you consider the cost of fixing a bug once an application is shipped and in use can be up to 100 times more expensive than identifying the problem during the development phase, Chris Wysopal, chief technology officer for Veracode and the third member of the Tuesday morning keynote panel, said.

There was no consensus as to how much money to spend on measures required to write more secure applications. Whereas Maynor believes that companies should consider spending as much as 25% of the cost of the total project on security, Ptacek puts the figure at closer to 10%. Maynor reasoned that internal applications must be secured to defend companies against insiders and intruders who are able to penetrate a company's outer defenses.

Still, security researchers aren't so quick to heap all of the blame on software vendors. Those who've properly configured their firewalls and kept their software patches up to date are much less likely to become victims of a data breach, Maynor said. In April, Microsoft issued an advisory warning users of a vulnerability in its Domain Name System Server Service that potentially allowed an attacker to execute code remotely in Windows environments. Although an exploit was published to take advantage of this problem, "it was found that if you had your firewall properly configured, it wouldn't have been an issue," Maynor said.
Another Gartner poll taken during the session indicated that, when the Microsoft Windows Domain Name Service flaw was revealed in August, 2006, 30% of attendees waited for Microsoft's patch, while 20% disabled the Remote Procedure Call, or RPC, management interface used by the DNS service. Only 7% tried a non-Microsoft patch. Most disturbing, 23% were unfamiliar with the DNS flaw.

Software consumers have a responsibility to test the security of the products they buy prior to implementation, the panel agreed. If more software vendors thought their customers did this, they'd be compelled to provide a higher quality product in the first place. Microsoft has gotten a lot of credit for improving both the security of its products and the process by which those products are patched, but it's not hard to figure out why. "Microsoft found religion because they knew that they had a lot of security researchers looking at their product," Ptacek said. If market scrutiny can change the direction of a company the size of Microsoft, there's no reason other software vendors can't be made to fall in line.

Copyright 2007 CMP Media LLC

From alerts at infosecnews.org Wed Jun 6 00:31:10 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] TJX chief apologizes for data breach
Message-ID:

http://www.boston.com/business/ticker/2007/06/tjx_chief_apolo.html

By Jenn Abelson, Globe staff
June 5, 2007

ATLANTA -- At her first shareholder meeting as chief executive of TJX Cos., Carol Meyerowitz apologized for the Framingham merchant's recent security breach that involved the theft of at least 45.7 million credit and debit card numbers and said she wished the incident -- the biggest loss of personal data reported -- never happened.
Meyerowitz, who took over the helm of the company in January, said increasingly sophisticated cyber criminals are a global and complex problem for government agencies, hospitals, universities, and retailers who have all suffered attacks in recent years. Despite having security measures in place, TJX said hackers still managed to get into its systems. "But we had locks," Meyerowitz said.

It was one of the first times TJX held its annual shareholder meeting outside of its hometown Framingham. Only a handful of shareholders attended yesterday's meeting and none asked about the security breach. The company refused questions from the media. A company spokeswoman said the shareholder meeting coincided with a yearly off-site trip by the board of directors. This year Atlanta was selected because it is one of TJX's largest markets and the company operates a distribution center in a nearby town.

From alerts at infosecnews.org Wed Jun 6 00:31:27 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Security's Soft Underbelly
Message-ID:

http://www.darkreading.com/document.asp?doc_id=125692

By Larry Ponemon
Special to Dark Reading
June 5, 2007

Databases are among the most widely deployed, complex, and fastest growing technologies in corporate infrastructures. Stocked with vast amounts of business-critical, sensitive records, they're now the focal point in highly-damaging data breaches. It's a safe bet that perpetrators will target databases even more in the days ahead. Yet, as businesses rush to provide real-time information flow inside and outside their organizations, database security remains one of the least understood and most under-funded aspects of corporate security -- and IT is yelling for help.

These are some of the key findings in a new study [1] we released yesterday in conjunction with Application Security (AppSecInc).
We queried 649 highly experienced IT professionals, more than 70 percent of whom are responsible for managing all or part of their organization's IT budget -- a solid barometer for corporate priorities. Of the 2007 total corporate IT budget, respondents said they have allocated 34 percent for database infrastructure and 20.6 percent for IT security overall. More than 53 percent believe their databases are critical to their businesses. But only 15 percent said that extending security best practices to the database is a "critical priority" for 2007. Higher priorities included upgrading applications (25 percent), improving the efficiency of IT (20 percent), and consolidating IT infrastructure (19 percent). Upgrading security overall (13 percent) finished slightly lower, as did supporting Sarbanes-Oxley (10 percent) and upgrading disaster recovery capabilities (9 percent).

Interestingly, 92 percent of respondents are seeking a better tool to help them identify and analyze risk factors that exist within their systems or IT infrastructure. This makes sense, particularly as a majority of respondents plan no, or only slight, increases in IT staff in 2007.

According to our study results, IT security practitioners are fairly confident they can stop hackers from compromising their systems (68 percent), but they are far less certain that they can prevent malicious insiders (43 percent) and negligence (45 percent). Respondents in larger organizations are more confident than those in smaller-sized companies when it comes to their ability to control these threats.

What's in corporate databases? Lots of valuable data. Some 55 percent of respondents said their databases contain customer data, 54 percent said databases contain employee data, and 50 percent contain confidential business data. Intellectual property -- the most highly-guarded data in our survey -- resides in 38 percent of respondents' databases.
Respondents' database environments are of substantial scale and complexity -- a majority of respondents manage more than 500 databases. Twenty-nine percent have many different database types and technologies. Another 38 percent said their IT environment consists of a few different types of databases. Only 24 percent of respondents stated that their organization utilizes one primary database technology. One of the biggest challenges, then, is coordinating database security across the enterprise. SQL, Oracle, and DB2 are the most frequently used database solutions for respondent companies. In addition, our results show that both Oracle and DB2 are the most likely to be used for critical or high-priority data. MySQL and Sybase were the least likely to be used for critical data. What are the features most important to respondents when purchasing a database security software application or tool? Robust access controls, ease of integration, and the ability to identify unauthorized access are viewed as the three most important features. Real time alerts and preformatted policies for Sarbanes Oxley or PCI compliance ranked low on the list. Clearly, database security is becoming an important part of the security picture, but most organizations still have a lot of work to do. If you have questions about the research, please contact us. - Larry Ponemon is founder and CEO of Ponemon Institute LLC. - Special to Dark Reading. 
[1] http://www.appsecinc.com/news/pr/2007_6_04_Ponemon-Study.shtml

From alerts at infosecnews.org Thu Jun 7 00:19:23 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] The importance of vulnerability research
Message-ID:

http://www.networkworld.com/news/2007/060507-vulnerability.html

By Cara Garretson
Network World
06/05/07

WASHINGTON - Testing in-house and vendor-built software for security holes should be an enterprise priority, said a group of vulnerability research experts speaking on a panel at the Gartner IT Security Summit held here this week. But Rich Mogull, the Gartner analyst who hosted the panel, questioned how practical it would be for companies to dedicate the dollars and resources required for this testing.

Thomas Ptacek, founder of application security consulting firm Matasano Security, defined vulnerability research as analyzing software for holes that attackers could take advantage of before the product is deployed, using techniques such as reverse engineering and source-code auditing. Software vendors and many enterprises have teams of engineers in house to perform this testing, or rely on third parties such as the panelists' companies that specialize in finding vulnerabilities.

The benefit of this testing is being able to avoid the damage an attacker could cause by fixing software problems before implementation.

"If you don't find the problems, someone [else] will find the problems," said Chris Wysopal, co-founder of Veracode. "If you leave crumbs on the floor the ants are going to show up. That's a huge liability for your company."

For software built in-house, vulnerability testing should be part of the software development life cycle, not an afterthought, Wysopal said.

"Threat modeling to find out what are the weakest parts and easiest attack vectors [of an application] is what people should do when designing software; you find the weak points through threat modeling then start reverse engineering," he said.

Simply using tools that scan for vulnerabilities is not enough, the panelists agreed.

"Scanning tools can reduce the amount of time you spend [analyzing the code] manually, but if you care about the security of the application you need to go deep and augment the scanner," said Ptacek. "The place of the scanner is to accelerate testing, but you can't rely on them."

Gartner's Mogull did an electronic poll of the roughly 1,000 conference attendees, asking what level of vulnerability testing they performed at their organizations. The majority said their testing was limited to using commercial scanning tools.

One reason enterprises may not be doing more intense vulnerability testing is that the necessary skills are rare, Mogull suggested.

"It's a huge skills issue," conceded Wysopal. "It would be best to have an expert researcher looking at every piece of code out there, but you just can't find them."

Ptacek disagreed, saying services such as Web application penetration testing are readily available.

Another panelist, Errata Security co-founder David Maynor, added that any steps an organization can take to find vulnerabilities in software are worth it. "You're not wasting your money just because you don't find bugs," Maynor said.

Yet the process is still an expensive one, Mogull said, and enterprises can't be expected to dedicate such time and money to extensively testing every application.

"You have to have the appropriate level of testing [correlate to] the risk of the application," said Wysopal. "Not every application requires hired experts coming in, or training up a large team. Some applications are not as risky as others."

Ptacek again disagreed, saying that every application offers entry into an organization. Even innocuous applications deployed inside an organization can be lethal if exploited, since just about every application contains or connects to sensitive data. The one example the panel came up with of a program that wouldn't pose a threat if compromised was an employee lunch-ordering application.

"Every piece of software is not a Boeing flight-control system where everyone will die if there's a bug," countered Wysopal.

Mogull asked what percentage of the application development life cycle budget should be devoted to vulnerability research. Wysopal answered at least 5%; Ptacek said between 5% and 10% -- adding that the cost for such testing should actually come out of the quality assurance budget -- but Maynor said closer to 25%. "It's easier to allocate dollars before deployment than fix [a vulnerability] after it's been deployed," he said.

Turning to commercial software, Mogull asked the audience for a show of hands if they reverse engineer products they buy from vendors to look for vulnerabilities. Outside of the panelists, few hands went up.

"It would be ridiculous to test [to that level] every single product you bring into your organization. What level of testing is OK?" Mogull asked the panel.

"Put one to two person-weeks on any new product and you'll find stuff," said Ptacek. "Use a sniffer and look at packets on the wire. You'll find vulnerabilities, and you'll gain control over how they're going to be fixed."

All contents copyright 1995-2007 Network World, Inc.

From alerts at infosecnews.org Thu Jun 7 00:20:19 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Is Another Web-Based Super Worm on the Way?
Message-ID:

Forwarded with permission from: Security UPDATE

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

VeriSign's Extended Validation SSL Certificates
http://list.windowsitpro.com/t?ctl=58F2D:57B62BBB09A69279FBC549C5DF4EA0E5

Top Ten Server Virtualization Considerations
http://list.windowsitpro.com/t?ctl=58F38:57B62BBB09A69279FBC549C5DF4EA0E5

Protect Info from Phishing and Pharming Exploits
http://list.windowsitpro.com/t?ctl=58F25:57B62BBB09A69279FBC549C5DF4EA0E5

=== CONTENTS ===================================================

IN FOCUS: Is Another Web-Based Super Worm on the Way?

NEWS AND FEATURES
- Google Buys GreenBorder, Gains Security Technology
- Mozilla Releases Firefox Updates, Retires Firefox 1.5.0.x
- Spam King Gets Slapped with 35 Criminal Charges
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: PHP 5.2.3 Coming Soon--RC1 Available Now; Windows Media Player Plug-In for Firefox
- FAQ: Disable IE Enhanced Security in Windows Server 2008
- From the Forum: Multiple Web Servers Behind One IP Address with a Proxy Server?
- Share Your Security Tips
- Microsoft Learning Paths for Security: Reducing the Challenges and Complexities of Identity and Access Management

PRODUCTS
- Web Filter Gets Reporting Engine
- Product Evaluations from the Real World

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: VeriSign ==========================================

VeriSign's Extended Validation SSL Certificates

Increase customer confidence at transaction time with the latest breakthrough in online security--Extended Validation (EV) SSL Certificates from VeriSign. Extended Validation triggers the address bar to turn green when a visitor is using Microsoft Internet Explorer 7 and viewing a site with EV SSL Certificates. This green bar lets customers know that the site they are on is highly authenticated and secure.

In a recent VeriSign study, 77% of the respondents indicated that they would be hesitant about shopping at, would check into problems with, or would abandon a site that once showed EV and no longer did. Learn more about Extended Validation by reading the technical white paper: Maximizing Site Visitor Trust Using Extended Validation SSL.
http://list.windowsitpro.com/t?ctl=58F2D:57B62BBB09A69279FBC549C5DF4EA0E5

=== IN FOCUS: Is Another Web-Based Super Worm on the Way? ======
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Over the years, we've seen a number of "super worms." For example, Nimda, Code Red, and SQL Slammer were devastatingly effective. They spread quickly, infected a huge number of systems, and cost a great deal of money to eradicate.

Worm technology has certainly evolved, and in many cases it basically follows the path of least resistance. Since Web technology is dominant and Ajax (a combination of JavaScript and XML) is being more widely used every day, it seems rather natural that worms would begin to target those technologies.

In fact, back in 2005, someone created an Ajax-based worm (dubbed Samy) and turned it loose on MySpace. The worm worked by taking advantage of the browser when a MySpace user visited a particular MySpace page. The page loaded JavaScript worm code that used Ajax to spread itself to the MySpace user's page. And that cycle kept repeating itself. Within 24 hours, Samy had reportedly spread to more than 1 million MySpace pages! You can read a blow-by-blow description of how the worm worked at this URL:
http://list.windowsitpro.com/t?ctl=58F3A:57B62BBB09A69279FBC549C5DF4EA0E5

Samy took advantage of several problems with Ajax technology, one of which is the familiar cross-site scripting (XSS) scenario in which a script from one site interacts with another site. If someone were to take a worm like Samy further by automating it to contain a longer list of sites vulnerable to XSS attacks, the effect could be far more significant. After all, if the Samy worm could infect over 1 million MySpace sites in only 24 hours, then a worm targeting many different sites would spread exponentially faster. Furthermore, such a worm could do a lot more than simply spread itself. It could, for example, easily be made to steal user credentials and post that information someplace for an intruder to receive.

Recently, Petko Petkov showed how using a combination of available technologies would provide the means for a new super worm to be created. You might know about XSSed.com, a site that aggregates lists of other sites that contain XSS vulnerabilities. The lists are presented in an easy-to-parse format and include examples of how to exploit each XSS vulnerability. Having such a database available online is useful, even educational, but at the same time, it's a treasure trove for a malicious coder.

Petkov showed that a new super worm could use XSSed.com as a base and technologies such as Dapper and Yahoo Pipes to spread itself at lightning speed. Dapper (at the first URL below) lets people grab content from nearly any Web site. The content can be automatically formatted into XML (and other formats). So, effectively, someone can use Dapper to create a list of sites vulnerable to XSS along with the sites' associated exploits, all in XML-formatted code that a script can then use for attacks. Yahoo Pipes (at the second URL below) lets the malicious script obtain such a list very quickly on the fly.
http://list.windowsitpro.com/t?ctl=58F3F:57B62BBB09A69279FBC549C5DF4EA0E5
http://list.windowsitpro.com/t?ctl=58F3E:57B62BBB09A69279FBC549C5DF4EA0E5

With that data and technology available, a worm would spread incredibly quickly. The problem is compounded by the fact that neither Dapper nor Yahoo Pipes specifically is necessary for such a worm to work. The technology provided by those two services could easily be recreated on any number of sites around the Internet.
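A Samy-style worm needs one thing from the host site: a place where user-supplied content is written into a page that other users view, without being encoded for the context it lands in. The defence the article comes round to, not building sites with XSS vulnerabilities in the first place, is in practice mostly contextual output encoding. The block below is an added example, not code from the newsletter, from MySpace, or from any of the services the article names: a constructed profile-rendering function in its vulnerable and hardened forms, run against a constructed profile whose "about me" field carries a script tag. The helper names, the profile fields and the crude active-content check are all assumptions made for this example.

```javascript
// Added example: contextual output encoding as the defence against stored XSS
// of the kind the Samy worm relied on. Everything here is constructed for the
// example; the profile shape and function names are assumptions, not a real
// site's API.

// Replacement table for the characters that change meaning inside an HTML
// text node or a double-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted data for the HTML text / quoted-attribute contexts.
// Everything outside the five characters above passes through unchanged.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable rendering: stored user content is concatenated straight into the
// page, so any markup in the profile becomes live markup for every visitor.
function renderProfileVulnerable(profile) {
  return `<div class="about" data-user="${profile.user}">${profile.about}</div>`;
}

// Hardened rendering: each untrusted value is encoded for the context it lands
// in (attribute value and text node here), so a stored payload is displayed as
// text rather than parsed as an element.
function renderProfileSafe(profile) {
  return `<div class="about" data-user="${escapeHtml(profile.user)}">` +
         `${escapeHtml(profile.about)}</div>`;
}

// Crude check used only to make the difference visible in this example: does
// the rendered string contain a script element start tag or something that
// looks like an inline event handler? A browser's HTML parser is the real
// arbiter; this regex is illustration, not a sanitizer.
const ACTIVE_CONTENT = /<script\b|\son\w+\s*=/i;

function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Constructed sample profiles. The hostile one carries a script tag in the
// free-text field, which is exactly where a worm's payload would be stored.
const hostileProfile = {
  user: 'mallory',
  about: 'but most of all, <script>alert("xss")</script> is my hero',
};

const benignProfile = { user: 'alice', about: 'Likes cats & <3 tea' };

// Stand-alone run: print both renderings so the difference is visible.
console.log('vulnerable:', renderProfileVulnerable(hostileProfile));
console.log('hardened:  ', renderProfileSafe(hostileProfile));
```

Run it with node: the vulnerable rendering emits the script tag as live markup for every visitor, the hardened one shows the same text inert. Encoding is context-specific. escapeHtml covers text nodes and quoted attribute values; a value dropped into a URL attribute, a script block or an inline style needs that context's encoding, and a site that deliberately lets users post rich HTML needs an allow-list sanitizer rather than escaping alone.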
So stopping such a worm isn't as simple as it might seem at first. The best defense, of course, is to not create Web sites that contain XSS vulnerabilities!

You can read more about Petkov's ideas at the first URL below. The upcoming Black Hat USA 2007 conference will have at least three presentations that deal with Web worms (see the second URL below), including "Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity" by Brad Hill; "Premature Ajax-ulation" by Bryan Sullivan and Billy Hoffman; and "The Little Hybrid Web Worm that Could" by Billy Hoffman and John Terrill. So if you're going to Black Hat USA this year (July 28 - August 2 in Las Vegas), consider attending these presentations.
http://list.windowsitpro.com/t?ctl=58F33:57B62BBB09A69279FBC549C5DF4EA0E5
http://list.windowsitpro.com/t?ctl=58F2C:57B62BBB09A69279FBC549C5DF4EA0E5

=== SPONSOR: SWSoft ============================================

Top Ten Server Virtualization Considerations

The playing field for server virtualization has become much more crowded over the last few years. This checklist provides a list of the main considerations and basic differences between the technologies to provide a starting point for technology evaluation.
http://list.windowsitpro.com/t?ctl=58F38:57B62BBB09A69279FBC549C5DF4EA0E5

=== SECURITY NEWS AND FEATURES =================================

Google Buys GreenBorder, Gains Security Technology
Expanding its security tools further, Google has acquired GreenBorder Technologies, maker of security tools that protect browsers, IM clients, and email clients.
http://list.windowsitpro.com/t?ctl=58F30:57B62BBB09A69279FBC549C5DF4EA0E5

Mozilla Releases Firefox Updates, Retires Firefox 1.5.0.x
Mozilla Foundation released updates for Firefox that fix five vulnerabilities present in both the 2.0.0.x and 1.5.0.x versions and said that unless a serious problem is discovered in the 1.5.0.x series, no further updates to it will be made available.
http://list.windowsitpro.com/t?ctl=58F2F:57B62BBB09A69279FBC549C5DF4EA0E5

Spam King Gets Slapped with 35 Criminal Charges
Robert Alan Solloway, infamous as a prolific spammer, has been arrested in Seattle and charged with several federal offenses. The arrest warrant charges Solloway with 35 counts of mail fraud, wire fraud, email-based fraud, identity theft, and money laundering.
http://list.windowsitpro.com/t?ctl=58F2E:57B62BBB09A69279FBC549C5DF4EA0E5

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=58F27:57B62BBB09A69279FBC549C5DF4EA0E5

=== SPONSOR: Websense ==========================================

Protect Info from Phishing and Pharming Exploits

Combat phishing and pharming with complete protection against complex Internet threats by filtering at multiple points on the gateway, network, and endpoints.
http://list.windowsitpro.com/t?ctl=58F25:57B62BBB09A69279FBC549C5DF4EA0E5

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: PHP 5.2.3 Coming Soon--RC1 Available Now; Windows Media Player Plug-In for Firefox
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=58F37:57B62BBB09A69279FBC549C5DF4EA0E5

PHP 5.2.3 will probably be released in the next week or two unless major problems are discovered in RC1. Get a link to test RC1 right now; plus get a link for a Microsoft-developed Windows Media Player (WMP) plug-in for Mozilla Firefox.
http://list.windowsitpro.com/t?ctl=58F26:57B62BBB09A69279FBC549C5DF4EA0E5

FAQ: Disable IE Enhanced Security in Windows Server 2008
by John Savill, http://list.windowsitpro.com/t?ctl=58F35:57B62BBB09A69279FBC549C5DF4EA0E5

Q: How do I turn off Internet Explorer Enhanced Security Configuration in Windows Server 2008?
Find the answer at
http://list.windowsitpro.com/t?ctl=58F31:57B62BBB09A69279FBC549C5DF4EA0E5

FROM THE FORUM: Multiple Web Servers Behind One IP Address with a Proxy Server?

A forum participant writes that he has a cable modem connection with a domain name mapped to his dynamic IP address. He has multiple Web servers on his network that he wants to make accessible to the Internet. When he had only one Web server, he could use port forwarding to make that site accessible, but now with several servers, he wonders if he needs to use a proxy server to forward requests to the appropriate site. He also wonders if an article is available that details how to set up a Windows Server 2003 machine as a proxy server.
http://list.windowsitpro.com/t?ctl=58F21:57B62BBB09A69279FBC549C5DF4EA0E5

SHARE YOUR SECURITY TIPS AND GET $100

Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@securityprovip.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

MICROSOFT LEARNING PATHS FOR SECURITY: Reducing the Challenges and Complexities of Identity and Access Management

Learn how to reduce and control the challenges and complexities of enterprisewide identity and access management. Gain more control by providing a single view of a user's identity across the enterprise through the automation of common tasks. And learn how to use an integrated approach with smart cards, certificate and password management, and user provisioning.
http://list.windowsitpro.com/t?ctl=58F32:57B62BBB09A69279FBC549C5DF4EA0E5

=== PRODUCTS ===================================================
by Renee Munshi, products@windowsitpro.com

Web Filter Gets Reporting Engine

Barracuda Networks announced the immediate availability of new reporting capabilities in Barracuda Web Filter firmware 3.2. The updated firmware adds a set of reports based on criteria such as user behavior, traffic patterns over time, bandwidth usage, domain requests, Web site categories, and log history, and supports PDF, HTML, text, and CSV output formats. The 3.2 firmware release also lets existing Barracuda Web Filter customers compile reports on historical Web traffic. (Barracuda Web Filter can store approximately six months of Web traffic history.) Barracuda Web Filter customers with current Energize Updates subscriptions can upgrade to the new firmware release at no additional charge. For more information, go to
http://list.windowsitpro.com/t?ctl=58F3D:57B62BBB09A69279FBC549C5DF4EA0E5

PRODUCT EVALUATIONS FROM THE REAL WORLD

Share your product experience with your peers. Have you discovered a great product that saves you time and money? Do you use something you wouldn't wish on anyone? Tell the world! If we publish your opinion, we'll send you a Best Buy gift card! Send information about a product you use and whether it helps or hinders you to whatshot@windowsitpro.com.

=== RESOURCES AND EVENTS =======================================

For more security-related resources, visit
http://list.windowsitpro.com/t?ctl=58F34:57B62BBB09A69279FBC549C5DF4EA0E5

Learn how to achieve ROI with your log management system in a matter of months without costly or daunting investments. Attend this Web seminar and learn how to ensure that your organization gets the most out of its log management investment, the key requirements and architectural differences you need to consider, and the caveats and risks to watch for when you spec out your requirements and design.
http://list.windowsitpro.com/t?ctl=58F22:57B62BBB09A69279FBC549C5DF4EA0E5

Tune in to the hottest network security products by listening to this exclusive podcast featuring Windows IT Pro Editorial and Strategy Director Karen Forster and Microsoft's Ian Hameroff. Learn how Network Access Control (NAC) and Network Access Protection (NAP) work, the technologies that are involved, and which third-party products are poised to work with those technologies.
http://list.windowsitpro.com/t?ctl=58F24:57B62BBB09A69279FBC549C5DF4EA0E5

Don't miss the 16th USENIX Security Symposium in Boston, August 6-10, 2007. Security '07 offers in-depth training by experts such as Richard Bejtlich (on TCP/IP Weapons School) and Dan Geer (on measuring security). The comprehensive technical program includes a keynote address by Steven Levy, senior editor and columnist at "Newsweek," on "How the iPod Shuffled the World as We Know It"; 23 refereed papers; and talks by Gary McGraw and Peter Gutmann. Don't miss the latest advances in the security of computer systems and networks. Register by July 16 and save!
http://list.windowsitpro.com/t?ctl=58F3B:57B62BBB09A69279FBC549C5DF4EA0E5

=== FEATURED WHITE PAPER =======================================

MSCS clustering can be a good option for local high availability, but it doesn't completely protect you from unplanned downtime. Download this free white paper and learn how extending your MSCS cluster offsite with a high-availability solution that integrates with CDP technology can protect against data corruption, including damage done by viruses or human error.
http://list.windowsitpro.com/t?ctl=58F23:57B62BBB09A69279FBC549C5DF4EA0E5

=== ANNOUNCEMENTS ==============================================

Scripting Pro VIP--Just Download and Run

Scripting Pro VIP is an online resource that delivers in-depth articles (with downloadable code!) every week on topics such as ADSI, ADO, and much more. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other unique benefits! Order now at an exclusive charter rate and save up to $50!
http://list.windowsitpro.com/t?ctl=58F29:57B62BBB09A69279FBC549C5DF4EA0E5

Special Invitation for VIP Access

Become a VIP subscriber and get continuous, inside access to ALL the content published in Windows IT Pro, SQL Server Magazine, Exchange & Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe now!:
http://list.windowsitpro.com/t?ctl=58F28:57B62BBB09A69279FBC549C5DF4EA0E5

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
http://list.windowsitpro.com/t?ctl=58F36:57B62BBB09A69279FBC549C5DF4EA0E5
http://list.windowsitpro.com/t?ctl=58F3C:57B62BBB09A69279FBC549C5DF4EA0E5

Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=58F2B:57B62BBB09A69279FBC549C5DF4EA0E5

Be sure to add Security_UPDATE@list.windowsitpro.com to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=58F39:57B62BBB09A69279FBC549C5DF4EA0E5
About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=58F2A:57B62BBB09A69279FBC549C5DF4EA0E5

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
From alerts at infosecnews.org Thu Jun 7 00:20:36 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Survey: Unauthorized teleworkers a security risk
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=37105

By Aliya Sternstein
National Journal's Technology Daily
June 4, 2007

Federal teleworkers are less of a security risk than many of their in-office colleagues who take home government work without authorization, according to a report released Monday by the public-private partnership Telework Exchange.

An online poll of 258 federal employees, including sanctioned teleworkers, non-teleworkers and non-teleworkers who unofficially work at home, revealed that federal data is significantly more mobile and still vulnerable. Telework Exchange conducted the survey in May to examine changes in data mobility and security awareness one year after the loss of a Veterans Affairs Department laptop that contained personal data on 26.5 million veterans and active-duty members.

The report found that 63 percent of respondents who worked from home unauthorized -- more than half of the non-teleworkers surveyed -- used their home computers in doing that work.

"People were saving documents on their home computers that were unprotected," said Josh Wolfe of Utimaco, a data security company that underwrote the study.

After the VA incident, 13 percent of federal employees surveyed said their newly issued laptops did not have encryption. And while 65 percent of employees said their agencies reinforced security policies after the event, only 48 percent said their agencies provided additional training.

When teleworkers and non-teleworkers were asked if they had antivirus protection on their laptop or desktop computers, 94 percent of teleworkers responded yes, while only 75 percent of non-teleworkers said yes.

The survey, which had a 6 percent error margin, did not break down results by agency or job function.

"We're not sure if these people are dealing with spreadsheets with Social Security numbers on them or something more mundane than that," Wolfe said. Still, he said, agencies should be reemphasizing security procedures for all authorized teleworkers and making sure all mobile equipment -- not just laptops -- is secure.

The report recommends that agencies audit the online behavior of unofficial teleworkers who work at home and give them the same home computer security training and equipment as official teleworkers.

Diane Merriett, a spokeswoman for the General Services Administration, which helps agencies maintain security controls to enable telework, said the behavior of unauthorized teleworkers "is outside the realm of GSA comment." She directed Technology Daily to the GSA's March bulletin on telework IT guidelines.

The bulletin states that agencies should encrypt all data on mobile computers and devices that carry agency data, "unless the agency determines that the data are nonsensitive." Each agency is supposed to establish its own policies for "limited personal use" of government e-mail and Internet systems based on 1999 recommendations by the CIO Council, according to the bulletin. That guidance advises agencies to review user activity logs for inappropriate activities.

Colleen Kelley, president of the National Treasury Employees Union, said the study's finding that agencies failed to encrypt data on some new laptops is "disappointing." A large number of her members "routinely travel in the course of their daily work. These include Internal Revenue Service revenue agents and revenue officers, bank examiners of the Federal Deposit Insurance Corp., and many others," she said, adding, "This is an important shortcoming that must be addressed by agencies, even as they seek to expand telework opportunities."
From alerts at infosecnews.org Thu Jun 7 00:20:56 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Former IT Contractor Pleads Guilty To Chrysler Sabotage
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=199901760

By Sharon Gaudin
InformationWeek
June 6, 2007

An IT contractor who had been let go from his job at Daimler Chrysler pleaded guilty to sabotaging the automaker's wireless inventory network and causing more than $29,000 in damages.

William A. Johns, 65, of Lake Orion, Mich., pleaded to the charge of unlawful computer intrusion in U.S. District Court. Under the terms of the plea agreement, he faces up to 12 months in prison and a fine of up to $250,000. Johns also will be required to make full restitution to Daimler Chrysler in the amount of $29,916 to pay for the costs associated with repairing the damaged network.

"A case like this shows the potential vulnerability -- the potential for a seriously damaging breach," said Terrence Berg, First Assistant U.S. Attorney, in an interview with InformationWeek. "The company caught on quickly and took swift action so this didn't cause them especially significant damage. But it showed that the vulnerability was there and it gave them a chance to fix it."

According to a release from the U.S. Attorney's office, Johns worked for Intermec, a consulting company hired to come in and set up a new wireless network for Chrysler's remote parts distribution facilities in Atlanta, Georgia; Portland, Oregon; and Denver, Colorado. MOPAR is Chrysler's parts distribution component. Johns was part of the installation team. However, Berg said at some point Johns was let go from the Chrysler job.

Court papers showed that on Oct. 3, 2003, Johns entered the Daimler Chrysler Assembly plant in Sterling Heights, Mich. and accessed a computer kiosk in the visitors' lobby. Based on his familiarity with Daimler Chrysler's computer system and security systems, he used the terminal to delete files and passwords from wireless devices used in remote parts distribution facilities in remote cities.

The government told the court that Chrysler was forced to remove and repair the devices, causing each MOPAR facility to shut down for about seven and a half hours and causing more than $25,000 in damages.

Berg said that while Johns was making his plea to the court, he called his actions "a prank."

"If that's accurate, I don't know," added Berg. "Sometimes when someone is an IT consultant like that, they cause a problem because they want to be the one to fix it. They cause problems so they can be appreciated when they solve them."

Berg said Chrysler was quick to call in the FBI when they discovered the incident. Johns is slated to be sentenced on Sept. 12.

From alerts at infosecnews.org Thu Jun 7 00:21:09 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Mass. credit union bills TJX $590k for breach-related costs
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9023778

By Jaikumar Vijayan
June 06, 2007
Computerworld

HarborOne Credit Union in Brockton, Mass., has sent The TJX Companies Inc. an invoice for $590,000 for what the financial institution says it incurred in actual costs and reputational damage as a result of the data compromise disclosed by the retailer in January.

The bill was sent to TJX on April 30, but the company so far has not responded or commented on it in any fashion, said James Blake, the president and CEO of the 100,000-member, $1.4 billion credit union.

"The bill was for both direct operational costs that we incurred reissuing new debit cards to our customers, as well as the costs to us from a reputational standpoint," he said.
According to Blake, the TJX breach resulted in HarborOne having to block and reissue about 9,000 cards at a cost of around $90,000. The remaining $500,000 is what Blake believes the breach cost the credit union in terms of brand damage. "We had to notify customers of the fact that their account was breached. There were some questions on their part whether or not we were responsible [for the breach] when in fact it was TJX's responsibility," Blake said. Rather that pursue a formal lawsuit against TJX for the amount, HarborOne has decided to give TJX a chance to do the "morally" right thing he said. "Whether they will is another issue. They have chosen not to respond to any of our communications. They have run from the problem from the very beginning." According to Blake, in the last year alone, HarborOne has had to reissue debit cards more than 30 times to customers as a result of data breaches at various retailers. "You can understand why we are a little upset about this," he said. A spokesperson from TJX did not immediately respond to a request for comment. HarborOne's action comes amid growing pressure from credit unions and other financial institutions around the country to get retailers to take financial responsibility for data compromises. Credit union associations in various states are vigorously lobbying lawmakers to approve bills that would require retailers to implement stronger data-security measures and to reimburse costs associated with reissuing payment cards after a breach. One such bill is the Plastic Card Security Act that was signed into law in Minnesota last month after being actively pushed by the Minnesota Credit Union Network. And the California Credit Union League is now pushing a bill similar to the one in Minnesota. Other states, including Texas and Connecticut, have considered similar proposals recently. 
Blake, who is the chairman of the Massachusetts Credit Union League, welcomed such proposals but said such measures need to be considered at the federal level.

From alerts at infosecnews.org Fri Jun 8 09:05:02 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] New Firm Eager to Slap Patents on Security Patches
Message-ID:

http://securitywatch.eweek.com/patches/new_firm_eager_to_slap_patents_on_security_vulnerabilities.html

By Lisa Vaas
June 7, 2007

Security researchers, are you tired of handing your vulnerability discoveries over to your employer, as if that were what you're paid to do? Helping vendors secure their products "for free" so that their users won't be endangered by new vulnerabilities? Showing your hacking prowess off to your friends, groveling for security jobs or selling your raw discoveries to middlemen for a fraction (a pittance) of their real value?

Take heart, underappreciated, unremunerated vassals, for a new firm is offering to work with you on a vulnerability patch that they will then patent and go to court to defend. You'll split the profits with the firm, Intellectual Weapons, if they manage to sell the patch to the vendor. The firm may also try to patent any adaptations to an intrusion detection system or any other third-party software aimed at dealing with the vulnerability, so rest assured, there are many parties from which to potentially squeeze payoff.

Intellectual Weapons is offering to accept vulnerabilities you've discovered, as long as you haven't told anyone else, haven't discovered the vulnerability through illegal means and don't have any legal responsibility to tell a vendor about the vulnerability. Also, the vulnerability has to be profitable: the product must be "highly valuable," according to the firm's site, "especially as a percentage of the vendor's revenue." The product can't be up for upcoming phaseout; after all, the system takes, on average, seven years to churn out a new patent.
The vendor has to have deep pockets so it can pay damages, and your solution has to be simple enough to be explained to a jury. Because, goodness, you will be looking at juries and lawyers; you can count on that.

Intellectual Weapons says this isn't for everybody. The firm says it "fully [anticipates] major battles."

"We need people who have the emotional stability and the tenacity to persevere with each project, from describing the vulnerability, and helping develop the fix, through to generating and enforcing the IP," the firm states on its site.

Patenting may be a new twist, but the idea of profiteering from vulnerabilities is nothing new. iDefense Labs has its Vulnerability Contributor Program, and TippingPoint has its Zero Day Initiative. Even the Mozilla Foundation tried it, although of course the open-source software project dedicated funds to bugs found in only its own code.

The blogosphere is frothing. "Nice. The race to the bottom started by [TippingPoint parent company] 3Com and [iDefense] is now complete. I for one hope that Matasano is able to use this idea in regards to a TippingPoint vulnerability," wrote Chris_BJune in a response to a blog from security firm Matasano's Thomas Ptacek.

According to Ptacek, the reasons why nobody should care about Intellectual Weapons include the fact that the time required to complete a patent filing is over seven years. Add on to that the years it will take to "initiate, litigate and prevail in a patent claim, especially against an established software vendor," Ptacek said. "Presuming you do prevail; you likely won't."

Intellectual Weapons has plans to deal with these inconveniences, however. The company says that it may try to use a Petition to Make Special in order to speed up the examination process when filing a U.S. patent.
Another strategy the firm proposes using is to go after a utility model rather than a patent; a utility model is similar to a patent but easier to obtain and of shorter duration, typically six to 10 years.

"In most countries where utility model protection is available, patent offices do not examine applications as to substance prior to registration," the company says. "This means that the registration process is often significantly simpler, cheaper and faster. The requirements for acquiring a utility model are less stringent than for patents."

Ptacek calls utility models "patents-lite." Other nicknames are "petty patent," "minor patent" and "small patent." Such patent workarounds are available in some EU countries and other countries including Argentina, China, Malaysia, Mexico, Morocco, Philippines, Poland, Russia, South Korea and Uzbekistan.

"Would it be [possible] for an outfit like 'Intellectual Weapons,' exploiting the services of contingency-fee lawyers, to get an injunction against a Microsoft security fix in the Republic of Moldova? Anything's possible," Ptacek said.

He doesn't believe it will happen, however, given that international patents have to be fought jurisdiction by jurisdiction. "In this case, you'd be slogging through those fights for a shot at a tiny sliver of the revenue generated by the products you're targeting. This is nothing like NTP vs. RIM, where NTP's claims enabled RIM's entire product."
From alerts at infosecnews.org Fri Jun 8 09:05:29 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:30 2008
Subject: [ISN] Secunia Weekly Summary - Issue: 2007-23
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2007-05-31 - 2007-06-07

This week: 76 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure.

The Full Featured Secunia Network Software Inspector (NSI) is now available:
http://secunia.com/network_software_inspector/

The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications.

========================================================================
2) This Week in Brief:

Two extremely critical vulnerabilities in Yahoo! Messenger were made public this week, which could allow an attacker to gain control of a vulnerable system.

The vulnerabilities are due to boundary errors within two Yahoo! Messenger ActiveX controls: the Yahoo! Webcam Upload and the Yahoo! Webcam Viewer controls. These vulnerabilities could be exploited by assigning an overly long string to the Server property and then calling the Send() or Receive() method, respectively. Successful exploitation allows an attacker to execute arbitrary code on the system.

Yahoo! has yet to release a patch for these vulnerabilities; hence users are urged to refrain from browsing untrusted sites that may host exploit code for these vulnerabilities, or to modify their system registries to set the kill-bit for the affected ActiveX controls.

For more information, please refer to:
http://secunia.com/advisories/25547/

--

Two vulnerabilities were reported in the Computer Associates (CA) Anti-virus engine, which could be exploited by malicious people to gain access to a vulnerable system.

A boundary error in a library file when processing CAB files can be exploited to cause a stack-based buffer overflow via a specially crafted CAB file with an overly long filename. An input validation error when processing the coffFiles field in CAB files can also be exploited to cause a stack-based buffer overflow.

Various CA products are affected. The vendor has released a patch for these vulnerabilities via content update 3.60. Users are strongly encouraged to check that their systems have been patched.

For more information, and a complete list of affected products:
http://secunia.com/advisories/25570/

--

Secunia Research has discovered several vulnerabilities in Mplayer, which can be exploited by malicious people to compromise a user's system.

A boundary error within the "cddb_query_parse()" function in stream/stream_cddb.c when parsing album titles can be exploited to cause a stack-based buffer overflow. This can be exploited by tricking a user into parsing malicious CDDB entries with overly long album titles. Successful exploitation allows execution of arbitrary code.

Boundary errors within the "cddb_parse_matches_list()" and "cddb_read_parse()" functions in stream/stream_cddb.c when parsing album and category titles can be exploited to cause stack-based buffer overflows. These can be exploited by tricking a user into parsing malicious CDDB entries with overly long album or category titles.
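The Mplayer entry above describes the same boundary-error class as the Yahoo! Messenger and CA entries: a value of attacker-chosen length (here a CDDB album title) copied into a fixed-size stack buffer with no length check. The following is an added example written for this digest, not Mplayer's stream_cddb.c and not Secunia's code: a constructed parser for a CDDB-style DTITLE line in its unbounded form next to a bounded version that rejects overly long titles. The 64-byte ALBUM_MAX, the function names and the sample lines are assumptions made for the example.

```c
/*
 * Added example (not Mplayer's code): a constructed parser for a CDDB-style
 * "DTITLE=<artist> / <album>" line. ALBUM_MAX, the function names and the
 * sample lines below are assumptions made for the example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALBUM_MAX  64        /* assumed size of the fixed album-title buffer */
#define DTITLE_KEY "DTITLE="

/*
 * Defect class, kept only for contrast: the title is copied into a
 * fixed-size stack buffer with strcpy and no length check, so a title
 * longer than ALBUM_MAX - 1 bytes writes past the end of `title`.
 * Never feed this untrusted input.
 */
int parse_dtitle_unsafe(const char *line, char *out, size_t out_len)
{
    char title[ALBUM_MAX];
    const char *p = strstr(line, DTITLE_KEY);
    if (p == NULL)
        return -1;
    strcpy(title, p + strlen(DTITLE_KEY));       /* unbounded copy: the bug */
    title[strcspn(title, "\r\n")] = '\0';
    snprintf(out, out_len, "%s", title);
    return 0;
}

/*
 * Hardened parser: measure the title first, refuse anything that would not
 * fit, then copy with an explicit bound. Returns 0 on success, -1 if the
 * key is absent and -2 if the title is too long for ALBUM_MAX or `out`.
 */
int parse_dtitle(const char *line, char *out, size_t out_len)
{
    const char *p = strstr(line, DTITLE_KEY);
    if (p == NULL)
        return -1;
    p += strlen(DTITLE_KEY);
    size_t n = strcspn(p, "\r\n");               /* title runs to end of line */
    if (n >= ALBUM_MAX || n >= out_len)
        return -2;                               /* reject instead of overflowing */
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Builds a constructed response whose title is `len` bytes of 'A' (not real
 * CDDB data). The caller frees the result. */
char *make_dtitle_line(size_t len)
{
    size_t key_len = strlen(DTITLE_KEY);
    char *buf = malloc(key_len + len + 3);       /* key + title + "\r\n" + NUL */
    if (buf == NULL)
        return NULL;
    memcpy(buf, DTITLE_KEY, key_len);
    memset(buf + key_len, 'A', len);
    memcpy(buf + key_len + len, "\r\n", 3);      /* includes the terminating NUL */
    return buf;
}

/* Each check returns 1 when the hardened parser behaves as intended. */
int good_title_parses(void)
{
    char out[ALBUM_MAX];
    const char line[] = "DTITLE=Some Artist / Some Album\r\n";   /* constructed */
    return parse_dtitle(line, out, sizeof out) == 0
        && strcmp(out, "Some Artist / Some Album") == 0;
}

int length_checks_hold(void)
{
    char out[ALBUM_MAX];
    char *big = make_dtitle_line(200);               /* well past ALBUM_MAX */
    char *edge = make_dtitle_line(ALBUM_MAX - 1);    /* longest title that fits with its NUL */
    int ok = big != NULL && edge != NULL
        && parse_dtitle(big, out, sizeof out) == -2
        && parse_dtitle(edge, out, sizeof out) == 0
        && strlen(out) == ALBUM_MAX - 1;
    free(big);
    free(edge);
    return ok;
}

int missing_key_rejected(void)
{
    char out[ALBUM_MAX];
    return parse_dtitle("210 OK\r\n", out, sizeof out) == -1;   /* constructed status line */
}

int main(void)
{
    printf("good title parses:    %d\n", good_title_parses());
    printf("length checks hold:   %d\n", length_checks_hold());
    printf("missing key rejected: %d\n", missing_key_rejected());
    return 0;
}
```

The hardened parser measures before any copy and fails closed with a distinct error code, so a caller can log and drop the response rather than silently truncate it; a title of exactly ALBUM_MAX - 1 bytes is accepted and one byte more is refused, which is the boundary the advisory's "overly long album title" crosses.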
Successful exploitation allows execution of arbitrary code, but may require that the user connects to a malicious server.

The vendor has released a patch for version 1.0rc1. Users are advised to apply the patch immediately.

For more information:
http://secunia.com/advisories/24302/

--

VIRUS ALERTS:

During the past week Secunia collected 356 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA25481] Mozilla Firefox / Seamonkey "resource://" Information Disclosure
2. [SA25469] Mozilla Firefox Multiple Vulnerabilities
3. [SA25456] PHP Integer Overflow Vulnerability and Security Bypass
4. [SA25130] Apple QuickTime Java Extension Two Vulnerabilities
5. [SA23769] Internet Explorer Multiple Vulnerabilities
6. [SA25514] Logitech VideoCall Multiple ActiveX Controls Buffer Overflows
7. [SA25505] Linux Kernel VFAT IOCTLs Denial of Service
8. [SA25498] Novell GroupWise Authentication Credentials Disclosure Security Issue
9. [SA25434] PHP crypt() Race Condition Vulnerability
10. [SA25487] PHP JackKnife Gallery System Two SQL Injection Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA25547] Yahoo! Messenger Two ActiveX Controls Buffer Overflows
[SA25570] CA Anti-Virus Engine CAB Archive Processing Buffer Overflows
[SA25568] FlipViewer FViewerLoading ActiveX Control Buffer Overflows
[SA25514] Logitech VideoCall Multiple ActiveX Controls Buffer Overflows
[SA25509] Macrovision FLEXnet boisweb.dll ActiveX Control Buffer Overflows
[SA25508] DVD X Player PLF File Parsing Buffer Overflow Vulnerability
[SA25501] Macrovision FLEXnet Connect DWUpdateService ActiveX Control Insecure Methods
[SA25500] Authentium Command Antivirus ActiveX Controls Buffer Overflows
[SA25565] Free-PayPal-Shopping-Cart "news_id" SQL Injection Vulnerability
[SA25545] Omegasoft Insel Cross-Site Scripting and SQL Injection
[SA25543] Symantec Reporting Server Three Vulnerabilities
[SA25537] Symantec Veritas Storage Foundation Scheduler Service Authentication Bypass
[SA25564] Internet Explorer Page Loading Race Condition and URL Spoofing
[SA25527] ADPLAN SEO Cross-Site Scripting Vulnerability
[SA25507] Hitachi Products Collaboration-File Sharing Cross-Site Scripting Vulnerability
[SA25539] Symantec Ghost Solution Suite Three Denial of Service Vulnerabilities

UNIX/Linux:
[SA25578] Amavis file Integer Underflow and Denial of Service
[SA25555] Mandriva update for mplayer
[SA25534] Slackware update for Mozilla products
[SA25533] Ubuntu update for firefox
[SA25522] Xoops iContent Module "spaw_root" File Inclusion
[SA25582] SUSE update for asterisk
[SA25569] Gentoo update for libexif
[SA25562] Atom PhotoBlog Script Insertion and Cross-Site Scripting
[SA25553] Mandriva update for clamav
[SA25551] Gentoo update for evolution
[SA25540] rPath update for libexif
[SA25535] Slackware update for php5
[SA25525] Kolab Server ClamAV Denial of Service
[SA25523] SUSE update for clamav
[SA25511] Hitachi TP1/NET/OSI-TP-Extended Denial of Service Vulnerability
[SA25496] Ubuntu update for mozilla-thunderbird
[SA25495] Avaya Products FreeType BDF Font Integer Overflow Vulnerability
[SA25567] HP-UX update for CIFS Server
[SA25561] LightBlog "id" Cross-Site Scripting Vulnerability
[SA25554] Mandriva update for libpng
[SA25544] Mandriva update for file
[SA25530] Mandriva update for util-linux
[SA25566] Sun Solaris Management Console Privilege Escalation
[SA25497] Avaya Products CUPS Incomplete SSL Negotiation Denial of Service
[SA25494] Hitachi XP/W Map I/O Service Denial of Service Vulnerability
[SA25519] Mandriva update for lha
[SA25550] Gentoo update for elinks
[SA25546] rPath update for mutt
[SA25531] Sun Solaris xscreensaver Arbitrary Command Execution
[SA25529] Red Hat update for mutt
[SA25515] Mandriva update for mutt
[SA25505] Linux Kernel VFAT IOCTLs Denial of Service

Other:
[SA25563] F5 FirePass 4100 SSL VPN "username" Command Injection
[SA25499] Apple Xserve Lights-Out Management Firmware IPMI Vulnerability

Cross Platform:
[SA25572] PBLang "lang" Local File Inclusion Vulnerability
[SA25548] EQdkp "rank" SQL Injection Vulnerability
[SA25542] IBM Lotus Domino Unspecified Denial of Service Vulnerability
[SA25524] Particle Gallery "editcomment" SQL Injection Vulnerability
[SA25518] Basic Analysis and Security Engine Multiple Security Bypass
[SA25513] Quick.Cart "sLanguage" Local File Inclusion Vulnerability
[SA25584] AIOCP "aiocp_dp" Cross-Site Scripting Vulnerability
[SA25557] Cacti "graph_image.php" Denial of Service
[SA25552] WordPress XMLRPC "wp.suggestCategories" SQL Injection
[SA25549] Beatnik Extension for Firefox Feed Script Insertion Vulnerability
[SA25538] EQDKP Attunement and Key Tracker Plugin Cross-Site Scripting
[SA25532] WebSVN Cross-Site Scripting Vulnerability
[SA25526] Chameleon CMS Session Fixation Vulnerability
[SA25521] Calimero.CMS Session Fixation Vulnerability
[SA25517] Codelib Linker "cat" and "kword" Cross-Site Scripting Vulnerabilities
[SA25512] SSL-Explorer Multiple Vulnerabilities
[SA25510] Meneame Cross-Site Scripting Vulnerability
[SA25506] @Mail "ReadMsg.php" Cross-Site Scripting Vulnerability
[SA25503] Aigaion Authors and Publications Script Insertion Vulnerabilities
[SA25502] WebStudio CMS "pageid" Cross-Site Scripting
[SA25498] Novell GroupWise Authentication Credentials Disclosure Security Issue
[SA25493] HP System Management Homepage Unspecified Cross-Site Scripting
[SA25536] APC PowerChute Network Shutdown Directory Traversal
[SA25520] IBM Lotus Domino Agent Signature Verification Vulnerability
[SA25516] Symantec Veritas Storage Foundation Veritas Volume Replicator Denial of Service
[SA25541] WordPress Unmoderated Comments Disclosure Security Issue

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA25547] Yahoo! Messenger Two ActiveX Controls Buffer Overflows

Critical:    Extremely critical
Where:       From remote
Impact:      System access
Released:    2007-06-07

Danny has discovered two vulnerabilities in Yahoo! Messenger, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25547/

--

[SA25570] CA Anti-Virus Engine CAB Archive Processing Buffer Overflows

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-06

Two vulnerabilities have been reported in the CA Anti-Virus engine, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25570/

--

[SA25568] FlipViewer FViewerLoading ActiveX Control Buffer Overflows

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-06

Will Dormann has reported some vulnerabilities in FlipViewer, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/25568/

--

[SA25514] Logitech VideoCall Multiple ActiveX Controls Buffer Overflows

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-01

Will Dormann has discovered some vulnerabilities in Logitech VideoCall, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25514/

--

[SA25509] Macrovision FLEXnet boisweb.dll ActiveX Control Buffer Overflows

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-05

TippingPoint has reported some vulnerabilities in Macrovision Update Service and FLEXnet Connect, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25509/

--

[SA25508] DVD X Player PLF File Parsing Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-04

n00b has discovered a vulnerability in DVD X Player, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25508/

--

[SA25501] Macrovision FLEXnet Connect DWUpdateService ActiveX Control Insecure Methods

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-01

Will Dormann has reported some vulnerabilities in the Macrovision FLEXnet Connect Software Manager DWUpdateService ActiveX control, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25501/

--

[SA25500] Authentium Command Antivirus ActiveX Controls Buffer Overflows

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-01

Will Dormann has reported some vulnerabilities in Authentium Command Antivirus, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25500/

--

[SA25565] Free-PayPal-Shopping-Cart "news_id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2007-06-07

kerem125 and gsy have reported a vulnerability in Free-PayPal-Shopping-Cart, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/25565/

--

[SA25545] Omegasoft Insel Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2007-06-06

MC.Iglo has reported some vulnerabilities in Omegasoft Insel, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/25545/

--

[SA25543] Symantec Reporting Server Three Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information
Released:    2007-06-06

Three vulnerabilities have been reported in Symantec Reporting Server, which can be exploited by malicious people to gain knowledge of sensitive information, bypass certain security restrictions, or manipulate certain files.

Full Advisory:
http://secunia.com/advisories/25543/

--

[SA25537] Symantec Veritas Storage Foundation Scheduler Service Authentication Bypass

Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass
Released:    2007-06-04

TippingPoint has reported a vulnerability in Symantec Veritas Storage Foundation, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/25537/

--

[SA25564] Internet Explorer Page Loading Race Condition and URL Spoofing

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Spoofing
Released:    2007-06-06

Michal Zalewski has reported two vulnerabilities in Internet Explorer, which potentially can be exploited by a malicious website to display a fake URL in the address bar or to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/25564/

--

[SA25527] ADPLAN SEO Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-06-07

A vulnerability has been reported in ADPLAN SEO, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/25527/

--

[SA25507] Hitachi Products Collaboration-File Sharing Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-06-01

A vulnerability has been reported in various Hitachi products, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/25507/

--

[SA25539] Symantec Ghost Solution Suite Three Denial of Service Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2007-06-06

Three vulnerabilities have been reported in Symantec Ghost Solution Suite, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25539/

UNIX/Linux:--

[SA25578] Amavis file Integer Underflow and Denial of Service

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-06

A vulnerability and a security issue have been reported in Amavis, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25578/

--

[SA25555] Mandriva update for mplayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-05

Mandriva has issued an update for mplayer. This fixes a vulnerability, which can potentially be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25555/

--

[SA25534] Slackware update for Mozilla products

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Exposure of sensitive information, DoS, System access
Released:    2007-06-04

Slackware has issued updates for mozilla-firefox, mozilla-thunderbird and seamonkey. These fix some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25534/

--

[SA25533] Ubuntu update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Exposure of sensitive information, DoS, System access
Released:    2007-06-04

Ubuntu has issued an update for firefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25533/

--

[SA25522] Xoops iContent Module "spaw_root" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, System access
Released:    2007-06-04

Mahmood_ali has discovered a vulnerability in the iContent Module for Xoops, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25522/

--

[SA25582] SUSE update for asterisk

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2007-06-07

SUSE has issued an update for asterisk. This fixes some vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information or by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25582/

--

[SA25569] Gentoo update for libexif

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-06

Gentoo has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/25569/

--

[SA25562] Atom PhotoBlog Script Insertion and Cross-Site Scripting

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-06-07

Some vulnerabilities have been discovered in Atom PhotoBlog, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/25562/

--

[SA25553] Mandriva update for clamav

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2007-06-05

Mandriva has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25553/

--

[SA25551] Gentoo update for evolution

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-07

Gentoo has issued an update for evolution. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25551/ -- [SA25540] rPath update for libexif Critical: Moderately critical Where: From remote Impact: System access Released: 2007-06-05 rPath has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS and potentially compromise an application using the library. Full Advisory: http://secunia.com/advisories/25540/ -- [SA25535] Slackware update for php5 Critical: Moderately critical Where: From remote Impact: Unknown, Security Bypass, DoS Released: 2007-06-04 Slackware has issued an update for php5. This fixes some vulnerabilities, where one has an unknown impact and others can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25535/ -- [SA25525] Kolab Server ClamAV Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2007-06-04 Some vulnerabilities have been reported in Kolab Server, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25525/ -- [SA25523] SUSE update for clamav Critical: Moderately critical Where: From remote Impact: DoS Released: 2007-06-06 SUSE has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25523/ -- [SA25511] Hitachi TP1/NET/OSI-TP-Extended Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2007-06-01 A vulnerability has been reported in TP1/NET/OSI-TP-Extended, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/25511/ -- [SA25496] Ubuntu update for mozilla-thunderbird Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2007-06-06 Ubuntu has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/25496/ -- [SA25495] Avaya Products FreeType BDF Font Integer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2007-06-01 Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library. Full Advisory: http://secunia.com/advisories/25495/ -- [SA25567] HP-UX update for CIFS Server Critical: Moderately critical Where: From local network Impact: System access Released: 2007-06-06 HP has issued an update for HP-UX. This fixes some vulnerabilities, which can be exploited by malicious users and malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25567/ -- [SA25561] LightBlog "id" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-06-07 ls has reported a vulnerability in LightBlog, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/25561/ -- [SA25554] Mandriva update for libpng Critical: Less critical Where: From remote Impact: DoS Released: 2007-06-06 Mandriva has issued an update for libpng. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/25554/ -- [SA25544] Mandriva update for file Critical: Less critical Where: From remote Impact: DoS, System access Released: 2007-06-06 Mandriva has issued an update for file. This fixes a vulnerability and a security issue, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25544/ -- [SA25530] Mandriva update for util-linux Critical: Less critical Where: From remote Impact: Security Bypass Released: 2007-06-05 Mandriva has issued an update for util-linux. This fixes a security issue, which can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/25530/ -- [SA25566] Sun Solaris Management Console Privilege Escalation Critical: Less critical Where: From local network Impact: Privilege escalation Released: 2007-06-06 A vulnerability has been reported in Sun Solaris, which can be exploited by malicious users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/25566/ -- [SA25497] Avaya Products CUPS Incomplete SSL Negotiation Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2007-06-01 Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25497/ -- [SA25494] Hitachi XP/W Map I/O Service Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2007-06-01 A vulnerability has been reported in XP/W, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25494/ -- [SA25519] Mandriva update for lha Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2007-06-06 Mandriva has issued an update for lha. 
This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/25519/ -- [SA25550] Gentoo update for elinks Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2007-06-07 Gentoo has issued an update for elinks. This fixes a weakness, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/25550/ -- [SA25546] rPath update for mutt Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2007-06-05 rPath has issued an update for mutt. This fixes a vulnerability, which can potentially be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/25546/ -- [SA25531] Sun Solaris xscreensaver Arbitrary Command Execution Critical: Not critical Where: Local system Impact: Security Bypass Released: 2007-06-05 A vulnerability has been reported in Sun Solaris, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/25531/ -- [SA25529] Red Hat update for mutt Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2007-06-04 Red Hat has issued an update for mutt. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions with escalated privileges or gain escalated privileges. Full Advisory: http://secunia.com/advisories/25529/ -- [SA25515] Mandriva update for mutt Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2007-06-05 Mandriva has issued an update for mutt. This fixes a vulnerability, which can potentially be exploited by malicious, local users to gain escalated privileges. 
Full Advisory: http://secunia.com/advisories/25515/

--

[SA25505] Linux Kernel VFAT IOCTLs Denial of Service
Critical:  Not critical
Where:     Local system
Impact:    DoS
Released:  2007-06-01

A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/25505/

Other:

--

[SA25563] F5 FirePass 4100 SSL VPN "username" Command Injection
Critical:  Highly critical
Where:     From remote
Impact:    System access
Released:  2007-06-06

Leonardo Nve has reported a vulnerability in F5 FirePass 4100 SSL VPN, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/25563/

--

[SA25499] Apple Xserve Lights-Out Management Firmware IPMI Vulnerability
Critical:  Moderately critical
Where:     From local network
Impact:    System access
Released:  2007-06-01

A vulnerability has been reported in the Xserve Lights-Out Management firmware, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/25499/

Cross Platform:

--

[SA25572] PBLang "lang" Local File Inclusion Vulnerability
Critical:  Moderately critical
Where:     From remote
Impact:    Exposure of system information, Exposure of sensitive information
Released:  2007-06-06

Silentz has discovered a vulnerability in PBLang, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/25572/

--

[SA25548] EQdkp "rank" SQL Injection Vulnerability
Critical:  Moderately critical
Where:     From remote
Impact:    Manipulation of data, Exposure of sensitive information
Released:  2007-06-05

Silentz has discovered a vulnerability in EQdkp, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/25548/

--

[SA25542] IBM Lotus Domino Unspecified Denial of Service Vulnerability
Critical:  Moderately critical
Where:     From remote
Impact:    DoS
Released:  2007-06-04

A vulnerability has been reported in IBM Lotus Domino, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/25542/

--

[SA25524] Particle Gallery "editcomment" SQL Injection Vulnerability
Critical:  Moderately critical
Where:     From remote
Impact:    Manipulation of data
Released:  2007-06-04

Silentz has discovered a vulnerability in Particle Gallery, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/25524/

--

[SA25518] Basic Analysis and Security Engine Multiple Security Bypass
Critical:  Moderately critical
Where:     From remote
Impact:    Security Bypass
Released:  2007-06-05

Johnny Storm has discovered some vulnerabilities in Basic Analysis and Security Engine (BASE), which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/25518/

--

[SA25513] Quick.Cart "sLanguage" Local File Inclusion Vulnerability
Critical:  Moderately critical
Where:     From remote
Impact:    Exposure of sensitive information
Released:  2007-06-04

Kacper has discovered a vulnerability in Quick.Cart, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/25513/

--

[SA25584] AIOCP "aiocp_dp" Cross-Site Scripting Vulnerability
Critical:  Less critical
Where:     From remote
Impact:    Cross Site Scripting
Released:  2007-06-07

A vulnerability has been reported in All In One Control Panel (AIOCP), which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25584/

--

[SA25557] Cacti "graph_image.php" Denial of Service
Critical:  Less critical
Where:     From remote
Impact:    DoS
Released:  2007-06-06

A vulnerability has been discovered in Cacti, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/25557/

--

[SA25552] WordPress XMLRPC "wp.suggestCategories" SQL Injection
Critical:  Less critical
Where:     From remote
Impact:    Manipulation of data, Exposure of sensitive information
Released:  2007-06-07

Slappter has discovered a vulnerability in WordPress, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/25552/

--

[SA25549] Beatnik Extension for Firefox Feed Script Insertion Vulnerability
Critical:  Less critical
Where:     From remote
Impact:    Cross Site Scripting
Released:  2007-06-05

CrYpTiC MauleR has discovered a vulnerability in the Beatnik extension for Firefox, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/25549/

--

[SA25538] EQDKP Attunement and Key Tracker Plugin Cross-Site Scripting
Critical:  Less critical
Where:     From remote
Impact:    Cross Site Scripting
Released:  2007-06-04

A vulnerability has been reported in the Attunement and Key Tracker Plugin for EQDKP, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/25538/

--

[SA25532] WebSVN Cross-Site Scripting Vulnerability
Critical:  Less critical
Where:     From remote
Impact:    Cross Site Scripting
Released:  2007-06-04

A vulnerability has been reported in WebSVN, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25532/

--

[SA25526] Chameleon CMS Session Fixation Vulnerability
Critical:  Less critical
Where:     From remote
Impact:    Hijacking
Released:  2007-06-04

David Vieira-Kurz has reported a vulnerability in Chameleon CMS, which can be exploited by malicious people to conduct session fixation attacks.

Full Advisory: http://secunia.com/advisories/25526/

--

[SA25521] Calimero.CMS Session Fixation Vulnerability
Critical:  Less critical
Where:     From remote
Impact:    Hijacking
Released:  2007-06-05

David Vieira-Kurz has discovered a vulnerability in Calimero.CMS, which can be exploited by malicious people to conduct session fixation attacks.

Full Advisory: http://secunia.com/advisories/25521/

--

[SA25517] Codelib Linker "cat" and "kword" Cross-Site Scripting Vulnerabilities
Critical:  Less critical
Where:     From remote
Impact:    Cross Site Scripting
Released:  2007-06-04

Some vulnerabilities have been discovered in Codelib Linker, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/25517/

--

[SA25512] SSL-Explorer Multiple Vulnerabilities
Critical:  Less critical
Where:     From remote
Impact:    Security Bypass, Cross Site Scripting
Released:  2007-06-04

Some vulnerabilities have been reported in SSL-Explorer, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting and HTTP header injection attacks.

Full Advisory: http://secunia.com/advisories/25512/

--

[SA25510] Meneame Cross-Site Scripting Vulnerability
Critical:  Less critical
Where:     From remote
Impact:    Cross Site Scripting
Released:  2007-06-04

A vulnerability has been reported in Meneame, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25510/

--

[SA25506] @Mail "ReadMsg.php" Cross-Site Scripting Vulnerability
Critical:  Less critical
Where:     From remote
Impact:    Cross Site Scripting
Released:  2007-06-01

A vulnerability has been reported in @Mail, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/25506/

--

[SA25503] Aigaion Authors and Publications Script Insertion Vulnerabilities
Critical:  Less critical
Where:     From remote
Impact:    Cross Site Scripting
Released:  2007-06-01

ephemeral_sta has reported some vulnerabilities in Aigaion, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/25503/

--

[SA25502] WebStudio CMS "pageid" Cross-Site Scripting
Critical:  Less critical
Where:     From remote
Impact:    Cross Site Scripting
Released:  2007-06-05

Glafkos Charalambous has reported a vulnerability in WebStudio CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/25502/

--

[SA25498] Novell GroupWise Authentication Credentials Disclosure Security Issue
Critical:  Less critical
Where:     From remote
Impact:    Exposure of sensitive information
Released:  2007-06-01

A security issue has been reported in Novell GroupWise, which can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/25498/

--

[SA25493] HP System Management Homepage Unspecified Cross-Site Scripting
Critical:  Less critical
Where:     From remote
Impact:    Cross Site Scripting
Released:  2007-06-01

A vulnerability has been reported in HP System Management Homepage, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25493/

--

[SA25536] APC PowerChute Network Shutdown Directory Traversal
Critical:  Less critical
Where:     From local network
Impact:    Exposure of sensitive information
Released:  2007-06-06

Chris Castaldo has reported a vulnerability in APC PowerChute Network Shutdown, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/25536/

--

[SA25520] IBM Lotus Domino Agent Signature Verification Vulnerability
Critical:  Less critical
Where:     From local network
Impact:    Privilege escalation
Released:  2007-06-05

A vulnerability has been reported in IBM Lotus Domino, which can be exploited by malicious users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/25520/

--

[SA25516] Symantec Veritas Storage Foundation Veritas Volume Replicator Denial of Service
Critical:  Less critical
Where:     From local network
Impact:    DoS
Released:  2007-06-04

A vulnerability has been reported in Symantec Veritas Storage Foundation, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/25516/

--

[SA25541] WordPress Unmoderated Comments Disclosure Security Issue
Critical:  Not critical
Where:     From remote
Impact:    Exposure of sensitive information
Released:  2007-06-04

Sumit Siddharth has discovered a security issue in WordPress, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/25541/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From alerts at infosecnews.org Fri Jun 8 09:05:50 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Check Point boss snipes at Microsoft's security
Message-ID:

http://www.techworld.com/security/news/index.cfm?newsID=9058

By Raphael Fogel
TheMarker.com
07 June 2007

Check Point's chief executive has taken a swing at rival Microsoft, saying its security products leave a lot to be desired.

Gil Shwed, also founder of the firewall vendor, made his remarks during a lecture on the global security market, before a group of network security managers at an IDC security conference in Israel.

"Microsoft has been in the security market for more than ten years. It has firewall, VPN, anti-virus capabilities and disk encryption," Shwed said. "But it doesn't have the leading products in any of them, and apparently, the management and integration levels of its products is unsatisfactory."

For a decade, Microsoft has been offering an enterprise firewall, the ISA server, but Check Point for one hasn't been running into them in the field, Shwed said.

He went on to criticise Microsoft's security products more specifically. Since Microsoft began setting its Windows Firewall as the default in Windows XP, Check Point has built a $50-million-a-year business in personal firewalls alone. And that, said Shwed, means that Microsoft's personal Windows firewall can't be doing the job that users want, if the Israeli company's personal firewall business remained healthy.

He refrained from mentioning other rivals like Cisco and Juniper. But he did say that security managers at major enterprises don't want to delve into the nuts and bolts of the security systems and components under offer.
What they really want is a certificate guaranteeing that the security systems and components meet the regulations.

They want to know their systems will be safe. They care less how that's achieved.

Most companies use multiple security systems, each protecting a different aspect of the enterprise systems. That is not good, Shwed elaborated the obvious: what they need is a single platform that will do, or manage, it all for them.

And to no great surprise, he said that Check Point was close to providing such a platform.

From alerts at infosecnews.org Fri Jun 8 09:06:02 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Microsoft Plans Six Security Updates, Two For Windows Vista
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=199902337

By Sharon Gaudin
InformationWeek
June 7, 2007

Gearing up for next week's Patch Tuesday release, Microsoft announced on Thursday that it's preparing six security updates -- four of them for critical bugs.

One security update actually can patch multiple vulnerabilities so it's unclear at this point how many flaws next week's releases will fix.

Microsoft, though, did announce in its Security Bulletin Advance Notification that each of the four critical updates will affect Windows software, while only one affects Internet Explorer. Another one will address issues in Outlook Express, as well as Windows Mail. One critical vulnerability affects Windows Mail in Windows Vista and Windows Vista x64 edition. There is another patch for Windows Vista that's rated "moderate".

All of the critical bugs being fixed enable remote code execution, meaning that a remote hacker could take over an infected system.

The one security bulletin that received Microsoft's second-highest threat rating of "important" affects the Office application suite, as well as Microsoft Visio, which is diagramming software. The flaw being fixed also enables remote code execution.
It's not yet clear why this is not a critical flaw, as nearly all remote code execution vulnerabilities are rated that way.

The 'moderate' security bulletin affects a bug in Windows that causes information disclosure.

Johannes Ullrich, CTO for the Internet Storm Center, a cooperative cyber threat-monitoring and alert system, said this seems like an average size patch release for Microsoft -- slightly less than last month when Microsoft released seven bulletins in its monthly patch release.

He is hoping, though, that several of the outstanding Internet Explorer flaws are fixed in the June 12 release.

"There are about six publicly known IE bugs out there," he added in an interview. "Typically, Microsoft issues patches that fix multiple bugs. Last month, four vulnerabilities were fixed with one IE patch. That would be good."

Ullrich also is hoping that Microsoft patches several outstanding Office vulnerabilities. "It's definitely one of the issues that keeps bugging users," he said. "We haven't seen any of them widely used yet. They're being used in smaller, targeted attacks."

From alerts at infosecnews.org Fri Jun 8 09:06:19 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Cyber attacks draw terror tag
Message-ID:

http://www.australianit.news.com.au/story/0,24897,21870446-5013040,00.html

Correspondents in Tallinn
June 08, 2007

ESTONIA will call on the European Union to define cyber attacks as "acts of terror", Estonian Justice Minister Rein Lang said.

"We're inclined to view such things as acts of terror, just as the Americans view them now," Mr Lang said. "I predict a fairly interesting discussion on this," he added.

At the same news conference, Prime Minister Andrus Ansip reiterated accusations that computers in the Kremlin had carried out a number of the cyber attacks launched on Estonian institutions after a row with Russia at the end of April over the removal of a Soviet war memorial from the centre of Tallinn.
He and Lang added that the attacks were well organised and, regardless of whether the Kremlin had knowledge of them, were a serious breach of security.

"These attacks came directly from the IP address of the (Russian) president's office," Mr Ansip said.

Mr Lang said: "If the computers (in the Kremlin) were used unintentionally, then that means there are computers in the Russian administration which may be used for criminal attacks."

"It's clear the attacks were an organised offensive against the information systems of the Estonian state structures and against the infrastructure of the state in general," he said.

Moscow has denied any involvement in the massive cyber attacks against Estonia, which forced the authorities here to temporarily bar access to official state websites. Some of the attacks also targeted private interests such as banks.

From alerts at infosecnews.org Fri Jun 8 09:06:34 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Energy gets tough on laptop use
Message-ID:

http://www.gcn.com/print/26_13/44394-1.html

By Joab Jackson
GCN
06/04/07 issue

The Energy Department has launched a new effort to keep tighter control of its mobile computing units, following the recent disclosure that the department has lost 1,415 laptop PCs during the past six years, agency officials said.

DOE Secretary Samuel Bodman expects to take immediate actions to correct this, department spokeswoman Megan Barnett said. "We're moving in a serious and deliberative manner."

DOE notified Congress of the lost laptops late last month. The figure represents approximately 2 percent of its current inventory of laptop computers; about 71,874 units are used either by agency personnel or contractors.

Since his appointment in 2005, Bodman has recognized that management deficiencies have been an issue throughout the history of the department, Barnett said.
He has been working to fully identify weaknesses and correct them at their source in regard to computer inventory control. Barnett added that the laptop issue is something that has been developing over many years.

As a result of the findings, which track missing units up until June 2006, Bodman ordered a full inventory of laptops, which subsequently recovered 100 of the units.

The agency has already been taking a number of other steps to minimize future losses, Barnett said. For instance, the agency has implemented a rule that requires employees to report missing property within 24 hours of noticing the loss. The agency plans to beef up its reporting capabilities to better detail the circumstances of the loss. Senior managers will have to verify that their offices are in compliance with these policies.

In addition, the agency has been stressing that employees take better care of the property that is checked out. Those who get laptops must now sign a statement acknowledging their responsibility for the equipment. And closer scrutiny will be in place to ensure employees return all equipment that has been checked out when they leave DOE.

During the next 120 days, DOE will take additional steps. For instance, contractor performance plans are being revised to spell out the responsibility for keeping track of equipment. Contractors must do inventories and make sure the equipment is updated. Property management performance will be part of business management performance, Barnett said.

None of the individuals to whom the missing laptops were issued were disciplined.

DOE said none of the stolen or lost laptops carried classified information. Two possibly held personal information: one had a resume and the other carried a performance evaluation. One possibly contained an internal "Office Use Only" document.

The reported loss of personal computers is the latest in a long line of disclosures by government agencies.
Earlier last month, the Transportation Security Administration alerted the FBI and Secret Service of a lost hard drive containing information on 100,000 current and former workers.

In February, the Justice Department's inspector general found that 160 FBI laptop PCs had been lost or stolen during a 44-month period.

And last November, the Army's Accessions Command in Fort Monroe, Va., reported that a laptop PC with personal information on 4,600 scholarship applicants for the Reserve Officer Training Corps had gone missing.

In May 2006, the Veterans Affairs Department had one of the most notable losses, when a laptop with information on as many as 26 million veterans was stolen from a VA employee's home. The laptop was recovered, and its information had not been accessed. In August 2006, VA instituted a policy of encrypting all its laptop PCs.

Last September, Rep. Tom Davis (R-Va.), then chairman of the Government Reform Committee (now ranking member), introduced the Federal Agency Data Breach Protection Act, which calls for stronger rules about agencies disclosing data loss. The act never made it out of committee, however.

"Why can't anyone take this more seriously? Usually, heads roll when something like this happens in the private sector. But in the public sector, the consequences seem minimal," said Adam Thierer, a senior fellow at the Progress and Freedom Foundation, a Washington think tank covering technology issues. "These machines should be bolted to the desk. And there should be some straightforward rules that are in place," he said.

GCN senior writer Patience Wait contributed to this story.
From alerts at infosecnews.org Fri Jun 8 09:07:58 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Second Call for Papers: DeepSec IDSC 2007 Europe/Vienna: 20-23 Nov 2007
Message-ID:

Forwarded from: Paul Böhm

DeepSec In-Depth Security Conference 2007 Europe - Nov 20-23 2007 - Vienna, Austria
http://deepsec.net/

Second Call for Papers

We're inviting you to submit papers and proposals for trainings for the first annual DeepSec security conference.

We've been able to get some really good submissions, fantastic keynotes, and extremely interesting invited talks so far, and are hoping we'll get even more exciting talks during the final phases of the CFP.

We're especially interested in getting more non-web talks! Dudes - stop submitting basic ajax, web2.0 and voip security talks already, we're flooded by these!

We still want to get more submissions and case studies of government project security (egovernment, electronic health/citizen cards, electronic passports, i- and evoting security, inter-government protocols, ...), and also more submissions on secure software development, rootkits, forensics, and the security of popular but seldom discussed protocols.

We've managed to come up with a really nice social programme around the conference. Among other things, there'll be Capture the Flag and Live Web Hacking contests organized by the Hack in the Box team, exciting evening action at our partner event, the RoboExotica Cocktail-Robotics Festival, and a thrilling speakers after-party at Vienna's top hacker club, the Metalab.

We're sure this will be a conference experience that you'll remember! So submit your talks and trainings now and don't miss the action! :)

All proposals received before June 16th 2007, 23:59 CET will be considered by the Program Committee.

== About DeepSec ==

DeepSec IDSC is an annual European two-day in-depth Conference on Computer-, Network-, and Application-Security.
The first DeepSec Conference will be held from November 22nd to 23rd 2007 in Vienna, and aims to bring together the leading security experts from all over the world in Europe. In addition to the conference with thirty-two sessions, four two-day intense security training courses will be held before the main conference. The conference program will be augmented with a live hacking competition and a team capture the flag contest.

DeepSec is a non-product, non-vendor-biased conference. Our aim is to present the best research and experience from the fields' leading experts.

Target Audience: Security Officers, Security Professionals and Product Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and Firewall-Admins, and Software Developers.

== Speakers/Trainers ==

Until June 16th, 23:59 CET, we'll be accepting papers and lightning talk submissions. Please note we are a non-product, non-vendor-biased security conference, and do not accept vendor pitches.

Speaker privileges include

* One economy class return-ticket to Vienna.
* 3 nights of accommodation in the Conference Hotel.
* Breakfast, Lunch, and two coffee breaks
* Speaker activities during, before, and after the conference.
* Speaker After-Party in the Metalab Hackerspace on November 24th.

Trainer privileges include

* 50% of the net profit of the class.
* 2 nights of accommodation in the Conference Hotel during the trainings.
* Breakfast, Lunch, and two coffee breaks.
* Free Speaker Ticket for the Conference.
* Speaker activities during, before, and after the conference.
* Speaker After-Party in the Metalab Hackerspace on the 24th November

== Topics ==

We are interested in bleeding edge security research, directly from leading researchers, professionals in academics, industry, and government, and the underground security community.
Topics of special interest include

* Vista, Linux, OSX Security
* E/I-Voting Case-Studies, Attacks, Weaknesses
* Mobile Security
* Network Protocol Analysis
* AJAX/Web2.0/Javascript Security
* Secure Software Development
* VoIP
* Perimeter Defense / Firewall Technology
* Digital Forensics
* WLAN/WiFi, GPRS, IPv6 and 3G Security
* IPv6
* Smart Card Security
* Cryptography
* Intrusion Detection
* Incident Response
* Rootkit Detection, Techniques, and Defense
* Security Properties of Web-Frameworks
* Malicious Code Analysis
* Secure Framework Design
* .Net and Java Security

== Submission ==

Proposals for presentations and trainings at the first annual DeepSec In-Depth Security Conference will be accepted until June 16th 2007, 23:59 CET.

All proposals should be submitted over the web at http://www.deepsec.net/cfp/.

If you have questions, want to send us additional material, or have problems with the webform, feel free to contact us at cfp@deepsec.net.

From alerts at infosecnews.org Mon Jun 11 02:00:36 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] TJX lists mounting costs of data-breach debacle
Message-ID:

http://www.networkworld.com/news/2007/060807-tjx.html

By Ellen Messmer
Network World
06/08/07

Retailer TJX yesterday detailed the mounting legal woes and financial costs spawning from a data breach disclosed in January that's believed to have resulted in the compromise of at least 45.6 million credit and debit cards.

In its quarterly filing with the Securities and Exchange Commission, TJX acknowledged that the computer intrusion still under investigation has cost it $20 million during the first quarter alone, and that costs were expected to continue to mount in future quarters.

In addition, stated TJX, "We face potential liabilities from customers, banks, payment card companies and governmental entities with respect to the computer intrusion."

TJX says it's facing several "putative class-action lawsuits"
filed in Massachusetts, Illinois, Ohio and elsewhere. These lawsuits are said to represent individuals, financial institutions and others claiming injury and shareholder interest associated with the computer intrusion. Some lawsuits also name Fifth Third Bancorp as a defendant because it processed payment-card transactions for TJX.

TJX is also facing a lawsuit from the Massachusetts Bankers Association representing banks pressing to have their losses associated with the data breach covered by TJX.

TJX stated in the filing that the $20 million in costs tied to the data breach was spent on investigating the security lapse, strengthening computer security and communicating with customers about the compromise of sensitive financial data.

TJX, which has 125,000 employees, operates hundreds of T.J. Maxx and other stores in the United States and the United Kingdom. In the quarterly filing, TJX reported net sales for the quarter ending April 28 were $4.1 billion, up from $3.8 billion the same quarter a year ago. Net income for the quarter was down from $163.8 million a year ago to $162.1 million in the first quarter of this year.

All contents copyright 1995-2007 Network World, Inc

From alerts at infosecnews.org Mon Jun 11 02:00:51 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] U-Va. Officials Announce Database Breach
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2007/06/08/AR2007060801704.html

By Susan Kinzie
Washington Post Staff Writer
June 9, 2007

Hackers have been breaking into a University of Virginia database that included Social Security numbers and other personal information about faculty members over the past two years.

School officials announced the security breaches yesterday, about a week after they discovered that, on 54 days between April 2005 and April 2007, someone broke into the records for more than 5,700 faculty members.
Officials warned professors to carefully watch their financial accounts and have offered a year of free credit monitoring to everyone affected.

"I'm concerned about it," said professor Brandt R. Allen, whose data were exposed. He said he had already been a little worried about online security: "We probably have a lot more breaking and entering than people realize."

Many schools have had similar problems, and many have changed the types of personal information they store. U-Va. was in the process of moving from Social Security numbers to university-issued identification numbers, spokeswoman Carol Wood said. The theft brings greater urgency to that effort.

Hackers got into an academic Web site that mistakenly included the database of professors' information, officials said. The database included names, Social Security numbers and dates of birth, but not financial information such as credit card numbers or bank accounts. No students or non-faculty staff members were affected.

When officials sent out e-mail alerts, the names got mixed up, and the school had to send follow-up messages and post a clarifying note online: "If an e-mail came to your address, your information has been exposed -- even if the name in the salutation is not yours."

That did not inspire confidence, Allen said.

University police have launched a criminal investigation with assistance from the FBI and campus technology experts. The data have been removed and security has been shored up, according to school officials. But they are concerned that more than 3,500 of those affected no longer work at U-Va. and could be difficult to contact, so they hope former faculty members will check the school's Web site.
© 2007 The Washington Post Company

From alerts at infosecnews.org Mon Jun 11 02:01:04 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Check Point boss snipes at Microsoft's security
Message-ID:

Forwarded from: security curmudgeon

: http://www.techworld.com/security/news/index.cfm?newsID=9058
:
: By Raphael Fogel
:
: Check Point's chief executive has taken a swing at rival Microsoft,
: saying its security products leave a lot to be desired.
:
: Gil Shwed, also founder of the firewall vendor, made his remarks during
: a lecture on the global security market, before a group of network
: security managers at an IDC security conference in Israel.
:
: "Microsoft has been in the security market for more than ten years. It
: has firewall, VPN, anti-virus capabilities and disk encryption," Shwed
: said. "But it doesn't have the leading products in any of them, and
: apparently, the management and integration levels of its products is
: unsatisfactory."

Why do security vendors insist on waving their virtual penis like this? Check Point, the same vendor with a steady stream of vulnerabilities in their enterprise/corporate products since 1998, possibly earlier? The same maker of Zone Alarm, their personal firewall that is a "$50-million-a-year business" that has had vulnerabilities published since 2000?

: He refrained from mentioning other rivals like Cisco and Juniper. But he
: did say that security managers at major enterprises don't want to delve
: into the nuts and bolts of the security systems and components under
: offer. What they really want is a certificate guaranteeing that the
: security systems and components meet the regulations.
:
: They want to know their systems will be safe. They care less how that's
: achieved.

Meeting regulations and 'being safe' are NOT mutually inclusive.
Check Point Connectra NGX sre/params.php ICS Security Bypass - Jan 25, 2007
Check Point VPN/Firewall Traversal Arbitrary File Access - Jul 24, 2006
Check Point VPN-1 SecureClient SR_Watchdog.exe Path Subversion Privilege Escalation - Jan 17, 2006
Check Point Firewall-1 Internal Certificate Authority (ICA) Information Disclosure - Jan 1, 2006
Check Point VPN-1 SecureClient Security Policy Bypass - Dec 7, 2005
Check Point NGX R60 CIFS Rule Packet Verification Failure - Sep 7, 2005
Check Point VPN-1 SecuRemote/SecureClient Registry Information Disclosure - Jul 20, 2005
[..]

ZoneAlarm Pro vsdatant Driver Local DoS - May 1, 2007
ZoneAlarm Spyware Removal Engine (SRE) srescan.sys IOCTL Handling Local Privilege Escalation - Apr 20, 2007
ZoneAlarm vsdatant.sys Hooked SSDT Function Local Privilege Escalation - Apr 15, 2007
ZoneAlarm VETFDDNT\Enum Registry Key Multiple Function DoS - Jul 1, 2006
ZoneAlarm Security Suite VSMON.exe Path Subversion Local Privilege Escalation - Mar 8, 2006
ZoneAlarm ShowHTMLDialog() Outbound Filter Bypass - Nov 8, 2005
ZoneAlarm Pro DDE-IPC Method Ruleset Bypass - Sep 29, 2005
ZoneAlarm Vet Anti-Virus Engine Remote Overflow - May 23, 2005
ZoneAlarm vsdatant.sys NtConnectPort() Hook Invalid Pointer Dereference Remote DoS - Feb 11, 2005
[..]

From alerts at infosecnews.org Mon Jun 11 02:01:18 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Open University HK takes warflying to new heights
Message-ID:

http://www.techworld.nl/idgns/3360/open-university-hk-takes-warflying-to-new-heights.html

By John C. Tanner
Computerworld Hong Kong
7 June 2007

Academic researchers from Hong Kong and California took Wi-Fi war-driving -- and war-flying -- to new levels on Monday by test-driving a new technique for surveying wireless broadband security and connectivity.
Intended as a trial run for an annual Wi-Fi survey project in July led by Dr Philip Tsang of the Open University of Hong Kong (OUHK), Monday's experiment saw two teams -- one from OUHK and another from Stanford University -- collaborate to not only detect Wi-Fi access points in Kowloon and Hong Kong Island, but also to divine extra data about the APs themselves. The war-drive also tested the connectivity speeds of HSDPA signals around the city in cooperation with SmarTone-Vodafone.

At the heart of the experiment was new software developed by Christopher White of Stanford University and CEO of White's Consulting, OUHK CT212F student Casper Lau and OUHK tutor Jack Mak. The software enables mobile computers in a roving van and helicopter to detect Wi-Fi APs as well as to determine geographic data via GPS and to distinguish between corporate, residential, educational or commercial hot spots.

The software is also designed to account for Hong Kong's urban canyon topography via algorithms that give the app "more of a 3D perspective to counter the effects like shadowing that you get with lots of tall buildings around," said Stanford team leader Professor Bebo White.

Results of the test run won't be available until later in the week, although Christopher White said the software test was a success. One early result of note is that the street-level wardrive detected over 11,000 hot spots -- compared to just under 4,700 detected in OUHK's last war-flying survey in October 2006.

From alerts at infosecnews.org Mon Jun 11 02:01:33 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Planners hang hopes on Barksdale's cyber future
Message-ID:

http://www.shreveporttimes.com/apps/pbcs.dll/article?AID=/20070610/NEWS01/706100322

By John Andrew Prime
June 10, 2007

Woodlands just east of Bossier Parish Community College are a field of dreams for Bossier Parish and city planners.
The former Alden Plantation is where they hope to build a 58-acre cyber innovation center to complement Air Force Cyber Command, just formed at Barksdale Air Force Base. Using up to $50 million from Bossier City and Bossier Parish and $50 million from Louisiana, the center would be an enticement to the Air Force to locate a potential new major command headed by a four-star general here.

Planners also estimate as many as 10,000 civilian contractor jobs, ranging from programmers and engineers to manufacturers and training, could also result, directly and indirectly.

"It's just too important not to go after it full bore, with nothing but achieving the goal in sight," said former Bossier City Mayor Don Jones, now a force in Barksdale Forward and the 8th Air Force Consultation Committee. "Nothing else is acceptable. This is too big a deal to miss. We need to get this."

The Air Force is expected to announce the permanent site of the new major command later this year. The city and parish have a buy-sell agreement on the 58 acres, at a cost of just less than $4.3 million, as the site for the innovation center, Bossier City attorney Jimmy Hall said.

Boosters base the 10,000-job number on community industrial development after new high-tech missions began at Vandenberg Air Force Base in southern California and at Redstone Arsenal in Huntsville, Ala. The jobs, studies show, pay well, too. But even if the jobs reach a fraction of that number, getting that cyber mission here will mean success, Hall said. "It will provide that new mission for Barksdale, a mission that will not go away. That is priceless."

Prevent network attacks, more

Much of the work that will be done by Air Force Cyber Command and the potential new major command is described in broad brush strokes that preserve secrecy; it is a battleground still being defined.
The task will be to prevent attacks on the electronic and cyber networks that control and link military, industrial and other operations, and to plan for offensive operations on the same turf. It is now under the command of 8th Air Force head Lt. Gen. Robert J. Elder Jr. He enthusiastically endorses the local efforts on the innovation center.

"The civilian community asked how they could help. We suggested that we needed an innovation center that made it easy for us to collaborate with academia, research institutions, and industry.

"The community took it from there; the innovation incubator was their idea. The Cyberspace Innovation Center is a community initiative."

Sensitive operations and command functions will remain on base, but some personnel from the military commands could work out of the innovation center, Elder said. "We intend to become a partner in the venture."

Vision for innovation center

The local $50 million for the civilian center (two-thirds from Bossier City and one-third from Bossier Parish) would come from bonds that will be paid using current revenue streams, Hall said. The state has been asked to match that with $50 million, available from the $400 million that had been reserved in a failed bid to lure a German steel mill to Louisiana.

Parish Administrator Bill Altimus and Bossier City Mayor Lo Walker spoke with Gov. Kathleen Blanco last week while in Baton Rouge to lobby for Interstate 49 and asked her to commit on the state's $50 million stake. "She said she's going to do all she can to assist in this project," Altimus said.

The 58 acres come from the old Alden Plantation, part of which was used for the new Bossier Parish Community College campus. According to the buy-sell agreement, the landowners are JPIL Partnership, Belmore Bridgford, the Nipissing Trust, John Hendrick III, Bobbie Cates Hicks, the Hicks Marital Trust, Katherine Sale, the ERH Limited Partnership, N.H. Wheless Jr. and N.H.
Wheless as trustee for the Elise Wheless Hook Trust.

Early plans envision several phases, with an inner core of buildings with enhanced security, lease properties, a "dish garden" (the name given to areas where satellite dishes are clustered) and conference and visitor centers. Altimus said more land east toward Interstate 220, some owned by those individuals and some by Louisiana Downs, also could be acquired for expansion.

Pledging money like that at the start jumps a hurdle that often hurts a community seeking such facilities, Jones said. "The commitment by Bossier City and Bossier Parish to get out front and make a substantial investment in the future of Barksdale moved this along rather quickly. And it has raised the bar for other cities, competitors, to try to top."

These competitors include Belleville, Ill., Omaha, Neb., San Antonio and Langley, Va., Jones said. That makes this a horse race, with $100 million at stake. "Until the secretary of the Air Force announces it, nothing's a done deal," Jones said.

Center's economic impact

Altimus and Walker say the innovation center development would increase the tax base and cause a mushrooming of schools and local services. And it would impact transportation, with Louisiana agreeing to create an I-20/Interstate 220 spur onto Barksdale that could affect several aspects of the base's mission. All this buttresses their estimate of 10,000 jobs, possibly more, that could be here in the next few years.

At Vandenberg, a 2006 study says, space-oriented military activity resulted in 8,300 jobs, with a direct impact of $555.4 million. "The strong income impact is due largely to the high salaries associated with the aerospace industry and the demand for technical consulting services made by the base and its contractors," says the study, which looked at 2004 numbers and was the work of the University of California at Santa Barbara.
Studies Altimus and others consulted show these jobs with annual salaries at $70,000 and upward. Altimus said such growth also has happened in Colorado Springs, Colo., after Air Space Command opened there in the early 1980s. And he cited Cummings Research Park in Huntsville, Ala., which witnessed the creation of thousands of well-paying space program jobs when it was created in the 1960s. The 3,843-acre park now employs 25,000 workers in nearly 300 tenant companies. "We think the same parallel would occur here," Altimus said. "Honestly, we think the real potential is more than what has been stated so far." Analyst: Count your pennies Washington defense analyst John Pike, founder of GlobalSecurity.Org, suggests caution since not all military information warfare initiatives have blossomed on the civilian side. "They need to count their pennies," he said. "They need to understand very clearly what's it going to cost and what's it going to get? "It's not going to be the Manhattan Project," he said, referring to the effort to develop and build the first atomic bombs. "That was $25 billion over four years." And Pike said not all high-tech government enterprises spawn economic growth. He cited Fort Meade, Md., home of the National Security Agency, whose work to a large degree parallels that planned for the cyber commands here. "There's a surprising absence of an off-site contractor presence outside Fort Meade. It's not there." He also said what the Air Force is planning here runs against the grain for that branch. "Every time the Air Force has started thinking about itself as being an information operations service, as opposed to a 'hot steel on target' service, after a little while, they get down that road and they say 'You know, information operations just really doesn't have that much in common with air power.' It has a different set of tools, a different set of principles, a different set of skills." It doesn't involve flying or destroying targets. 
And in the Air Force, those are almost requirements for advancing to higher command, Meade said. So it might also be seen as a dead-end career field, he noted.

"So very different"

In fact, Meade concluded, "Information operations is so very different from air power, there's no particular reason you have to be in the Air Force to do it."

Elder said Pike "is factually correct. However, Cyber Command reflects a major shift in Air Force thinking back to its roots, emphasizing operational effects and strategic thought (versus) simply tactical approaches to war fighting.

"(The) Air Force intends to integrate air, space and cyberspace rather than present these capabilities independently," Elder said. "That is what makes our approach different from the other services.

"And the Cyber Command is not only network ops; it is also electronic attack, a form of electronic warfare. ... So it does involve aircraft and aircraft-delivered effects."

Recent pronouncements from Air Force leaders further emphasize the importance of the cyber realm and promise growth in its career fields, signaling change as well.

"The Air Force is a business and, like any other business, is being asked to do more with less," Altimus said. "Funding and personnel, I am sure, are constant concerns. There is value in streamlining. And having various functions in one location can create savings."

Walker, a retired Air Force colonel and combat-decorated pilot, said the importance of what could happen at Barksdale transcends its impact on the economy. "By far and away, the most important thing is the defense of the nation.

"What's least understood by the average citizen out there is that this affects them," he said. "They are in this war because they will be directly impacted negatively by an enemy's use of this electromagnetic spectrum to do harm to the United States."

©
The Times 2007

From alerts at infosecnews.org Mon Jun 11 02:02:19 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Linux Advisory Watch - June 8th 2007
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                 |
| June 8th 2007                               Volume 8, Number 23a    |
+---------------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com), Benjamin D. Thomas (ben@linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week advisories were released for samba, ipsec-tools, libexif, evolution, elinks, php-pear, util-linux, mutt, mplayer, clamav, file, libpng, lha, fetchmail, asterisk, and Thunderbird. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, SuSE, and Ubuntu.

---

Vyatta - Linux-based Router, Firewall & VPN

Vyatta software and appliances combine the features, performance and reliability of enterprise-class networking gear with the cost-savings and flexibility of linux-based solutions. Vyatta empowers you to replace overpriced proprietary router, firewall and VPN equipment with commercially supported open-source solutions.

Free Vyatta Software & Live Webinars >> http://www.linuxsecurity.com/ads/adclick.php?bannerid=28

---

* EnGarde Secure Linux v3.0.13 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.13 (Version 3.0, Release 13). This release includes several bug fixes and feature enhancements to the SELinux policy and several updated packages.
http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.13

---

Review: Practical Packet Analysis

In the introduction, McIlwraith points out that security awareness training properly consists of communication, raising of issues, and encouragement to modify behaviour. (This will come as no surprise to those who recall the definition of training as the modification of attitudes and behaviour.) He also notes that security professionals frequently concentrate solely on presentation of problems. The remainder of the introduction looks at other major security activities, and the part that awareness plays in ensuring that they actually work.

http://www.linuxsecurity.com/content/view/128459/171/

---

Robert Slade Review: "Information Security and Employee Behaviour"

The best way to secure yourself against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/128404/171/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

* Debian: New samba packages fix regression
4th, June, 2007

A security vulnerability in the samba packages was found. The security update for CVE-2007-2446 introduced a regression, which broke connection to domain member servers in some scenarios. This update fixes this regression.

http://www.linuxsecurity.com/content/view/128425

* Debian: New ipsec-tools packages fix denial of service
7th, June, 2007

It was discovered that a specially-crafted packet sent to the racoon ipsec key exchange server could cause a tunnel to crash, resulting in a denial of service. We recommend that you upgrade your racoon package.
http://www.linuxsecurity.com/content/view/128465

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

* Fedora Core 5 Update: samba-3.0.24-7.fc5
6th, June, 2007

Bugfixes against the recent security updates for Fedora Core 5 samba-3.0.24-7.fc5 package. Also this update fixes a samba denial of service vulnerability.

http://www.linuxsecurity.com/content/view/128458

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: libexif Integer overflow vulnerability
5th, June, 2007

libexif fails to handle Exif (EXchangeable Image File) data inputs, making it vulnerable to an integer overflow. An attacker could entice a user to process a file with specially crafted Exif extensions with an application making use of libexif, which will trigger the integer overflow and potentially execute arbitrary code or crash the application.

http://www.linuxsecurity.com/content/view/128438

* Gentoo: Evolution User-assisted execution of arbitrary code
6th, June, 2007

A vulnerability has been discovered in Evolution allowing for the execution of arbitrary code. A remote attacker could entice a user to open a specially crafted shared memo, possibly resulting in the execution of arbitrary code with the privileges of the user running Evolution.

http://www.linuxsecurity.com/content/view/128460

* Gentoo: ELinks User-assisted execution of arbitrary code
6th, June, 2007

A vulnerability has been discovered in ELinks allowing for the user-assisted execution of arbitrary code. A local attacker could entice a user to run ELinks in a specially crafted directory environment containing a malicious ".po" file, possibly resulting in the execution of arbitrary code with the privileges of the user running ELinks.
http://www.linuxsecurity.com/content/view/128461

+---------------------------------+
| Distribution: Mandriva          | ----------------------------//
+---------------------------------+

* Mandriva: Updated php-pear packages fix directory traversal
4th, June, 2007

A security hole was discovered in all versions of the PEAR Installer (http://pear.php.net/PEAR). The security hole is the most serious hole found to date in the PEAR Installer, and would allow a malicious package to install files anywhere in the filesystem. The vulnerability only affects users who are installing an intentionally created package with a malicious intent.

http://www.linuxsecurity.com/content/view/128428

* Mandriva: Updated util-linux packages address login access
4th, June, 2007

The login in util-linux-2.12a (and later versions) skips pam_acct_mgmt and chauth_tok when authentication is skipped, such as when a Kerberos krlogin session has been established, which might allow users to bypass intended access policies that would be enforced by pam_acct_mgmt and chauth_tok. Updated packages have been patched to address this issue.

http://www.linuxsecurity.com/content/view/128429

* Mandriva: Updated mutt packages fix vulnerabilities
4th, June, 2007

A flaw in the way mutt processed certain APOP authentication requests was discovered. By sending certain responses when mutt attempted to authenticate against an APOP server, a remote attacker could possibly obtain certain portions of the user's authentication credentials (CVE-2007-1558).

http://www.linuxsecurity.com/content/view/128431

* Mandriva: Updated mplayer packages fix buffer overflow
4th, June, 2007

Buffer overflow in the asmrp_eval function for the Real Media input plugin allows remote attackers to cause a denial of service and possibly execute arbitrary code via a rulebook with a large number of rulematches. Updated packages have been patched to correct this issue.
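The libexif and mplayer entries above are the same bug class seen from two sides: an element count read from the file is multiplied into an allocation size or used as a loop bound without checking that the arithmetic cannot wrap. The following is an added illustration written for this newsletter, not code from libexif, mplayer or either advisory; the function names are mine, and the two 12-byte IFD entries are constructed by hand rather than taken from any real image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte size of one Exif LONG component (TIFF type 4). */
#define LONG_SIZE 4u

/* Vulnerable pattern: the multiply is done in 32 bits, so any count
   above 0x3FFFFFFF wraps. The caller then allocates a tiny buffer and
   later copies 'count' elements into it, overrunning the heap. */
uint32_t vulnerable_data_size(uint32_t count)
{
    return count * LONG_SIZE;               /* wraps silently */
}

/* Hardened pattern: reject a count that cannot be multiplied without
   wrap, then reject a size larger than the bytes actually left in the
   file. Returns 1 and sets *out on success, 0 when the entry must be
   dropped. */
int checked_data_size(uint32_t count, size_t available, size_t *out)
{
    if (count > UINT32_MAX / LONG_SIZE)     /* would wrap */
        return 0;
    size_t need = (size_t)count * LONG_SIZE;
    if (need > available)                   /* declares more data than exists */
        return 0;
    *out = need;
    return 1;
}

/* Little-endian 32-bit read, as in an Intel-byte-order TIFF header. */
uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed IFD entries: tag, type, count, value/offset (all LE). */
static const uint8_t hostile_entry[12] = {
    0x00, 0x01,              /* tag 0x0100 */
    0x04, 0x00,              /* type 4 = LONG */
    0x01, 0x00, 0x00, 0x40,  /* count 0x40000001: 32-bit product wraps to 4 */
    0x08, 0x00, 0x00, 0x00   /* offset 8 */
};
static const uint8_t benign_entry[12] = {
    0x00, 0x01, 0x04, 0x00,
    0x0a, 0x00, 0x00, 0x00,  /* count 10 -> 40 bytes */
    0x08, 0x00, 0x00, 0x00
};

/* Bytes a parser should allocate for the entry's data, or 0 if the
   entry must be rejected. 'available' is how much file data remains
   after the entry table. */
size_t entry_data_size(const uint8_t *entry, size_t available)
{
    size_t need = 0;
    if (!checked_data_size(read_le32(entry + 4), available, &need))
        return 0;
    return need;
}

int main(void)
{
    uint32_t n = read_le32(hostile_entry + 4);
    printf("hostile count 0x%08x: unchecked size %u, checked size %zu\n",
           n, vulnerable_data_size(n), entry_data_size(hostile_entry, 4096));
    printf("benign entry: checked size %zu\n",
           entry_data_size(benign_entry, 4096));
    return 0;
}
```

The second check matters as much as the first: a count that survives the wrap test can still be far larger than the file, and a parser that trusts it will read past the mapped buffer even though the multiply was sound.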
http://www.linuxsecurity.com/content/view/128432

* Mandriva: Updated clamav packages fix vulnerabilities
4th, June, 2007

A vulnerability in the OLE2 parser in ClamAV was found that could allow a remote attacker to cause a denial of service via resource consumption with a carefully crafted OLE2 file. Other vulnerabilities and bugs have also been corrected in 0.90.3 which is being provided with this update.

http://www.linuxsecurity.com/content/view/128433

* Mandriva: Updated file packages fix vulnerabilities
5th, June, 2007

The update to correct CVE-2007-1536 (MDKSA-2007:067), a buffer overflow in the file_printf() function, introduced a new integer overflow as reported by Colin Percival. This flaw, if an attacker could trick a user into running file on a specially crafted file, could possibly lead to the execution of arbitrary code with the privileges of the user running file (CVE-2007-2799). The updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/128439

* Mandriva: Updated libpng packages fix vulnerability
5th, June, 2007

A flaw in how libpng handled malformed images was discovered. An attacker able to create a carefully crafted PNG image could cause an application linked with libpng to crash when the file was manipulated. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/128440

* Mandriva: Updated lha packages fix unsafe temporary files
6th, June, 2007

lharc.c in the lha package does not securely create temporary files, which might allow local users to read or write files by creating a file before LHA is invoked. Updated packages have been patched to prevent this issue.
http://www.linuxsecurity.com/content/view/128442

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Moderate: mutt security update
4th, June, 2007

An updated mutt package that fixes several security bugs is now available for Red Hat Enterprise Linux 3, 4 and 5. A flaw was found in the way Mutt used temporary files on NFS file systems. Due to an implementation issue in the NFS protocol, Mutt was not able to exclusively open a new file. A local attacker could conduct a time-dependent attack and possibly gain access to e-mail attachments opened by a victim. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128423

* RedHat: Moderate: fetchmail security update
7th, June, 2007

An updated fetchmail package that fixes a security bug is now available for Red Hat Enterprise Linux 2.1, 3, 4 and 5. Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, like SLIP or PPP connections. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128462

+---------------------------------+
| Distribution: Slackware         | ----------------------------//
+---------------------------------+

* Slackware: firefox-seamonkey-thunderbird
2nd, June, 2007

New mozilla-firefox and seamonkey packages are available for Slackware 10.2, 11.0, and -current to fix security issues. New thunderbird packages are available for Slackware 10.2 and 11.0 to fix security issues.
More details about this issue may be found at these links:

http://www.linuxsecurity.com/content/view/128416

+---------------------------------+
| Distribution: SuSE              | ----------------------------//
+---------------------------------+

* SuSE: clamav 0.90.3 (SUSE-SA:2007:033)
6th, June, 2007

The anti-virus scan engine ClamAV was upgraded to version 0.90.3 to fix several security bugs. One is a heap corruption causing denial-of-service with corrupted rar archive.

http://www.linuxsecurity.com/content/view/128445

* SuSE: asterisk (SUSE-SA:2007:034)
6th, June, 2007

The Open Source PBX software Asterisk was updated to fix several security related bugs that allowed attackers to remotely crash asterisk or cause information leaks. Asterisk allowed remote attackers to cause a denial of service (crash) by sending a Session Initiation Protocol (SIP) packet without a URI and SIP-version header, which results in a NULL pointer dereference.

http://www.linuxsecurity.com/content/view/128447

+---------------------------------+
| Distribution: Ubuntu            | ----------------------------//
+---------------------------------+

* Ubuntu: Firefox vulnerabilities
1st, June, 2007

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user's privileges.

http://www.linuxsecurity.com/content/view/128414

* Ubuntu: Thunderbird vulnerabilities
6th, June, 2007

Gaëtan Leurent showed a weakness in APOP authentication. An attacker posing as a trusted server could recover portions of the user's password via multiple authentication attempts. (CVE-2007-1558) Various flaws were discovered in the layout and JavaScript engines. Please note that JavaScript is disabled by default for emails, and it is not recommended to enable it.
(CVE-2007-2867, CVE-2007-2868)

http://www.linuxsecurity.com/content/view/128441

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From alerts at infosecnews.org Mon Jun 11 02:03:09 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] No 10 security breached as couple slip into Downing Street unnoticed
Message-ID:

http://www.thisislondon.co.uk/news/article-23400051-details/No+10+security+breached+as+couple+slip+into+Downing+Street+unnoticed/article.do

11.06.07

A drug addict and his girlfriend breached heavy security to get within yards of Tony Blair's personal office in Downing Street, it has emerged. The couple were also able to walk near to the nerve centre of anti-terrorism operations.

Wearing a tracksuit and T-shirt, Obadiah Marius, 34, and his girlfriend Victoria Smith, 19, walked in off the street into the Cabinet Office, went through at least two doors and strolled freely around. They were arrested only when they reached the secret corridor which joins the building to No 10. It leads directly to the Cabinet room and Mr Blair's "den".

The Prime Minister was in London at the time of the alert last Tuesday but it is not known whether he was at his desk. A security guard was facing the sack last night as a full-scale investigation continued. A Whitehall source said: "If they had been terrorists, it doesn't bear thinking about."

The pair entered the Cabinet Office on Whitehall through an open door as a member of staff was leaving. The security guard buzzed them through an internal door.
Once inside, they got near to the Cobra emergency room where the Prime Minister, senior Ministers and police chiefs meet in the event of a terror attack or other critical threat. The windowless room is protected by an electronic security system. The couple's route bypassed the massive security gates installed in the 1980s to counter IRA attacks.

When they were finally stopped they said they were looking for work. Last night at his home in Stratford, East London, Mr Marius said: "There was no way that I should have got where I got, it was ridiculous." Miss Smith said: "How can anyone just walk in off the street? We didn't even know where we were until we got arrested."

Mr Marius denied "trespassing on a protected site" at a Westminster Magistrates' Court hearing on Thursday. His lawyer said it was a genuine mistake and neither had known they were trespassing. The offence is usually dealt with in a civil court. However, under the 2005 Serious Organised Crime and Police Act, Downing Street and the Cabinet Office at 70 Whitehall have this month become "protected sites" where trespassers can be prosecuted under criminal law. A number of royal, government and military premises have similar status. The act was introduced after "comedy terrorist" Aaron Barschak gatecrashed Prince William's 21st birthday.

Marius was released on bail but has been ordered to attend a drug dependency clinic and faces a trial in August. Smith has been charged under the same act and is due to appear in court later this month.

A spokesman for Downing Street said: "We are satisfied with our security arrangements." A Cabinet Office spokesman said: "It is a matter for the police to investigate."
From alerts at infosecnews.org Tue Jun 12 02:02:41 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Paychecks For Security Pros In The Heartland Catching Up To Northeast, Silicon Valley
Message-ID:

http://www.informationweek.com/security/showArticle.jhtml?articleID=199902153

By Sharon Gaudin
InformationWeek
Jun 7, 2007

IT security professionals living outside of Silicon Valley and the Northeast are getting substantial raises. An eight-year study by the SANS Institute shows that security professionals working in the rest of the country -- especially the Midwest, the Northwest, and the Southeast -- are catching up to their better-paid security brethren. When it comes to getting the best raises, these areas have been at the top of the charts since the end of the last century, with salary growth exceeding 7.5% yearly.

"There has been a leveling," said Alan Paller, director of research at the SANS Institute, in an interview with InformationWeek. "It used to be that from New York to Boston and then in California, salaries were way ahead. That's where you went if you wanted a lot of money. Then the rest of the country discovered they were just as much a target for attacks as the California and New York firms were. It's not that they're getting paid more than New England, but they're getting bigger raises and catching up."

Have they caught up, yet, though? According to Paller, the Mid-Atlantic region -- Pennsylvania, Maryland, Virginia and Washington -- has the biggest paychecks for security professionals, coming in at a mean salary of $95,615 for 2006. The Northeast came in second with $92,452, while the West, which includes Silicon Valley, rang in with $86,368. The Midwest is seeing a mean salary of $84,120, as the Northwest comes in at $81,186. The Southeast comes in at $80,123 and the U.S. Central, which includes Kansas, Oklahoma and Texas, came in at $78,666.
Paller, though, was quick to point out that salary satisfaction doesn't come from having the highest salary. It comes from having consistent increases in your salary.

"Satisfaction is less related to the absolute value of your salary than with the change," he explained. "People who are getting good raises every year are feeling appreciated. Those people will be much more satisfied with their compensation than people who are paid well but haven't gotten raises in two years. Satisfaction in security is much higher in areas outside of the traditional high-paid areas, like Silicon Valley."

The SANS survey also shows that the Federal Information Security Management Act and the advancement of China's technology capabilities are propelling salaries in industries like aerospace and professional service providers who work for government agencies, handling jobs like security assessments and auditing. Those are two of the industry segments that showed an eight-year total salary increase of 65%.

Just a few weeks ago, the Department of Defense released a report saying that the People's Liberation Army in China is building up its cyberwarfare capabilities, even creating malware that could go after enemy computer systems in first-strike attacks.

"It's two-thirds FISMA and one-third that the Chinese are all over the aerospace industry and government computers," said Paller. "We're trying to build protections against attacks. ... [The DOD] wouldn't have said it publicly if they didn't think that some action really needed to be taken. It's been known for some time but talking about it means they're really worried."

Paller noted that salaries for security professionals working in the telecommunications and finance industries are growing strong, but that's no surprise since they have been for years.

Who's not doing so well? Salaries in manufacturing, health care, and education aren't faring nearly so well, coming in at the low end of the pay spectrum.
"They've always been the lowest paid and they're getting the lowest raises," said Paller. As for what jobs are doing well, and not so well, it looks like managers are seeing more raises than the people they're managing. Some of the positions that saw their salaries grow by more than 65% in the past eight years are IT director; director or manager in information security or audit; CISO; CSO; chief compliance officer; chief privacy officer; chief of audit, and security auditor. Those who got smaller raises include security architects; systems or network managers; intrusion detection specialists; forensics investigators, and desktop support. "It's basically appreciation of the value of these people," said Paller. "Through these last seven years, people have valued writing about security higher than doing security and that's because of regulations. FISMA is not measured on how secure your systems are but how well-done your reports are. It's more or less the same with HIPAA and SOX. Most of the money went to people who wrote about security rather than those who did security. That's what these attacks from the Chinese and cybercriminals have changed. It's moving security back into the operational people's hands, operational directors." SANS is in the process of running another salary survey. The new study will focus on the past year, as opposed to this study which focused on an eight-year span. To participate in the new study, go to this Web site [1]. [1] http://www.sans.org/salary2005/ From alerts at infosecnews.org Tue Jun 12 02:02:57 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] Cyberwar is breaking out of sci-fi genre Message-ID: http://www.cbw.cz/phprs/2007061112.html By Pavla Kozkov 11.06.2007 Not so long ago Estonia made the headlines as the first country to hold its national elections via Internet.
Now the country has taken center stage due to a different but much less pleasant first, and one which could hit closer to Czech homes than Czechs would like. Estonia is one of the most advanced countries in its use of Internet and e-government in Europe. An attack on its virtual world hit society where it counts the most. Estonia, which became independent of the former Soviet Union in 1991, pulled down a bronze statue of a Red Army soldier in the center of the capital city of Tallinn at the end of April. The move provoked strong words from Russia and the largest riots among the Russian minority in Estonia since the collapse of the Soviet bloc. During the protests some 1,300 people were arrested, 100 injured and one person killed. The political row escalated in May when Estonia endured a two-week cyberwar that disabled Web sites of government, political parties, newspapers, banks and companies. The damage caused by the shutdowns hasn't been calculated yet. These attacks are the first known incident of an assault on such a wide scale and caused alarm across the countries of the North Atlantic Treaty Organization (NATO), which is examining the offensive and its implications. NATO even sent some of its top cyber-terrorism experts to the Estonian capital to investigate and strengthen the country's electronic defenses. While no one is pointing fingers openly at Russia, all heads are turned in that direction. So far there has been no proof of Russia's official involvement. The hackers have been disrupting Estonian Web sites using distributed denial of service (DDoS) attacks, which swamp Web sites with tens of thousands of requests. The huge number of requests exceeds the capacity of the server and disables the sites. Estonian authorities claimed that one of the addresses sending the DDoS traffic belonged to an official who works with Russian President Vladimir Putin, but the Russian government denied any involvement.
According to online publication Boing Boing, a Russian youth group called Nashi, which has strong ties to Putin, claimed responsibility for the attacks. Whether it is the Russian state or some patriotic group that orchestrated this cyberwar isn't as important as the fact that it drew attention to the possibilities and ramifications of Web aggression. The Czech angle The second largest city in the Czech Republic, Brno, South Moravia, is considering removing a memorial above the tomb of Red Army soldiers in Brno's district Kralovo Pole. The Russian general consulate in Brno already stated it would consider the removal of the memorial as a breach of interstate treaty and as a hostile step. The debate was started by Brno Deputy Mayor Ren Pelan who, in the district newsletter, called the structure a monster. The monument is shaped like a stone pyramid with a Cyrillic inscription saying that 326 Red Army soldiers, who died during Brno's liberation in 1945, are buried there. At the base of the monument is a flowerbed that's supposed to symbolize a grave. Pelan wants the space cultivated and proposed removing the memorial and replacing it with an irregular piece of rock. The new stone monument would bear the inscription to the memory of all victims of World War II, he suggested. It would make no specific reference to the Red Army. The Russian consulate said that victory in World War II was attained at the cost of huge Russian sacrifices, and that's why the attempts in a number of countries to rewrite the history of the war and to distort the importance of the victory are absolutely unacceptable. The consulate, however, said that it believes that the Czech Republic is not trying to rewrite the history, according to the Czech News Agency (CTK). Estonia's lesson The events in Estonia, taken seriously not only by the country directly affected but also by NATO officials, give Czechs and other nations a flavor of what might happen if they anger another state.
The memorial is scheduled for repair this year and apart from cleaning up the obelisk, it will get back the Russian symbols of a hammer and sickle, according to an agreement between the Ministry of Defense and Brno's City Hall. The symbols of the communist Soviet Union were originally part of the memorial and will most likely return, despite the protests from leaders in the Kralovo Pole district. This should serve to make the Russians happy. But there is another issue that for the past couple of months has irked the Russians to such a degree that they stated they would be willing to point their missiles at the Czech Republic: the U.S. radar base. The first round of the Czech-U.S. talks on the possible hosting of the U.S. radar base in the Czech Republic was completed in May. The talks are expected to last another several months but Russia is coming up with strongly worded comments on the issue almost daily. While so far the threats circle around the use of conventional, old-fashioned missiles, the Estonian experience shows a way that countries can express dissatisfaction and cause damage without resorting to brute force. What would be the effects of such a shutdown in the Czech Republic? Even though the country isn't very advanced in e-government services yet, a cyber attack on the government Web sites would still result in significant inconvenience for officials and citizens. The attack could shut down portals for Web applications such as public transport schedules, for example. Shutdowns could also affect advertising income for portals. The effects of such a shutdown would be equally lethal for a company that generates its sales revenues from business deals closed solely on the Internet, such as Internet shops. The largest Czech online retailer by revenue, Internet Mall, posted sales exceeding Kc 1.37 billion (€48.5 million) in 2006, and one day out of operation might cost the company almost Kc 3.8 million in lost revenues.
The amount, naturally, would be lower for slow seasons such as summer and higher for high seasons such as the December holidays, but it gives us an idea of what the cost of even a limited cyber attack could be. From alerts at infosecnews.org Tue Jun 12 02:03:10 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] Best practices for BGP security Message-ID: http://www.gcn.com/online/vol1_no1/44433-1.html By William Jackson GCN Staff 06/06/07 The National Institute of Standards and Technology has released a set of best practices to help protect the Border Gateway Protocol, the core routing protocol used on the Internet. Although it can be used within large IP networks, BGP most commonly is used by gateway hosts for routing between autonomous networks on the Internet. It maintains a table of prefixes designating IP networks that can be reached. It is a decentralized routing protocol. Although end users do not often use BGP, Internet service providers often use it to establish routing with each other, so it is integral to the Internet. NIST Special Publication 800-54 [1], titled Border Gateway Protocol Security, gives an introduction to the protocol along with guidelines for securing it. The guidelines are intended to be easily implemented on most BGP routers using the current version of the protocol, Version 4. While enhanced protocols for BGP have been proposed, these generally require substantial changes to the protocol and may not interoperate with current BGP implementations, NIST said. The recommendations offered are intended to improve security within the present framework. The recommendations include the use of access control lists, restrictions on which networks and blocks are announced, the use of filtering and allowing peers to connect only through TCP port 179.
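The filtering recommendations summarised above are easiest to see applied to a concrete batch of announcements. What follows is an added example, not NIST's text and not any router vendor's configuration: it evaluates each prefix a peer announces against the same kinds of rules (reject the default route and bogon space, refuse any prefix that lies inside or covers our own address space, cap prefix length, and accept only prefixes registered for the peer with the expected origin AS). The peer policy, the prefixes and ASNs, and the bogon list are constructed for the example; on a real router the equivalent lives in prefix-lists and route-maps, and restricting peers to TCP port 179 belongs in the device's access control list rather than in this logic.

```python
"""Inbound BGP announcement filter in plain Python: an added illustration of the
prefix-filtering recommendations in NIST SP 800-54 (reject bogons and the default
route, refuse announcements of our own space, cap prefix length, accept only
prefixes and origin ASNs registered for the peer). Not NIST's or any router
vendor's code; the peer policy, prefixes, ASNs and bogon list are constructed."""
import ipaddress

# Constructed bogon list (assumption: the operator never expects these from an
# external peer). Real deployments consume a maintained bogon feed instead.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def evaluate_announcement(prefix, origin_as, policy, own_prefixes, max_len=24):
    """Decide one announcement from a peer. Returns (accept, reason).

    policy["allowed"] maps a registered prefix to the origin ASN expected for it
    (a constructed stand-in for IRR / peering-registration data). Checks run
    most damaging first, so the reason names the worst problem found."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # strict: host bits set is an error
    except ValueError:
        return False, "malformed prefix"
    if net.version != 4:
        return False, "no IPv4 policy match (IPv6 not covered by this policy)"
    if net == DEFAULT_ROUTE:
        return False, "default route from peer"
    if any(net.subnet_of(b) for b in BOGONS):
        return False, "bogon/private space"
    for own in own_prefixes:
        own_net = ipaddress.ip_network(own)
        # A peer must neither announce a piece of our space (hijack) nor an
        # aggregate that covers it (would attract our traffic elsewhere).
        if net.subnet_of(own_net) or own_net.subnet_of(net):
            return False, "covers or lies inside our own space"
    if net.prefixlen > max_len:
        return False, f"more specific than /{max_len}"
    covering = [(p, asn) for p, asn in policy["allowed"].items()
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return False, "not in peer's registered allow-list"
    if all(asn != origin_as for _, asn in covering):
        return False, f"origin AS{origin_as} not registered for this prefix"
    return True, "accepted"


def filter_update(announcements, policy, own_prefixes, max_len=24):
    """Split (prefix, origin_as) pairs into accepted prefixes and (prefix, reason)
    rejections, in input order."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        ok, reason = evaluate_announcement(prefix, origin_as, policy, own_prefixes, max_len)
        if ok:
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    return accepted, rejected


# Constructed sample: peer AS64500 is registered for two documentation prefixes
# (one of them originated by its customer AS64501); we originate 192.0.2.0/24.
PEER_POLICY = {"peer_as": 64500,
               "allowed": {"203.0.113.0/24": 64500, "198.51.100.0/24": 64501}}
OWN_PREFIXES = ["192.0.2.0/24"]
SAMPLE_UPDATE = [
    ("203.0.113.0/24", 64500),   # registered, correct origin
    ("203.0.113.0/25", 64500),   # too specific
    ("198.51.100.0/24", 64500),  # registered to AS64501, wrong origin
    ("192.0.2.0/24", 64500),     # our own space (hijack attempt)
    ("192.0.0.0/16", 64500),     # aggregate covering our space
    ("10.0.0.0/8", 64500),       # bogon
    ("0.0.0.0/0", 64500),        # default route
    ("203.0.113.5/24", 64500),   # host bits set: malformed
    ("8.8.8.0/24", 64500),       # outside the allow-list
]

if __name__ == "__main__":
    ok, bad = filter_update(SAMPLE_UPDATE, PEER_POLICY, OWN_PREFIXES)
    print("accepted:", ok)
    for prefix, reason in bad:
        print(f"rejected {prefix}: {reason}")
```

The order of the checks matters: a bogon or a hijack of our own space is reported as such even when the announcement would also fail the allow-list, which is what an operator wants to see in a log. Raising `max_len` to 25 for a peer that legitimately announces /25s is a per-peer policy decision, not a global one.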
[1] http://csrc.nist.gov/publications/drafts/800-54/Draft-SP800-54-version2-Jun2007.pdf From alerts at infosecnews.org Tue Jun 12 02:03:31 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] Law puts damper on web security research Message-ID: http://www.techworld.com/security/news/index.cfm?newsID=9113 By Matthew Broersma Techworld 11 June 2007 Web security research is being seriously hampered by laws that punish researchers for even attempting to locate flaws in web software, much less disclosing those flaws, according to a new study. The report is the first by the Computer Security Institute (CSI), a research and training organisation under the aegis of CMP Technology. It draws on discussions by a broad working group, including security researchers and representatives of US law enforcement agencies. The upshot is that current legal frameworks designed to allow prosecution of web attackers also make it next to impossible to legally spot security flaws in the "web 2.0" applications quickly becoming ubiquitous on the Internet. Those researchers who do feel safe probing web software for flaws are probably not aware of their real legal position, the report said. Unlike researchers who address offline software and operating systems, web software researchers face significant legal restrictions designed to trap attackers, according to Jeremiah Grossman, chief technology officer of White Hat Security and a member of the working group. "Under some laws, a researcher could find himself prosecuted for simply looking for website vulnerability, much less disclosing it publicly," he said in a statement. The report is to be released on Monday at CSI's NetSec '07 conference in Scottsdale, Arizona. It suggests that changes may be needed if the emerging ecosystem of web applications is to be kept secure. 
That could include changes in the law, including to the assignment of liability, how "damage" is quantified and how disclosure and criminal intent figure into the picture, the report said. Short of changes to the law, the report suggested websites could encourage vulnerability disclosures through anonymous tip lines or the use of "dummy" sites specifically for the use of researchers. The working group included organisations such as Fortify Software, SPI Labs, the US Department of Justice, Cenzic and the Electronic Frontier Foundation. From alerts at infosecnews.org Tue Jun 12 02:03:43 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] Anti-spam sites weather DDoS assault Message-ID: http://www.theregister.co.uk/2007/06/11/anti-spam_ddos/ By John Leyden 11th June 2007 Prominent anti-spam services came under a sustained denial of service attack late last week. The assault targeted Spamhaus, Spam URI Realtime Blocklists (SURBL), and Realtime URI Blacklist (URIBL). The URIBL website (URIBL, like SURBL, filters junk mail based on spam sites mentioned in message bodies) was rendered temporarily unavailable by the assault between Wednesday and Friday. It used DDoS mitigation technology from Prolexic to restore services. Both Spamhaus and SURBL managed to keep their sites up and running during the onslaught. The Rules Emporium, which hosts additional rules for SpamAssassin, was unavailable on Friday, but it's unclear whether this was a direct result of the assault on fellow spam-busting sites. Last week's attacks were likely launched from a network of compromised (zombie) PCs and were of the same type as those that knocked out spam-busting outfit Blue Security last year, according to the Internet Storm Centre (ISC). "The attacks seem to be similar to those carried out against BlueSecurity last year, with the Storm malware. Storm is a botnet that can do basically anything..." security watchers at the ISC note [1].
On the plus side, the fact that spammers have taken to launching denial of service attacks might be a sign of desperation, it adds. [1] http://isc.sans.org/diary.html?storyid=2940 From alerts at infosecnews.org Wed Jun 13 01:01:45 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] Spying on the spy: Raw Story interviews former FBI investigator Eric O'Neill Message-ID: http://rawstory.com/news/2007/Spying_on_spy_Raw_Story_interviews_0612.html By Larisa Alexandrovna June 12, 2007 Agent's riveting account is basis for the film, Breach. [1] Ask anyone in the intelligence community who was the most damaging spy in US history and the answer comes quickly: Robert Hanssen, a senior FBI agent who spied for the Soviet Union, and, after the Cold War, for the Russians, on and off for a period of 15 years. While much of the information Hanssen provided to the Russians remains classified, what has been released to the public illustrates the real life meaning of treason. At various times throughout his double-agent career at the FBI, Hanssen served as the head of the Soviet Analytical Squad, the chief of the National Security Threat List Unit, part of the Bureau's computer espionage squad, and even part of the State Department's Office of Foreign Missions. By all accounts he was an outstanding computer technician, even a hacker according to some, and a brilliant analyst. But he was also as enigmatic a person as counter-intelligence has ever encountered. Hanssen was a devout Catholic, a member of the controversial and influential conservative religious group known as Opus Dei; he was fiercely anti-Communist, a good father, a good husband, and mostly an underachiever, seemingly by choice.
At the same time, Hanssen was also selling the most sensitive information from across several US intelligence agencies to the Russians, making pornographic films of his unsuspecting wife and later showing them to his friends, and masturbating at work to images of screen goddesses such as Catherine Zeta-Jones. For the information he provided to the Russians, he got comparatively little compensation, roughly $1.4 million in cash and diamonds. According to a 2003 Department of Justice Inspector General's report [2], what Hanssen sold included some of the most classified and guarded information in the US government: "During the next six years, the last stages of the Cold War, Hanssen delivered thousands of pages of highly classified documents and dozens of computer disks to the KGB detailing U.S. strategies in the event of nuclear war, major developments in military weapons technologies, identities of active and historical U.S. assets in the Soviet intelligence services, the locations of KGB defectors in the United States, analytical products from across the Intelligence Community, comprehensive budget and policy documents, and many other aspects of the Soviet counterintelligence program." (A Review of the FBI's Performance in Deterring, Detecting, and Investigating the Espionage Activities of Robert Philip Hanssen) Although he managed to avoid detection for over 20 years, by 2000 an FBI task force was well in place and focusing exclusively on Hanssen. They only needed to catch him in the act of making what is called a dead drop for the Soviets. Enter Eric O'Neill, a 27-year-old FBI investigator on the Bureau's Special Surveillance Group, specializing in surveillance of terrorism suspects. O'Neill was assigned to be Hanssen's assistant in a newly formed FBI computer squad. It was largely O'Neill's attention to detail and confidence that provided the smoking gun needed to bring Hanssen in and led to his arrest on February 18, 2001.
O'Neill on the film, Breach O'Neill's riveting account of what transpired between himself and Hanssen over that final crucial period is the basis for the film Breach, released in theaters to high critical acclaim early this year. O'Neill is portrayed by Ryan Phillippe and Hanssen by Chris Cooper in an astonishing performance that, according to those who knew the spy, is chillingly accurate. RAW STORY's managing editor for investigative news and frequent reporter on intelligence and national security, Larisa Alexandrovna, caught up with O'Neill to discuss his role in the capture of Hanssen, the PROMIS software, the Valerie Plame leak, and other topics involving espionage and government secrecy. Even though O'Neill never had experience going face-to-face with a "target," he was trained as a "ghost," able to follow someone closely for weeks, "but you would never know I was there." Along with exposing the identities of foreign agents the US had "turned," according to O'Neill, Hanssen "gave the Russians our nuclear information, information about agents and assets working penetration, he even gave them the source code to the FBI's automated case system program." Although he doesn't think there is any "correlation" between the Hanssen and Plame cases, O'Neill tells RAW STORY [3] "a journalist that knowingly or negligently releases/reveals classified information should face federal prosecution." O'Neill also believes "there are still moles in government agencies." "I'd like to think that Hanssen was the last FBI mole, but that's probably wishful thinking," O'Neill said. "I do think that the Hanssen case made the FBI more sound, better able to screen for spies, and better able to catch them once they activate." O'Neill added, "I think there will always be spies, for the same reason there will always be crime. Some people are so morally broken they see no problem with taking the easy road at the cost of others."
-=- FULL TRANSCRIPT OF O'NEILL INTERVIEW Raw Story: Nice to meet you, Eric. Eric O'Neill: Yes, nice to meet you as well. RS: Let's begin with the obvious question, for me anyway: Why were you picked to get close to Hanssen? You were not an FBI agent, but an operative for the FBI, working toward becoming an agent. Is that correct? EO: I was a member of a group of specialized FBI investigators called the SSG, Special Surveillance Group. It was [essentially] based on the [British] MI5 model. We were intelligence investigators in [the equivalent of] counterintelligence and handled such things as surveillance work, using technology to target suspects, as well as penetration work, data collection, etc. RS: But you were on your way to becoming an agent? EO: Well, there are two separate tracks; you eventually hit a glass ceiling as an investigator. I originally applied to the FBI for the Special Agent's class. At the time I was 22 years old and was told that 22 was too young to become a Special Agent. Instead, I was offered a position with the Special Surveillance Group, a group of specially trained counterintelligence and counterterrorism operatives who focus on clandestine vehicular and foot surveillance of foreign nationals and American citizens known or suspected of spying or terrorism. The FBI made a decision to create squads of SSG "Investigative Specialists" in order to overcome an institutional problem that Special Agents have always had with surveillance. SSG are called ghosts. When an Investigative Specialist is "ghosting" a target, we are invisible. RS: And the schooling and training are comparable to that of Special Agents? EO: SSG are graduates of the FBI Academy in Quantico, VA, carry FBI credentials and badges, and conduct much of the same investigative work the Agents carry out. The singular distinctions are that SSG personnel do not carry firearms and do not make arrests. The goal of SSG is to follow a target without ever being seen.
I eventually wanted to re-apply to Special Agent's class, which would require me to return to the FBI Academy. [...] [1] http://www.amazon.com/exec/obidos/ASIN/B000OYAT3U/c4iorg [2] http://www.usdoj.gov/oig/special/0308/index.htm [3] http://rawstory.com/ From alerts at infosecnews.org Wed Jun 13 01:02:00 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] Army weighs using RFID network partially owned by Chinese firm Message-ID: http://www.govexec.com/story_page.cfm?articleid=37173 By Bob Brewin June 12, 2007 The Army is considering using a radio frequency identification network in Pakistan that is partly owned by a Chinese company to track shipments to American forces in Afghanistan, according to internal briefing materials obtained by Government Executive. The Defense Department has used RFID tags with a range of 300 feet to track movements of containers and pallets to U.S. forces operating in Afghanistan and Iraq as well as other forces globally. The tags contain a computer chip that stores information about the cargo and an antenna that beams the information to RFID tag readers. From there, the information is passed to the Global Transportation Network operated by the U.S. Transportation Command. That network rides on Defense's internal Non-Classified Internet Protocol Router Network. Authorized users of the Global Transportation Network can "see" in real time the arrival and departure of container shipments. The overall system consists of 2,700 tag sites which read more than 134,000 tags a week, according to the briefing, issued by the Army Program Manager for Joint-Automatic Identification Technology. But according to that briefing, Defense lacks the ability to read tags on shipments sent through Pakistani ports for onward movement by truck to Afghanistan "due to inability to obtain country clearance to install DoD fixed RFID infrastructure."
The program manager's briefing said the Army intended to resolve that problem by using a commercial RFID infrastructure installed in Pakistan by a firm called Savi Networks. That company is a joint venture between Savi Technology, a wholly owned subsidiary of Lockheed Martin, and Hutchison Port Holdings, a subsidiary of Hutchison Whampoa Limited of Hong Kong, controlled by Chinese billionaire Li Ka Shing. Savi Technology owns 51 per cent of Savi Networks and Hutchison 49 per cent, according to a 2005 press release announcing the partnership. The Program Manager for Joint-Automatic Identification Technology briefing, done for the Navy this May, said it intended to modify its contract with Savi Technology to use the Savi Networks RFID infrastructure in Pakistan starting last Thursday. But in response to a query from Government Executive, Air Force Maj. Patrick Ryder, a Pentagon spokesman, said Defense "is still assessing whether to utilize a commercial solution for Pakistan ... in accordance with DoD information assurance policy." Ownership of commercial infrastructure is a factor that needs to be carefully considered during the risk assessment process, Ryder said. Mark Nelson, a spokesman for Savi Technology, said Defense should not have any concerns about the security or integrity of data riding over the Pakistan infrastructure, since Hutchison is only a passive investor in Savi Networks. But Tom Fitton, president of Judicial Watch, a Washington-based foundation, charged that Hutchison is "a front for the Chinese government," citing a Central Intelligence Agency analysis from 1998 concluding that Li Ka Shing "is directly connected to Beijing and is willing to use his business influence to further the aims of the Chinese government." Last month Defense issued its annual report on Chinese military capabilities to Congress, which included sections on increased use of information warfare.
Philip Coyle, senior adviser for the Center for Defense Information, a Washington-based think tank focused on defense and security issues, said that if the Pentagon is "going to keep making China out to be an enemy, DoD should have security concerns about a Chinese-owned company running a U.S. Army information network." The Center for Public Integrity estimated last month that the United States has provided the government of Pakistan with $5 billion in funding since 2001. Coyle said considering that level of funding, "it does seem odd that Pakistan won't allow a DoD network infrastructure, especially when what it is being used for is to track U.S. Army supplies." From alerts at infosecnews.org Wed Jun 13 01:02:13 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] Four deadly security sins Message-ID: http://www.zdnetasia.com/news/security/0,39044215,62020417,00.htm By Lynn Tan ZDNet Asia June 11 2007 Organizations should not rely on their staff to ensure their networks are secured, as employees are not infallible and one slip is all it takes for cyber criminals to launch a vicious attack. "If you are an organization that is relying on your employees to do the right thing with respect to security, you've already made a number of mistakes," said Scott Montgomery, global vice president for product management at Secure Computing, in a phone interview with ZDNet Asia. Montgomery noted that end users are typically the "least educated" in proper corporate security practices and are "most prone to doing things" that do not adhere to the company's security policy. He highlighted the four most damaging security habits that are commonplace among organizations in this region and around the world, and underscored the need for IT administrators to closely monitor these areas. 1. Fixed passwords The SANS Institute, over the last decade, has identified passwords as one of the top 10 most damaging security practices, Montgomery said.
He noted that, unlike token-generated or one-time passwords, fixed passwords do not change, and some users may even write them down to avoid forgetting the sequence. As such, fixed passwords are "dangerous" because any person who knows the right password can log into the network and cannot be identified as an imposter, he said. "Everybody knows that fixed passwords are weak and a problem. It's been the same way for 10 to 15 years, but it doesn't change organizations from investing in it," Montgomery said. In contrast, the use of one-time passwords has been found to "dramatically increase the security profile of organizations" because the perpetrator would not be able to compromise the user's credentials, he said. "Even the use of one-time password on an application-by-application basis dramatically increases your security profile because you can't do password guessing," Montgomery said. He added that the use of a hardware token for one-time password deployment--whether it is time-based or event-based--is a good way to prevent systems from being compromised. 2. Neglecting inbound threats from e-mail, the Web and instant messaging When end users receive a spam message in their e-mail inbox, their administrators have already "lost the battle", Montgomery said. "At that point, you're expecting the users to do the right thing [but] they won't... They don't have any perception of the greater risk of their activities." He noted that e-mail, Web mail and IM (instant messaging) are among the high-risk areas and IT administrators need to ensure data received via these platforms are safe and protected. 3. Forgetting that data traffic is two-way When keeping the organization's network secure, IT administrators should keep in mind that data traffic is bidirectional and consider possibilities of outbound data leakage.
Montgomery noted that organizations often forget that their traffic is bidirectional and many spent the last several years protecting only the data that enters their networks. "Organizations have been very slow to look at what's leaving their network, in terms of data leakage, due to malicious and criminal intent or that are simply [the result of employee] mistakes," he said. 4. Not encrypting data Without encryption, data sent and received via e-mail is literally "like putting an ad out in the paper" for anyone in the public to view, said Montgomery. He added that some users wrongly assume the data they send is private and cannot be seen by the public. "People who want to read your e-mail will have to look for it to find it, but they can find it if they want to," he said. "There is a level of protection only if people use encryption in their e-mail, [but] most people don't," Montgomery said. From alerts at infosecnews.org Wed Jun 13 01:02:26 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] Personal data on 17,000 Pfizer employees exposed; P2P app blamed Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9024491 By Jaikumar Vijayan June 12, 2007 Computerworld A Pfizer Inc. employee who installed unauthorized file-sharing software on a company laptop provided for use at her home has exposed the Social Security numbers and other personal data belonging to about 17,000 current and former employees at the drug maker. Of that group, about 15,700 individuals actually had their data accessed and copied by an unknown number of persons on a peer-to-peer network, the company said in letters sent to affected employees and to state attorneys general alerting them of the breach. Pfizer officials could not be immediately reached for comment.
But copies of the letters were posted on several sites, including Pharmalot [1], a blog covering the pharmaceutical industry. The incident has prompted an investigation by Connecticut Attorney General Richard Blumenthal; some 305 Pfizer employees in that state were affected by the breach. In a June 6 letter [2], Blumenthal asked Pfizer to provide details on the measures in place prior to the breach to protect against data compromises, as well as information about when the company discovered the breach and how it responded. Blumenthal's letter also asked Pfizer to describe how it was able to make a distinction between the data that was actually compromised and data that might only potentially have been accessed. Blumenthal's letter gave Pfizer until June 22 to respond. According to Pfizer's description of the incident in its letter to employees, the compromise stemmed from the use of unauthorized file-sharing software on an employee's laptop. The June 1 letter signed by Pfizer general counsel Lisa Goldman did not mention how the company discovered the breach. But she said that as soon as the company did become aware of the breach, it recovered the laptop from the employee and the file-sharing software was disabled. Because the system was being used to access the Internet from outside of Pfizer's own network, no other data was compromised. Goldman also apologized to the affected individuals for the inconvenience. Pfizer has contracted for a "support and protection" package with credit reporting agency Experian for all affected individuals, Goldman said. The packages include a year's worth of free credit monitoring service and a $25,000 insurance policy covering costs that individuals might incur as a result of the breach, Goldman noted.
Such incidents highlight the importance of implementing controls for preventing either accidental or deliberate data leaks via file-sharing tools or applications such as instant messaging systems, said Devin Redmond, director of the security products group at security vendor Websense Inc. Such controls should include measures such as content filtering at network gateways, strong controls on access to sensitive data and prevention of access to file-sharing applications, he said.

News of the Pfizer breach coincides with the release of a study by Dartmouth University's Tuck School of Business that looked into the dangers posed by file-sharing applications [3]. The study examined data involving P2P searches and files related to the top 30 U.S. banks over a seven-week period between December 2006 and February 2007. A surprisingly high number of people sharing music and other files on peer-to-peer systems are inadvertently exposing all sorts of bank account data and similar personal information on their computers to criminals lurking on the networks to harvest data, according to the report.

[1] http://pharmalot.com/
[2] http://www.ct.gov/ag/lib/ag/consumers/pfizerdatabreachletter.pdf
[3] http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=16&articleId=9024406

From alerts at infosecnews.org Wed Jun 13 01:10:32 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] CIOs Look Beyond Cops for Help Fighting Cybercrime Message-ID: http://www.cio.com/article/118500/CIOs_Look_Beyond_Cops_for_Help_Fighting_Cybercrime By Christopher Koch CIO June 11, 2007

When the website of the Central Florida Educators' Federal Credit Union was attacked by phishers last August, CIO and VP of Marketing Kevin Dougherty's first instinct wasn't to call the police.
Though he did eventually contact the FBI, "unless you can say you were hit with some very large dollar amounts I don't think they have enough people to deal with this," he says. And so CIOs like Dougherty are assembling crime-fighting coalitions from among consultants, vendors and telecom providers. There's a historical parallel, says Peter Cassidy, secretary general of the Anti-Phishing Working Group. When banks opened up 150 years ago, there wasn't an FBI, "so banks hired private law enforcement like the Pinkertons," he says. One day there will be routine cyber-investigations, "but for now we are still in the Wild West."

Law enforcement faces several challenges. First is the nature of cybercrime: global and independent of geography. Hackers in Russia can steal money from a bank in the United States using a computer in France quickly, cheaply and with no human intervention required. And their fingerprints, the IP addresses of the computers that initiate the attacks, can be made to disappear before investigators can track them, according to Ron Plesco, director of the Privacy and Special Projects Group for consultancy SRA International. Internet service providers keep logs of every connection but can't afford to hang on to the piles of data for more than a few days without overwhelming their storage systems.

There's also a shortage of computer expertise among the FBI and Secret Service, which investigate cybercrime, and the U.S. Department of Justice, which prosecutes it. Given the manpower shortages, investigators need to limit themselves to cases with big losses. Unfortunately, the majority of cybercrimes are committed by small operators, says Uriel Maimon, senior researcher in the Office of the CTO of security provider RSA. "There aren't many $250,000 frauds," he says, but there are a lot of $2,000 cases, a big-enough haul for a criminal in an impoverished country.
Finally, there is the complexity of fighting crime across different countries, many of which lack laws that specifically target cybercriminals. Experts speculate that we could someday see the rise of a new global organization specifically targeted at cybercrime, much as the FBI was created to take on the automobile-fueled rise of interstate crime in the 1920s and '30s. Painter is skeptical. "What we need to do is connect the dots rather than create a new über-organization," he says. Painter chairs a G8 committee that has agreements with 48 countries, which have identified cyber-investigators whom they make available to the network 24/7, he says.

© 2007 CXO Media Inc.

From alerts at infosecnews.org Thu Jun 14 00:07:53 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] Over 1 Million Potential Victims of Botnet Cyber Crime Message-ID: http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm For Immediate Release June 13, 2007 Washington D.C. FBI National Press Office (202) 324-3691

Over 1 Million Potential Victims of Botnet Cyber Crime

Today the Department of Justice and FBI announced the results of an ongoing cyber crime initiative to disrupt and dismantle botherders and elevate the public's cyber security awareness of botnets. OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the CERT Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity. A botnet is a collection of compromised computers under the remote command and control of a criminal botherder. Most owners of the compromised computers are unknowing and unwitting victims.
They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam and spyware. Because of their widely distributed capabilities, botnets are a growing threat to national security, the national information infrastructure, and the economy.

"The majority of victims are not even aware that their computer has been compromised or their personal information exploited," said FBI Assistant Director for the Cyber Division James Finch. An attacker gains control by infecting the computer with a virus or other malicious code and the computer continues to operate normally. Citizens can protect themselves from botnets and the associated schemes by practicing strong computer security habits to reduce the risk that your computer will be compromised. The FBI also wants to thank our industry partners, such as the Microsoft Corporation and the Botnet Task Force, in referring criminal botnet activity to law enforcement.

Cyber security tips include updating anti-virus software, installing a firewall, using strong passwords, and following good email and web security practices. Although this will not necessarily identify or remove a botnet currently on the system, this can help to prevent future botnet attacks. More information on botnets and tips for cyber crime prevention can be found online at www.fbi.gov. The FBI will not contact you online and request your personal information so be wary of fraud schemes that request this type of information, especially via unsolicited emails. To report fraudulent activity or financial scams, contact the nearest FBI office or police department, and file a complaint online with the Internet Crime Complaint Center, www.ic3.gov.

To date, the following subjects have been charged or arrested in this operation with computer fraud and abuse in violation of Title 18 USC 1030, including:

* James C. Brewer of Arlington, Texas, is alleged to have operated a botnet that infected Chicago area hospitals. This botnet infected tens of thousands of computers worldwide. (FBI Chicago);
* Jason Michael Downey of Covington, Kentucky, is charged in an Information with using botnets to send a high volume of traffic to intended recipients to cause damage by impairing the availability of such systems. (FBI Detroit); and
* Robert Alan Soloway of Seattle, Washington, is alleged to have used a large botnet network and spammed tens of millions of unsolicited email messages to advertise his website from which he offered services and products. (FBI Seattle)

The FBI will continue to aggressively investigate individuals that conduct cyber criminal acts.

From alerts at infosecnews.org Thu Jun 14 00:08:06 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] Download music, share bank account info for free on P2P networks Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9024406 By Jaikumar Vijayan June 12, 2007 Computerworld

It's not just the Recording Industry Association of America that people need to worry about when downloading music from P2P networks. A surprisingly high number of consumers sharing music and other files on peer-to-peer systems are inadvertently exposing all sorts of bank account and similar personal information on their computers to criminals lurking on the networks to harvest data. And it's not just users at home who are exposing information about themselves; so are a large number of employees within banks, as well as banks' contractors and suppliers. That's the conclusion of a study on the dangers of inadvertent data disclosure on file-sharing networks that was conducted by Dartmouth University's Tuck School of Business. The study examined data involving P2P searches and files related to the top 30 U.S.
banks over a seven-week period between December 2006 and February 2007. The university used a search engine technology from Tiversa Inc. to gather and analyze all P2P traffic that mentioned those banks by name or mapped to a specific digital footprint that Dartmouth created for each financial institution. Data was gathered from P2P networks such as Gnutella, FastTrack, eDonkey and BitTorrent. The analysis showed that a large number of searches made on those networks were aimed at uncovering sensitive financial data from individuals, said study author Eric Johnson, a professor of operations management at the school's Center for Digital Strategies. "Our analysis clearly reveals a significant information risk firms and individuals face from P2P file-sharing networks," he said.

When people use popular P2P clients such as Kazaa, Lime Wire, BearShare, Morpheus and FastTrack, they often are sharing far more than just media files, Johnson said. "In many cases they are sharing the contents of their entire hard drive" with others on the file-sharing network, Johnson said. That's because many of these client tools are designed specifically to quickly search for and share certain types of media files on a user's system, Johnson said. Normally, such P2P clients allow users to download files to and share items from a particular folder. But if proper care is not taken to control the access that these clients have on a system, it is very easy to expose far more data than intended, he said.

There are several ways this can happen, Johnson noted in his research paper. For instance, when a music file is accidentally dropped into a folder containing other data, the contents of the entire folder could end up being shared on a P2P network without a user's knowledge. Many P2P client software tools have confusing interfaces that could result in users sharing folders that they did not intend to.
Similarly, some file-sharing apps feature wizards that scan an individual's computer and recommend folders containing media to share. If a sensitive file exists in one of those recommended folders, it could get exposed, Johnson wrote in his research.

The kind of information that can be exposed in this manner is astounding, Johnson said. "We found files containing all the information needed to commit identity theft. We found almost every kind of business document, from spreadsheets to performance reviews. In one instance, we found a bank spreadsheet with account information on 23,000 business accounts that was leaked. We even found a security evaluation done by a third party contractor" of a bank network. Almost 80% of the leaked information analyzed in the Dartmouth study came from home PC users. The rest came from systems belonging to bank employees or banks' partners, Johnson said.

While some of the information was inadvertently leaked, there are growing signs that cybercriminals are using P2P networks to specifically search for and harvest such data, Johnson said. A significant portion of the search terms that were analyzed during the Dartmouth study appeared to be looking for databases, account and user information, passwords and routing and PIN numbers, Johnson said. Sometimes, sensitive data was accidentally exposed via the coincidental association of a search term with sensitive information. For example, users searching for songs containing the words "golden" or "west" in the title pulled up files containing account information belonging to Golden West bank, Johnson said in his report. Similarly, users looking to download the song "State Street Residential" sometimes pulled in data belonging to State Street bank customers.

The Dartmouth study raises concerns similar to those outlined in a report released in March by the U.S. Patent and Trademark Office (USPTO).
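The exposure path the study describes, a whole folder offered to the network because one media file landed in it or a setup wizard recommended it, can be checked from the client's own share list rather than discovered by a stranger's search. The block below is an added example, not code from the Dartmouth study or from any P2P client: it walks the directories a client is configured to share, enumerates every file a remote peer could list (not just media), and flags non-media files and files whose contents match a few constructed triage patterns for the data types the study reports finding (SSNs, passwords, account numbers). The sample directory tree, the share list, the suffix list and the regular expressions are all assumptions made for the demonstration and would be tuned for a real deployment.

```python
"""Added example: enumerate what a P2P client's share list actually exposes."""
import re
import tempfile
from pathlib import Path

# Suffixes a music/video-sharing client is meant to offer. Anything else found
# under a shared folder is exposed as a side effect of folder-level sharing.
MEDIA_SUFFIXES = {".mp3", ".ogg", ".wav", ".wma", ".mp4", ".avi", ".jpg", ".png"}

# Constructed triage patterns (assumption) for the kinds of data the study found.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "password": re.compile(rb"\bpassword\s*[:=]", re.IGNORECASE),
    "account_number": re.compile(rb"\baccount\s*(?:no\.?|number|#)", re.IGNORECASE),
}


def audit_shares(shared_dirs, scan_bytes=1 << 20):
    """Walk every configured share the way a remote peer's listing would and
    return (path, reason) findings: non-media files, and any file whose first
    scan_bytes match one of the sensitive patterns."""
    findings = []
    for root in shared_dirs:
        for path in sorted(Path(root).rglob("*")):
            if not path.is_file():
                continue
            if path.suffix.lower() not in MEDIA_SUFFIXES:
                findings.append((str(path), "non-media file in shared folder"))
            try:
                with path.open("rb") as fh:
                    head = fh.read(scan_bytes)
            except OSError:
                continue  # unreadable to us; a peer could not pull it either
            for name, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(head):
                    findings.append((str(path), f"content matches {name} pattern"))
    return findings


def build_sample_tree(base) -> list:
    """Constructed layout: a Music share into which a spreadsheet export and a
    notes file were dropped, the accident the study describes."""
    music = Path(base) / "Music"
    music.mkdir(parents=True)
    (music / "track01.mp3").write_bytes(b"\xff\xfb\x90\x00" + b"\x00" * 60)
    (music / "accounts.csv").write_text(
        "name,ssn,routing\nA Person,123-45-6789,021000021\n")
    (music / "notes.txt").write_text("wifi password: hunter2\n")
    return [str(music)]  # the share list as a client's settings would hold it


def run_sample_audit() -> list:
    """Build the sample tree in a temp dir, audit it, return (filename, reason)."""
    with tempfile.TemporaryDirectory() as tmp:
        shares = build_sample_tree(tmp)
        return [(Path(p).name, reason) for p, reason in audit_shares(shares)]


if __name__ == "__main__":
    for filename, reason in run_sample_audit():
        print(f"{filename}: {reason}")
```

On a real machine, feed audit_shares the directories read from the client's own settings; the sample tree only exists so the example runs offline. The track is reported nowhere, while the spreadsheet and the notes file each produce two findings, one for being non-media and one for their contents, which is the difference between "I shared my music" and what the network actually sees.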
That report was based on an analysis of five specific features included in file-sharing software from Kazaa, Lime Wire, Morpheus, BearShare and eDonkey. It concluded that the distributors of the software deliberately included those features in their tools, despite knowing that the features could cause users to inadvertently share sensitive data with others on P2P networks. The report was sent to the U.S. Department of Justice, the Federal Trade Commission and the National Association of Attorneys General. From alerts at infosecnews.org Thu Jun 14 00:09:00 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] Security Fixes to Be Patented Message-ID: Forwarded with permission from: Security UPDATE PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE: ALERT: "How a Hacker Launches a SQL Injection Attack!" White Paper http://list.windowsitpro.com/t?ctl=5A013:57B62BBB09A6927949837399EDFFF4AC CIPA--Keeping Students Safe on the Net http://list.windowsitpro.com/t?ctl=5A022:57B62BBB09A6927949837399EDFFF4AC Managing Risk Through Security http://list.windowsitpro.com/t?ctl=5A00C:57B62BBB09A6927949837399EDFFF4AC === CONTENTS =================================================== IN FOCUS: Security Fixes to Be Patented NEWS AND FEATURES - Solution to IIS Security Bug Is to Upgrade? - Google's Data Mining Reveals Web Server Security Trends - Watchfire to Become Part of IBM - Recent Security Vulnerabilities GIVE AND TAKE - Security Matters Blog: It All Started 30 Years Ago; Microsoft Releases 6 Security Bulletins for June - FAQ: Vista's Symbolic Link Capabilities - From the Forum: How to Block an IP Address in Windows 2003 - Share Your Security Tips PRODUCTS - Wireless Intrusion Prevention in Service Form - Product Evaluations from the Real World RESOURCES AND EVENTS FEATURED WHITE PAPER ANNOUNCEMENTS === SPONSOR: SPI Dynamics ====================================== ALERT: "How a Hacker Launches a SQL Injection Attack!" 
White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! http://list.windowsitpro.com/t?ctl=5A013:57B62BBB09A6927949837399EDFFF4AC === IN FOCUS: Security Fixes to Be Patented ==================== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Finding security vulnerabilities can sometimes be a tough, thankless job. But that might be about to change when people start patenting security fixes. Researchers spend untold amounts of time finding vulnerabilities, and in the somewhat distant past, there was no reward for that effort other than a possible public acknowledgment from the vendor whose product contained the vulnerability and the satisfaction of knowing that yet another security hole was closed, which benefits everyone who uses the product. Then came companies such as 3Com and iDefense, which began paying for vulnerability information. Discoverers receive cash for their hard work, and 3Com and iDefense earn income too by selling the information to their network of customers in one fashion or another. Now, yet another dimension is about to be added to the mix. In the latest evolution of vulnerability discovery, a company called Intellectual Weapons is offering to work with researchers to develop fixes for security vulnerabilities and then patent those fixes. Intellectual Weapons would then be in a position to license or sell the patent to vendors that need it. Of course, marketing a patent also requires aggressive enforcement of the patent, and the company says it does expect "major battles," which might occur when someone else discovers the same vulnerability or when a vendor designs around the intellectual property in the patent. 
The company says that it would give the discoverer 50 percent of any income generated by the patent. So how much does Intellectual Weapons intend to charge a vendor for some form of rights to the patents it obtains? According to a published FAQ, "The vendor [will be] asked to pay something close to the true value of the vulnerability, i.e. the cost to them if it goes unchecked." Exactly how that cost will be measured remains to be seen. In developing this concept into a business, Intellectual Weapons obviously saw gigantic dollar signs. The company cites numerous instances in which small companies have gained millions of dollars through patent infringement litigation. For example, according to Intellectual Weapons, Eolas won $520 million and Stac Electronics won $120 million from Microsoft. Clearly, there is big money to be made through patenting inventions, and I suspect that money is Intellectual Weapons' primary motive. I think the company name speaks pretty loudly. I also think that what the company is doing might change the patent process to some extent, if only to set some significant legal precedents over time. Furthermore, it could instigate other companies who routinely provide temporary third-party fixes to patent their methodology too, or even cause such companies to stop providing such fixes. Overall, something about this entire idea bothers me. To read more about Intellectual Weapons' proposed plan of operation visit the URL below. http://list.windowsitpro.com/t?ctl=5A024:57B62BBB09A6927949837399EDFFF4AC What's your opinion on this plan? 
Post your comments with this article at http://list.windowsitpro.com/t?ctl=5A01A:57B62BBB09A6927949837399EDFFF4AC Or post your thoughts on the Security Forum at http://list.windowsitpro.com/t?ctl=5A012:57B62BBB09A6927949837399EDFFF4AC === SPONSOR: Cyberoam ========================================== CIPA--Keeping Students Safe on the Net Protecting students from the millions of sites that house pornography, adult chat rooms, violence & hacking can provide not just a safe surfing atmosphere to minors in schools and libraries, but also qualify the institutions for federal E-rate funding through CIPA compliance. http://list.windowsitpro.com/t?ctl=5A022:57B62BBB09A6927949837399EDFFF4AC === SECURITY NEWS AND FEATURES ================================= Solution to IIS Security Bug Is to Upgrade? An authentication bug in Microsoft IIS 5.x surfaced last December, and recently Microsoft said that the fix is to upgrade to IIS 6.0. http://list.windowsitpro.com/t?ctl=5A019:57B62BBB09A6927949837399EDFFF4AC Google's Data Mining Reveals Web Server Security Trends Google recently launched its Online Security Blog, in which new information reveals which server platforms host the most malware, including drive-by downloads. http://list.windowsitpro.com/t?ctl=5A01D:57B62BBB09A6927949837399EDFFF4AC Watchfire to Become Part of IBM IBM announced its intention to acquire privately held security and compliance testing company Watchfire. http://list.windowsitpro.com/t?ctl=5A01B:57B62BBB09A6927949837399EDFFF4AC Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=5A014:57B62BBB09A6927949837399EDFFF4AC === SPONSOR: Neverfail ========================================= Managing Risk Through Security Every business faces risk. 
Have you properly assessed your company's risk and put a focus on business continuity? Attend this free Web seminar and learn how you can ensure seamless recovery of your key systems and keep your users continuously connected. On-demand Web seminar. http://list.windowsitpro.com/t?ctl=5A00C:57B62BBB09A6927949837399EDFFF4AC === GIVE AND TAKE ============================================== SECURITY MATTERS BLOG: It All Started 30 Years Ago; Microsoft Releases 6 Security Bulletins for June by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=5A021:57B62BBB09A6927949837399EDFFF4AC Who would have guessed that events in the summer of 1977 would lead us to where we are today? For some interesting history and nostalgia about Apple plus information about Microsoft's latest security bulletin release, go to http://list.windowsitpro.com/t?ctl=5A010:57B62BBB09A6927949837399EDFFF4AC FAQ: Vista's Symbolic Link Capabilities by John Savill, http://list.windowsitpro.com/t?ctl=5A01F:57B62BBB09A6927949837399EDFFF4AC Q: How do I create symbolic links in Windows Vista? Find the answer at http://list.windowsitpro.com/t?ctl=5A01C:57B62BBB09A6927949837399EDFFF4AC FROM THE FORUM: How to Block an IP Address in Windows 2003 A forum participant has a VoIP switch hosted in the US. An intruder repeatedly tried to access all his SIP accounts one by one, so he changed the passwords to keep the intruder out, but the intruder kept coming back. The intruder's IP address was known, so the forum participant blocked it in Microsoft IIS. He wants to know how he can block the IP address in Windows Server 2003 to help prevent other possible types of access by the intruder. Join the discussion at http://list.windowsitpro.com/t?ctl=5A00B:57B62BBB09A6927949837399EDFFF4AC SHARE YOUR SECURITY TIPS AND GET $100 Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@securityprovip.com. 
If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. === PRODUCTS =================================================== by Renee Munshi, products@windowsitpro.com Wireless Intrusion Prevention in Service Form VeriSign and AirMagnet launched VeriSign Wireless Intrusion Prevention Service (IPS), which uses AirMagnet's Enterprise solution to shield corporate wireless networks from theft and other security threats. By combining AirMagnet technology with VeriSign Teraguard, companies can integrate IPS for both wireless and wired networks. VeriSign designs and deploys the wireless IPS devices and then monitors them 24x7. VeriSign Wireless IPS is a new offering in VeriSign's Managed Security Services portfolio. For more information, go to http://list.windowsitpro.com/t?ctl=5A00A:57B62BBB09A6927949837399EDFFF4AC PRODUCT EVALUATIONS FROM THE REAL WORLD Share your product experience with your peers. Have you discovered a great product that saves you time and money? Do you use something you wouldn't wish on anyone? Tell the world! If we publish your opinion, we'll send you a Best Buy gift card! Send information about a product you use and whether it helps or hinders you to whatshot@windowsitpro.com. === RESOURCES AND EVENTS ======================================= For more security-related resources, visit http://list.windowsitpro.com/t?ctl=5A01E:57B62BBB09A6927949837399EDFFF4AC Join Paul Robichaux as he presents a checklist you can use to help guide your Exchange 2000/2003/2007 disaster recovery planning. Learn what you should do first, last, and in between to solidify your Exchange infrastructure and be assured of a successful disaster recovery operation. On-demand Web seminar http://list.windowsitpro.com/t?ctl=5A00E:57B62BBB09A6927949837399EDFFF4AC IT Pro Connections in Amsterdam, 19-20 June 2007, offers the deepest, most relevant education for Microsoft IT professionals. 
The real-world experience of expert presenters will help you prepare for the newest technologies and products. Insider details help you make sense of new technologies, learn how to apply them to your environment, and master them quickly and effectively. Immerse yourself in PowerShell, Exchange Server 2007, Vista, Windows Server 2008, SharePoint Server, Live Communications Server, the System Center family, XP, Forefront, and more, with experts from Microsoft and world-renowned subject matter experts! Post-conference workshops 21 June 2007. http://list.windowsitpro.com/t?ctl=5A025:57B62BBB09A6927949837399EDFFF4AC Learn how to achieve ROI with your log management system in a matter of months without costly or complex investments. This Web seminar explains how to ensure that your organization gets the most out of its log management investment, the key requirements and architectural differences you need to consider, and the caveats and risks to watch for when you spec out your requirements and design. http://list.windowsitpro.com/t?ctl=5A00D:57B62BBB09A6927949837399EDFFF4AC Disaster recovery isn't just theory for most businesses--it's a harsh business reality. Improve your own disaster recovery efforts today and learn from real-life disaster survivors. Make sure that your plan is ready before a disaster strikes--download this free white paper today! http://list.windowsitpro.com/t?ctl=5A011:57B62BBB09A6927949837399EDFFF4AC === FEATURED WHITE PAPER ======================================= This paper begins with a brief review of the difference between high availability and disaster recovery, then describes the related features of Exchange 2007 with an eye toward how they map to specific types of failures and outages. Finally, it examines a solution that delivers additional value beyond what Microsoft offers in Exchange 2007. 
http://list.windowsitpro.com/t?ctl=5A00F:57B62BBB09A6927949837399EDFFF4AC === ANNOUNCEMENTS ============================================== Introducing a Unique Exchange and Outlook Resource Exchange & Outlook Pro VIP is an online information center that delivers new articles every week on messaging topics such as administration, migration, security, and performance. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50! http://list.windowsitpro.com/t?ctl=5A016:57B62BBB09A6927949837399EDFFF4AC Special Invitation for VIP Access Become a VIP subscriber and get continuous, inside access to ALL the content published in Windows IT Pro, SQL Server Magazine, Exchange & Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe now!: http://list.windowsitpro.com/t?ctl=5A015:57B62BBB09A6927949837399EDFFF4AC ================================================================ Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below). http://list.windowsitpro.com/t?ctl=5A020:57B62BBB09A6927949837399EDFFF4AC http://list.windowsitpro.com/t?ctl=5A026:57B62BBB09A6927949837399EDFFF4AC Subscribe to Security UPDATE at http://list.windowsitpro.com/t?ctl=5A018:57B62BBB09A6927949837399EDFFF4AC Be sure to add Security_UPDATE@list.windowsitpro.com to your antispam software's list of allowed senders.
To contact us: About Security UPDATE content -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=5A023:57B62BBB09A6927949837399EDFFF4AC About your product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- salesopps@windowsitpro.com View the Windows IT Pro privacy policy at http://list.windowsitpro.com/t?ctl=5A017:57B62BBB09A6927949837399EDFFF4AC Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2007, Penton Media, Inc. All rights reserved.

From alerts at infosecnews.org Thu Jun 14 00:09:15 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] China aims to top U.S. in cyberspace: U.S. general Message-ID: http://www.ibtimes.com/articles/20070613/china-internet.htm By Jim Wolf, Wed 13 June 2007

China is seeking to unseat the United States as the dominant power in cyberspace, a U.S. Air Force general leading a new push in this area said Wednesday. "They're the only nation that has been quite that blatant about saying, 'We're looking to do that,"' 8th Air Force Commander Lt. Gen. Robert Elder told reporters. Elder is to head a new three-star cyber command being set up at Barksdale Air Force Base in Louisiana, already home to about 25,000 military personnel involved in everything from electronic warfare to network defense. The command's focus is to control the cyber domain, critical to everything from communications to surveillance to infrastructure security. "We have peer competitors right now in terms of doing computer network attack ... and I believe we're going to be able to ratchet up our capability," Elder said. "We're going to go way ahead."
The Defense Department said in its annual report on China's military power last month that China regarded computer network operations -- attacks, defense and exploitation -- as critical to achieving "electromagnetic dominance" early in a conflict. China's People's Liberation Army has established information warfare units to develop viruses to attack enemy computer systems and networks, the Pentagon said. China also was investing in electronic countermeasures and defenses against electronic attack, including infrared decoys, angle reflectors and false-target generators, it said. The Chinese Foreign Ministry rejected the U.S. report as "brutal interference" in China's internal affairs and insisted Beijing's military preparations were purely defensive. Elder described the bulk of current alleged Chinese cyber-operations as industrial espionage aimed at stealing trade secrets to save years of high-tech development. He attributed the espionage to a mix of criminals, hackers and "nation-state" forces. Virtually all potential U.S. foes also were scanning U.S. networks for trade and defense secrets, he added. "Everyone but North Korea," he said. "We've concluded that there must be only one laptop in all of North Korea -- and that guy's not allowed to scan" overseas networks, Elder said. In October, the U.S. Joint Chiefs of Staff defined cyberspace as "characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures." The definition is broad enough to cover far more than merely defending or attacking computer networks. Other concerns include remotely detonated roadside bombs in Iraq, interference with Global Positioning Satellites and satellite communications, Internet financial transactions by adversaries, and radar and navigational jamming. 
From alerts at infosecnews.org Thu Jun 14 00:09:30 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:31 2008 Subject: [ISN] Updates readied for cryptographic hashes Message-ID: http://www.gcn.com/online/vol1_no1/44453-1.html By William Jackson GCN Staff 06/13/07

The National Institute of Standards and Technology has revised two Federal Information Processing Standards specifying algorithms for cryptographic hashing. Drafts of FIPS 180-3 [1] and FIPS 198-1 [2] have been released for three months of public comment.

FIPS 180-3 replaces Publication 180-2 and specifies five secure hash algorithms (SHAs). Each algorithm condenses a message of any length into a fixed-length message digest that, in practice, stands in for the original message; these digests are the building blocks of digital signatures and message authentication codes. In the new draft, SHA-1, SHA-224 and SHA-256 work on 512-bit blocks and accept messages up to 2^64 - 1 bits long, while SHA-384 and SHA-512 work on 1024-bit blocks and accept messages up to 2^128 - 1 bits. They produce digests ranging in length from 160 to 512 bits, depending on the algorithm used. The algorithms are called secure because it is computationally infeasible to recover the original message from its digest, and equally infeasible to find two different messages that produce the same digest. (Collisions necessarily exist, since a fixed-length digest cannot be unique across all possible messages; the requirement is that nobody can find one.) That is what lets a digest be used in place of the full message when verifying a digital signature or a message authentication code.

FIPS 198-1 replaces Publication 198 and specifies the keyed-hash message authentication code, HMAC, for applications requiring message authentication. Using a secret key that is shared with the intended recipient of a message, the sender produces a code unique to the message being sent. The recipient uses the same key to produce a code over the message as received. If the codes match, the recipient can be sure that the message has not been altered and that it came from a holder of the key. One caveat: because both parties hold the same key, HMAC cannot show a third party which of them produced the message; that property requires a digital signature and a private key.
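As an added illustration of the two standards (example code, not from the GCN article or from NIST), the block below checks the digest and block sizes the FIPS 180-3 draft assigns to each SHA against Python's hashlib, verifies a SHA-256 known-answer value, and runs the FIPS 198-1 exchange with HMAC: the sender tags a message under a shared key, the receiver recomputes the tag and compares in constant time, and a modified message or a different key fails verification. The key and messages are constructed for the demonstration; the two known-answer values are the standard SHA-256("abc") digest and RFC 4231 HMAC-SHA-256 test case 2.

```python
"""Added example: FIPS 180-3 SHA sizes and FIPS 198-1 HMAC via Python's standard library."""
import hashlib
import hmac

# (digest bits, block bits) per algorithm, as tabulated in the draft FIPS 180-3.
SHA_PARAMS = {
    "sha1": (160, 512),
    "sha224": (224, 512),
    "sha256": (256, 512),
    "sha384": (384, 1024),
    "sha512": (512, 1024),
}

# Known-answer values: SHA-256 of "abc", and RFC 4231 test case 2 for HMAC-SHA-256.
KAT_SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
KAT_HMAC_SHA256_JEFE = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"


def sha_sizes(algorithm: str) -> tuple:
    """Return (digest bits, block bits) as implemented by hashlib."""
    h = hashlib.new(algorithm)
    return h.digest_size * 8, h.block_size * 8


def check_sha_params() -> bool:
    """True when hashlib agrees with the FIPS 180-3 table for all five algorithms."""
    return all(sha_sizes(alg) == sizes for alg, sizes in SHA_PARAMS.items())


def sha256_hex(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()


def make_tag(key: bytes, message: bytes, algorithm: str = "sha256") -> bytes:
    """Sender side of FIPS 198-1: HMAC over the message under the shared key."""
    return hmac.new(key, message, algorithm).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, algorithm: str = "sha256") -> bool:
    """Receiver side: recompute the tag and compare in constant time, so the
    comparison itself does not leak how many leading bytes matched."""
    expected = hmac.new(key, message, algorithm).digest()
    return hmac.compare_digest(expected, tag)


def exchange_demo() -> dict:
    """One genuine exchange plus the two failure cases; inputs are constructed."""
    key = b"shared-secret-constructed-for-demo"  # assumption: out-of-band shared key
    message = b"transfer 100 to account 42"
    tag = make_tag(key, message)
    return {
        "genuine": verify_tag(key, message, tag),
        "tampered_message": verify_tag(key, b"transfer 900 to account 42", tag),
        "wrong_key": verify_tag(b"some-other-key", message, tag),
        "tag_bytes": len(tag),
    }


if __name__ == "__main__":
    print("hashlib matches FIPS 180-3 sizes:", check_sha_params())
    print("SHA-256('abc') known answer ok:", sha256_hex(b"abc") == KAT_SHA256_ABC)
    print("RFC 4231 case 2 ok:",
          make_tag(b"Jefe", b"what do ya want for nothing?").hex() == KAT_HMAC_SHA256_JEFE)
    print(exchange_demo())
```

The constant-time comparison is the detail practitioners most often get wrong: a plain `==` on the tag returns as soon as a byte differs, and the timing difference lets an attacker build a valid tag byte by byte. hmac.compare_digest exists for exactly that reason.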
Comments are being accepted on both proposed standards until Sept. 10. Comments should be sent either to proposed180-3 (at) nist.gov or to proposed198-1 (at) nist.gov, with a subject line that reads "Comments on draft 180-3" or "Comments on draft 198-1".

[1] http://csrc.nist.gov/publications/drafts/fips_180-3/draft_fips-180-3_June-08-2007.pdf
[2] http://csrc.nist.gov/publications/drafts/fips_198-1/draft_FIPS-198-1_June-08-2007.pdf

From alerts at infosecnews.org Thu Jun 14 00:09:52 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Security Researcher Hopes He Has iPhone Security Exploit At the Ready
Message-ID:

http://blog.wired.com/27bstroke6/2007/06/security_reseac.html

By Ryan Singel
June 13, 2007

Like many geeks, security researcher David Maynor is eager to get his hands on an iPhone. Unlike many geeks, Maynor also has harsh feelings about the Think Different company and what he says is an undisclosed vulnerability in Apple's Safari browser that he hopes will let him hack into the hugely anticipated device.

After Apple released the beta version of Safari for Windows, Maynor took a whack at the browser using fairly easily available bug-finding tools and says he found six bugs in a day. Maynor says one of them allows him to execute code remotely and he's "weaponized" it, according to his blog.

"One of the six is robust. I'm going to work on better remote execution and then wait for the iPhone," Maynor told THREAT LEVEL today as part of an interview for a Wired News story running Thursday. "Everyone I know is eager to hack the iPhone. Maybe that would actually break into it."

"I'm going to be the first in line," he added later, saying that after Apple CEO Steve Jobs announced that developers can write apps for the iPhone through Safari, "it's going to be a free-for-all."

For those who don't know, Maynor and Apple are not friends. Far from it.
He refuses to report bugs to Apple following an incident last summer when he divulged a wireless driver bug to Apple. He later demoed an exploit on a non-Apple wireless adapter in a video at a conference. Apple then tried to make him say the code wouldn't work on a MacBook and denied he had provided Apple with enough information for them to find the bug. Mac backers accused Maynor and security journalist Brian Krebs of overblowing the situation. Apple later patched the bug with no mention of Maynor.

While Maynor was not able to reveal emails he sent from his employer at the time, he was largely vindicated when he released some emails to and from Apple in a later presentation, though he did apologize for the manner in which he publicized the exploit.

It was an ugly fight, and now Maynor may be holding a zero-day exploit for the iPhone. He's certainly not going to let it loose in the wild, but if you were an Apple engineer, wouldn't you have nightmares about that very possibility? I mean, what malicious hacker wouldn't want to be the first to control an iPhone botnet?

From alerts at infosecnews.org Thu Jun 14 00:10:08 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] SonicWall buys Aventail on the cheap
Message-ID:

http://www.techworld.com/security/news/index.cfm?newsID=9136

By John E. Dunn
Techworld
13 June 2007

Remote access specialist Aventail is to be acquired by larger rival SonicWall for $25 million in cash.

The deal, which is expected to close in a remarkably quick timeframe, by the end of July, will see the privately-owned Aventail add its SSL VPN range of products to strengthen SonicWall's. It was not made clear in the official announcement how the two will merge their products, and whether either company's lines will lose out. The modest price for Aventail suggests that SonicWall might be in search of the former's premium customers, however, rather than its technology alone.
"SonicWALL is number one in SSL VPN unit share worldwide, and this acquisition will help grow our revenue share. We will compete more effectively in the remote access space, building on complementary elements in our two organisations, and offer new solutions that enhance our relevance for today's dynamic enterprise," said SonicWall CEO Matthew Medeiros, offering few clues.

Aventail will be remembered both as a pioneer of SSL VPN access and as an advocate of the awfully-termed de-perimeterised network, where users are secured according to criteria such as what they are connecting from rather than where they are physically.

It looks as if Aventail's shareholders have decided that its growth possibilities as a small company were becoming limited, and that the best option was a sell-out. The company, founded in 1996, was financed by several rounds of venture capital, one of which totalled $55 million during the tech slump of 2001. The end price will disappoint many.

From alerts at infosecnews.org Thu Jun 14 00:10:35 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] 10 reasons why the Black Hats have us outgunned
Message-ID:

http://www.theregister.co.uk/2007/06/13/black_hat_list/

By Robin Bloor
IT-Analysis.com
13th June 2007

Here they are:

1. The Black Hats form a well integrated community that shares knowledge effectively.

Should you, after months of research and effort, create an exploit that allows you to hack Windows or any other frequently used software product, you can auction the exploit on the internet in a well organised manner. Yes, the hackers have their own auction sites (it's true). And if you're looking to write a virus, say, well, there are hundreds of sites out there that can provide you with source code to help you construct something really fiendish: different modules for setting up a mail server or planting a specific Trojan or whatever. Open source is all the rage, even among hackers.

2. Becoming a Black Hat is a career option even for those who are not super geeks.

Time was when Black Hats needed to have a computer science degree or a similar level of exposure to computer technology in order to operate effectively. It's comforting to know, should you want to become a Black Hat, that the barriers to entering the trade are much lower now. It's true that you'll never become a "legendary Black Hat" if you can't cut a little C++ code. Nevertheless, out there on the internet there are websites where you can buy fully functional software for launching exploits that others have written for you. Yes, there are indeed hacker-devoted software products freely available for purchase by anyone capable of installing software. $200 or so should buy you something useful (including updates).

3. There are even specialist virus tools designed to circumvent specific AV products.

You know how it is. You want revenge on some company or other who sold you something that turned out to be a dud and refused to allow you to return it. So you send them a virus or two, but you just can't seem to infect them because the AV technology they use has the signature of every virus at your disposal. Have no fear. The same software vendors that can sell you exploit tools also have specific viruses for sale which are guaranteed to get around any specific AV product that you can name. There's one for Norton, one for McAfee, one for Kaspersky, and ones for AV products that you may never even have heard of. Hell, there's lots of specialist software out there. If you have a budget in the $1,000 to $5,000 region, you can even buy Trojans that are purpose-built to steal credit card data and mail it to you.

4. There are SDKs for the more advanced hackers.

"OK, nice to know that lame-brains can become hackers, but I'm more ambitious than that. I want to cut code with the best of them. I want to be a genuine fully fledged bad-ass Black Hat." Well, Cinderella, you can indeed go to the ball. To get started all you'll need is one of those comprehensive hacker SDKs (cost about $320, but hey, you can't be a carpenter without tools, can you?). Yes, there are indeed such products for sale out there. It helps if you can read Russian, by the way, given the limitations of Babel Fish.

5. There's a market for your data.

"OK, I go out onto the net and try an exploit here or there and I hit pay dirt - a whole file of thousands of credit card details. What do I do now?" My advice to you, dear boy, is forget about trying to buy stuff on eBay or Amazon with all that stolen data. Simply sell the data and leave it to someone else to do all the dirty work. How much to sell for? Well, it depends, but you should be able to get $30 per credit card as an absolute minimum, and if you've got really lucky and managed to get the PIN of the card (a difficult data item to get your hands on) then it should be close to $500 per card. Yes, there are markets out in cyberspace where you can sell data - not just credit card data, but Social Security card data (for US citizens), birth certificate data, billing data, and driving licence data (all of which can be used to set up bogus bank accounts).

6. There are botnets to rent.

Don't tell me, let me guess. You've got a great scheme in mind to flood the world with a particular kind of spam and it's bound to pay off. But you just don't have the computer power you need. Let me introduce you to an Asian friend of mine who's been established in the Black Hat trade for a year or two. He repeatedly floods the internet with Trojan viruses to continuously assemble and grow a botnet. He has to keep on doing it because every now and then PCs get cleaned and fall out of the net, and anyway the bigger the botnet the more the commercial opportunity. My friend will rent you a portion of his botnet for 20 cents per PC per day (roughly current rates) and he'll throw in a whole database of email addresses too. He thinks of himself as an Internet Service Provider.

7. Some rogue websites are very subtly managed.

You're thinking of setting up a website with some "poisoned downloads" and perhaps even a script or two which runs in the browser and will infect visitors with a virus given half the chance, but you've heard of security companies that send spiders round the web examining sites and testing for malware, so they can put you on a blacklist. So what's the point in putting in the effort if it all comes to nothing? Well, don't despair. I know a Black Hat who keeps an up-to-date list of the IP addresses of all those spiders. He'll rent it to you and you can build the site so that it presents innocuous executables to the spiders and infects everyone else. Would I steer you wrong?

8. Good hackers know how to stay safe (they stay abroad).

It's what may keep you up at nights. You've pulled off some real coups: stealing data here and there, setting up a healthy spam business, arranging a few rogue auctions on eBay, assembling a sizable botnet and so on. Then the news breaks that a hacker in Denmark has just been arrested and the net is awash with pictures of him. It looks like he's going to spend years and years in a place where champagne is never served. That must be the third hacker arrest this year - dammit, this is becoming a dangerous profession. Sometimes hackers even get caught. Well, please bear in mind that 30 percent of all Black Hat activity is in the US and, well, it's not often that you hear of a US hacker getting banged to rights. I mean, the average bank robbery with a gun in the US nets less than $10,000, while the average bank robbery with a PC nets more than 10 times that figure. Many more of the gun-toting bank robbers get caught than the PC-toting ones, and some of them even get shot. Your chances of getting caught are slim to zero - especially if you initiate it all remotely through a server somewhere in Moldova. Well, OK, you're a worrier, so move to Moldova. Sensible hackers don't hack in their own back yard - so change back yards. And when was the last time you heard of a hacker from Moldova getting caught?

9. The banking system has its channels.

"OK, so I've moved to Moldova, but how am I going to pick up the money I'm earning?" Gosh, you don't know much about the international banking system, do you? Here's my advice. Set up a convenient little off-shore account in the Cayman Islands and pass the money through there. Even in this internet era when it is oh-so-difficult to ensure the secrecy of data, no data ever seems to escape from those Cayman banks. And as regards your Black Hat activity, my advice to you, as a Moldovan, is to specialise in denial of service attacks (software to carry them out is available from the usual suppliers). The DoS ransom fees are around $50,000 if you hit a big company, and you can usually extort $10,000 from the smaller ones. That's good pay for a week or two's hard hacking.

10. Not all businessmen are entirely averse to the odd hack (on a competitor).

As you seem determined to embark on a life of cybercrime, I have one last piece of advice for you. Don't ignore the business world as a lucrative source of income. I know what you're thinking: those guys are my prey. Well, it's true that some of them are, but some of them could become your customers - if you make the right contacts and do the right kind of marketing. I mean, which businessman could fail to be pleased when his major competitor suffers a big data hack or loses a few days' web business because of a DoS attack? Which businessman doesn't think, "hey, what if I arranged for something like that to happen?" And which businessman, having formulated a good competitive tactic, doesn't put it into practice? There's good money to be made in focused hacks, theft of intellectual property, denial of service and large scale data theft. You might even get paid twice - by the customer and the victim.
-=-

Acknowledgments: Some of the information used to produce this article was gathered from presentations given to me by Yuval Ben-Itzhak of Finjan and Patricia Booth of CA, both of whom have a deep knowledge of the extent of the IT security malaise. It's no longer just a serious threat; it's a well organized and expanding industry.

Copyright 2007, IT-Analysis.com

From alerts at infosecnews.org Fri Jun 15 01:24:31 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] US Embassy probes hacking of online visa appointment system
Message-ID:

http://www.rjr94fm.com/news/story.php?category=2&story=36819

June 13, 2007

RJR News has been informed that the United States Embassy has launched an intensive probe into what is reported to be the recent hacking of its online non-immigrant visa appointment system.

While the extent of the breach is unclear, it is understood that unknown persons managed to access the online non-immigrant visa appointment system and tampered with the names and appointment dates of visa applicants.

A small group of student athletes who were scheduled to attend the Reebok Classic earlier this month were unable to do so, reportedly due to the problem. Our source says track officials had applied for appointments ahead of schedule; however, they were unable to obtain dates, even up to the day of the track meet. Some of the athletes never made the trip.

The US Embassy in a statement Wednesday afternoon confirmed that it had launched an investigation into the attempted manipulation of its online non-immigrant visa appointment system. The Embassy warned members of the public to avoid dealing with persons offering to procure early visa appointments.

According to the Embassy, a growing number of appointments made on the agency's online system contain fictitious information and have been made simply to hold a place in the interview schedule.
Embassy officials say fictitious appointments pose problems for everyone and add to the waiting time for legitimate travelers from Jamaica to secure a timely appointment. The Embassy says persons found to be tampering with the appointment database and/or filing fraudulent appointments will be reported to the Jamaican authorities for possible criminal prosecution.

From alerts at infosecnews.org Fri Jun 15 01:25:13 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Apple Goes on Safari With Hostile Security Researchers
Message-ID:

http://www.wired.com/gadgets/mac/news/2007/06/researchersmeetsafari

By Ryan Singel
Wired.com
06.14.07

Security researchers have long speculated that Apple has benefited from security by obscurity, escaping attention from malicious hackers because Windows-based computers dominate in homes and offices. But Apple's new Safari for Windows puts it right in hackers' crosshairs.

The browser gives hackers another way to attack Windows, and security researchers will now likely spend hours hunting down holes in the code. But Apple's culture of secrecy and slick marketing has put it at odds with a community that values openness and honesty -- a lot of computer security experts aren't very fond of the computer maker.

Indeed, some in the security community think Apple's stance towards security is as bad as Microsoft's was in the days when it was called the "Evil Empire," prior to Bill Gates's declaration in 2002 that security was the company's top priority.

When asked over the phone if Apple treated security researchers well, Black Hat founder Jeff Moss relayed the question to researchers at the Computer Security Institute conference. Howls of derisive laughter came pouring through his cell phone.

"They are vulnerable like anyone else, but they are still controlled by marketing campaigns," said Moss. "Their approach will change -- but when will it change?"
Apple has a mixed reputation in the security community. It's been criticized for how it handles reports of vulnerabilities, how it reports the severity of bugs in automatic security updates and how long it takes to patch flaws. In addition, Moss said Apple has a reputation of not crediting researchers who find bugs.

Security researchers generally adhere to a policy of reporting bugs quietly to software vendors ahead of time in return for public credit when a fix is shipped. However, Apple has been accused of fixing bugs silently, or fixing a security bug and reclassifying it as a "usability bug" rather than crediting researchers.

By releasing a beta version of Safari to the public, Apple expects to get feedback on bugs and vulnerabilities, but some researchers are loath to provide it unless they get proper credit.

Security researcher David Maynor said he found six Safari bugs in one day using commonly available tools that Apple engineers should have used themselves.

"Apple is using the research community as their (quality assurance) department, which makes me not want to report bugs," he said. "If they aren't going to run these tools, why should I run them and report them?"

While Maynor says he follows this policy for companies like Microsoft, he refuses to report bugs to Apple following a vitriolic contretemps last summer involving a wireless-driver bug. Maynor contends Apple attacked his credibility, while Maynor's detractors say he overstated the severity of the exploit.

One of the bugs is a remote exploit that works on the beta browser and the current production version of Safari for Mac OS X, according to Maynor. Maynor says he plans to hold onto the exploit until he can buy an iPhone and break into it.

Maynor is not alone in probing the new browser.
Just one day after Apple released the Safari beta, security researchers published detailed accounts of critical vulnerabilities in the browser, ranging from attacks that simply crashed the browser to one that allowed a website to run commands on the computer of a visitor running Safari.

But animus towards Apple is not universal in the security community. Dino Dai Zovi, a security researcher who recently won $10,000 by taking over a Mac remotely, says he's reported nine vulnerabilities to Apple and found them to be as responsive as most in the industry.

Apple tends to be slow issuing patches, according to Dai Zovi, but can be quick when there's a lot of public scrutiny, such as with his QuickTime/Java exploit, which it fixed in a "groundbreaking" eight days.

But Dai Zovi said Apple may be about to enter much hotter water, thanks to its new Windows browser, the hot new iPhone and increased Mac market share.

"They are going to have to deal with a lot more vulnerability reports," Dai Zovi said. "Just like Microsoft, once the public perception of security impacts sales, Apple will most likely step it up."

David Goldsmith, the president of Matasano Security, echoed Dai Zovi's take on Apple's handling of reports, saying he's never had a problem with Apple not crediting him for a bug, but that in the past Apple had a habit of underplaying the severity of the bug.

Goldsmith said Apple might have to fix bugs faster because more people will be watching what the company does.

"Apple has a reputation of being more secure and one of the theories is that it is because less people are looking at it (for vulnerabilities)," Goldsmith said. "(The Windows Safari browser) may prove to be a way of validating that claim. It is safe to say they are going to change the way they react to these communications just because they will have more exposure to them."
Apple was not immediately available for detailed comment, but a spokesperson pointed out that the Safari browser relies on an open-source browser engine that has been well tested and used by companies like Nokia.

From alerts at infosecnews.org Fri Jun 15 01:25:31 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Secunia Weekly Summary - Issue: 2007-24
Message-ID:

========================================================================
The Secunia Weekly Advisory Summary
2007-06-08 - 2007-06-15
This week: 81 advisories
========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available:
http://secunia.com/network_software_inspector/

The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications.

========================================================================
2) This Week in Brief:

It has been Patch Tuesday again for all Windows users, with Microsoft releasing six security bulletins, including one for Windows Vista. The vulnerabilities range from the "less critical" information disclosure vulnerability in Vista, to "highly critical" ones found in Internet Explorer (IE), Visio, Outlook Express, and in the Windows code itself.
MS07-030 discusses two vulnerabilities in Microsoft Visio, which could be exploited to execute arbitrary code.
http://secunia.com/advisories/25619/

MS07-031 discusses a vulnerability in the Microsoft Windows Secure Channel Digital Signature security package, which on Windows XP could be exploited to execute arbitrary code, and on Windows 2000 and Server 2003 could cause a Denial of Service (DoS) condition.
http://secunia.com/advisories/25620/

MS07-032 discusses a vulnerability in Windows Vista, which could be used by malicious, local users to disclose possibly sensitive information.
http://secunia.com/advisories/25623/

MS07-033 discusses six vulnerabilities in Internet Explorer, which can be exploited to spoof the contents of an arbitrary site or to gain access to a vulnerable system.
http://secunia.com/advisories/25627/

MS07-034 discusses three vulnerabilities in Microsoft Outlook Express and Windows Mail, which could be exploited to read data on the system or execute arbitrary code.
http://secunia.com/advisories/25639/

MS07-035 discusses a vulnerability in the Microsoft Windows Win32 API, which could be exploited to execute arbitrary code via a local application, for example when a user is tricked into viewing a web site hosting malicious code.
http://secunia.com/advisories/25640/

--

Some vulnerabilities have been reported in OpenOffice this week: one resulting from an error when parsing data within RTF files, and the other carried over from OpenOffice's use of the FreeType library, which contains an error when parsing malformed TTF fonts. A patch has been released for these vulnerabilities, and all users are urged to update as soon as possible.
Several Linux distributions have also released patches, such as Debian and Red Hat: http://secunia.com/advisories/25650/ http://secunia.com/advisories/25673/ For more information, read the OpenOffice advisory here: http://secunia.com/advisories/25648/ -- VIRUS ALERTS: During the past week Secunia collected 231 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA14921] Microsoft Windows Message Queuing Buffer Overflow Vulnerability 2. [SA25547] Yahoo! Messenger Two ActiveX Controls Buffer Overflows 3. [SA25594] Linux Kernel Multiple Vulnerabilities 4. [SA25640] Microsoft Windows Win32 API Code Execution Vulnerability 5. [SA25620] Windows Secure Channel Digital Signature Parsing Vulnerability 6. [SA18787] Internet Explorer Drag-and-Drop Vulnerability 7. [SA25619] Microsoft Visio Two Code Execution Vulnerabilities 8. [SA25627] Internet Explorer Multiple Vulnerabilities 9. [SA25639] Microsoft Outlook Express and Windows Mail Multiple Vulnerabilities 10. [SA25648] OpenOffice RTF File and FreeType Font Parsing Vulnerabilities ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA25672] Corel ActiveCGM Browser ActiveX Control Multiple Buffer Overflows [SA25640] Microsoft Windows Win32 API Code Execution Vulnerability [SA25639] Microsoft Outlook Express and Windows Mail Multiple Vulnerabilities [SA25627] Internet Explorer Multiple Vulnerabilities [SA25625] Zoomify Viewer ActiveX Control Multiple Buffer Overflows [SA25624] HP Help and Support Center Unspecified Vulnerability [SA25620] Windows Secure Channel Digital Signature Parsing Vulnerability [SA25619] Microsoft Visio Two Code Execution Vulnerabilities [SA25604] Vitalize! 
Cellosoft Tokens Object Extension "RemoveChr()" Buffer Overflow [SA25593] Blue Coat K9 Web Protection Management Service Buffer Overflow [SA25602] D-Link DWL-G650+ Wireless Driver Beacon TIM Buffer Overflow [SA25606] BrightStor ARCserve Backup for Laptops & Desktops Unspecified Vulnerabilities [SA25643] TEC-IT TBarCode TBarCode7 ActiveX Control "SaveImage()" Insecure Method [SA25623] Microsoft Windows Vista User Information Disclosure [SA25663] Microsoft Internet Explorer 7 HTTP Basic Authentication IDN Spoofing [SA25603] Kaspersky AntiVirus klif.sys Hooked Functions Denial of Service UNIX/Linux: [SA25673] Red Hat update for openoffice.org [SA25667] Xoops XT-Conteudo Module "spaw_root" File Inclusion [SA25665] Xoops Cjay Content WYSIWYG IE Module "spaw_root" File Inclusion [SA25660] Avaya Products PHP Multiple Vulnerabilities [SA25652] Xoops Tiny Content Module "spaw_root" File Inclusion [SA25651] Xoops Horoscope Module "xoopsConfig[root_path]" File Inclusion [SA25650] Debian update for openoffice [SA25647] Mandriva update for mozilla-firefox [SA25635] Debian update for xulrunner [SA25591] SGI Advanced Linux Environment Multiple Updates [SA25669] Red Hat update for kdebase [SA25666] Sun Java System Directory Server Two Vulnerabilities [SA25664] Debian update for icedove [SA25662] Konqueror Flash Player Plug-in Vulnerability [SA25655] Red Hat update for mod_perl [SA25654] Mandriva update for freetype2 [SA25653] fuzzylime (forum) "topic" SQL Injection and Cross-Site Scripting [SA25644] Mandriva update for mozilla-thunderbird [SA25622] Gentoo update for madwifi [SA25621] Ubuntu update for libexif [SA25613] Debian update for lighttpd [SA25612] Debian update for freetype [SA25609] Red Hat update for freetype [SA25608] Sun Solaris sshd Identical Blocks Denial of Service Vulnerability [SA25599] Mandriva update for libexif [SA25594] Linux Kernel Multiple Vulnerabilities [SA25676] Avaya Products OpenLDAP slapd "selfwrite" Security Issue [SA25661] Avaya CMS Sun Solaris 
"in.iked" Denial of Service Vulnerability [SA25658] Mandriva update for libwmf [SA25657] Mandriva update for gd [SA25649] HP-UX update for Bind [SA25646] Mandriva update for tetex [SA25633] Red Hat update for gcc [SA25632] Red Hat update for gdb [SA25628] Red Hat update for openldap [SA25616] Maran PHP Blog "id" Cross-Site Scripting [SA25600] Mail Notification "WITH_SSL" Plaintext Password Security Issue [SA25590] rPath update for gd, php, php-mysql, and php-pgsql [SA25668] Sun Solaris 10 NFS XDR Handling Vulnerability [SA25631] Red Hat update for pam [SA25630] Red Hat update for kernel [SA25629] Red Hat update for shadow-utils [SA25598] Cisco Trust Agent "User Notification" Authentication Bypass [SA25596] Ubuntu update for kernel [SA25679] Red Hat update for iscsi-initiator-utils [SA25610] Ubuntu update for xscreensaver [SA25607] Sun Solaris scp Command Line Shell Command Injection Other: [SA25611] ARRIS Cadant C3 CMTS IP Options Handling Denial of Service [SA25592] Novell Modular Authentication Service NMASINST Information Disclosure Cross Platform: [SA25656] YaBB CRLF Injection Privilege Escalation Vulnerability [SA25648] OpenOffice RTF File and FreeType Font Parsing Vulnerabilities [SA25641] Mbedthis AppWeb URL Protocol Format String Vulnerability [SA25626] PHPMailer "Sender" Arbitrary Command Execution [SA25615] PHP Real Estate Classifieds "loc" File Inclusion [SA25614] Link Request Contact Form PHP File Upload [SA25597] Sun Java System Products NSS SSLv2 Processing Buffer Overflows [SA25642] libexif EXIF Information Integer Overflow Vulnerability [SA25605] e-Vision CMS Multiple Vulnerabilities [SA25595] PhpWiki Empty LDAP Passwords Authentication Bypass [SA25601] Firebird "connect" Request Handling Buffer Overflow Vulnerability [SA25638] dotProject Cross-Site Scripting Vulnerability [SA25637] Invision Power Board Profile Updating Security Issue [SA25634] Beehive Forum "links.php" Cross-Site Scripting [SA25617] Sporum Forum "view" and "mode" Cross-Site 
Scripting Vulnerabilities [SA25636] Mbedthis AppWeb HTTP TRACE Response Cross-Site Scripting ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA25672] Corel ActiveCGM Browser ActiveX Control Multiple Buffer Overflows Critical: Highly critical Where: From remote Impact: System access Released: 2007-06-14 Will Dormann has reported some vulnerabilities in ActiveCGM, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/25672/ -- [SA25640] Microsoft Windows Win32 API Code Execution Vulnerability Critical: Highly critical Where: From remote Impact: Privilege escalation, System access Released: 2007-06-12 A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/25640/ -- [SA25639] Microsoft Outlook Express and Windows Mail Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of sensitive information, System access Released: 2007-06-12 Some vulnerabilities have been reported in Microsoft Outlook Express and Windows Mail, which can be exploited by malicious people to disclose sensitive information and compromise a user's system. Full Advisory: http://secunia.com/advisories/25639/ -- [SA25627] Internet Explorer Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Cross Site Scripting, Spoofing, System access Released: 2007-06-12 Multiple vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks or compromise a user's system. 
Full Advisory: http://secunia.com/advisories/25627/

--
[SA25625] Zoomify Viewer ActiveX Control Multiple Buffer Overflows
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-06-12
Will Dormann has reported some vulnerabilities in Zoomify Viewer ActiveX control, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25625/

--
[SA25624] HP Help and Support Center Unspecified Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-06-13
HP has acknowledged a vulnerability in Help and Support Center, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25624/

--
[SA25620] Windows Secure Channel Digital Signature Parsing Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2007-06-12
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25620/

--
[SA25619] Microsoft Visio Two Code Execution Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-06-12
Two vulnerabilities have been reported in Microsoft Visio, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25619/

--
[SA25604] Vitalize! Cellosoft Tokens Object Extension "RemoveChr()" Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-06-13
Haikz has reported a vulnerability in Cellosoft Tokens Object extension for Vitalize!, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25604/

--
[SA25593] Blue Coat K9 Web Protection Management Service Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: Privilege escalation, System access
Released: 2007-06-08
CSIS Security Group has reported a vulnerability in BlueCoat K9 Web Protection, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25593/

--
[SA25602] D-Link DWL-G650+ Wireless Driver Beacon TIM Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-06-12
Laurent Butti has reported a vulnerability in the D-Link DWL-G650+ wireless driver, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25602/

--
[SA25606] BrightStor ARCserve Backup for Laptops & Desktops Unspecified Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2007-06-11
Some vulnerabilities have been reported in BrightStor ARCserve Backup for Laptops & Desktops, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25606/

--
[SA25643] TEC-IT TBarCode TBarCode7 ActiveX Control "SaveImage()" Insecure Method
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2007-06-13
shinnai has reported a vulnerability in TEC-IT's TBarCode TBarCode7 ActiveX control, which can be exploited by malicious people to overwrite arbitrary files.
Full Advisory: http://secunia.com/advisories/25643/

--
[SA25623] Microsoft Windows Vista User Information Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2007-06-12
A security issue has been reported in Microsoft Windows Vista, which can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/25623/

--
[SA25663] Microsoft Internet Explorer 7 HTTP Basic Authentication IDN Spoofing
Critical: Not critical
Where: From remote
Impact: Spoofing
Released: 2007-06-14
A weakness has been discovered in Internet Explorer 7, which can be exploited by malicious people to conduct spoofing attacks.
Full Advisory: http://secunia.com/advisories/25663/

--
[SA25603] Kaspersky AntiVirus klif.sys Hooked Functions Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-06-12
EP_X0FF has reported some vulnerabilities in Kaspersky AntiVirus, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25603/

UNIX/Linux:
--
[SA25673] Red Hat update for openoffice.org
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-06-14
Red Hat has issued an update for openoffice.org. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25673/

--
[SA25667] Xoops XT-Conteudo Module "spaw_root" File Inclusion
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-06-14
FiSh has discovered a vulnerability in the XT-Conteudo module for Xoops, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25667/

--
[SA25665] Xoops Cjay Content WYSIWYG IE Module "spaw_root" File Inclusion
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-06-14
FiSh has discovered a vulnerability in the Cjay Content WYSIWYG IE module for Xoops, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25665/

--
[SA25660] Avaya Products PHP Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Unknown, Security Bypass, System access
Released: 2007-06-14
Avaya has acknowledged some vulnerabilities in various Avaya products, where some have unknown impacts and others can be exploited by malicious users to bypass certain security restrictions and potentially by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25660/

--
[SA25652] Xoops Tiny Content Module "spaw_root" File Inclusion
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-06-13
Sp[L]o1T has discovered a vulnerability in the Tiny Content module for Xoops, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25652/

--
[SA25651] Xoops Horoscope Module "xoopsConfig[root_path]" File Inclusion
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-06-13
BeyazKurt has discovered a vulnerability in the Horoscope module for Xoops, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25651/

--
[SA25650] Debian update for openoffice
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-06-13
Debian has issued an update for openoffice. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25650/

--
[SA25647] Mandriva update for mozilla-firefox
Critical: Highly critical
Where: From remote
Impact: Spoofing, Exposure of sensitive information, DoS, System access
Released: 2007-06-13
Mandriva has issued an update for mozilla-firefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/25647/

--
[SA25635] Debian update for xulrunner
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Exposure of system information, DoS, System access
Released: 2007-06-13
Debian has issued an update for xulrunner. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25635/

--
[SA25591] SGI Advanced Linux Environment Multiple Updates
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2007-06-08
SGI has issued multiple updates for SGI Advanced Linux Environment. These fix some vulnerabilities, which can be exploited by malicious, local users to perform certain actions with escalated privileges or gain escalated privileges, by malicious users to cause a DoS (Denial of Service), and by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/25591/

--
[SA25669] Red Hat update for kdebase
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2007-06-14
Red Hat has issued an update for kdebase. This fixes a vulnerability, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/25669/

--
[SA25666] Sun Java System Directory Server Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information
Released: 2007-06-14
Two vulnerabilities have been reported in the Sun Java System Directory Server, which can be exploited by malicious people to disclose potentially sensitive information or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25666/

--
[SA25664] Debian update for icedove
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-06-14
Debian has issued an update for icedove. This fixes some vulnerabilities, which can potentially be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25664/

--
[SA25662] Konqueror Flash Player Plug-in Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2007-06-14
A vulnerability has been reported in Konqueror, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/25662/

--
[SA25655] Red Hat update for mod_perl
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-06-14
Red Hat has issued an update for mod_perl. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25655/

--
[SA25654] Mandriva update for freetype2
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-06-14
Mandriva has issued an update for freetype2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.
Full Advisory: http://secunia.com/advisories/25654/

--
[SA25653] fuzzylime (forum) "topic" SQL Injection and Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2007-06-13
Silentz has discovered some vulnerabilities in fuzzylime (forum), which can be exploited by malicious people to conduct SQL injection attacks and cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25653/

--
[SA25644] Mandriva update for mozilla-thunderbird
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-06-13
Mandriva has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which can potentially be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25644/

--
[SA25622] Gentoo update for madwifi
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-06-12
Gentoo has issued an update for madwifi. This fixes some vulnerabilities, which can be exploited by malicious, local users and by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25622/

--
[SA25621] Ubuntu update for libexif
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-06-12
Ubuntu has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.
Full Advisory: http://secunia.com/advisories/25621/

--
[SA25613] Debian update for lighttpd
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-06-11
Debian has issued an update for lighttpd. This fixes some vulnerabilities, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25613/

--
[SA25612] Debian update for freetype
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-06-11
Debian has issued an update for freetype. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.
Full Advisory: http://secunia.com/advisories/25612/

--
[SA25609] Red Hat update for freetype
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-06-11
Red Hat has issued an update for freetype. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.
Full Advisory: http://secunia.com/advisories/25609/

--
[SA25608] Sun Solaris sshd Identical Blocks Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-06-11
Sun has acknowledged a vulnerability in Sun Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25608/

--
[SA25599] Mandriva update for libexif
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-06-11
Mandriva has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.
Full Advisory: http://secunia.com/advisories/25599/

--
[SA25594] Linux Kernel Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Brute force, Exposure of sensitive information, DoS
Released: 2007-06-08
Two vulnerabilities and a weakness have been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information and malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25594/

--
[SA25676] Avaya Products OpenLDAP slapd "selfwrite" Security Issue
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2007-06-14
Avaya has acknowledged a security issue in various Avaya products, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25676/

--
[SA25661] Avaya CMS Sun Solaris "in.iked" Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-06-14
Avaya has acknowledged a vulnerability in Avaya CMS (Call Management System), which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25661/

--
[SA25658] Mandriva update for libwmf
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-06-14
Mandriva has issued an update for libwmf. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25658/

--
[SA25657] Mandriva update for gd
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-06-14
Mandriva has issued an update for gd. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25657/

--
[SA25649] HP-UX update for Bind
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2007-06-13
HP has issued an update for HP-UX. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25649/

--
[SA25646] Mandriva update for tetex
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-06-14
Mandriva has issued an update for tetex. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25646/

--
[SA25633] Red Hat update for gcc
Critical: Less critical
Where: From remote
Impact: System access
Released: 2007-06-12
Red Hat has issued an update for gcc. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25633/

--
[SA25632] Red Hat update for gdb
Critical: Less critical
Where: From remote
Impact: DoS, System access
Released: 2007-06-12
Red Hat has issued an update for gdb. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges or malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25632/

--
[SA25628] Red Hat update for openldap
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2007-06-12
Red Hat has issued an update for openldap. This fixes a security issue, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25628/

--
[SA25616] Maran PHP Blog "id" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-06-12
ls has discovered a vulnerability in Maran PHP Blog, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25616/

--
[SA25600] Mail Notification "WITH_SSL" Plaintext Password Security Issue
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2007-06-11
Ted Percival has reported a security issue in Mail Notification, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/25600/

--
[SA25590] rPath update for gd, php, php-mysql, and php-pgsql
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-06-08
rPath has issued an update for gd, php, php-mysql, and php-pgsql. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25590/

--
[SA25668] Sun Solaris 10 NFS XDR Handling Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2007-06-14
A vulnerability has been reported in Solaris 10, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25668/

--
[SA25631] Red Hat update for pam
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2007-06-12
Red Hat has issued an update for pam. This fixes a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25631/

--
[SA25630] Red Hat update for kernel
Critical: Less critical
Where: Local system
Impact: DoS
Released: 2007-06-12
Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25630/

--
[SA25629] Red Hat update for shadow-utils
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2007-06-12
Red Hat has issued an update for shadow-utils. This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/25629/

--
[SA25598] Cisco Trust Agent "User Notification" Authentication Bypass
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2007-06-12
Adam Blake has reported a security issue in Cisco Trust Agent, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25598/

--
[SA25596] Ubuntu update for kernel
Critical: Less critical
Where: Local system
Impact: Brute force, Exposure of sensitive information
Released: 2007-06-11
Ubuntu has issued an update for the kernel. This fixes a security issue and two weaknesses, which can be exploited by malicious, local users and malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/25596/

--
[SA25679] Red Hat update for iscsi-initiator-utils
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-06-14
Red Hat has issued an update for iscsi-initiator-utils. This fixes some security issues, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25679/

--
[SA25610] Ubuntu update for xscreensaver
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2007-06-13
Ubuntu has issued an update for xscreensaver. This fixes a weakness, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25610/

--
[SA25607] Sun Solaris scp Command Line Shell Command Injection
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2007-06-11
Sun has acknowledged a weakness in Sun Solaris, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/25607/

Other:
--
[SA25611] ARRIS Cadant C3 CMTS IP Options Handling Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-06-12
A vulnerability has been reported in ARRIS's Cadant C3 CMTS, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25611/

--
[SA25592] Novell Modular Authentication Service NMASINST Information Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2007-06-11
A security issue has been reported in Novell Modular Authentication Service, which can be exploited by malicious, local users to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/25592/

Cross Platform:
--
[SA25656] YaBB CRLF Injection Privilege Escalation Vulnerability
Critical: Highly critical
Where: From remote
Impact: Privilege escalation
Released: 2007-06-13
A vulnerability has been reported in YaBB, which can be exploited by malicious users and malicious people to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/25656/

--
[SA25648] OpenOffice RTF File and FreeType Font Parsing Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-06-13
Some vulnerabilities have been reported in OpenOffice, which can potentially be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25648/

--
[SA25641] Mbedthis AppWeb URL Protocol Format String Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2007-06-12
Nir Rachmel has discovered a vulnerability in Mbedthis AppWeb, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25641/

--
[SA25626] PHPMailer "Sender" Arbitrary Command Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-06-12
Thor Larholm has discovered a vulnerability in PHPMailer, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25626/

--
[SA25615] PHP Real Estate Classifieds "loc" File Inclusion
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-06-13
not sec group has reported a vulnerability in PHP Real Estate Classifieds, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25615/

--
[SA25614] Link Request Contact Form PHP File Upload
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-06-11
CorryL has discovered a vulnerability in Link Request Contact Form, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25614/

--
[SA25597] Sun Java System Products NSS SSLv2 Processing Buffer Overflows
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-06-12
Sun has acknowledged some vulnerabilities in various Sun Java System products, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25597/

--
[SA25642] libexif EXIF Information Integer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-06-13
A vulnerability has been reported in libexif, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.
Full Advisory: http://secunia.com/advisories/25642/

--
[SA25605] e-Vision CMS Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2007-06-11
Silentz has discovered some vulnerabilities in e-Vision CMS, which can be exploited by malicious people to disclose sensitive information or to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/25605/

--
[SA25595] PhpWiki Empty LDAP Passwords Authentication Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2007-06-11
A vulnerability has been reported in PhpWiki, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25595/

--
[SA25601] Firebird "connect" Request Handling Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2007-06-12
Cody Pierce has reported a vulnerability in Firebird, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25601/

--
[SA25638] dotProject Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-06-14
A vulnerability has been reported in dotProject, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25638/

--
[SA25637] Invision Power Board Profile Updating Security Issue
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2007-06-12
A security issue has been reported in Invision Power Board, which can be exploited by malicious users to manipulate certain data.
Full Advisory: http://secunia.com/advisories/25637/

--
[SA25634] Beehive Forum "links.php" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-06-12
Ory Segal has discovered some vulnerabilities in Beehive Forum, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25634/

--
[SA25617] Sporum Forum "view" and "mode" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-06-12
r0t has discovered two vulnerabilities in Sporum, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25617/

--
[SA25636] Mbedthis AppWeb HTTP TRACE Response Cross-Site Scripting
Critical: Not critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-06-13
A weakness has been reported in Mbedthis AppWeb, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25636/

========================================================================
Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From alerts at infosecnews.org Fri Jun 15 01:25:54 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Online bank security worsens
Message-ID:

http://www.techworld.com/security/news/index.cfm?newsID=9162

By Matthew Broersma
Techworld
14 June 2007

Banks' online security is getting worse as they rush to offer services online, according to new research.

This year's Annual Security Report from NTA Monitor, a security testing firm, found that 20 percent more security vulnerabilities turned up in the infrastructures of banks, building societies and other financial institutions compared with last year's report. The survey covers networks, applications and systems.

By comparison, a month ago NTA reported that the security of UK organisations in general improved year-on-year. Thirty-two percent of UK organisations tested had critical vulnerabilities that are widely known and exploited, compared to 61 percent in 2006.

Meanwhile, financial organisations tested positive for an average of three more vulnerabilities in the 2007 survey, NTA said. A common category was buffer overflows in Bind running on DNS servers, which could allow an attacker access to the server. Another common problem was expired SSL certificates, which force users to acknowledge that they know the certificate is invalid before they can access the site.

NTA technical director Roy Hills said the increase in security problems is due to growing pressure on financial organisations to go online.
"Whilst this extra accessibility is of benefit to many customers, at the same time it can increase the exposure to external attacks," he said in a statement.

Among NTA's recommendations are to ensure SSL certificates are always renewed on time, to change default settings on Apache, in order to avoid denial of service attacks, and to keep up to date with patches.

From alerts at infosecnews.org Fri Jun 15 01:26:09 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] TorrentSpy ruling a 'weapon of mass discovery'
Message-ID:

http://news.com.com/TorrentSpy+ruling+a+weapon+of+mass+discovery/2100-1030_3-6190900.html

By Greg Sandoval
Staff Writer, CNET News.com
June 14, 2007

News analysis - It was a pro-copyright ruling that stunned nearly everyone dealing with the issue of online piracy.

In a decision reported late Friday by CNET News.com, a federal judge in Los Angeles found (PDF) [1] that a computer server's RAM, or random-access memory, is a tangible document that can be stored and must be turned over in a lawsuit.

If allowed to stand, the groundbreaking ruling may mean that anyone defending themselves in a civil suit could be required to turn over information in their computer's RAM hardware, which could force companies and individuals to store vast amounts of data, say technology experts.

Roaming the Web anonymously was already nearly impossible. This ruling, which brings up serious privacy issues, could make it a lot harder.

"I think that people's fears about a potential invasion of privacy are quite warranted," said Ken Withers, director of judicial education at The Sedona Conference, an independent research group. "The fear is that we're putting in the hands of private citizens and particularly well-financed corporations the same tools that heretofore were exclusively in the hands of criminal prosecutors, but without the sort of safeguards that criminal prosecutors have to meet, such as applying for search warrants."
U.S. Magistrate Judge Jacqueline Chooljian issued the decision while presiding over a court fight between the film industry and TorrentSpy, which is accused of copyright infringement in a lawsuit filed last year by the Motion Picture Association of America.

Following her decision, Chooljian ordered TorrentSpy to begin logging user information and allowed the company to mask the Internet Protocol addresses belonging to visitors of the Web site. TorrentSpy must then turn the data over to the MPAA. The judge stayed the order pending an appeal, which the company filed on Tuesday. It's not clear when the appeal will be heard.

The question now, of course, is whether Chooljian's ruling will hold up legally or technically.

From a legal standpoint, Withers said he feared the judge's decision may mean a "tremendous expansion" of the scope of discovery in civil litigation. The trend in the courts lately has been to create what Withers called "weapons of mass discovery." Discovery is the legal process by which lawyers obtain documents and other materials to help defend their case.

He also said that the judge's order for a defendant (TorrentSpy) to create logs of user activity so they can be turned over to a plaintiff (MPAA) is unprecedented.

"There's never been a requirement that (defendants) must create documents that they wouldn't ordinarily maintain for the purpose of satisfying some (plaintiff's) discovery requests," said Withers.

But on the technical side, Dean McCarron, principal analyst at Mercury Research, said the judge erred by defining volatile computer memory as "electronically stored information."

RAM is a computer's ephemeral and temporary memory that helps it access data quickly. Think of RAM as the yellow post-it notes that people keep to remind themselves of tasks. Once completed, the note is tossed out. Data in a computer's hard drive is stored permanently and is more like filing documents away in a cabinet.
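One way to log visitor activity while masking the addresses, as the order allows, is to replace each client address with a keyed one-way pseudonym before the log is written or handed over. This is an added example, not code from the article or from TorrentSpy; the log lines, the addresses and the key handling are constructed for illustration.

```python
"""Pseudonymize client addresses in web-server access logs.

Constructed example: a keyed, one-way token replaces each client address so
that repeat visitors remain countable while the addresses themselves are not
retained. Keep the key separate from the logs and rotate it periodically;
once a period's key is destroyed, its tokens can no longer be linked back.
"""
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2007:10:02:11 -0700] "GET /search?q=film HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2007:10:02:15 -0700] "GET /file/12345 HTTP/1.1" 200 38912 "-" "Mozilla/5.0"
2001:db8::1 - - [14/Jun/2007:10:03:00 -0700] "GET / HTTP/1.1" 200 1024 "-" "curl/7.15"
proxy.example.net - - [14/Jun/2007:10:04:42 -0700] "GET /robots.txt HTTP/1.1" 200 68 "-" "Bot/1.0"
"""


def new_key() -> bytes:
    """Fresh 256-bit secret for one logging period (for example, one day)."""
    return secrets.token_bytes(32)


def pseudonymize_client(field: str, key: bytes) -> str:
    """Map the leading client field of a log line to a keyed pseudonym.

    IPv4/IPv6 addresses are canonicalised to their packed form first, so
    '2001:db8::1' and '2001:0db8:0:0:0:0:0:1' yield the same token. Any
    other value (a reverse-resolved hostname, for instance) is hashed as a
    UTF-8 string. HMAC-SHA256 makes the mapping impossible to invert or
    reproduce without the key; a 64-bit prefix is ample for uniqueness in
    a log of realistic size.
    """
    try:
        addr = ipaddress.ip_address(field)
        data, prefix = addr.packed, f"ip{addr.version}-"
    except ValueError:
        data, prefix = field.encode("utf-8"), "host-"
    return prefix + hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


def mask_log(text: str, key: bytes) -> list[str]:
    """Rewrite each non-empty line with its client field pseudonymized.

    Only the first whitespace-separated field is touched; timestamps,
    request lines, status codes and user agents are kept verbatim.
    """
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, sep, rest = line.partition(" ")
        out.append(pseudonymize_client(client, key) + sep + rest)
    return out


def distinct_visitors(masked_lines: list[str]) -> int:
    """Count distinct clients in a masked log without the raw addresses."""
    return len({line.split(" ", 1)[0] for line in masked_lines})


if __name__ == "__main__":
    key = new_key()
    masked = mask_log(SAMPLE_LOG, key)
    print("\n".join(masked))
    print("distinct visitors:", distinct_visitors(masked))
```

Counting by pseudonym still works, but any field that can identify a visitor on its own (a username, a session token in the query string) needs the same treatment before the log leaves your control.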
"RAM is the working storage of a computer and designed to be impermanent," McCarron said. "Potentially your RAM is being modified up to several billions of times a second. The judge's order simply reveals to me a lack of technical understanding."

A "tap" can be installed in a server, McCarron offered. But that means keeping a running log of IP addresses and other information. A tap would also require a company to store enormous amounts of data, an expensive process, he said.

But lawyers who represent copyright holders cheered Chooljian's decision.

"Unfortunately for TorrentSpy, Judge Chooljian's decision may herald the end of an era," Richard Charnley, a Los Angeles-based attorney, said in a statement. "The process, if affirmed, will expose TorrentSpy's viewer-users and, in turn, will allow the MPAA to close another avenue of intellectual property abuse."

Lauren Nguyen, an MPAA attorney, maintains that because TorrentSpy is allowed to redact IP addresses, nobody's privacy is in jeopardy.

"The user privacy argument is simply a red herring," Nguyen said. She also said that the judge "broke no new ground in the case." The courts have long considered computer RAM as "electronically stored information," she said.

To understand the significance of the decision, one must consider that many Web sites promise to keep users' information private. Some, like TorrentSpy, do this by switching off their servers' logging function, which typically records visitors' IP addresses as well as their activity on the site.

While protecting its users' privacy, TorrentSpy also makes it easier for those who download pirated material to work in the shadows, MPAA's attorneys argued. The MPAA has estimated that the illegal downloading of copyright movies costs the six largest U.S. studios more than $2 billion annually.

To prove that TorrentSpy was making it easier to share files, the studios told Chooljian that it was necessary that they obtain records of user activity.
They convinced her that the only way to do this was to obtain the data from RAM.

Ultimately, pulling user information off a server's RAM might be a bigger privacy problem than it's worth, said one file sharer, who asked to remain anonymous.

"To imagine my information being disseminated without my written or verbal consent is unnerving," she said. "Then again, if I'm doing something I know is illegal, can I protest?"

[1] http://i.i.com.com/cnwk.1d/pdf/ne/2007/Torrentspy.pdf


From alerts at infosecnews.org  Fri Jun 15 01:26:24 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] VA sets aside $20 million to handle latest data breach
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=37191

By Daniel Pulliam
govexec.com
June 14, 2007

The Veterans Affairs Department has set aside more than $20 million to respond to its latest data breach, the agency's top technology officer said Thursday.

The department does not expect to spend the full $20 million, but designated that much because the breach potentially puts the identities of nearly a million physicians and VA patients at risk, said Bob Howard, the department's chief information officer. Howard spoke at The E-Gov Institute's Government Health IT Conference and Exhibition in Washington.

"We have no evidence that [information is at risk]. None whatsoever, but we don't take the chance," Howard said. "The attitude of the VA right now is if we think we've put anybody's information at risk, then we need to step up to the plate and try to remedy that."

The breach occurred in January, when a hard drive went missing from a Birmingham, Ala., VA medical research facility. The drive contained highly sensitive information on nearly all U.S. physicians and medical data for more than a half million VA patients. Any physician who billed Medicaid and Medicare through 2004 could be affected. The hard drive has not been recovered.
The VA estimates that about half of the 1.3 million doctors whose information was on the hard drive, and 254,000 veterans, are potentially at risk. This group was notified by mail at the end of May. The letters noted that VA is providing credit monitoring services through a General Services Administration blanket purchase agreement from the multiple award schedules program.

The credit monitoring funds will come out of the VA's fiscal 2007 cybersecurity budget, but Congress included an extra $15 million in the recently passed emergency supplemental bill for funding the wars in Iraq and Afghanistan (H.R. 2206), Howard said.

Because the January data breach occurred in a medical research facility, the technology office tried to get health care-related funds reprogrammed to cover the credit monitoring, Howard noted, but the effort was unsuccessful.

"We were very worried about using cyber money that was needed to fix other things so they listened to us and helped us out [through the supplemental]," Howard said. "I'm spending my life in the protection of information. The fact of the matter is that it is a very important aspect to us."

Investigators are still trying to locate the hard drive and the FBI has offered a $25,000 reward for information leading to its return.

In May 2006, the VA shocked Congress, the veterans community and the military by announcing that a laptop computer containing personal data on 26.5 million veterans and active-duty military personnel had been stolen. This prompted multiple hearings and legislation intended to better protect the government's sensitive information.

Howard said the department's health care information system, known as VistA, has weaknesses since it was built at a time when the VA did not worry as much about security. Department officials are looking at ways of speeding up the modernization of VistA, which is scheduled to take until at least 2015, Howard said.
The update is intended to make the medical records stored on the system available worldwide via the Internet but at the same time protect security.

"We're not satisfied with the timeline we've laid out for VistA," Howard said. "We want to accelerate it, and it may take additional money, but we're not sure. The biggest concern we have is money. You don't want to just throw money at the problem unless you know what you're doing."

Currently the system is "facility centric," revolving around the department's 1,400 locations. With patients moving out of the Defense Department's health system and in and out of private health care systems, VA has to be able to access the medical information through a single portal from anywhere, Howard said.

The modernization of VistA is "enormously complex," since the system was "built internally over time by the officials who work with the requirements," Howard said. The modernization will be approached incrementally, rather than with a "big bang approach," he said.

"We are not there by any sense of the imagination," he said. "That's a tall order, but that's the vision that we're focused on and hopefully we can figure out how to do that at some point."

Howard said the fact the department is now working with the Defense Department to build a joint electronic health system has improved the prospects of securing resources from Congress to hasten the VistA upgrade. In addition, the centralization of IT authority around the CIO's office has improved the VA's ability to implement the upgrade, Howard said.

"We've got it all now. We've got the people. We've got the money. The IT appropriation. But we've also got the problems," Howard said. "Centralization has already begun to help us get things done faster, improve standardization, improve compatibility -- all of the things that will help us modernize our electronic health records."
From alerts at infosecnews.org  Fri Jun 15 01:31:50 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] CFB (Call for Boxen) 0wn the box? Own the box!
Message-ID:

Forwarded from: sk00t

[ New contest for those attending Defcon 15 - WK ]

http://ownthebox.cipherpunx.org
https://forum.defcon.org/forumdisplay.php?f=337

# 0wn the box? Own the box!

Are you a defensive ninja? Are your services unbreakable, your builds airtight? Do your countermeasures have countermeasures for counter-countermeasures?

So prove it, bucko... Bet your box on it, on the most hostile network in the world.

Bring your laptop/server/desktop, hardened to the nines, running exactly two (2) visible services, to our specs, and we'll offer you up for the slaughter. The first person to compromise you walks away with your gear. When you're 0wned, you're owned. It's that simple.

The last box(en) standing, unowned, wins, and the winner(s) can take his/her precious back home, safe in the knowledge that if it survived at DC, it can survive anywhere. Plus, get cool prizes and mucho street cred.

For the other side of the fence, the reward is clear... Pick your target, 0wn the box, and own the box. A shopping spree for the elite.

# CFB: Call for Boxen

Vendors, hardening projects and security-centric distros? Random people with Crays in their basement? Bring your gear, plug it in, and prove your worth. Earn cool prizes (we don't know what yet, but they'll be cool, we promise) and earn mucho street cred.

If we don't see at least two boxes from the OpenBSD folks, and Adamantix, Hardened Gentoo and others, we can only assume you're nancy-boys. Here's a chance to put your money, and your gear, where your mouth is.

But what about Vista? OSX? Quick Bill, tear the BlueHat boys away from their X-Boxes and get to work! Steve, bring the OSX security team (you have one, right?)
back from the Ashram and tell them they have a chance to redeem their Karmic energy from the last few 0day embarrassments!

And how about the freaky stuff? Amigas running Cern httpd on Plan 9? Pocket calculators with IP stacks? Bring it on. We have at least one C64 coming that we know of, but we want more.

For our part, we'll make sure the scenarios are real, and everyone gets a fighting chance. We're putting some of our own gear up for grabs as well.

To sign up, post on the DC forums, or send a mail to ownthebox {at} cipherpunx {dot} org.

# Whiskey Tango Foxtrot?

This all started with Dragos Ruiu's "pwn to own" contest this year at CanSec West with two Macbooks up for grabs, so much love and respect for the idea. Seriously, thanks, man. (Hey, the dude has a sword...)

But it got us thinking, why not extend the concept a bit and ask the entire DC community to pitch in? We also thought the idea of something more casual, extending on the attackers / defenders scenario, would be fun... CTF and aCTF are awesome, but they're a lifestyle choice. Competing means giving up the B&W Ball, talks, and all else that is DC.

The goal of this contest is to give attackers and defenders a chance to prove their worth, without giving up the rest of con, with some obvious real-world stakes.

# Rules, Regs, Reqs

Defenders:

You will need to bring a machine running two visible services, that actually work, and do stuff, something beyond just a vanilla install of WhizzBangOS 9.0 with the latest patches. Be prepared for handling local / authenticated users as well. We're going to be a bit intentionally vague until closer to the con. Mail the address in the Call For Boxen for more detail.

You will be placing a file somewhere on the box with a large random value, which can only be known to someone who successfully compromises the box. Expect this to not be easy, but expect it to be fair as well.

Once you bring the box in, and cable it up, you will walk away until the end of the contest.
You do not get to watch it, monitor it, or give it hugs and kisses. Imagine you're a sysadmin taking the weekend off in Vegas. Oh, wait...

Attackers:

Anyone can play, and everyone at con is a potential attacker. As long as you have an ethernet port, you will have access to the targets, on a local LAN. They may even end up on the DC Wifi, we're not sure yet. We'll provide the IP ranges and a scoreboard of what's available.

If you can supply us with the random value placed on the filesystem of the box, you get the box.

Stupid things like DOSing will be kind of pointless, but if you do them we will make sure Bad Things happen to you, okay?


From alerts at infosecnews.org  Mon Jun 18 01:03:33 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] House committee keeps pressing DHS on cybersecurity
Message-ID:

http://www.fcw.com/article103011-06-15-07-Web

By Jason Miller
June 15, 2007

Lawmakers continue to investigate the vulnerability of the Homeland Security Department's information technology networks.

The investigation, which started April 30 with a letter to department Chief Information Officer Scott Charbo, will continue June 20 when the House Homeland Security Committee's Emerging Threats, Cybersecurity, and Science and Technology Subcommittee will hold a hearing examining the issues DHS faces and what it is doing to improve its security.

In a letter to Charbo May 31, committee Chairman Bennie Thompson (D-Miss.) asked an additional 12 questions about the status of DHS networks, how the agency is mitigating risks, when it last audited contractors and internal systems, and more specifics on the data security breaches Charbo reported in answers to the first set of questions.

Charbo will testify next week along with Greg Wilshusen, director of information security issues at the Government Accountability Office, and Keith Rhodes, GAO's chief technologist.
The subcommittee will begin examining specific incidents that occurred on DHS networks including rootkits, classified leaks, compromised Web sites, bot infections, unauthorized use of networks by contractors and viruses, according to a subcommittee briefing paper on the hearing.

GAO will describe an engagement they completed for the chairman on a specific DHS network that is riddled with significant information security control weaknesses that place sensitive and personally identifiable information at increased risk of unauthorized disclosure.

The subcommittee will also look at DHS' network consolidation project, called OneNet, and its plans to continue investigating incidents on contractor-run networks, the briefing paper states.

Charbo has until today to answer Thompson's latest questions. Among the items Thompson is requesting:

* A full network topology diagram.
* DHS' plans to remedy vulnerabilities before converging networks under OneNet.
* A list of funding reductions for DHS directorates that are not mitigating risks and completing their security improvement milestones.
* DHS' latest assessment of its wireless systems.
* DHS' latest assessment of its contractor-run networks.


From alerts at infosecnews.org  Mon Jun 18 01:04:15 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:31 2008
Subject: [ISN] Lose a Finger, Save The Data
Message-ID:

http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=199904746

By Tom LaSusa
June 15, 2007

In the James Bond movie "Die Another Day," 007 and his gal pal use a bad guy's severed hand to trick a biometric scanner into unlocking a room. Although it's true Hollywood takes certain liberties with how technology is perceived on film (do giant envelopes appear on your computer screen when you get e-mail?), the truth is that it's not unheard of for criminals to sever someone's fingers to attempt to bypass biometric security safeguards.
Fortunately, Sony has been working on some advancements that will have biometric users clapping (with all digits intact). New Scientist [1] reports that Sony has developed a system that uses infrared light to see through the skin and scan a user's unique patterns of capillaries. If a criminal attempts to use a severed finger on a scanner, it won't work because blood is no longer pumping through it.

Of course that's little comfort for the person who now has trouble whistling for a cab in the middle of rush hour. But imagine all the laughs they could have when they ask someone to pull their finger.

[1] http://www.newscientist.com/blog/invention/2007/06/digit-saving-biometrics.html


From alerts at infosecnews.org  Mon Jun 18 01:05:35 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:32 2008
Subject: [ISN] Linux Advisory Watch - June 15th 2007
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                               Weekly Newsletter  |
|  June 15th 2007                               Volume 8, Number 24a  |
+---------------------------------------------------------------------+

Editors:      Dave Wreski                   Benjamin D. Thomas
              dave@linuxsecurity.com        ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week advisories were released for openoffice, ipsec-tools, iceape, gimp, freetype, xulrunner, icedove, iceweasel, libexif, mod_perl, spamassassin, Thunderbird, Firefox, freetype2, gd, tetex, fetchmail, shadow-utils, pam, gcc, iscsi-initiator-utils, kernel, file, libpng, and xscreensaver. The distributors include Debian, Mandriva, Red Hat, Slackware, and Ubuntu.
---

Vyatta - Linux-based Router, Firewall & VPN

Vyatta software and appliances combine the features, performance and reliability of enterprise-class networking gear with the cost-savings and flexibility of linux-based solutions. Vyatta empowers you to replace overpriced proprietary router, firewall and VPN equipment with commercially supported open-source solutions.

Free Vyatta Software & Live Webinars >> http://www.linuxsecurity.com/ads/adclick.php?bannerid=28

---

* EnGarde Secure Linux v3.0.13 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.13 (Version 3.0, Release 13). This release includes several bug fixes and feature enhancements to the SELinux policy and several updated packages.

http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.13

---

Review: Practical Packet Analysis

In the introduction, McIlwraith points out that security awareness training properly consists of communication, raising of issues, and encouragement to modify behaviour. (This will come as no surprise to those who recall the definition of training as the modification of attitudes and behaviour.) He also notes that security professionals frequently concentrate solely on presentation of problems. The remainder of the introduction looks at other major security activities, and the part that awareness plays in ensuring that they actually work.

http://www.linuxsecurity.com/content/view/128459/171/

---

Robert Slade Review: "Information Security and Employee Behaviour"

The best way to secure yourself against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/128404/171/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New OpenOffice.org packages fix arbitrary code execution
  12th, June, 2007

  John Heasman discovered a heap overflow in the routines of OpenOffice.org that parse RTF files.
  http://www.linuxsecurity.com/content/view/128510

* Debian: New ipsec-tools packages fix denial of service
  7th, June, 2007

  It was discovered that a specially-crafted packet sent to the racoon ipsec key exchange server could cause a tunnel to crash, resulting in a denial of service. We recommend that you upgrade your racoon package.
  http://www.linuxsecurity.com/content/view/128465

* Debian: New iceape packages fix several vulnerabilities
  7th, June, 2007

  Several remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite. The Common Vulnerabilities and Exposures project identifies the following problem and others.
  http://www.linuxsecurity.com/content/view/128467

* Debian: New Gimp packages fix arbitrary code execution
  9th, June, 2007

  A buffer overflow has been identified in Gimp's SUNRAS plugin in versions prior to 2.2.15. This bug could allow an attacker to execute arbitrary code on the victim's computer by inducing the victim to open a specially crafted RAS file.
  http://www.linuxsecurity.com/content/view/128474

* Debian: New lighttpd packages fix denial of service
  10th, June, 2007

  Two problems were discovered with lighttpd, a fast webserver with minimal memory footprint, which could allow denial of service. The Common Vulnerabilities and Exposures project identifies the problems. One is that a remote attacker could cause a denial of service by disconnecting partway through making a request.
  http://www.linuxsecurity.com/content/view/128476

* Debian: New freetype packages fix integer overflow
  10th, June, 2007

  A problem was discovered with freetype, a FreeType2 font engine, which could allow the execution of arbitrary code via an integer overflow in specially crafted TTF files.
  http://www.linuxsecurity.com/content/view/128477

* Debian: New xulrunner packages fix several vulnerabilities
  12th, June, 2007

  Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems.
  http://www.linuxsecurity.com/content/view/128509

* Debian: New icedove packages fix several vulnerabilities
  13th, June, 2007

  Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client.
  http://www.linuxsecurity.com/content/view/128520

* Debian: New iceweasel packages fix several vulnerabilities
  14th, June, 2007

  Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identified the problems.
  http://www.linuxsecurity.com/content/view/128538

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 6 Update: libexif-0.6.15-1.fc6
  11th, June, 2007

  This update to the latest upstream release fixes a number of bugs, among them a possible integer overflow in the exif_data_load_data_entry function (CVE-2007-2645), which allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted EXIF data.
  http://www.linuxsecurity.com/content/view/128492

* Fedora Core 5 Update: mod_perl-2.0.2-5.2.fc5
  11th, June, 2007

  This update fixes a security issue in mod_perl. An issue was found in the "namespace_from_uri" method of the ModPerl::RegistryCooker class.
  If a server implemented a mod_perl registry module using this method, a remote attacker requesting a carefully crafted URI can cause resource consumption, which could lead to a denial of service. (CVE-2007-1349)
  http://www.linuxsecurity.com/content/view/128494

* Fedora Core 6 Update: mod_perl-2.0.2-6.2.fc6
  11th, June, 2007

  This update fixes a security issue in mod_perl. An issue was found in the "namespace_from_uri" method of the ModPerl::RegistryCooker class. If a server implemented a mod_perl registry module using this method, a remote attacker requesting a carefully crafted URI can cause resource consumption, which could lead to a denial of service. (CVE-2007-1349)
  http://www.linuxsecurity.com/content/view/128495

* Fedora Core 6 Update: spamassassin-3.1.9-1.fc6
  13th, June, 2007

  Local symlink vulnerability. Fedora is not vulnerable in any default or common configurations. Read upstream's announcement for details.
  http://www.linuxsecurity.com/content/view/128521

* Fedora Core 5 Update: spamassassin-3.1.9-1.fc5.1
  13th, June, 2007

  Local symlink vulnerability. Fedora is not vulnerable in any default or common configurations. Read upstream's announcement for details.
  http://www.linuxsecurity.com/content/view/128522

* Fedora Core 6 Update: openoffice.org-2.0.4-5.5.23
  13th, June, 2007

  A heap overflow flaw was found in the RTF import filter. An attacker could create a carefully crafted RTF file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. All users of OpenOffice.org are advised to upgrade to these updated packages, which contain a backported fix to correct this issue.
  http://www.linuxsecurity.com/content/view/128523

* Fedora Core 5 Update:
  13th, June, 2007

  This update to iscsi-initiator-utils is a rebase to the upstream open-iscsi-2.0-865 release. This release includes two security fixes, which are described at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=243719, as well as bug fixes and new features.
  http://www.linuxsecurity.com/content/view/128526

* Fedora Core 6 Update:
  13th, June, 2007

  This update to iscsi-initiator-utils is a rebase to the upstream open-iscsi-2.0-865 release. This release includes two security fixes, which are described here:
  http://www.linuxsecurity.com/content/view/128527

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated libexif packages fix crash and possible
  8th, June, 2007

  Integer overflow in the exif_data_load_data_entry function in exif-data.c in libexif before 0.6.14 allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted EXIF data. Updated packages have been patched to prevent this issue.
  http://www.linuxsecurity.com/content/view/128472

* Mandriva: Updated Thunderbird packages fix multiple
  12th, June, 2007

  A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 1.5.0.12. This update provides the latest Thunderbird to correct these issues.
  http://www.linuxsecurity.com/content/view/128511

* Mandriva: Updated Firefox packages fix multiple
  12th, June, 2007

  A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 1.5.0.12. This update provides the latest Firefox to correct these issues.
  http://www.linuxsecurity.com/content/view/128512

* Mandriva: Updated freetype2 packages fix integer overflow
  13th, June, 2007

  An integer overflow vulnerability was discovered in the way the FreeType font engine processed TTF files. If a user were to load a special font file with a program linked against freetype, it could cause the application to crash or possibly execute arbitrary code as the user running the program.
  http://www.linuxsecurity.com/content/view/128530

* Mandriva: Updated gd packages fix vulnerability
  13th, June, 2007

  A flaw in libgd2 was found by Xavier Roche where it would not correctly validate PNG callback results.
  http://www.linuxsecurity.com/content/view/128531

* Mandriva: Updated libwmf packages fix vulnerability
  13th, June, 2007

  A flaw in libgd2 was found by Xavier Roche where it would not correctly validate PNG callback results. If an application linked against libgd2 was tricked into processing a specially-crafted PNG file, it could cause a denial of service scenario via CPU resource consumption.
  http://www.linuxsecurity.com/content/view/128532

* Mandriva: Updated tetex packages fix vulnerability
  13th, June, 2007

  A flaw in libgd2 was found by Xavier Roche where it would not correctly validate PNG callback results. If an application linked against libgd2 was tricked into processing a specially-crafted PNG file, it could cause a denial of service scenario via CPU resource consumption. Tetex uses an embedded copy of the gd source and may also be affected by this issue. The updated packages have been patched to prevent this issue.
  http://www.linuxsecurity.com/content/view/128533

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: fetchmail security update
  7th, June, 2007

  An updated fetchmail package that fixes a security bug is now available for Red Hat Enterprise Linux 2.1, 3, 4 and 5. Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, like SLIP or PPP connections. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/128462

* RedHat: Moderate: freetype security update
  11th, June, 2007

  Updated freetype packages that fix a security flaw are now available for Red Hat Enterprise Linux 2.1, 3, 4, and 5. An integer overflow flaw was found in the way the FreeType font engine processed TTF font files. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/128479

* RedHat: Low: shadow-utils security and bug fix update
  11th, June, 2007

  An updated shadow-utils package that fixes a security issue and several bugs is now available. A flaw was found in the useradd tool in shadow-utils. A new user's mailbox, when created, could have random permissions for a short period.
  http://www.linuxsecurity.com/content/view/128482

* RedHat: Moderate: pam security and bug fix update
  11th, June, 2007

  Updated pam packages that resolve several bugs and security flaws are now available for Red Hat Enterprise Linux 3. A flaw was found in the way pam_console set console device permissions. It was possible for various console devices to retain ownership of the console user after logging out, possibly leaking information to an unauthorized user. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/128484

* RedHat: Low: gdb security and bug fix update
  11th, June, 2007

  An updated gdb package that fixes a security issue and various bugs is now available. Various buffer overflows and underflows were found in the DWARF expression computation stack in GDB.
  http://www.linuxsecurity.com/content/view/128485

* RedHat: Moderate: gcc security and bug fix update
  11th, June, 2007

  Updated gcc packages that fix a security issue and another bug are now available. Jürgen Weigert discovered a directory traversal flaw in fastjar.
An attacker could create a malicious JAR file which, if unpacked using fastjar, could write to any files the victim had write access to. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128486

* RedHat: Important: openoffice.org security update
  13th, June, 2007

Updated openoffice.org packages to correct a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. A heap overflow flaw was found in the RTF import filter. An attacker could create a carefully crafted RTF file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128517

* RedHat: Moderate: spamassassin security update
  13th, June, 2007

Updated spamassassin packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. Martin Krafft discovered a symlink issue in SpamAssassin that affects certain non-default configurations. A local user could use this flaw to create or overwrite files writable by the spamd process. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128518

* RedHat: Important: kdebase security update
  13th, June, 2007

Updated kdebase packages that resolve an interaction security issue with Adobe Flash Player are now available. A problem with the interaction between the Flash Player and the Konqueror web browser was found. The problem could lead to key presses leaking to the Flash Player applet instead of the browser. This update has been rated as having important security impact by the Red Hat Security Response Team.
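The fastjar entry above is a directory traversal in archive extraction: entry names containing ".." or an absolute path are written wherever they point. The check below is an added example, not fastjar's or any distribution's code; it rejects JAR (zip) entry names that would resolve outside the destination directory and runs against a sample archive constructed in memory.

```python
# Added example, not fastjar's or any distribution's code: a path-containment
# check for archive extraction, the defect class behind the fastjar advisory.
# JAR files are zip archives, so the sample archive is built with zipfile.
import io
import os
import tempfile
import zipfile


def is_safe_entry(name: str, dest_dir: str) -> bool:
    """Return True only if extracting `name` under dest_dir stays inside it.

    Rejects empty names, absolute paths, drive-letter prefixes and any '..'
    sequence that resolves above dest_dir. Backslashes are treated as
    separators because some zip writers emit them.
    """
    if not name or name.startswith(("/", "\\")):
        return False
    normalized = name.replace("\\", "/")
    if os.path.splitdrive(normalized)[0]:
        return False
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, normalized))
    # Compare resolved paths so "a/../../x" and a symlinked dest_dir are
    # handled; the separator suffix stops "dest2" from matching "dest".
    return target == base or target.startswith(base + os.sep)


def extract_safely(archive_bytes: bytes, dest_dir: str):
    """Extract only entries that pass is_safe_entry.

    Returns (extracted, rejected) lists of entry names in archive order.
    Rejected entries are skipped rather than rewritten, so a caller can
    treat any rejection as a sign the archive is hostile.
    """
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(info.filename, dest_dir):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest_dir, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_jar() -> bytes:
    """Constructed sample archive: two benign entries and two that try to
    escape the extraction directory (relative '..' and an absolute path)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Hello.class", b"\xca\xfe\xba\xbe")
        zf.writestr("../../outside.txt", "escapes via ..\n")
        zf.writestr("/abs/outside.txt", "escapes via absolute path\n")
    return buf.getvalue()


def demo() -> dict:
    """Extract the sample into a fresh temporary directory and report what
    was written, what was rejected, and which files actually exist inside."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = extract_safely(build_sample_jar(), dest)
        files = sorted(
            os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
            for root, _, names in os.walk(dest)
            for f in names
        )
    return {"extracted": extracted, "rejected": rejected, "files": files}


if __name__ == "__main__":
    print(demo())
```

Python's own ZipFile.extract silently strips such components; the explicit check here is what a native extractor like fastjar needed, and rejecting rather than rewriting lets the caller refuse the whole archive.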
http://www.linuxsecurity.com/content/view/128519

* RedHat: Low: mod_perl security update
  14th, June, 2007

Updated mod_perl packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, 5. An issue was found in the "namespace_from_uri" method of the ModPerl::RegistryCooker class.

http://www.linuxsecurity.com/content/view/128535

* RedHat: Moderate: iscsi-initiator-utils security update
  14th, June, 2007

Updated iscsi-initiator-utils packages that fix a security flaw in open-iscsi are now available for Red Hat Enterprise Linux 5. Olaf Kirch discovered two flaws in open-iscsi. A local attacker could use these flaws to cause the server daemon to stop responding, leading to a denial of service. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128536

* RedHat: Important: kernel security and bug fix update
  14th, June, 2007

Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128537

* RedHat: Moderate: libexif integer overflow
  14th, June, 2007

Updated libexif packages that fix an integer overflow flaw are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128539

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

* Slackware: libexif
  14th, June, 2007

New libexif packages are available for Slackware 10.2, 11.0, and -current to fix a crash and potential security issue.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://www.linuxsecurity.com/content/view/128534

+---------------------------------+
|  Distribution: Ubuntu           | ----------------------------//
+---------------------------------+

* Ubuntu: Linux kernel vulnerabilities
  8th, June, 2007

USN-464-1 fixed several vulnerabilities in the Linux kernel. Some additional code changes were accidentally included in the Feisty update which caused trouble for some people who were not using UUID-based filesystem mounts.

http://www.linuxsecurity.com/content/view/128473

* Ubuntu: file vulnerability
  11th, June, 2007

USN-439-1 fixed a vulnerability in file. The original fix did not fully solve the problem. This update provides a more complete solution.

http://www.linuxsecurity.com/content/view/128503

* Ubuntu: libexif vulnerability
  11th, June, 2007

Victor Stinner discovered that libexif did not correctly validate the size of some EXIF header fields. By tricking a user into opening an image with specially crafted EXIF headers, a remote attacker could cause the application using libexif to crash, resulting in a denial of service.

http://www.linuxsecurity.com/content/view/128504

* Ubuntu: libpng vulnerability
  11th, June, 2007

It was discovered that libpng did not correctly handle corrupted CRC in grayscale PNG images. By tricking a user into opening a specially crafted PNG, a remote attacker could cause the application using libpng to crash, resulting in a denial of service.

http://www.linuxsecurity.com/content/view/128505

* Ubuntu: libgd2 vulnerabilities
  11th, June, 2007

A buffer overflow was discovered in libgd2's font renderer. By tricking an application using libgd2 into rendering a specially crafted string with a JIS encoded font, a remote attacker could read heap memory or crash the application, leading to a denial of service.
http://www.linuxsecurity.com/content/view/128506

* Ubuntu: xscreensaver vulnerability
  12th, June, 2007

It was discovered that xscreensaver did not correctly validate the return values from network authentication systems such as LDAP or NIS. A local attacker could bypass a locked screen if they were able to interrupt network connectivity.

http://www.linuxsecurity.com/content/view/128513

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From alerts at infosecnews.org Mon Jun 18 01:05:56 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:32 2008
Subject: [ISN] New security breach revealed
Message-ID:

http://www.lamonitor.com/articles/2007/06/15/headline_news/news01.txt

By ROGER SNODGRASS
Monitor Assistant Editor
June 17, 2007

Reports of a major breach of security involving the board of directors of the corporation managing Los Alamos National Laboratory came to light Thursday.

The chairman of the House Energy and Commerce Committee that oversees the nuclear complex wrote to Energy Secretary Samuel Bodman citing information obtained by committee staff from sources outside the department. The letter expressed concern that information about the breach, reported on Jan. 19, 2007, was withheld from the committee, despite two subcommittee hearings that were held in the meantime for the express purpose of investigating security practices at LANL.

Largely because of a series of security problems in the past, the contracts for LANL and its sister laboratory Lawrence Livermore National Laboratory were put out to bid. LANL's contract was awarded to Los Alamos National Security (LANS), LLC, and they assumed responsibility on June 1, 2006.
"Apparently, open e-mail networks were used by several LANS officials to share classified information relating to the characteristics of nuclear material in nuclear weapons," wrote committee chair John Dingell, D-Mich., to Bodman, in a letter detailing what the committee knows now.

An article in Time magazine, first to publish the story on Thursday, said the highly sensitive message at issue came from the laptop computer of Harold P. Smith, a LANS consultant. The article said at least five LANS board members received the e-mail.

The reported breach was rated as an Impact Measurement Index 1 (IMI-1) security incident, a reportable incident which "poses the most serious threats to national security interests and/or critical DOE assets or creates serious security situations."

According to DOE guidelines, IMI-1 is "the most serious of the four categories of security incidents, established by DOE's Safeguards and Security Program Planning and Management manual dated Aug. 26, 2005." It is characterized by "actions, inactions, or events that pose the most serious threats to national security interests and/or critical DOE assets, create serious security situations, or could result in deaths in the workforce or general public." For comparison, IMI-2 involves those incidents "that potentially create dangerous situations."

According to Dingell's letter, a University of California official notified the National Nuclear Security Administration about the breach on Jan. 19. NNSA is the agency that supervises the nuclear complex for DOE. NNSA deployed a team from Lawrence Livermore National Laboratory to "identify, recover and sanitize the computer laptops and hardware involved in the incident," Dingell wrote. LANS also began an investigation, completing a report conducted by LANL employees on May 18.

LANL and NNSA have both declined comment on the issue, citing federal law.
"For reasons of national security and consistent with federal law and the Laboratory's own longstanding policy, Los Alamos National Security, LLC, will not discuss the details of any purported security violation or vulnerability, regardless of whether it exists," stated Jeff Berger, director of the LANL Communications Office in a prepared statement Thursday afternoon.

Bryan Wilkes, spokesperson for NNSA, in a prepared message Thursday, said much the same thing, adding that NNSA holds "our sites to very high levels of accountability when it comes to security." He stated, "If procedures are found to have been violated, then appropriate actions are taken."

Peter Stockton, chief investigator for the Project on Government Oversight, said he was concerned that NNSA had allowed LANL to investigate its own incident. "The first guy to the document and the witnesses can steer the investigation," he said. "They should have had federal guys out there to do that, whether it's the FBI or capable people from the Inspector General."

POGO has specialized in safety and security incidents in the weapons complex and executive director Danielle Brian testified during the hearing on Jan. 30.

Dingell's letter to Bodman requested answers to questions and additional documents, including a briefing and access to the investigation inquiry and an unclassified version of the report for the committee. Additionally, Bodman was asked to explain NNSA's failure to notify the committee, and to emphasize the point, requested a list and summary descriptions of all reportable security incidents at LANL since June 30, 2006.

At the time the e-mail incident was being reported to NNSA, the House was preparing to hold the first of two investigative hearings they conducted into security problems at LANL earlier this year. The first one on Jan. 30 focused on classified material found in a Los Alamos mobile home during a drug investigation.
Thursday's article in Time magazine erroneously reported that "police stumbled on 1,500 highly classified nuclear weapons designs stashed in a trailer park near the lab..." In fact, the police found computer storage devices known as jump drives and pages of classified documents.

Thomas D'Agostino, who was named acting NNSA administrator on Jan. 20, the day after the undisclosed breach occurred, was nominated to become deputy administrator and administrator of NNSA on May 17, the day before a report was completed on the LANS e-mail violation. In the acting capacity, D'Agostino replaced former administrator Linton Brooks, whose resignation was linked to the previous breach of security.

The New Mexico Congressional delegation expressed concerns about the new revelations.

Sen. Pete Domenici, R-N.M., referring to the Time article, said he was once again "troubled and disappointed." He cautioned those who might try to use it "as another excuse to punish the entire laboratory," but he traced the root of a particular shortcoming by which sensitive material is still technically able to migrate to unclassified computers.

Sen. Jeff Bingaman, D-N.M., said in his statement, "I am deeply disturbed that it happened even after extensive security measures were to have been put in place at the laboratory, and that I would have to learn about it from a news account."

"I have no doubt the LANL community is as tired and frustrated with these repeated incidents as I am," said Rep. Tom Udall, D-N.M. in a statement on LANL security. He continued, "Enough is enough, and for the sake of the lab's future, those who are responsible must be held accountable to put an end to this broken record of breaches."
From alerts at infosecnews.org Mon Jun 18 01:06:12 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:32 2008
Subject: [ISN] State hires computer security expert
Message-ID:

http://www.ohio.com/mld/beaconjournal/news/state/17383005.htm

By Matt Reed
Associated Press
June 17, 2007

COLUMBUS, Ohio - The state has hired a computer security expert who specializes in civil and criminal cases to determine the likelihood of someone getting access to the data on a stolen backup storage device, Gov. Ted Strickland said Sunday.

Matthew Curtin, 34, will begin Monday reviewing what's already known is on the device, whose theft was revealed on Friday.

Also on Sunday, Strickland said the device contained the names and case numbers of the state's 84,000 welfare recipients, who face "a remote threat of identity theft," and the names and federal tax identification number of vendors that receive payroll deduction payments from the state - about 1,200 records. Sixteen of those records contain banking information, he said.

Strickland said the Ohio Department of Commerce on Monday would send letters to banks, credit unions and other financial institutions alerting them that customers' information may have been compromised.

Previously, it was revealed the device contained the names and Social Security numbers of all 64,000 state employees. It also contained bank account information about the state's school districts and Medicaid providers and information about 53,797 people enrolled in the state's pharmacy benefits management program and the names and Social Security numbers of about 75,532 dependents.

Strickland again said that he has no reason to believe the information has been compromised because getting it requires special equipment and expertise. He also has issued an executive order to change the procedures for handling state data.

Strickland and Curtin said the analysis of what's on the device should be finished on Monday.
"The analysis of the data is nearly complete, but we have several additional files that are so complex that it will take some time," Strickland said at a Statehouse news conference on Sunday - his third in three days.

Curtin founded Interhack Corp. in Columbus 10 years ago. "We make the bad guys give up," the company says on its Web site.

Curtin said he would have a better idea on how someone could get access to information on the device on Monday. "We've just, just gotten started," Curtin said Sunday. "By tomorrow, I'll have some insight and have my hands around it."

The State Highway Patrol also announced Sunday that a post office box had been established in Columbus in hopes that the storage device would be returned anonymously.

The device - listed in a police report from suburban Hilliard as being worth $15 - was reported stolen along with a $200 radar detector, out of the car of 22-year-old Jared Ilovar, a college senior making $10.50 an hour in his state job. Ilovar is an intern with the Office of Management and Budget assigned to work on the state's $158 million payroll and accounting system. Telephone and e-mail messages seeking comment were left for Ilovar.

Strickland said Ilovar mistakenly left the device in a vehicle parked outside an apartment when it was supposed to be taken into his home as part of a protocol in place since 2002.

Sol Bermann, chief privacy officer at the state Office of Information Technology, called Curtin one of the country's foremost data security experts. "It's a third-party validation of our work. It's important that someone double-checks for us so that nothing is missed."

The state is expected to pay $50,000 to Curtin, who said he doesn't know how long his investigation will take.
-=-

Associated Press Writer John McCarthy contributed to this report

ON THE NET
http://web.interhack.com

From alerts at infosecnews.org Mon Jun 18 01:06:47 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:32 2008
Subject: [ISN] Red Hat Linux Gets Top Government Security Rating
Message-ID:

http://www.pcworld.com/article/id,132978-c,redhat/article.html

By Robert McMillan
IDG News Service
June 15, 2007

Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies.

Last week IBM Corp. was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM.

"This is the highest level of security function that anybody has," Frye said. "We have delivered LSPP functionality in Red Hat Enterprise Linux 5 and we have certified that at the EAL4 level of assurance."

This rating is awarded by the government-funded National Information Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation Scheme for IT Security program, which evaluates the security of commercial technology products. Red Hat Linux has been certified EAL4 Augmented with ALC_FLR.3 on IBM's mainframe, System x, System p5 and eServer systems.

This level of security certification is not usually required for enterprise contracts, but it is mandatory for some programs within government agencies such as the U.S. Department of Defense and the U.S. National Security Agency, Frye said.

Linux had already been certified at the EAL4 level, but this is the first time that the operating system has received the Labeled Security Protection Profile (LSPP) certification, which relates to its access-control features. Linux developers have been working to add these "SE Linux" access control features into the operating system for several years now.
SE Linux shipped as part of Red Hat Enterprise Linux 5, and now it has been certified for government use, Frye said. "You now have a level of fine-grained control for everybody," he added. "You can set security based on groups or based on individuals."

In addition to LSPP, Red Hat Linux has also been certified with Role Based Access Control Protection (RBAC), and that too is noteworthy, said Red Hat Inc. "Historically, OS vendors have required you buy a separate branched OS to get something that is LSPP and RBAC certified," the company said in a statement. "This is something completely unique for commercial operating systems because the support for multilevel security is native to the OS."

According to Frye, the certification is "big news for the Linux industry" because it shows that open-source software can be used for sensitive computing tasks. "If anyone had any doubts that you could do this with an open-source operating system, we've proved them wrong."

From alerts at infosecnews.org Mon Jun 18 01:07:04 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:32 2008
Subject: [ISN] HIPAA audit at hospital riles health care IT
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9024921

By Jaikumar Vijayan
June 15, 2007
Computerworld

An audit of Atlanta's Piedmont Hospital that was initiated by the U.S. Department of Health and Human Services in March is raising concerns in the health care industry about the prospect of more enforcement actions related to the data security requirements of the federal HIPAA legislation.

The audit was the first of its kind since the Health Insurance Portability and Accountability Act's security rules went into effect in April 2005, joining data privacy mandates that were already in place.
The security rules require organizations that handle electronic health data to implement measures for controlling access to confidential medical information and protecting it against compromise and misuse. Neither Piedmont nor the HHS has confirmed that the audit was launched, and few details about it have been disclosed publicly. But an HHS document obtained by Computerworld shows that Piedmont officials were presented with a list of 42 items that the agency wanted information on. Among them were the hospital's policies and procedures on 24 security-related issues, including physical and logical access to systems and data, Internet usage, violations of security rules by employees, and logging and recording of system activities. The document also requested items such as IT and data security organizational charts and lists of the hospital's systems, software and employees, including new hires and terminated workers. The mere fact that an audit of HIPAA security compliance was conducted for the first time has many in the health care industry preparing for more enforcement actions, according to Barry Runyon, an analyst at Gartner Inc. "I don't think Piedmont was an anomaly," he said. "My sense is that there is going to be more feet on the street from HHS going on unannounced audits." Randy Yates, director of security at Memorial Hermann Healthcare System in Houston, said the Piedmont audit contributed in a big way to the approval of a $1.3 million budget item for data encryption during the health care provider's next fiscal year. "Everybody is aware of the Piedmont audit notification," Yates said. He added that after hearing about it, "we did our own gap analysis and found out where we are at highest risk for noncompliance, and we have since taken steps to shore up [those areas]." As part of its efforts to bolster security, Memorial Hermann is also rolling out access management tools developed by Courion Corp. in Framingham, Mass. 
Yates said the software is expected to help the health care system automate policies for controlling access to protected medical information by its 19,000 employees. Also driving the increased focus on HIPAA compliance at Memorial Hermann is a directive issued last December by the federal Centers for Medicare & Medicaid Services (CMS), Yates said. The directive ordered entities that handle patient health information to implement stronger authentication mechanisms for controlling access to the data. Yates expressed confidence about the measures taken by Memorial Hermann to comply with the HIPAA requirements. But he added that the lack of detailed public information about what the HHS was looking for at Piedmont "is a little bit disconcerting." The fact that the audit appears to have been conducted by the Office of the Inspector General (OIG) at the HHS is puzzling, said Lisa Gallagher, director of privacy and security at the Healthcare Information and Management Systems Society in Chicago. She said most people in the health care industry had assumed that any security-related enforcement actions would be taken by the CMS, which administers the HIPAA security rules. "Nobody really knows why the OIG did it or what's going to be their criteria for selecting the next one," Gallagher said. "There's a lot of buzz in the industry." In addition, she voiced concerns about the checklist approach that the OIG auditors seem to have taken with their request for information from Piedmont. Officials at Piedmont didn't respond to a request for comment about the audit. An HHS spokesman said only that as a matter of general policy, the agency doesn't comment about ongoing audits. Chris Apgar, president of Apgar & Associates LLC, a Portland, Ore.-based consulting firm, said he thinks the HHS decided to conduct the audit at least partly because it was getting political and media pressure to enforce the HIPAA rules. Apgar expects to see more audits going forward. 
But he said they're unlikely to occur very frequently, because the HHS simply doesn't have the required staffing resources.

Despite the industry buzz cited by Gallagher, Apgar said he's skeptical that the audit at Piedmont will spur many health care organizations to step up their efforts to comply with the security mandates. "Until at least several audits have been completed, and the industry sees action taken to enforce the HIPAA security rules, I think serious attention to compliance will not be a major focus," he said.

However, it isn't just enforcement by the HHS that health care providers and other organizations handling medical data need to be concerned about, said Peter MacKoul, president of HIPAA Solutions, a Sugar Land, Texas-based firm that offers tools and services to help companies comply with the law.

MacKoul said that increasingly, law enforcement authorities and courts are using and interpreting HIPAA in ways that could have broad implications for organizations handling health care data. For instance, the North Carolina Court of Appeals last year overturned the decision of a trial court to dismiss a HIPAA-related complaint brought by an individual against a psychiatrist's office. The verdict basically allowed the plaintiff to use HIPAA as "a standard of care" to bring an individual action against an organization, MacKoul said.

In addition, he noted that HIPAA initially applied only to electronic medical records. But, MacKoul said, courts have extended the law to cover paper records as well -- a fact that some health care providers may not be aware of.

From alerts at infosecnews.org Tue Jun 19 00:05:22 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:32 2008
Subject: [ISN] Feds choose 10 vendors to secure mobile data
Message-ID:

http://www.networkworld.com/news/2007/061807-federal-contracts-to-secure-mobile-data.html

By Carolyn Duffy Marsan
Network World
06/18/07

The U.S.
government has awarded contracts to 10 software companies that meet its requirements for protecting sensitive information stored on laptops, handhelds and other mobile devices.

The contracts, known as blanket purchase agreements, are open to all federal, state and local government agencies, as well as other North Atlantic Treaty Organization countries. The U.S. General Services Administration, which oversees the so-called Data at Rest Encryption Program, says the agreements could be worth $79 million or more.

GSA is urging all government agencies to deploy encryption technology for their mobile devices to avoid data breaches, such as the one that the U.S. Department of Veterans Affairs experienced last year when a laptop containing personal information about 26.5 million military veterans and spouses was stolen.

The 10 winning contractors are:

* MTM Technologies, with Mobile Armor
* Rocky Mountain Ram, with SafeBoot
* Carahsoft Technology, with Information Security Corp.'s SecretAgent
* Spectrum Systems, with SafeBoot
* SafeNet
* HiTech Services, with Encryption Solutions' SkyLock
* Autonomic Resources, with WinMagic
* GovBuys, with WinMagic
* Intelligent Decisions, with Credant Mobile Guardian
* Merlin International, with Guardian Edge Technologies

Federal officials said 30 companies bid on the data encryption program, but only 10 of them were able to meet the more than 100 information security requirements put together by a Pentagon-led evaluation team. The encryption software provided in the contracts will secure laptops, PDAs, flash drives and other removable storage media.

"This will raise the bar for security for everybody across DoD, for every laptop, every PDA, every mobile device," said Dave Wennegren, Deputy CIO of the Defense Department, at a press conference held Monday to announce the contract awards.

Federal officials are urging commercial industry to follow their lead on encrypting data stored on mobile devices.
"Whenever we band together to look for products that raise the bar for security, we're helping everybody, including our private sector partners," Wennegren said. "The fact that we're making a big deal out of these contracts will help resonate with our industry partners that this is important and it's worth the cost. We found a bunch of companies that are going to do it effectively for us."

All contents copyright 1995-2007 Network World, Inc.

From alerts at infosecnews.org Tue Jun 19 00:05:48 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:32 2008
Subject: [ISN] IG: Justice inconsistent in reporting of data breaches
Message-ID:

http://www.govexec.com/dailyfed/0607/061807p1.htm

By Daniel Pulliam
June 18, 2007

Officials at the Justice Department have failed to report certain computer security incidents within the time frame required by the Office of Management and Budget, according to an audit report released Monday.

The 142-page report [1] from Justice's inspector general office found that the department had not consistently implemented a July 2006 OMB requirement [2] that agencies report data breaches involving the loss of personally identifiable information within one hour of discovery. Recent computer security incidents, including the Veterans Affairs Department's May 2006 loss of 26.5 million records containing sensitive information on veterans, prompted the requirement.

Two of nine agencies within the department had not updated their policies and procedures to include the new OMB requirement, the IG found. And an analysis of nearly 200 computer security incidents from July to November 2006 found that officials failed to consistently report the loss of personally identifiable information within one hour to the department's Computer Emergency Readiness Team. The audit found that none of the incidents were reported within one hour to the Homeland Security Department's Computer Emergency Readiness Team, or US-CERT, as required by OMB.
Auditors also found that none of the department's component agencies have established procedures for notifying people who could be affected by the loss of personal information. "We believe that the lack of procedures could cause delays in notifying individuals whose information has been compromised, increasing the individuals' risk of falling victim to fraud or identity theft," the report stated. In addition, the IG found that officials at the nine Justice agencies believed their employees followed the proper internal reporting procedures when issuing notifications of security incidents. But the information technology staff of the FBI was not always doing so in practice, the auditors found. Incident reports are sent to two separate offices at the FBI, yet only one is required to relay them to the Justice team, the IG noted. The result is that some incidents do not get reported, the report stated. On a more positive note, the IG found that several Justice agencies have taken extra steps to minimize unauthorized access to sensitive information and to educate employees on reporting requirements. These include posting security information on their intranet sites or on employee computer monitors upon login. The IG urged officials to consider adopting these procedures across the department. Justice officials told the IG that reporting within an hour is not practical. They also said the guidance on reporting to US-CERT -- the organization responsible for coordinating the response to computer security incidents governmentwide -- is not clear on whether reports must arrive within the same hour as those to the Justice readiness team. But officials concurred with the IG's eight recommendations to help improve the department's procedures, including one to clarify the deadlines for reporting incidents. 
The department also agreed to instruct agencies on proper reporting of incidents with classified information, and is developing reporting measures for ensuring that all agencies meet established time frames. Additionally, officials are developing procedures for notifying people affected by a loss of personal information. [1] http://www.usdoj.gov/oig/reports/plus/e0705/final.pdf [2] http://govexec.com/dailyfed/0706/071406p1.htm From alerts at infosecnews.org Tue Jun 19 00:06:04 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:32 2008 Subject: [ISN] Mobile security requires an action plan Message-ID: http://www.fcw.com/article102990-06-18-07-Print By Alan Joch June 18, 2007 Security is one of the biggest management challenges that agencies face with mobile wireless devices. Chief among managers' worries are the risks associated with employees using their own smart phones and personal digital assistants for official work. "If you don't own the device, you can't secure it," said Michael King, a research director at Gartner. By provisioning devices for employees rather than allowing them to connect to agency networks using personal gear, managers can ensure that the right security software is running on each device and that hardware is up-to-date with software patches and other upgrades, said Ira Winkler, author of "Zen and the Art of Information Security," a book that examines digital security threats. Organizations that provision wireless devices also have better control of sensitive information if an employee leaves the agency, said Doug Landoll, general manager of En Pointe Technologies, a systems integrator. "If it's my PDA, and I leave the organization, how do you know that I've deleted the data?" Retaining the phone number is also important. "When someone has been representing your agency, that number is a kind of advertising," Landoll said.
He recommends that agencies include representatives from organizations outside the information technology department when writing wireless management policies. "There are questions for the legal department, and having the device returned when someone is terminated is a [human resources] issue," Landoll said. "When you're writing policies, you need to integrate all those various departments." Security policies should clearly spell out who receives reports of lost or stolen devices. Policies should also include procedures for decommissioning a missing unit to prevent someone from downloading or sending sensitive information, Landoll said. The Commerce Department uses a combination of strong passwords and encryption to keep unauthorized users from accessing data and wireless services. "If someone gets access to my [e-mail account], he can send messages as though they came from me," said John McManus, Commerce's deputy chief information officer and chief technology officer. "Things like phishing become easy to do when you've got access to a legitimate user's account." Commerce uses the standard security tools for the Research in Motion BlackBerry to protect devices and scramble data when it's traveling through the wireless network, McManus said.
Platform security
The BlackBerry platform gets high marks from technology analysts for its security capabilities. Its closed-loop architecture connects agency e-mail servers to a BlackBerry Enterprise Server, which communicates via a secure channel to a network operations center and to BlackBerry devices. "It's one of the few wireless end-to-end systems that the [Defense Department] has said is okay," King said. "But because it's a closed loop, it's hard to expand that functionality beyond just e-mail. What you gain in security and manageability you sacrifice in flexibility and extensibility."
Platforms based on the Microsoft, Palm or Symbian mobile operating systems are easier to customize, King said, but they require more upfront work and third-party security tools, such as Sybase's Afaria mobile security suite and encryption software from Bluefire Security Technologies, Certicom and VeriSign. "I'm not suggesting that you can't secure mobile devices on those platforms. I'm just saying security is not as built-in as on the BlackBerry side," he said.
Standard configurations
To ensure that mobile wireless devices are secure, agencies also must take steps to securely configure the devices. Commerce technicians disable any default features on mobile devices that employees don't require to do their jobs. That includes a sync feature that allows devices using Bluetooth technology to discover other compatible wireless hardware in the area. "The default configuration would allow someone to come into the room with a Bluetooth device that says, 'Tell me all the other Bluetooth devices in here.' And your device would actually say, 'Hi, I'm here, and here's my status,'" McManus said. "You can also turn off things like file transfer, because you don't usually expect people to be doing a file transfer from their BlackBerry to another BlackBerry. If I'm a consumer, I may not care if anybody can use the Bluetooth capabilities. But if I'm a senior executive in the federal government, [that's] a whole new threat." Agencies also need to control the amount and type of data their employees download onto their wireless hardware. "They are going to put more data that you would never think of on the devices," Winkler said, "which means there's going to be more data than you ever thought possible at risk." -=- Joch is a business and technology writer based in New England. He can be reached at ajoch (at) worldpath.com.
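The two Bluetooth defaults McManus describes turning off, answering discovery requests and exposing file transfer, can be audited rather than taken on trust. The script below is an added example and is not from the FCW article or from Commerce; it generalizes the check to a Linux host running BlueZ, because the BlackBerry tooling is not described on the page. It parses the output of `bluetoothctl show` (a real BlueZ command) and flags a controller that is discoverable, pairable, or advertising the OBEX Object Push and OBEX File Transfer services, which carry the Bluetooth SIG-assigned UUIDs 0x1105 and 0x1106. The sample output embedded in the script is constructed to resemble a laptop left at consumer defaults; the MAC address and hostname are invented.

```python
"""Audit a BlueZ controller for the defaults the Commerce team disables:
discoverability, open pairing, and OBEX file-transfer services.

Added example, not part of the FCW article. Parses `bluetoothctl show`
output; SAMPLE_SHOW_OUTPUT is a constructed sample, not a real host.
"""
import re

# Bluetooth SIG 16-bit service UUIDs 0x1105 / 0x1106, in the 128-bit
# base-UUID form that bluetoothctl prints.
FILE_TRANSFER_UUIDS = {
    "00001105-0000-1000-8000-00805f9b34fb": "OBEX Object Push",
    "00001106-0000-1000-8000-00805f9b34fb": "OBEX File Transfer",
}

# Constructed sample (invented address and name): discoverable with no
# timeout, pairable, and advertising both OBEX transfer services.
SAMPLE_SHOW_OUTPUT = """\
Controller 00:11:22:33:44:55 exec-laptop [default]
\tName: exec-laptop
\tAlias: exec-laptop
\tClass: 0x006c010c
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
\tUUID: OBEX Object Push          (00001105-0000-1000-8000-00805f9b34fb)
\tUUID: OBEX File Transfer        (00001106-0000-1000-8000-00805f9b34fb)
\tUUID: Handsfree Audio Gateway   (0000111f-0000-1000-8000-00805f9b34fb)
\tModalias: usb:v1D6Bp0246d0537
\tDiscovering: no
"""

_KV_RE = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")
_UUID_RE = re.compile(r"\(([0-9a-fA-F-]{36})\)\s*$")


def parse_show_output(text):
    """Return (settings, uuids): the controller's key/value fields and the
    list of 128-bit service UUIDs it advertises."""
    settings, uuids = {}, []
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if not m:
            continue  # the "Controller ..." banner has no "key:" prefix
        key, value = m.group(1), m.group(2)
        if key == "UUID":
            u = _UUID_RE.search(value)
            if u:
                uuids.append(u.group(1).lower())
        else:
            settings[key] = value
    return settings, uuids


def audit_controller(text):
    """Return a list of findings; empty when the controller matches the
    hardened posture (not discoverable, not pairable, no OBEX transfer)."""
    settings, uuids = parse_show_output(text)
    findings = []
    if settings.get("Powered") != "yes":
        return findings  # a powered-off radio answers nobody
    if settings.get("Discoverable") == "yes":
        # DiscoverableTimeout is printed in hex; 0 means "forever"
        timeout = int(settings.get("DiscoverableTimeout", "0"), 16)
        how_long = "indefinitely" if timeout == 0 else f"for {timeout}s"
        findings.append(f"controller answers inquiry scans {how_long}")
    if settings.get("Pairable") == "yes":
        findings.append("controller accepts new pairing requests")
    for uuid in uuids:
        if uuid in FILE_TRANSFER_UUIDS:
            findings.append(
                f"file-transfer service advertised: {FILE_TRANSFER_UUIDS[uuid]}")
    return findings


if __name__ == "__main__":
    # On a real host: bluetoothctl show | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHOW_OUTPUT
    for finding in audit_controller(data):
        print("FINDING:", finding)
```

On the constructed sample this reports four findings: the radio answers inquiry scans indefinitely, accepts pairing, and advertises both OBEX services. A hardened profile with discoverability and pairing off and the OBEX profiles unregistered produces none, and a powered-off radio is skipped outright, since it exposes nothing regardless of its other settings.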
From alerts at infosecnews.org Tue Jun 19 00:06:20 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:32 2008 Subject: [ISN] PatchLink pounces on little SecureWave Message-ID: http://www.techworld.com/security/news/index.cfm?newsID=9183 By John E. Dunn Techworld 18 June 2007 PatchLink has announced plans to acquire application security company SecureWave for an undisclosed sum. The deal is being structured as a merger, with SecureWave shareholders getting shares in the new company in return for their current holding. However, this is more than a passive acquisition - one of SecureWave's founding shareholders, Mangrove Capital Partners, is to be given a seat on the merged board. Both companies are privately-held which makes price disclosure unlikely. This means two small but notable endpoint-related companies have been bought out in a week. On June 13, it was announced that SonicWall was acquiring SSL vendor Aventail for $25 million. In this latest acquisition, buying SecureWave represents a new departure for PatchLink, which does not currently have application security products to sell with its patching and vulnerability management software. SecureWave's SecureEXE, in particular, is a good example of a "whitelisting" application, an area some see as the future of software security. The software identifies authorised applications and allows only these to run, thereby excluding malware without the need for signature-based detection. "This emphasis on fixing problems before they occur will create a significant market for integrated security policy and remediation management. A proactive stance will also reduce security risk across the enterprise. PatchLink's acquisition of SecureWave provides solutions to reduce risk," the official release quoted IDC analyst Charles Kolodgy as saying. Neither company qualifies as startup fodder, despite their private ownership. PatchLink has been around since 1991, and even SecureWave,
the most notable tech company to come out of Luxembourg, was founded as long ago as 1996. The newly combined company will have 230 employees, large for a private outfit. From alerts at infosecnews.org Tue Jun 19 00:06:41 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:32 2008 Subject: [ISN] Anti-hacking laws 'can hobble net security' Message-ID: http://www.theregister.co.uk/2007/06/18/hacking_laws_discourage_research/ By Robert Lemos SecurityFocus 18th June 2007 Jeremiah Grossman has long stopped looking for vulnerabilities in specific websites, and even if he suspects a site to have a critical flaw that could be compromised by an attacker, he's decided to keep quiet. The silence weighs heavily on the web security researcher. While ideally he would like to find flaws, and help companies eliminate them, the act of discovering a vulnerability in any site on the internet almost always entails gaining unauthorised access to someone else's server - a crime that prosecutors have been all too willing to pursue. "I have long since curtailed my research," said Grossman, who serves as the chief technology officer for website security firm WhiteHat Security. "Any web security researcher that has been around long enough will notice vulnerabilities without doing anything. When that happens, I don't tell anyone, rather than risk reputational damage to myself and my company." Grossman's fears underscore the fact that security researchers who find flaws in websites are crossing a line and trespassing on systems that do not belong to them. However, applying the law to good Samaritans interested in eliminating possible online risks only undermines the security of the Internet, a working group of researchers, digital-rights advocates and federal law enforcement officials concluded this week.
"I think that if you look at the software security world, there have been many, many cases of someone knowing about a vulnerability before you do and using it out in the wild," said Sara Peters, editor for the Computer Security Institute. "There is no way to say that these same things are not happening in the web world. Assuming that nothing is going wrong, because you haven't heard about it, is a very myopic and callow way of looking at it." Dubbed the Working Group on Web Security Research Law, the panel of experts has started to study whether researchers have any ability to play the good Samaritan and find security flaws in websites without risking prosecution. The group met at the Computer Security Institute's NetSec on Monday and released an initial report that raises more questions about the status of web vulnerability research than it provides answers to concerned bug hunters. While security researchers have been able to test computer software and disclose details about any flaws found, the working group concluded that there is no way to test a web server without prior authorisation and not run the risk of being prosecuted. Software security researchers are free to disclose flaws fully or take part in a process that allows the vendor to plug the holes, while web researchers who disclose vulnerabilities in a way that angers the website owner could easily be reported to law enforcement. "The way it is right now, if you find a vulnerability and the site owner finds out about it, you can be held culpable for anything that happens after that," Peters said. "Perhaps that is a bit of hyperbole, but not much. There is no culpability for the website owner." The working group's report, available from the Computer Security Institute (registration required), includes four case studies, including that of Eric McCarty.
In June 2005, McCarty, a prospective student at the University of Southern California, found a flaw in the school's online application system and notified SecurityFocus of the issue. SecurityFocus contacted the school at the request of McCarty and relayed the information to USC, which initially denied the seriousness of the issue but eventually acknowledged the vulnerability after McCarty produced four records that he had copied from the database. In April 2006, federal prosecutors leveled a single charge of computer intrusion against McCarty, who accepted the charge last September. As part of its policy, SecurityFocus did not publish an article on the issue until USC had secured its database. While CSI's Peters believes that good Samaritans should be given some leeway, a few of the comments found on McCarty's computer by the FBI - and repeated in court documents - suggested that vengeance was a motive. For that reason, Peters suggests that security researchers who decide to look for vulnerabilities in websites use discretion in dealing with site owners. "You can't let anyone run wild and hack into websites indiscriminately," Peters said. "If you publicly disclose a vulnerability in a website you are pointing a big red arrow at a single site, so there needs to be some discretion." The working group also concluded that the web is becoming increasingly complex as more sites share information and increase interactivity, characteristics of what is referred to as Web 2.0. Earlier this year, security researchers warn