From alerts at infosecnews.org Tue May 1 04:13:05 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] The Taiwan Scenario
Message-ID:

http://www.banktechnews.com/article.html?id=2007042535CP9MLX

By Rebecca Sausner
May 2007

The issue of China's cyberwarfare capabilities is intricately linked to the status of Taiwan. A quick brushup on foreign policy: the U.S. has pledged to defend Taiwan if China makes good on its long-held desire to reunite with the renegade island. In the event that conflict erupts over Taiwan, which is a common assumption, "the U.S. government can expect very specific attacks to be launched against very specific military and government targets, as well as economic targets," says Rick Fisher, vp at the International Assessment and Strategy Center, a Virginia-based think tank specializing in defense and security issues.

There are those who argue that the increased cyber incursions we've seen of late are reconnaissance for just such an incursion. Their evidence? The targets that have reportedly been infiltrated by Chinese hackers within the last 18 months include: the Non-classified Internet Protocol Router Network, or NIPRnet, the Energy Department, the Commerce Department's Bureau of Industry and Security, the State Department, and The Naval War College. Last summer Maj. Gen. William Lord, director of information, services and integration in the Air Force's Office of Warfighting Integration and CIO, reportedly said China had downloaded 10 to 20 terabytes of data from NIPRnet, the unencrypted network the military uses for many logistic functions.
Prominent Chinese military writers view information operations and computer network operations as worthy "supplements to conventional war fighting capability and powerful asymmetric options for overcoming the superior with the inferior," according to James Mulvenon, Deputy Director, Advanced Analysis at Defense Group Inc.'s Center for Intelligence Research and Analysis, who was speaking to the U.S. China Economic and Security Review Commission.

Fisher lays out this scenario: Imagine a network incursion that reprogrammed traffic lights in Hawaii, leaving them red for hours just as the Chinese began their invasion of Taiwan. This could "cause a simple kind of chaos that would prevent the mobilization of American Naval forces," from Pearl Harbor, Fisher postulates. Or, imagine a more sinister scenario in which China disables American global positioning satellites, throwing our navigation and logistics into chaos. This scenario seemed a little far-fetched, until the news broke in January that China had used a missile to shoot down an orbiting satellite. "That would be a military catastrophe," Fisher says.

In the Taiwan scenario military experts disagree about whether civilian targets, like the payments systems or online banking sites, would be part of the attack vector. Some say our networks and markets would be at risk, but Mulvenon points to Chinese military writings that postulate a widespread attack against civilian infrastructure would "stiffen the back of a high tech enemy" and make war against China over Taiwan more palatable to the American public.

(c) 2007 Bank Technology News and SourceMedia, Inc. All Rights Reserved.
http://www.banktechnews.com
http://www.sourcemedia.com

From alerts at infosecnews.org Tue May 1 04:13:18 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] China tops spy list: CSIS
Message-ID:

http://www.thestar.com/News/article/208929

Canadian Press
April 30, 2007

OTTAWA -
Almost half the effort the country's spy-watchers put into monitoring suspicious foreign activity in Canada is devoted to Chinese operatives, the head of CSIS said today.

Jim Judd, director of the Canadian Security Intelligence Service, said there are a lot of foreign agents operating in Canada, many adopting the guise of innocent visitors. "It's surprising, sometimes, the number of hyperactive tourists we get here and where they come from."

Judd told the Senate committee on defence and national security that 15 countries account for most of the concern when it comes to foreign intelligence-gathering or interference in Canadian affairs. He wouldn't identify all those countries, but did tell senators that China tops the list. He said CSIS tries to keep close tabs on foreign operatives and hopes "that we have all the bases covered."

Judd said his agency is charged with monitoring foreign efforts to collect information, both public and private; to meddle in Canadian affairs; or to foment trouble within ethnic communities. China has been accused of all three activities in the past and has steadfastly denied it has spies in Canada.

Earlier this month, a Chinese-language TV station demanded the expulsion of a Chinese diplomat for allegedly trying to block its licence approval. New Tang Dynasty TV said diplomat Huang Huikang tried to orchestrate a campaign to keep it from getting a broadcast licence from the CRTC. The station said the Chinese embassy has also tried to sabotage the station by urging Chinese-Canadians to boycott various activities.

Two years ago a pair of Chinese officials who defected and sought asylum in Australia said China was running hundreds of spies and informants in Canada, mainly in Vancouver and Toronto. One of the defectors said some of those agents were charged with intimidating members of the Falun Gong sect in Canada.

Prime Minister Stephen Harper, when he was still Opposition leader, claimed there were up to 1,000 Chinese agents in Canada.
He quoted a CSIS official as saying that Chinese spies stole $1 billion worth of technological secrets every month.

Last year, Foreign Affairs Minister Peter MacKay said he wanted a crackdown on Chinese espionage. MacKay is currently on a China visit.

In a 2004 report, CSIS said Chinese economic espionage targeted information including contract details, supplier lists, planning documents, research and development data, technical drawings and computer databases. Foreign students and scientists, business delegations and immigrants were among those recruited as informants, the spy agency said.

From alerts at infosecnews.org Tue May 1 04:13:40 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] Steak n Shake beefs up security
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9018289

By Jaikumar Vijayan
April 30, 2007
Computerworld

Credit card security may not exactly be a top-of-mind item for customers dining on steakburgers and milkshakes at any of the 450-odd Steak n Shake restaurants scattered around the Midwest and Southeast. But it has been a priority for the technology organization at the Indianapolis-based fast food chain since last August, when the number of credit card transactions the company accepts every year crossed the 6 million mark for the first time.

That number put Steak n Shake into a category of businesses subject to the most stringent requirements of a data security standard being pushed by major credit card companies such as Visa International, MasterCard Worldwide, American Express and Discover. The standard, known as the Payment Card Industry (PCI) Data Security Standard, requires all entities that handle payment cards to implement a set of 12 security controls for protecting card data. The measures include encryption, periodic network vulnerability scans, logical and physical access controls, and activity monitoring and logging.
Under PCI, companies are classified into four groups depending on the number of credit card transactions they handle annually, with Tier 1 being the largest. Companies that fail to implement the requirements are subject to substantial fines and can even have their right to accept cards revoked.

For Steak n Shake, the Tier 1 classification last August had major IT implications, said Sean Smith, director of strategic technology services at the company. At that time, Steak n Shake had been accepting credit and debit card payments for only about two and a half years and had been considered a Tier 4 merchant under PCI. "We went from ground zero to a Tier 1 in a very short period of time," Smith said. In the process, "our PCI requirements and the difficulty of attaining them changed by a magnitude of sixfold to tenfold," he said.

Some of the biggest changes had to be made at the store level. For instance, the generic usernames and passwords that were used in the past by store employees who needed access to point-of-sales (POS) systems were replaced with an Active Directory-based unique username and password system that could be centrally monitored and managed. "Most store operations historically have had high [employee] turnover rates," so it was easier to have generic usernames and passwords for access to POS systems, Smith said. Under PCI, however, "we need to know who is accessing what, when and where," he said.

The company also had to roll out tools for centrally managing the assets in its stores and for pushing out patches, antivirus updates and other software to them. The fast food chain has also put in place capabilities for logging and auditing all store-level transactions involving payment card data, as required by PCI. Steak n Shake is in the process of replacing its old VSAT communications links with a new T1 network featuring secure point-to-point VPN connections tying each store to headquarters.
It is also revitalizing its perimeter security through the addition of new intrusion prevention and detection tools, as well as security event management technology for centralized event logging and correlation. PCI rules prohibit merchants from storing payment card data on any POS system, so Steak n Shake is upgrading all POS software systems to PCI-certified versions.

The company has hired Qualys Inc. to perform quarterly vulnerability scans of its network perimeter as required by PCI. In addition, the restaurant chain is getting Qualys to perform a similar quarterly vulnerability assessment of its internal network to mitigate data threats from inside.

Steak n Shake has also started a security awareness campaign designed to inform its 22,000 employees of what they can do to protect cardholder data. "Technology controls are great, but if people and processes are not there," the controls are worthless, he said.

Implementing and demonstrating the controls that are needed in order to be PCI-compliant at a Tier 1 level can be challenging, said Terry Ramos, director of strategic development at Qualys. That's especially true for a company such as Steak n Shake, which as recently as last August was a Tier 4 vendor, he said. At the Tier 4 level, PCI requirements are really little more than recommended best practices with little or no validation requirements, Ramos said. A Tier 1 merchant, on the other hand, has to actually follow all of the requirements and then have a third party validate compliance, he noted.

It's not just the systems that actually handle credit card data that need to be validated; all other network assets that connect to these systems have to be checked as well, Ramos said. For large companies with legacy environments, such validation can be a huge challenge, he said. As a result, many companies are now looking to segment their networks to keep payment card processing systems separate from other systems, he said.
"The one thing about PCI that is very different [from other standards] is that it gives very specific requirements for companies to follow," Ramos said. "It gives people a good idea of what they need to do."

From alerts at infosecnews.org Tue May 1 04:14:28 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] F1 engineers plan appeal in Ferrari espionage case
Message-ID:

http://www.theregister.co.uk/2007/04/30/ferrari_espionage_conviction/

By John Leyden
30th April 2007

Two former Ferrari engineers accused of stealing trade secrets have been convicted of industrial espionage.

Angelo Santini and Mauro Iacconi were last week sentenced by an Italian court to jail terms of nine and 16 months respectively over charges of stealing confidential engineering data from Ferrari and using it to design cars for motor racing rivals Toyota. Both intend to appeal.

Sensitive data stolen from Ferrari - including engineering documents, test data and other undisclosed documents - was allegedly used to develop the 2002 and 2003 edition of Toyota's car. Iacconi, a wind tunnel engineer who worked at Ferrari between 1986 and 2000 before moving to Toyota, said the data in question was dated and was of no value in the design of Toyota's car, Autosport.com reports.

Security firms were quick to highlight the case as an example of the dangers of uncontrolled use of removable storage devices in facilitating data theft.

"This prosecution highlights the seriousness of the 'insider threat'. Disgruntled employees still find it all too easy to take company secrets off the network and onto portable storage devices such as CDs and USB sticks," said Matt Fisher, VP of Centennial Software. "You don't have to work in Formula One for your secrets to be valuable to the competition. With corporate IP the fuel that keeps business running, all companies are vulnerable to damage from data leaks," he added.
From alerts at infosecnews.org Tue May 1 04:14:40 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] Researcher to demonstrate Vista attacks
Message-ID:

http://www.techworld.com/security/news/index.cfm?newsID=8709

By Matthew Broersma
Techworld
30 April 2007

Joanna Rutkowska, a security researcher known for picking apart the security mechanisms built into Windows, is to demonstrate new ways for hackers to invade Windows Vista, including rootkit techniques and ways to defeat BitLocker drive encryption.

Rutkowska recently announced she will be running a training session called "Understanding Stealth Malware" during the Black Hat Briefings and Training event in Las Vegas, which runs from 28 July to 2 August. The training session, which will be co-presented by researcher Alex Tereshkin, promises to demonstrate new rootkits developed for Vista, ways of defeating hardware-based forensics systems and other techniques Microsoft would probably prefer the world didn't know.

Rutkowska said she, too, is aware of the need for discretion. "For ethical reasons we want to limit the availability of this course to only 'legitimate' companies," she said in a post on her blog, Invisible Things.

Rutkowska isn't against Windows as such, but has a track record of ferreting out its weaknesses. She recently uncovered a number of flaws in Vista's much-hyped User Account Control (UAC) feature, which led Microsoft to declare that the feature wasn't really intended for security after all. Until recently she was a researcher for Coseinc, but is now in the process of founding a security start-up based in Poland, she said.

Earlier this spring she demonstrated several methods that sophisticated rootkits can use to hide from even the most reliable detection method currently available - hardware-based products that read a system's RAM.
The demonstration in July will cover such methods, but will be more comprehensive, including unpublished techniques, implementation details, new code and sample rootkits. The target will be Windows and specifically 64-bit Vista, including new kernel attacks against the latest 64-bit Vista builds. "These attacks, of course, work on the fly and do not require system reboot and are not afraid of the TPM/BitLocker protection," she wrote.

TPM (Trusted Platform Module) refers to security systems with a hardware component built into the processor, designed to improve security and specifically to make copy-protection systems more difficult to circumvent. Rutkowska said the demonstrated techniques would work against copy-protection systems, but that this side of things wouldn't be specifically discussed at the demonstration.

The training is aimed at security and OS developers, forensic investigators and penetration testers, Rutkowska said.

From alerts at infosecnews.org Tue May 1 04:14:55 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] BlackBerry outage underscores need for a backup plan
Message-ID:

http://www.gcn.com/print/26_09/43568-1.html

By Patrick Marshall
GCN Staff
04/30/2007 issue

You don't miss the water until your well runs dry. And when millions of BlackBerrys lost their e-mail capability April 17, it suddenly became clear how dependent many people in federal agencies and departments have become on the devices.

"Certainly, the senior folks in the agency view them essentially as an extension of their bodies," Corey Booth, chief information officer of the Securities and Exchange Commission, told Government Computer News. And when the e-mail service went out, Booth said dryly, "it was certainly a source of complaint."

At first, Research in Motion offered few details of why the service was down.
Only two days later did the company explain the outage, chalking it up to insufficient testing of new caching software in its network operations center (NOC) in Canada.

One factor that made the outage more widespread than it otherwise might have been is the BlackBerry system's highly centralized message routing. All e-mails are routed though one of two NOCs - one in Canada serving the Western Hemisphere and one in England serving Europe, Africa and the Middle East.

Booth said agencies and departments would be well-advised to plan on future failures. "The thing that everyone has to understand is that there are very few forms of technology, particularly of communications technology, that are foolproof," Booth said. "You can have a RIM-related failure, you can have a telephone company-related failure, you can have a failure within our e-mail system, you can have a failure at any of the gateways between those various systems. There are a lot of places where problems can occur."

That's why it's critical for staff to have a Plan B. "Plan B can be pretty simple," Booth said. "It can be just carrying around peoples' cell phone numbers. Plan B can be knowing how to log in to your e-mail from home. There are lots of things that people can do that are in the category of somewhat inconvenient but workable workarounds."

Some analysts have also voiced concerns about the security and reliability of a system that depends on such a centralized architecture. And, particularly for federal agencies and departments, there may be concerns about routing e-mails through NOCs that reside in a foreign country. "If the software vendor can be forced to cooperate with government agencies, the possibility exists that the wireless e-mail software could include hidden eavesdropping capabilities in accordance with governments or intelligence agencies for various purposes," a recent Gartner report states. For that reason, some governments - including France, Germany, Great Britain and the Netherlands - have opted not to rely on such systems.

However, Booth said, not all federal agencies need to be concerned. "I'm not arrogant enough to believe that our business [at SEC] is so mission-critical that we would be unable to perform our mission without having two NOCs owned by RIM," he said. On the other hand, "if we were, say, a first-response agency of some kind - like a FEMA or a DOD - I might have some concern."

RIM's response to the outage is not likely to put concerned minds at ease. Apart from its brief statement citing the software glitch as the culprit, the company has been quiet on the issue. A week after the incident, no mention of the outage or its cause had been posted on the company's Web site nor had RIM responded to a request for an interview.

From alerts at infosecnews.org Wed May 2 02:20:22 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] Wi-Fi networks still insecure in London's City
Message-ID:

http://www.techworld.com/security/news/index.cfm?newsID=8721

By John E. Dunn
Techworld
01 May 2007

After years of stark warnings, many Wi-Fi networks located in London's City financial district still lack basic levels of security, a security vendor claims to have found.

According to security testing company NTA Monitor, which recently assessed security using passive monitoring, internal resources such as printer queues could be found quite easily, while other networks used only weak WEP security to keep network traffic from prying eyes. Astonishingly, others used no encryption at all.

"If a stranger walks into an office and connects to your network, it's quite likely that they'd be challenged by someone working there. But by sitting in a café with a laptop they're pretty inconspicuous and probably out of sight of the office whose network they're connecting to," said NTA's technical director Roy Hills.
"For a malicious user wishing to connect to a corporate network, the City seems to be an ideal location," he said.

A further problem the company noticed was that access points could be named in ways that might make users susceptible to hacking. For instance, where more than one Wi-Fi node was in use by one enterprise, names could often be very similar, as well as generic. Using distinctive names, and keeping access points separate in the minds of users would make it harder for hackers to impersonate access points using similar-sounding evil twins.

The company gave no details of which size of companies were found to have problems, nor any percentages on specific security problems.

The issue is timely. At last week's Infosecurity Europe Show, the issue of evil twin access points reared its head once again. According to ISS, these are still one of the commonest ways to mine credit card and other password data from the general public, despite having been a high-profile problem for several years.

From alerts at infosecnews.org Wed May 2 02:20:42 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] How to become an exceptional security manager
Message-ID:

http://www.infoworld.com/article/07/04/27/18OPsecadvise_1.html

By Roger A. Grimes
April 27, 2007

I recently listened to a wonderful science program on National Public Radio discussing a book called Better: A Surgeon's Notes on Performance [1] along with its author, Dr. Atul Gawande. The book discusses the reasons why some practitioners excel while others just meet the standards or perform poorly. Its hypothesis and conclusions can be universally applied in business and even life. It was easy for me to draw connections to my own experiences and relate the lessons to computer security.
Here are some of the excerpts and the corollaries I drew (I apologize to the author in advance for any inaccuracies or misinterpretations):

The number one indicator for above-average medical care was often simply consistency. In the story related on NPR, the author discussed how one doctor was able to have significantly longer survival rates for his cystic fibrosis patients (47 years) as compared to the national average (33 years). The secret? Consistency. The doctor determined that many patients simply were not taking the recommended medicines consistently and timely. Once he realized this, he focused on making his patients more consistent, especially stressing that they should continue to take the medicine during the majority of the time when they felt well. The outcome was significantly longer living patients.

How many of us work in computer security environments where basic security recommendations are not applied consistently? I think it is nearly impossible to find a company that consistently and universally applies basic security tenets. So, we have inconsistencies, cracks in the system, and bad things are allowed to occur. The very human nature of purposefully allowing inconsistency as a norm leads to below-average outcomes. Taking a personal and institutionalized interest in applying basic security principles consistently will mitigate more risk and lead to a more secure environment.

Another conclusion was that improving the existing system often provides better outcomes than just adopting new technology. In the book's example, it talked about how the U.S. Army was trying to improve the survival rate of wounded soldiers in Iraq. Prior to the recent Middle East conflicts (say WWII and Vietnam), wounded soldiers died 25 percent of the time. The Army spent half a billion dollars developing new medical aids, technologies, and treatments, but found out that improving the basics -- and applying them consistently -- provided better outcomes.
For example, by ensuring that soldiers always wore their body armor, instead of removing it when it was hot, more soldiers lived. Moving the medical tents closer to the battlefield saved more lives. By focusing on better meeting the "golden hour" rule, they saved even more. They even experimented with essentially going against standard medical practices in some instances (for example, allowing field personnel more leeway to make medical decisions and to apply treatment without waiting for absolute test confirmation), and in doing so saved even more lives. The result was that now only about 10 percent of our soldiers die from their battlefield wounds even in a time of conflict where the average injury is much more serious. This is not to say that new medical inventions and techniques don't help decrease the death rate; I'm sure they do. The key takeaway point is that much of the success is due to the re-application of existing systems.

If you're a security manager, focus more on the basics (e.g. patch management, password policy, malware blocking) and less on the latest and greatest new artificial-intelligence anti-malware product of the day. Truly secure environments are consistently secure and have the basics well covered.

Pick good metrics. "Metrics" is often a word bandied about by managers seeking ways to report meaningful and measurable statistics to upper management. Metrics are a good thing, but many times, the metrics chosen take more time to collect than the value they provide. Security becomes more about collecting the right metrics and moving the metric in the perceived right direction than actually bettering security.

The book talks about APGAR scores [2] and how they have significantly improved the lives of newborn babies. The APGAR score measures five metrics of a newborn baby (what is their color, how well they are breathing, etc.) and assigns a 0-2 point score based on the observed result.
Babies with low APGAR scores are considered critical cases, and additional treatment modalities are brought to bear quickly. As a five-year EMT paramedic, I can tell you that an APGAR score only takes seconds to do and becomes second nature. It has been credited with saving the lives of millions of babies.

Do you have good metrics? Evaluate the current list of metrics and reports that you collect on a daily, weekly, and monthly basis. Does anyone read them? If you want to find out who does, put very big, bogus outliers in the report and see how long it takes anyone to notice. If you can, analyze the metrics you do collect and decide which ones have the best bang for the buck.

Becoming a better computer security worker or manager means taking a step back and analyzing the overall system. Improved processes and more consistent application of current rules will often pay higher dividends than any new technology or product.

Roger A. Grimes is contributing editor of the InfoWorld Test Center.

[1] http://www.amazon.com/exec/obidos/ASIN/0805082115/infoworldcom-20 and http://www.shopinfosecnews.org
[2] http://en.wikipedia.org/wiki/Apgar_score

From alerts at infosecnews.org Wed May 2 02:21:08 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] Gartner: Hack contests bad for business
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9018378

By Gregg Keizer
May 01, 2007
Computerworld

A pair of Gartner analysts today denounced a recent hack challenge that uncovered a still-unpatched QuickTime bug, calling it "a risky endeavor" and urging sponsors to reconsider such public contests. The research manager of TippingPoint, the company that paid $10,000 for the QuickTime vulnerability and its associated exploit, rebutted by saying that at no time was there any danger of the vulnerability escaping from responsible parties.
Dino Dai Zovi was the first to hack a MacBook Pro at CanSecWest, a Vancouver security conference held two weeks ago. For his trouble, Dai Zovi took home the $10,000 prize offered by TippingPoint's Zero Day Initiative, a bug bounty program that's been in operation nearly two years. Security researchers have called the QuickTime bug, which can be exploited through any Java-enabled browser, "very serious." Apple Inc. has yet to patch, or announce when it will patch, the vulnerability.

"Public vulnerability research and 'hacking contests' are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements," said analysts Rich Mogull and Greg Young in a research note published by Gartner Inc. yesterday. "Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue ... could potentially lead to mishandling or treating too lightly these vulnerabilities -- which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers."

"There are a lot of definitions of 'responsible disclosure,'" retorted Terri Forslof, TippingPoint's manager of security research. "What it means to us is that the vulnerability and its exploit are kept quiet and the vendor's given the time to patch the issue.

"It comes down to the facts of the case. The [CanSecWest] organizers took great pains to secure the network that was actually used for the challenge. As for the idea that this added some risk [that the vulnerability would be made public], I don't find it to be the case."

Mogull and Young recommended that security vendors call an end to public contests. "Consider ending public vulnerability marketing events, which may lead to unanticipated consequences that endanger IT users," they concluded.

"This wasn't our idea," Forslof said.
"We didn't host this challenge, and we didn't organize it. It was an on-the-spot decision [to offer the prize]."

Dai Zovi, who dug up the QuickTime bug and crafted an exploit in a 9- to 10-hour stretch, has said the money wasn't his motivation. "The challenge, especially with the time constraint, was the real draw," he said last Friday in an e-mail interview.

"On the record, I think all vulnerabilities should be disclosed only through the vendor or through a responsible third party," said Forslof. "But users were never at risk here."

From alerts at infosecnews.org Wed May 2 02:21:24 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] Apple plugs QuickTime zero-day flaw
Message-ID:

http://news.com.com/Apple+plugs+QuickTime+zero-day+flaw/2100-1002_3-6180679.html

By Joris Evers
Staff Writer, CNET News.com
May 1, 2007

Apple on Tuesday released a QuickTime update to fix a security flaw that was used to breach a MacBook Pro at a recent security conference.

The media player vulnerability lies in QuickTime for Java, Apple said in a security alert. The hole could be exploited through a rigged Web site and let an attacker commandeer computers running both Mac OS X and Windows, the Mac maker said. "By enticing a user to visit a Web page containing a maliciously crafted Java applet, an attacker can trigger the issue, which may lead to arbitrary code execution," Apple said. Only computers running an unfixed version of QuickTime would be at risk.

Security monitoring company Secunia deems the flaw "highly critical," one notch below its most serious rating. The update, QuickTime 7.1.6, repairs the problem by performing additional checking. Apple credits bug hunter Dino Dai Zovi and the TippingPoint Zero Day Initiative for reporting the issue.

Apple's fix comes just over a week after the vulnerability was used to grab a $10,000 prize and a MacBook Pro in a hack-a-Mac contest at the CanSecWest conference in Vancouver, British Columbia.
Security researcher Shane Macaulay worked with Dai Zovi to break into the Mac and took home the computer. Dai Zovi subsequently submitted the bug to TippingPoint, which sweetened the competition by offering a $10,000 bounty through its Zero Day Initiative program.

Apple on Tuesday also put out an updated version of a security update originally released last month. Version 1.1 of the 2007-004 patch repairs a couple of problems with the original fix, which may cause wireless connections to drop and allow limited FTP users access beyond their privileges on an Apple FTP server, Apple said in another alert.

Apple's security updates are available through the Software Update application in its operating system and QuickTime software and from the Apple Web site.

From alerts at infosecnews.org Wed May 2 02:21:35 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] Vista hacks to be demoed at Black Hat conference
Message-ID:

http://www.tgdaily.com/content/view/31858/108/

By Humphrey Cheung
May 01, 2007

Las Vegas (NV) - A hacker duo will demonstrate several ways of getting past Windows Vista security in an upcoming Black Hat training class. Polish security researcher Joanna Rutkowska and Alex Tereshkin will show off new rootkits and ways to defeat Vista's vaunted BitLocker drive encryption.

The two-day training class, titled "Understanding Stealth Malware," will cost a cool $3000 and runs from July 28th to August 2nd. The class is part of a collection of classes and briefings offered at the Black Hat security convention, a convention that is considered an almost mandatory event by many of the world's top hackers.

Students in the class will need to have a basic understanding of the C programming language and will use disassemblers and other tools to crack 64-bit Vista's kernel and drive protections. Students will also learn data hooking malware, antimalware techniques and possibly Northbridge motherboard hacking.
Rutkowska claims the attacks will bypass BitLocker and will not require a reboot. BitLocker is Microsoft's next generation drive encryption software that uses trusted chips, passwords and USB authentication devices.

The class is sure to fill up quickly, if it hasn't done so already. According to the Black Hat course description, these classes will be the only public classes on the subject offered by Rutkowska this year.

Rutkowska is a regular on the security speaking circuit and gave several talks last year regarding Vista's User Account Control security. She recently quit her job at COSEINC and is forming her own security company.

Black Hat and Defcon are a de facto summer tradition for many hackers, with many of them traveling from across the globe to attend. For the past three years we've covered the conferences and we plan to do the same this year.

From alerts at infosecnews.org Thu May 3 01:23:04 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] DDoS attacks fall as crackers turn to spam
Message-ID:

http://www.theregister.co.uk/2007/05/02/dos_trends_symantec/

By John Leyden
2nd May 2007

Denial of service attacks are falling out of favour with black hat hackers because using compromised machines to send spam is a more lucrative - and less risky - way of making money illicitly.

Networks of compromised PCs can be used for purposes including relaying junk mail or flooding targeted websites with spurious traffic. Symantec reckons the noticeable fall in denial of service attacks it witnessed in the second half of 2006 is down to the growing difficulty in launching such attacks, and getting victims to pay up even if these assaults are successful. Stealthier misuse of compromised PCs - such as sending spam - poses far less risk, the security firm argues.

Symantec recorded an average of 5,213 denial of service (DoS) attacks per day in the second half of 2006, down from 6,110 in the first half of last year.
The US was the target of most DoS attacks, accounting for 52 per cent of the worldwide total.

"DoS attacks are loud and risky. Whenever a bot-network owner carries out a denial of service attack they run the risk of losing some of their bots. This could happen either because an attacking computer is identified and disinfected, or if it is simply blocked by its ISP from accessing the network," Symantec researcher Yazan Gable notes in a posting to Symantec's Security Response Weblog.

Gable adds that the "up-front" costs in setting up a botnet before any hope of payment, as well as the possible loss of an entire bot network if a command and control server is identified, also act as a deterrent.

"It is likely that bot network owners are now moving away from DoS extortion and towards more lucrative ventures like spam. Not surprisingly, we saw a noted increase in spam volumes in the last six months of 2006," he added.

From alerts at infosecnews.org Thu May 3 01:23:24 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] Homeless man disrupts Internet2 service
Message-ID:

http://www.networkworld.com/news/2007/050207-internet2-fire.html

By Adam Gaffin
Network World
05/02/07

A fire started by a homeless man knocked out service between Boston and New York on the experimental Internet2 network Tuesday night.

Chris Robb, an engineer at Indiana University's Global Network Operations Center who works on Internet2, says Level 3 Communications cables used by the network went up in flames. The cables were on the Longfellow Bridge, which connects Boston and Cambridge across the Charles River.

Robb, who co-authors the Internet2 Network Upgrade blog [1], writes that Level 3 engineers estimate it could take one to two days to restore the circuit. Engineers are looking at rerouting a Chicago-to-New York OC-192 circuit that normally goes through Boston to Washington until service is restored.
Robb writes: "Question: When can a cigarette take down your network? Answer: When you throw it at a bridge and light it on fire."

Authorities say the fire, which also disrupted service on the Red Line subway, started around 8:20 p.m. when a homeless man tossed a lit cigarette. The cigarette landed on a mattress, which ignited and led to a two-alarm fire [2].

[1] http://i2net.blogspot.com/2007/05/question-when-can-cigarette-take-down.html
[2] http://wbztv.com/topstories/local_story_121202334.html

From alerts at infosecnews.org Thu May 3 01:24:56 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] A Different Kind of Honeypot Project
Message-ID:

Forwarded with permission from: Security UPDATE

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Email Security for the 21st Century
http://list.windowsitpro.com/t?ctl=54849:57B62BBB09A692798684B08A92833E46

Roadmap to Email Archiving and Compliance
http://list.windowsitpro.com/t?ctl=5484B:57B62BBB09A692798684B08A92833E46

Enterprises Rate Important IP Telephony Features
http://list.windowsitpro.com/t?ctl=5485E:57B62BBB09A692798684B08A92833E46

=== CONTENTS ===================================================

IN FOCUS: A Different Kind of Honeypot Project

NEWS AND FEATURES
- Dangerous QuickTime and Java Flaw Affects Windows
- Browser Toolbars Integrate Real-Time Anti-Malware Defenses
- Microsoft Prepares Forefront Client Security for May Release
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: Vbootkit Bypasses Vista Code Signing
- FAQ: Get Windows 2003 SP2
- From the Forum: Looking for Password Analyzer
- We Need Your Feedback About the Products You Use
- Share Your Security Tips

PRODUCTS
- Easier Management of Data Encryption Appliances

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: Ironport ==========================================

Email Security for the 21st Century
Protect your users and your network against email-borne threats. This free eBook gives you the knowledge required to understand the real threat that email-borne attacks pose, and how to address those attacks in a way that reduces risk while ensuring users aren't impacted. Download it today!
http://list.windowsitpro.com/t?ctl=54849:57B62BBB09A692798684B08A92833E46

=== IN FOCUS: A Different Kind of Honeypot Project =============
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Honeypots are excellent tools for preemptive forensic investigation. They let you see what intruders are targeting in your network, monitor their activity, capture their exploits, and more. So when I think of honeypots, that's typically the image that comes to mind. But a new type of honeypot project is aimed squarely at spammers.

Project Honey Pot is a community effort that aims to identify spammers and email address harvesters and put them out of business by eliminating their ability to deliver spam and thus hitting them where it hurts most: in the pocketbook.

The way it works is relatively simple. Web developers insert special code into their Web server platform that communicates with Project Honey Pot servers. The code grabs unique email addresses (tied to the IP address of the Web site visitor) from Project Honey Pot servers that are then inserted into the Web site dynamically. The email addresses of course are spam traps operated by Project Honey Pot. So when robots or people harvest those addresses and mail arrives in those traps, the project can track and identify the spammers.

Project Honey Pot also operates a new blacklist DNS system (called http:BL), similar to those used by email DNS blacklist providers. Web site developers can use Project Honey Pot's API to query the http:BL DNS servers by using a Web site visitor's IP address. The DNS query results reveal whether the visitor is a known harmless search engine robot, a known spammer, or a known email harvester.
Code written by the Web developer can then take action based on the visitor's categorization. For example, if the DNS query returns info that says the visitor IP address is that of a spammer, code can prevent the visitor from posting a comment and thus prevent comment spam.

Overall, I think the project is a pretty good idea. Integrating a spam trap into your site isn't incredibly difficult. After you sign up for an account, you can download ready-made code in one of several languages, including Active Server Pages (ASP), PHP, Perl, Python, ColdFusion, and more. You drop the code into your Web site and make a link to it somewhere. If you run Apache, module code is available that you can integrate directly to work with http:BL. You can also donate MX records from your own domains that will be used to create spam traps shared at Project Honey Pot.

So far, the project has identified more than 15,000 email address harvesters and 2.5 million spam servers and currently operates more than 2.2 million spam traps. Last week, the project announced that it has filed a $1 billion lawsuit, the largest antispam suit ever, against spammers for harvesting email addresses and spamming Project Honey Pot members. The suit comes as a result of two years of tracking spammers.

You can read more about the suit at the first URL below (click the days of the week on the left-hand side of the screen to see other recent announcements, including integration information). If you're interested in joining the project, visit the home page at the second URL below, where you'll find a link to register along with links to a FAQ and more.

http://list.windowsitpro.com/t?ctl=54859:57B62BBB09A692798684B08A92833E46
http://list.windowsitpro.com/t?ctl=54860:57B62BBB09A692798684B08A92833E46

===

You can win $100 by voting for the products you find most useful in Windows IT Pro's Community Choice Awards! Give us your feedback to qualify to win one of twelve $100 Amazon.com gift certificates.
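The http:BL lookup and the "act on the visitor's categorization" step described in the In Focus piece above, as an added example written for this digest (it is not Project Honey Pot's own code or its downloadable modules). It assumes the published http:BL wire format: the query name is the access key, then the visitor's IPv4 octets in reverse order, then dnsbl.httpbl.org, and a listed address answers with 127.<days since last activity>.<threat score>.<type bits>; the access key and the sample answers below are constructed placeholders so the demo runs offline.

```python
"""http:BL lookup and visitor policy (added example, not Project Honey Pot code)."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

HTTPBL_ZONE = "dnsbl.httpbl.org"

# Bit flags carried in the fourth answer octet; 0 means a known search-engine robot.
SUSPICIOUS = 1
HARVESTER = 2
COMMENT_SPAMMER = 4


@dataclass(frozen=True)
class Visitor:
    listed: bool
    search_engine: bool = False
    days_since_last_activity: int = 0
    threat_score: int = 0
    types: FrozenSet[int] = frozenset()


def build_query_name(visitor_ip: str, access_key: str) -> str:
    """Reverse the visitor's IPv4 octets and prefix the access key (assumed format)."""
    octets = str(ipaddress.IPv4Address(visitor_ip)).split(".")  # rejects malformed input
    return f"{access_key}.{'.'.join(reversed(octets))}.{HTTPBL_ZONE}"


def parse_answer(answer: Optional[str]) -> Visitor:
    """Decode a 127.d.s.t answer; None stands for NXDOMAIN, i.e. the IP is not listed."""
    if answer is None:
        return Visitor(listed=False)
    parts = answer.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts) or parts[0] != "127":
        raise ValueError(f"unexpected http:BL answer: {answer!r}")
    _, days, score, kind = (int(p) for p in parts)
    if kind == 0:
        # Search engine: the third octet identifies the engine rather than a threat score.
        return Visitor(listed=True, search_engine=True)
    if kind > SUSPICIOUS | HARVESTER | COMMENT_SPAMMER:
        raise ValueError(f"unknown visitor type bits: {kind}")
    types = frozenset(f for f in (SUSPICIOUS, HARVESTER, COMMENT_SPAMMER) if kind & f)
    return Visitor(listed=True, days_since_last_activity=days,
                   threat_score=score, types=types)


def lookup(visitor_ip: str, access_key: str,
           resolve: Callable[[str], str] = socket.gethostbyname) -> Visitor:
    """Query http:BL; a resolver failure (NXDOMAIN) is the normal 'not listed' case."""
    try:
        return parse_answer(resolve(build_query_name(visitor_ip, access_key)))
    except socket.gaierror:
        return Visitor(listed=False)


def action_for(visitor: Visitor, stale_after_days: int = 30) -> str:
    """Site policy in the spirit of the article: comment spammers lose the comment
    form, harvesters never see real addresses, search engines and everyone else
    are allowed. Old listings are ignored so a reassigned IP is not punished forever."""
    if not visitor.listed or visitor.search_engine:
        return "allow"
    if visitor.days_since_last_activity > stale_after_days:
        return "allow"
    if COMMENT_SPAMMER in visitor.types:
        return "reject_comment"
    if HARVESTER in visitor.types:
        return "hide_email_addresses"
    return "allow"  # merely suspicious: worth logging, not worth blocking


# Constructed sample answers standing in for the live DNS zone (offline demo only).
FAKE_ANSWERS = {
    "abcdefghijkl.44.2.0.192.dnsbl.httpbl.org": "127.3.25.6",   # harvester + comment spammer
    "abcdefghijkl.50.2.0.192.dnsbl.httpbl.org": "127.1.40.2",   # harvester only
    "abcdefghijkl.10.2.0.192.dnsbl.httpbl.org": "127.0.1.0",    # search-engine robot
    "abcdefghijkl.77.2.0.192.dnsbl.httpbl.org": "127.90.5.1",   # suspicious, 90 days stale
}


def fake_resolver(name: str) -> str:
    """Stand-in for socket.gethostbyname that serves the constructed answers."""
    try:
        return FAKE_ANSWERS[name]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN {name}")


if __name__ == "__main__":
    for ip in ("192.0.2.44", "192.0.2.50", "192.0.2.10", "192.0.2.77", "192.0.2.99"):
        v = lookup(ip, "abcdefghijkl", resolve=fake_resolver)
        print(ip, action_for(v), sorted(v.types))
```

Dropping the `resolve=` argument makes `lookup` use the real resolver, so the same policy runs against the live zone once a registered access key replaces the placeholder.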
Voting is open through May 21. Winners will be announced in the August 2007 issue of Windows IT Pro. Go to
http://list.windowsitpro.com/t?ctl=54848:57B62BBB09A692798684B08A92833E46

=== SPONSOR: Sherpa Software ===================================

Roadmap to Email Archiving and Compliance
How will compliance regulations affect your IT infrastructure? Help design your retention and retrieval, privacy and security policies to make sure that your organization is compliant. Download the free eBook today!
http://list.windowsitpro.com/t?ctl=5484B:57B62BBB09A692798684B08A92833E46

=== SECURITY NEWS AND FEATURES =================================

Dangerous QuickTime and Java Flaw Affects Windows
At the recent CanSecWest conference, Shane Macaulay and Dino Dai Zovi worked in tandem to successfully break into a MacBook Pro running OS X by using a zero-day exploit. The security flaw is now believed to also affect Windows platforms.
http://list.windowsitpro.com/t?ctl=54854:57B62BBB09A692798684B08A92833E46

Browser Toolbars Integrate Real-Time Anti-Malware Defenses
Toolbars from Exploit Prevention Labs and Finjan help protect against malicious content in Web sites and search results by scanning Web page content in real time without the use of signature databases.
http://list.windowsitpro.com/t?ctl=54858:57B62BBB09A692798684B08A92833E46

Microsoft Prepares Forefront Client Security for May Release
Microsoft will ship its long-awaited Forefront Client Security product--a managed security solution for enterprises--in "the next month or so," according to Microsoft CEO Steve Ballmer.
http://list.windowsitpro.com/t?ctl=54853:57B62BBB09A692798684B08A92833E46

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities.
You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=5484C:57B62BBB09A692798684B08A92833E46

=== SPONSOR: ShoreTel ==========================================

Enterprises Rate Important IP Telephony Features
This comprehensive guide is invaluable for those evaluating VoIP and shows how organizations can reduce cost and improve operations to help you to plan and implement an IP phone system. Define system components - Identify network requirements - Learn important standards - Learn deployment options:
http://list.windowsitpro.com/t?ctl=5485E:57B62BBB09A692798684B08A92833E46

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Vbootkit Bypasses Vista Code Signing
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=5485D:57B62BBB09A692798684B08A92833E46
As expected, Vista isn't perfect. It's possible to load unsigned code into the kernel. Vbootkit proves it.
http://list.windowsitpro.com/t?ctl=54855:57B62BBB09A692798684B08A92833E46

FAQ: Get Windows 2003 SP2
by John Savill, http://list.windowsitpro.com/t?ctl=5485B:57B62BBB09A692798684B08A92833E46
Q: Where can I download Windows Server 2003 SP2?
Find the answer at
http://list.windowsitpro.com/t?ctl=54856:57B62BBB09A692798684B08A92833E46

FROM THE FORUM: Looking for Password Analyzer
A forum participant is looking for some sort of utility to run on a server that would find weak user passwords and send an alert about them. Join the discussion at
http://list.windowsitpro.com/t?ctl=54847:57B62BBB09A692798684B08A92833E46

WE NEED YOUR FEEDBACK ABOUT THE PRODUCTS YOU USE!
Share your product experience with your peers. Have you discovered a great product that saves you time and money? Do you use something you wouldn't wish on anyone? Tell the world! If we publish your opinion, we'll send you a Best Buy gift card! Send information about a product you use and whether it helps or hinders you to whatshot@windowsitpro.com.
SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@securityprovip.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
by Renee Munshi, products@windowsitpro.com

Easier Management of Data Encryption Appliances
Decru announced the Decru SecureView framework to centralize management of its encryption and key management appliances. The appliances are used to encrypt stored data. The framework provides secure management of up to 1,000 devices from one interface. Features include administrator management, role-based access controls (RBAC), configuration and patch management, rolling upgrades, performance and access monitoring, and centralized graphical and command-line interfaces to enable the automation of operations across groups of appliances. For more information, go to
http://list.windowsitpro.com/t?ctl=54862:57B62BBB09A692798684B08A92833E46

=== RESOURCES AND EVENTS =======================================

For more security-related resources, visit
http://list.windowsitpro.com/t?ctl=5485A:57B62BBB09A692798684B08A92833E46

Windows + UNIX/Linux = You Need TechX World!
If you work in an environment that includes both Windows and UNIX or Linux, TechX World is the place to go for practical strategies and resources to add to your toolkit. This one-day technical training event will teach you how to make the most of open-source tools on Windows and how to manage and sync multiple directories. Register today!
http://list.windowsitpro.com/t?ctl=54857:57B62BBB09A692798684B08A92833E46

Get Ready for Exchange & Office 2007 Roadshow--free!
The successful Microsoft-partnered Get Ready for Exchange & Office 2007 Roadshow is coming to Stockholm!
Three independent, respected technical speakers--Jim McBee, Mark Arnold, and Ben Schorr--will deliver tracks on securing, managing, and deploying Exchange and Office 2007 and using Exchange Server 2007 capabilities to improve your messaging environment. Register today for this free day-long event. Your delegate bag will include Microsoft Exchange Server 2007 and Office 2007 Beta 2 Software Kits.
Venue: Berns Hotel, Stockholm
Date: Monday, 14 May 2007
http://list.windowsitpro.com/t?ctl=54852:57B62BBB09A692798684B08A92833E46

Get Ready for the Windows Server Longhorn Roadshow!
Seize control of your Windows infrastructure with Microsoft's biggest server release since Windows 2003. Get a live, under-the-hood look at Longhorn virtualization, deployment, Web services, and breakthroughs in core reliability. This one-day event is filled with demonstrations and in-depth discussions designed for IT pros who want a deep understanding of Windows Server Longhorn.
http://list.windowsitpro.com/t?ctl=54850:57B62BBB09A692798684B08A92833E46

=== FEATURED WHITE PAPER =======================================

Increase customer confidence with the latest breakthrough in online security--Extended Validation SSL. Extended Validation triggers a green address bar in Internet Explorer 7.0 that proves site identity. Get the green bar and higher sales by reading the technical white paper "Maximizing Site Visitor Trust Using Extended Validation SSL."
http://list.windowsitpro.com/t?ctl=5484A:57B62BBB09A692798684B08A92833E46

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!
http://list.windowsitpro.com/t?ctl=5484E:57B62BBB09A692798684B08A92833E46

Introducing a Unique Exchange and Outlook Resource
Exchange & Outlook Pro VIP is an online information center that delivers new articles every week on messaging topics such as administration, migration, security, and performance. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!
http://list.windowsitpro.com/t?ctl=5484D:57B62BBB09A692798684B08A92833E46

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
http://list.windowsitpro.com/t?ctl=5485C:57B62BBB09A692798684B08A92833E46
http://list.windowsitpro.com/t?ctl=54861:57B62BBB09A692798684B08A92833E46

Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=54851:57B62BBB09A692798684B08A92833E46

Be sure to add Security_UPDATE@list.windowsitpro.com to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=5485F:57B62BBB09A692798684B08A92833E46
About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=5484F:57B62BBB09A692798684B08A92833E46

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

From alerts at infosecnews.org Thu May 3 01:25:12 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] Estimates Put T.J. Maxx Security Fiasco At $4.5 Billion
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=199203277

By Sharon Gaudin
InformationWeek
May 2, 2007

The security breach at TJX Companies Inc. could cost the company $100 per lost record, or a total of $4.5 billion, according to the calculations of a database security company.

IPLocks, a compliance and database security company, is basing the estimate on the accumulated costs of fines, legal fees, notification expenses and brand impairment, according to Adrian Lane, the company's chief technology officer. He added that $100 per lost record is an average figure for major data breaches, but they calculated expenses particular to TJX and came out with the same figure.

The Ponemon Institute, a think tank focused on record privacy and data protection, expects the TJX breach costs to be even higher. They cite costs in the range of $182.00 per record, based on research from November 2006 of the cost of breaches incurred in 31 separate incidents. For TJX, this translates to $8.6 billion.

"The effectiveness of the people who stole the information is critical here," said Lane in an interview with InformationWeek. "They did it for a long time. They sold [the stolen information] out to multiple sources. Those credit card numbers are showing up in foreign countries. This is not just a U.S. security breach anymore."

Just last week, TJX was the subject of a class-action lawsuit seeking "tens of millions of dollars." The Massachusetts Bankers Association, which represents 207 financial institutions, announced that it is filing the suit in federal court in Boston. The news came less than a month after TJX disclosed in a Securities and Exchange Commission filing that more than 45 million credit and debit card numbers may have been stolen from its IT systems over an 18-month period.
The MBA also said in a release that the Connecticut Bankers Association, the Maine Association of Community Banks, and individual banks are joining as co-plaintiffs. Together, the three associations represent nearly 300 banks. Other banks can still join the suit.

TJX is the parent company of T.J. Maxx, Marshall's, HomeGoods, and other retailers. The security breach, which was announced in January, is the largest customer data breach on record.

"There are still so many unknowns with this breach that reliable assessments are truly impossible, but our estimate of more than $1 billion is not unreasonable given the total number of affected credit cards and the long time period over which the breaches occurred," said Lane. "As an example, the ChoicePoint breach cost approximately $100 per record..."

The IPLocks and Ponemon estimates fall in line with figures that Forrester Research released earlier this month. The industry analyst firm calculated that the average security breach can cost a company between $90 and $305 per lost record. Forrester reported that analysts arrived at that number by surveying 28 companies that had some type of data breach.

Lane added that he hopes companies see these kinds of costs and learn a lesson from TJX's troubles. "We keep seeing these breaches but we don't see the call to arms," he said. "They're not taking care with that data. If you're going to earn a profit on it, you need to protect it."

From alerts at infosecnews.org Thu May 3 01:25:31 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] RIM's outage spreads to Europe and mid-East
Message-ID:

http://www.theinquirer.net/default.aspx?article=39340

By Tony Dennis
02 May 2007

GIVEN THE adverse publicity which a recent outage in North America caused for Blackberry maker, RIM, you'd have thought that the company would be more forthcoming about a similar problem in Europe.
But an INQ reader working in a small City bank claims his five users have been without service since Friday 27th April. Complaining to his local service provider, O2, he was told that RIM had performed a 'cosmetic' upgrade to its system over the weekend.

The outage appears to be affecting only those who connect directly to their own Microsoft Exchange server and not those who employ RIM's own BES server solution.

The INQ has seen an email from RIM confirming that the 'high severity outage' has indeed taken place. Although the email says the problem is confined to Europe, the reader's sister company in Dubai has also been affected.

Naturally our reader investigated to see if the problem was his end. He happens to have several MDA Vario wireless PDAs on loan from T-Mobile and has discovered that they can access mail from the Exchange server with no problems.

The most frustrating part to this whole incident is that RIM has not given its users any indication of when the problem will eventually be fixed.

From alerts at infosecnews.org Fri May 4 01:20:15 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] No medals for UK Government over London Olympics security
Message-ID:

http://www.itpro.co.uk/blogs/editorial-blogs/davey-winder/195108/no-medals-for-uk-government-over-london-olympics-security.thtml

By Davey Winder
26 Apr 2007

Giving an otherwise rather dull and predictable keynote speech at Infosecurity Europe about the IT security demands of running the London Olympics, Derek Wyatt MP has let it slip that UK Government hands are tied when it comes to security technology.

He also made it clear that he has no idea where the security threat will come from, stating "who are the enemy? I wish I knew" and "don't ever underestimate the intelligence of the opposition, whoever that is."
But the biggest concern I have over the ramblings of the Right Honourable gentleman came when he started talking about the problems faced in identity management and authentication not only during the event but in the run up to it, with the construction of the venue.

Wyatt sounded quite upbeat about the possibility of using the London Oyster card, used for public transport travel, which could be upgraded fairly easily to incorporate biometric data and turned into a mini-ID card. He also sounded quite impressed with the idea of using the Nokia-based authentication system for mobile phones.

Upbeat and impressed, and then he dropped the bombshell, which I hope will not be a bad choice of words for the future, when he casually revealed that because neither of these companies was a major sponsor of the Olympics their technology could not be used.

Yes, you read that right, as far as the technology behind the security of the London Olympic Games is concerned best of breed and suitability for purpose do not come into it, paying a large amount of money to the International Olympic Committee does.

So who has bought their way into being the security experts of choice, and with whom our security and that of the visiting millions will rest? Visa. Oh whoopy-doo, I admit to feeling much more reassured now, after all these are the same people who do not suffer from any problems with identity and authentication and fraud and crime on a huge scale within their own business sector after all. Not.

And in case you are wondering why anyone should get wound up by the ramblings of some MP you have never heard of, the fact that he was speaking in his official capacity as Chairman of the All Party Parliamentary Olympic Group might just grab your attention as it did mine.
Even when questioned by a member of the British Computer Society Security Group who was as shocked as I, and expressed total disbelief that potentially far better technologies were to be overlooked simply because a sponsor had to be used, Wyatt gave a half-hearted shrug of the shoulders response along the lines of "it is out of our hands."

Personally I find it beyond contempt that security decisions that will impact upon the whole country, and the billions watching around the world, come down to a money making opportunity for a sponsor rather than being a Government controlled process. Wyatt readily admits it is nothing to do with him, his committee or indeed the Government as the deals arrangements are between the IOC and their sponsors. He also readily admits he doesn't see why the UK should have to foot the £1 billion cost of security in that case.

But again, he misses the point. Security in this case should not be about money, or who foots the bill, but about preventing lives from being lost and terror winning a gold medal on the world stage.

Visa has yet to reveal what plans it has for the games.

From alerts at infosecnews.org Fri May 4 01:20:42 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] Senators voice alarm over terrorist Net presence
Message-ID:

http://news.com.com/Senators+voice+alarm+over+terrorist+Net+presence/2100-1028_3-6181269.html

By Anne Broache
Staff Writer, CNET News.com
May 3, 2007

WASHINGTON -- Politicians on Thursday said the U.S. government must do more to counteract propagandizing by al Qaida and radical terrorist groups on the Internet.

Leaders of the Senate Committee on Homeland Security and Governmental Affairs said they're troubled that extremists are increasingly flocking to the Web to recruit, organize, conduct online courses, raise funds and plan attacks in a manner that's cheaper and speedier than ever before.

"We cannot cede cyberspace to the Islamist terrorists because if we do, they will successfully carry out attacks against us in our normal environment," Committee Chairman Sen. Joseph Lieberman (I-Conn.) said at a morning hearing here titled "The Internet: A Portal to Violent Islamist Extremism."

Sen. Susan Collins (R-Maine), the committee's co-chairman, spoke of the need to "resist the perversion of the World Wide Web into a weapon of worldwide war."

The use of the Internet by terrorist groups is hardly a new phenomenon. But according to the hearing's witnesses, the number of Web sites--many of them mirroring information published by leaders on core, authoritative sites--has multiplied from a handful in 2000 to many thousands today, with more added each week. Most of the 42 groups on the State Department's 2005 list of foreign terrorist organizations use Web sites "to promote their violent message," Collins said.

Officials from the U.S. Army and the Department of Defense and the co-author of a new report on "Internet-facilitated radicalism" told politicians at the hearing that it's clear the preferred locale for the "war of ideas" perpetuated by terrorist groups is a new cyberbattlefield.

"The Internet...is more than just a tool of terrorist organizations," said Michael Doran, a deputy assistant secretary in the Defense Department. "It is the primary repository of the essential resources for sustaining the culture of terrorism."

The latest generation of radicals is using password-protected bulletin boards to exchange ideas, translating their video and audio tapes into various foreign languages, and employing readily available services like Google Earth to scheme up targeted attacks, the witnesses said. Some sites have become virtual libraries, housing thousands of electronic books and articles written by members of a global movement bent on waging war against the United States and its worldwide allies.

"Internet chat rooms are now supplementing and replacing mosques, community centers and coffee shops as venues for recruitment and radicalization by terrorist groups like Al-Qaida," said Frank Cilluffo, director of the Homeland Security Policy Institute at George Washington University. He co-authored a report released Thursday (PDF) that details the use of the Internet by radical groups, some of whom live by the slogan "keyboard equals Kalashnikov."

The question high on politicians' minds Thursday was how to respond. Lieberman asked about the extent to which government agents are pretending to be potential recruits to get information about potential plots. "I for one would like those who are operating those terrorist Web sites to know that we are working very hard to infiltrate them," he said.

The government officials declined to comment on specific tactics in a public hearing. They repeatedly said the answer to dealing with what they deemed a serious threat lies in a combination of approaches: using technical measures to shut down sites deemed particularly threatening may sometimes be worthwhile, but it's often more prudent to allow sites to remain active for intelligence-gathering purposes.

"We can monitor them to follow the networks and assess their operational capacity," said Lt. Col. Joseph Felter, director of the Combating Terrorism Center at the U.S. Military Academy. "We can sabotage them by infiltrating their networks and flooding the Web with bogus information."

The witnesses repeatedly likened squelching the terrorist Internet presence to a game of "whack-a-mole"--when one site comes down, another one is bound to show up. They said it's particularly challenging to root out all the propaganda because al Qaida, for one, has established such strong online "branding" that its products are easily identified even when republished on unofficial sites.
Some suggested another approach would be to attempt to introduce a "counternarrative" on the sites: that is, to find ways to "amplify" the voices of movement members who express skepticism about the terrorist plans, in hopes of discrediting them from within. "What we can do is get people who are versed in the Koran, we can get people who are versed in the culture, to be able to identify how these ideas are just flat wrong," Cilluffo said.

The politicians said they won't be satisfied until the government does more about the perceived threat. The same committee has scheduled another hearing for next Thursday on the same topic, except with witnesses from the FBI and the State Department.

"The question I have is, is there something that we can do that other countries are doing within the framework of our Constitution that would limit what is being delivered here in the United States?" said Sen. George Voinovich (D-Ohio). He later remarked, "We aren't doing the job."

From alerts at infosecnews.org Fri May 4 01:21:04 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:26 2008
Subject: [ISN] RIM says there's no problem with European Blackberries
Message-ID:

http://www.theinquirer.net/default.aspx?article=39387

By Tony Dennis
03 May 2007

RIM HAS fervently denied experiencing any problems with its service in Europe. A spokesman told the INQ that any disruption over the last weekend was down to planned maintenance. He also stated, "The [recent] US outage is completely unrelated to whatever your reader's problem was." Or rather, still is.

Our source is adamant, however, that the problems are very real. He's been forced to provide access to his Blackberry users via a POP3 link. He claims that this is highly unsatisfactory given that passwords and usernames are transmitted as clear text. Previously, it has been possible to provide access to an Exchange server via an https (secure Internet) link and use a certification server to authenticate users.
Until now, this has been a viable alternative to installing a RIM BES server. Our source is adamant that RIM had provided no notification to its users of any so-called maintenance two weeks ago, as RIM has alleged. Asked if he had received such notification, our source replied, "there's no chance in hell." There is, of course, absolutely no mention of any recent US outage on the official RIM web site. Instead there's only a company statement which was sent out to 'key' publications.

From alerts at infosecnews.org Fri May 4 01:21:24 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Secunia Weekly Summary - Issue: 2007-18
Message-ID:

========================================================================
The Secunia Weekly Advisory Summary
2007-04-26 - 2007-05-03
This week: 57 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:

BETA TEST: The Network Software Inspector

Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_Inspector/

The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications.

-- NEW BLOG ENTRY

Last December, Secunia released the Software Inspector, a revolutionary tool that changed the way users all across the globe identified missing security updates.
Since then, over 300,000 inspections have been made using the Software Inspector. Secunia has received hundreds of emails with feedback, feature requests, and suggestions, all of which were thoroughly read and taken note of. This feedback lets Secunia fine-tune and improve the Software Inspector so that it can be a better tool for computer users everywhere. Now, Secunia is planning to release the Network Software Inspector (NSI), which is basically an expanded version of the Software Inspector geared for scanning on internal corporate networks.

Read More:
http://secunia.com/blog/9/

========================================================================
2) This Week in Brief:

The Month of ActiveX Bugs project was launched at the beginning of the month with what even the reporter claimed was just another Denial of Service bug in a PowerPoint viewer. However, Secunia Research was able to confirm that it was remotely exploitable, due to boundary errors within several areas in the code. These errors could be exploited to cause stack-based buffer overflows by passing long arguments to certain vulnerable methods. The vulnerable code was also confirmed to be in the Excel viewer and Word viewer products, all from the same vendor. These vulnerabilities remain unpatched, and successful exploitation can occur if a user is tricked into visiting a malicious website. Secunia urges users to refrain from browsing untrusted websites.

For more information, please refer to:
http://secunia.com/advisories/25092/
http://secunia.com/advisories/25077/
http://secunia.com/advisories/25100/

--

Several vulnerabilities have been discovered in Trillian, the popular instant messaging application capable of connecting to various IM services. These vulnerabilities can be used by attackers to gain control of a user's system, or to read instant messages without the user's knowledge.
These vulnerabilities have been patched in the latest version of Trillian, which is available from the vendor's website.

For more information, please refer to:
http://secunia.com/advisories/25086/

--

A vulnerability has been discovered in Winamp, which can be used by attackers to gain access to a vulnerable computer. The vulnerability is due to an error in the way that Winamp handles MP4 files. Successful exploitation allows an attacker to execute arbitrary code on a system, but requires that the user is first tricked into opening a specially crafted MP4 file. The vulnerability remains unpatched; thus users are urged to avoid opening untrusted MP4 files. The vendor expects to release a new Winamp version to fix this vulnerability within the next few days.

For more information:
http://secunia.com/advisories/25089/

--

An error in the way that PNG files are handled was discovered in four different graphics editor programs: Corel Paint Shop Pro, Adobe Photoshop CS2 and CS3, and Adobe Photoshop Elements Editor for Windows. These programs were found to be vulnerable to various boundary errors in handling PNG files, which could be exploited to cause stack-based buffer overflows. Successful exploitation requires that an attacker create a specially crafted PNG file, and allows execution of arbitrary code. These vulnerabilities are unpatched, and users are urged to avoid opening untrusted PNG files.

For more information:
Corel Paint Shop Pro:
http://secunia.com/advisories/25034/
Adobe Products:
http://secunia.com/advisories/25044/

--

Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_Inspector/

--

VIRUS ALERTS:

During the past week Secunia collected 169 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1. [SA25023] Adobe Photoshop BMP.8BI Bitmap File Handling Buffer Overflow
2. [SA25011] Apple QuickTime Java Extension "toQTPointer()" Code Execution
3. [SA25044] Adobe Products PNG.8BI PNG File Handling Buffer Overflow
4. [SA25089] Winamp MP4 File Handling Memory Corruption Vulnerability
5. [SA25013] Symantec Products Information Disclosure and Buffer Overflow
6. [SA25047] Cisco Products PHP "htmlentities()" and "htmlspecialchars()" Buffer Overflows
7. [SA25057] Ubuntu update for php
8. [SA25006] Sun Solaris X11 Multiple Vulnerabilities
9. [SA25037] Sun Solaris PostgreSQL SECURITY DEFINER Privilege Escalation
10. [SA25045] IBM WebSphere Application Server Unspecified Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA25100] Word Viewer OCX ActiveX Control Buffer Overflow Vulnerabilities
[SA25092] PowerPoint Viewer OCX ActiveX Control Buffer Overflow Vulnerabilities
[SA25089] Winamp MP4 File Handling Memory Corruption Vulnerability
[SA25086] Trillian Information Leakage and Buffer Overflow Vulnerabilities
[SA25077] Excel Viewer OCX ActiveX Control Buffer Overflow Vulnerabilities
[SA25076] LiveData Protocol Server WSDL Request Buffer Overflow
[SA25129] Progress WebSpeed "edit.r" Denial of Service Vulnerability
[SA25113] LiveData Server Unspecified COTP Denial of Service
[SA25126] AtomixMP3 mp3database.txt Handling Buffer Overflow Vulnerability
[SA25087] Nukedit "terms" Cross-Site Scripting
[SA25064] ZoneAlarm Pro vsdatant Driver Denial of Service

UNIX/Linux:
[SA25072] SUSE Update for Multiple Packages
[SA25110] Gentoo update for mod_perl
[SA25097] Gentoo update for ktorrent
[SA25096] Gentoo update for freetype
[SA25095] Debian update for qemu
[SA25091] Sun Java System Directory Server Denial of Service
[SA25083] rPath update for kernel
[SA25071] Papoo CMS "menuid" SQL Injection Vulnerability
[SA25068] Linux Kernel IPv6 Type 0 Route Headers Denial of Service
[SA25062] Debian update for php5
[SA25057] Ubuntu update for php
[SA25073] QEMU Various Vulnerabilities
[SA25128] PHPChain Two Cross-Site Scripting Vulnerabilities
[SA25108] Debian update for wordpress
[SA25106] Gentoo update for tomcat
[SA25084] Gentoo update for quagga
[SA25115] Ubuntu update for net-snmp
[SA25078] Debian update for linux-2.6
[SA25061] iputils rarpd Replies Denial of Service
[SA25058] Ubuntu update for postgresql
[SA25112] Avaya CMS / IR Sun Solaris libX11 Integer Overflow Vulnerability
[SA25098] Red Hat Update for Multiple Packages
[SA25080] Red Hat update for kernel
[SA25066] HP Power Manager Remote Agent Unspecified Code Execution
[SA25059] Gentoo update for beast
[SA25118] Mandriva update for xscreensaver
[SA25105] Red Hat update for xscreensaver
[SA25081] Sun Solaris 9 Auditing BSM Denial of Service
[SA25065] XScreenSaver "getpwuid()" Authentication Bypass Weakness

Other:
[SA25109] Cisco PIX and ASA Denial of Service and Security Bypass
[SA25094] OpenVMS Exception Handling Denial of Service

Cross Platform:
[SA25074] WordPress wordTube Plugin "wpPATH" File Inclusion
[SA25063] WordPress wp-Table Plugin "wpPATH" File Inclusion
[SA25060] OPeNDAP CGI Server Command Execution Vulnerability
[SA25120] 1024 CMS "item" Directory Traversal
[SA25085] sendcard Local File Inclusion and Cross-Site Scripting
[SA25082] CMS Made Simple "templateid" SQL Injection
[SA25070] ISC BIND "query_addsoa" Denial of Service
[SA25069] Java 2 Platform Privilege Escalation Vulnerability
[SA25079] VMware Products Multiple Vulnerabilities
[SA25127] DVDdb Cross-Site Scripting Vulnerabilities
[SA25124] CodePress codepress.html Cross-Site Scripting
[SA25090] Ariadne "ARLogin" Cross-Site Scripting
[SA25088] All In One Control Panel (AIOCP) Cross-Site Scripting Vulnerability
[SA25075] FileRun SQL Injection and Cross-Site Scripting
[SA25067] LAN Management System "OD" Cross-Site Scripting Vulnerability

========================================================================
5) Vulnerabilities Content Listing
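The ActiveX viewer overflows and the PNG handling overflows described in "This Week in Brief" above share one root cause: a length controlled by the attacker (a long method argument, a chunk size field in the file) drives a copy into a fixed-size stack buffer with no check against the buffer's capacity. The C program below is an added illustration of that bug class and its fix, written for this summary; it is not code from Secunia, Adobe, Corel, the affected ActiveX controls or any other product named here. The PNG-style chunk layout (4-byte big-endian length, 4-byte type, payload, CRC omitted), the 64-byte buffer and the sample bytes are assumptions chosen to make the missing check visible.

```c
/*
 * Added illustration, not code from any product in this advisory summary:
 * the stack-based buffer overflow pattern behind the ActiveX and PNG
 * advisories, shown as a minimal parser for a PNG-style chunk
 * (4-byte big-endian length, 4-byte type, payload; CRC omitted).
 *
 * parse_chunk_unsafe trusts the length field taken from the input and
 * copies that many bytes into a fixed 64-byte array living on the stack
 * in the caller's struct. parse_chunk_safe bounds the copy by both the
 * destination size and the number of bytes actually present.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_DATA_MAX 64   /* assumed destination size */

enum chunk_status { CHUNK_OK = 0, CHUNK_TRUNCATED = -1, CHUNK_TOO_LARGE = -2 };

struct chunk {
    char type[5];                       /* 4 ASCII chars plus NUL */
    uint32_t length;                    /* length as declared in the input */
    unsigned char data[CHUNK_DATA_MAX]; /* copied payload */
};

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE: the declared length alone decides how much is copied. A chunk
 * that claims 0x1000 bytes writes 4032 bytes past the end of out->data.
 * Kept for contrast only; main() never hands it an oversized chunk. */
int parse_chunk_unsafe(const unsigned char *buf, size_t buflen, struct chunk *out)
{
    if (buflen < 8)
        return CHUNK_TRUNCATED;
    out->length = read_be32(buf);
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    memcpy(out->data, buf + 8, out->length);   /* unbounded copy */
    return CHUNK_OK;
}

/* HARDENED: reject the chunk before a single payload byte is copied if the
 * declared length exceeds either the destination or the available input. */
int parse_chunk_safe(const unsigned char *buf, size_t buflen, struct chunk *out)
{
    if (buflen < 8)
        return CHUNK_TRUNCATED;
    uint32_t len = read_be32(buf);
    if (len > CHUNK_DATA_MAX)
        return CHUNK_TOO_LARGE;            /* would overflow out->data */
    if ((size_t)len > buflen - 8)
        return CHUNK_TRUNCATED;            /* would read past the input */
    out->length = len;
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    memcpy(out->data, buf + 8, len);
    return CHUNK_OK;
}

/* Constructed sample inputs (assumed, not taken from any real file). */
static const unsigned char GOOD_CHUNK[] = {       /* declares 4, carries 4 */
    0x00, 0x00, 0x00, 0x04, 'I', 'H', 'D', 'R', 0xde, 0xad, 0xbe, 0xef
};
static const unsigned char EVIL_CHUNK[] = {       /* declares 4096, carries 4 */
    0x00, 0x00, 0x10, 0x00, 'I', 'D', 'A', 'T', 0x41, 0x41, 0x41, 0x41
};
static const unsigned char TRUNC_CHUNK[] = {      /* declares 16, carries 4 */
    0x00, 0x00, 0x00, 0x10, 't', 'E', 'X', 't', 0x01, 0x02, 0x03, 0x04
};

int main(void)
{
    const struct { const char *name; const unsigned char *buf; size_t len; } samples[] = {
        { "good",      GOOD_CHUNK,  sizeof GOOD_CHUNK  },
        { "oversized", EVIL_CHUNK,  sizeof EVIL_CHUNK  },
        { "truncated", TRUNC_CHUNK, sizeof TRUNC_CHUNK },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct chunk c;
        int rc = parse_chunk_safe(samples[i].buf, samples[i].len, &c);
        if (rc == CHUNK_OK)
            printf("%-9s: accepted type=%s length=%u\n", samples[i].name, c.type, c.length);
        else
            printf("%-9s: rejected (%s) before any byte was copied\n", samples[i].name,
                   rc == CHUNK_TOO_LARGE ? "declared length exceeds buffer"
                                         : "declared length exceeds input");
    }
    /* parse_chunk_unsafe(EVIL_CHUNK, ...) would smash the stack; not called. */
    return 0;
}
```

The two checks in parse_chunk_safe are the whole fix: the first stops the write from running off the end of the destination, the second stops the read from running off the end of the input. Both are needed; checking only the destination size still lets a chunk that declares more bytes than the file holds read adjacent memory. Order the checks so the rejection happens before memcpy is reached, as a check after the copy is too late.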
Windows:
--
[SA25100] Word Viewer OCX ActiveX Control Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-03
shinnai has discovered some vulnerabilities in Word Viewer OCX, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25100/

--
[SA25092] PowerPoint Viewer OCX ActiveX Control Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-02
shinnai has discovered some vulnerabilities in PowerPoint Viewer OCX, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25092/

--
[SA25089] Winamp MP4 File Handling Memory Corruption Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-01
Marsu has reported a vulnerability in Winamp, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25089/

--
[SA25086] Trillian Information Leakage and Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2007-05-01
Some vulnerabilities have been reported in Trillian, which can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system.
Full Advisory: http://secunia.com/advisories/25086/

--
[SA25077] Excel Viewer OCX ActiveX Control Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-02
shinnai has discovered some vulnerabilities in Excel Viewer OCX, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25077/

--
[SA25076] LiveData Protocol Server WSDL Request Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2007-05-03
A vulnerability has been reported in LiveData Protocol Server, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25076/

--
[SA25129] Progress WebSpeed "edit.r" Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-05-03
Eelko Neven has reported a vulnerability in Progress, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25129/

--
[SA25113] LiveData Server Unspecified COTP Denial of Service
Critical: Moderately critical
Where: From local network
Impact: DoS
Released: 2007-05-03
A vulnerability has been reported in LiveData Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25113/

--
[SA25126] AtomixMP3 mp3database.txt Handling Buffer Overflow Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2007-05-03
Preth00nker has discovered a vulnerability in AtomixMP3, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/25126/

--
[SA25087] Nukedit "terms" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-01
Nexus has reported a vulnerability in Nukedit, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25087/

--
[SA25064] ZoneAlarm Pro vsdatant Driver Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-05-02
Matousec has discovered a vulnerability in ZoneAlarm Pro, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25064/

UNIX/Linux:
--
[SA25072] SUSE Update for Multiple Packages
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2007-04-30
SUSE has issued an update for multiple packages. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25072/

--
[SA25110] Gentoo update for mod_perl
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-05-02
Gentoo has issued an update for mod_perl. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25110/

--
[SA25097] Gentoo update for ktorrent
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2007-05-02
Gentoo has issued an update for ktorrent. This fixes two vulnerabilities, which can be exploited by malicious people to overwrite arbitrary files on a user's system or potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/25097/

--
[SA25096] Gentoo update for freetype
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-05-02
Gentoo has issued an update for freetype. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.
Full Advisory: http://secunia.com/advisories/25096/

--
[SA25095] Debian update for qemu
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2007-05-01
Debian has issued an update for qemu. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions and cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25095/

--
[SA25091] Sun Java System Directory Server Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-05-02
A vulnerability has been reported in Sun Java System Directory Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25091/

--
[SA25083] rPath update for kernel
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-05-02
rPath has issued an update for the kernel. This fixes two vulnerabilities, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25083/

--
[SA25071] Papoo CMS "menuid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-04-30
Kacper has discovered a vulnerability in Papoo CMS, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/25071/

--
[SA25068] Linux Kernel IPv6 Type 0 Route Headers Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-04-30
A security issue has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25068/

--
[SA25062] Debian update for php5
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, System access
Released: 2007-04-30
Debian has issued an update for php5. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, malicious users to disclose potentially sensitive information, bypass certain security restrictions or compromise a vulnerable system, and by malicious people to bypass certain security restrictions and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25062/

--
[SA25057] Ubuntu update for php
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Privilege escalation, DoS, System access
Released: 2007-04-27
Ubuntu has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information, bypass certain security restrictions, gain escalated privileges, cause a DoS (Denial of Service), compromise a vulnerable system, and by malicious people to disclose potentially sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25057/

--
[SA25073] QEMU Various Vulnerabilities
Critical: Moderately critical
Where: Local system
Impact: Security Bypass, DoS
Released: 2007-05-01
Tavis Ormandy has reported some vulnerabilities in QEMU, which can be exploited by malicious users to bypass certain security restrictions or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25073/

--
[SA25128] PHPChain Two Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-03
r0t has discovered some vulnerabilities in PHPChain, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25128/

--
[SA25108] Debian update for wordpress
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2007-05-02
Debian has issued an update for wordpress. This fixes some vulnerabilities, which can be exploited by malicious users to conduct SQL injection attacks and bypass certain security restrictions, or by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25108/

--
[SA25106] Gentoo update for tomcat
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2007-05-02
Gentoo has issued an update for tomcat. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25106/

--
[SA25084] Gentoo update for quagga
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-05-02
Gentoo has issued an update for quagga. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25084/

--
[SA25115] Ubuntu update for net-snmp
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2007-05-03
Ubuntu has issued an update for net-snmp. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25115/

--
[SA25078] Debian update for linux-2.6
Critical: Less critical
Where: From local network
Impact: Privilege escalation, DoS
Released: 2007-05-03
Debian has issued an update for linux-2.6. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and gain escalated privileges, and by malicious people to cause a DoS.
Full Advisory: http://secunia.com/advisories/25078/

--
[SA25061] iputils rarpd Replies Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2007-04-30
A vulnerability has been reported in iputils, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25061/

--
[SA25058] Ubuntu update for postgresql
Critical: Less critical
Where: From local network
Impact: Privilege escalation
Released: 2007-04-30
Ubuntu has issued an update for postgresql. This fixes a security issue, which can be exploited by malicious users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/25058/

--
[SA25112] Avaya CMS / IR Sun Solaris libX11 Integer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2007-05-03
Avaya has acknowledged a vulnerability in Avaya CMS and IR, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/25112/

--
[SA25098] Red Hat Update for Multiple Packages
Critical: Less critical
Where: Local system
Impact: Security Bypass, Spoofing, Privilege escalation, DoS, System access
Released: 2007-05-02
Red Hat has issued updates for multiple packages. This fixes some vulnerabilities and security issues, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges or to gain escalated privileges, bypass certain security restrictions, and cause a DoS (Denial of Service), or by malicious users to bypass certain security restrictions and malicious people to spoof emails, cause a DoS or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25098/

--
[SA25080] Red Hat update for kernel
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, DoS
Released: 2007-05-01
Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/25080/

--
[SA25066] HP Power Manager Remote Agent Unspecified Code Execution
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2007-04-30
A vulnerability has been reported in HP Power Manager Remote Agent (RA), which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/25066/

--
[SA25059] Gentoo update for beast
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2007-04-30
Gentoo has issued an update for beast. This fixes a security issue, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/25059/

--
[SA25118] Mandriva update for xscreensaver
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2007-05-03
Mandriva has issued an update for xscreensaver. This fixes a weakness, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25118/

--
[SA25105] Red Hat update for xscreensaver
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2007-05-03
Red Hat has issued an update for xscreensaver. This fixes a weakness, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25105/

--
[SA25081] Sun Solaris 9 Auditing BSM Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-05-02
A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25081/

--
[SA25065] XScreenSaver "getpwuid()" Authentication Bypass Weakness
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2007-05-03
Alex Yamauchi has reported a weakness in XScreenSaver, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25065/

Other:
--
[SA25109] Cisco PIX and ASA Denial of Service and Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2007-05-03
Some vulnerabilities have been reported in Cisco PIX and ASA, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25109/

--
[SA25094] OpenVMS Exception Handling Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-05-01
A vulnerability has been reported in OpenVMS, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25094/

Cross Platform:
--
[SA25074] WordPress wordTube Plugin "wpPATH" File Inclusion
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-05-02
M.Hasran Addahroni has reported a vulnerability in the wordTube plugin for WordPress, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25074/

--
[SA25063] WordPress wp-Table Plugin "wpPATH" File Inclusion
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-05-02
M.Hasran Addahroni has reported a vulnerability in the wp-Table plugin for WordPress, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25063/

--
[SA25060] OPeNDAP CGI Server Command Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-01
A vulnerability has been reported in OPeNDAP CGI Server, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25060/

--
[SA25120] 1024 CMS "item" Directory Traversal
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2007-05-03
Dj7xpl has discovered a vulnerability in 1024 CMS, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/25120/

--
[SA25085] sendcard Local File Inclusion and Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released: 2007-05-02
Some vulnerabilities have been discovered in sendcard, which can be exploited by malicious people to conduct cross-site scripting attacks and to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/25085/

--
[SA25082] CMS Made Simple "templateid" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-05-02
Daniel Lucq has discovered a vulnerability in CMS Made Simple, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/25082/

--
[SA25070] ISC BIND "query_addsoa" Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2007-05-01
A vulnerability has been reported in BIND, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25070/

--
[SA25069] Java 2 Platform Privilege Escalation Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2007-05-01
Sun has acknowledged a vulnerability in the Java Web Start of the Java 2 Platform, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25069/

--
[SA25079] VMware Products Multiple Vulnerabilities
Critical: Moderately critical
Where: Local system
Impact: Security Bypass, DoS
Released: 2007-05-01
Some vulnerabilities have been reported in various VMware products, which can be exploited by malicious users to cause a DoS (Denial of Service) or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25079/

--
[SA25127] DVDdb Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-03
r0t has discovered vulnerabilities in DVDdb, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25127/

--
[SA25124] CodePress codepress.html Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-03
A vulnerability has been reported in CodePress, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25124/

--
[SA25090] Ariadne "ARLogin" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-01
Ronald van den Heetkamp has reported a vulnerability in Ariadne, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25090/

--
[SA25088] All In One Control Panel (AIOCP) Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-03
A vulnerability has been reported in All In One Control Panel (AIOCP), which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25088/

--
[SA25075] FileRun SQL Injection and Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2007-05-02
r0t has reported some vulnerabilities in FileRun, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25075/

--
[SA25067] LAN Management System "OD" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-04-30
A vulnerability has been reported in LAN Management System, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25067/

========================================================================
Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From alerts at infosecnews.org Fri May 4 01:21:43 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Microsoft To Issue Seven Security Patches On Tuesday
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=199203705

By Larry Greenemeier
InformationWeek
May 3, 2007

Microsoft customers can look forward to seven security bulletins, some of them critical, affecting Windows, Office, and Exchange as well as CAPICOM and BizTalk as part of next week's Patch Tuesday ritual. Microsoft said Thursday that next week it will also provide an update to its Windows Malicious Software Removal Tool. In addition, the company is planning to release one high-priority non-security update on Windows Update as well as six high-priority non-security updates through Microsoft Update.

Three security bulletins slated for Patch Tuesday affect Office, while two affect Windows.
Exchange is affected by one bulletin, as are Microsoft BizTalk business process management server and Capicom, a Microsoft ActiveX control that can be used to enable the digital signing of data with a smart card or software key, the verification of digitally signed data, and the graphical display of certificate information, among other security functions.

The patches related to Microsoft Office should prove the most interesting of an otherwise routine Patch Tuesday experience, says Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center. While BizTalk affects relatively few Microsoft customers, it's an important system and those using it will have a keen interest in that patch.

Microsoft also says it hasn't discovered any new information pertaining to mid-April reports of an attack exploiting a vulnerability in the Domain Name System Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft has thus far learned that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service. The company had a few weeks ago been seeing new attacks by the Win32/Siveras bot family to exploit the vulnerability. Windows Live Safety Scanner and Windows Live OneCare can be used to detect currently known malware types trying to exploit the vulnerability.

The Windows DNS Server's problem has been ongoing and centers on a flaw that leaves the system exposed to buffer overflows and a problem with the system's design that doesn't require users to authenticate before being given permission to make changes to DNS server information, Ullrich says. "Disabling this feature is a fairly solid workaround, although it also disables some of the system's management features."
From alerts at infosecnews.org  Fri May  4 01:22:22 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Lawmakers act on data security bills
Message-ID:

http://www.fcw.com/article102630-05-03-07-Web

By Mary Mosquera
May 3, 2007

Rep. Tom Davis (R-Va.), ranking member on the House Oversight and Government Reform Committee, introduced a bill today that would require agencies to better protect the sensitive data they collect and promptly notify those whose data is lost or stolen.

The Federal Agency Data Breach Protection Act directs the Office of Management and Budget to establish practices and standards for informing citizens of lost data and provides a clear definition of the type of sensitive information to which the law would apply. In addition, it gives agency chief information officers authority to ensure that workers comply with data security laws.

"Secure information is the lifeblood of effective government policy and management, yet federal agencies continue to hemorrhage vital data," Davis said. "It is our duty to ask what is being done to protect the sensitive information of millions of Americans and how we can limit the damage when personal data is lost or stolen."

This bill is identical to one Davis introduced last year that was incorporated into the Veterans Identity and Credit Security Act, which passed the House in September 2006. It addresses concerns raised when a Veterans Affairs Department employee reported the theft from his home of a laptop computer that contained personal information on millions of veterans. VA leaders delayed acting on the report for almost two weeks, leaving those veterans at risk of identity theft and other crimes.
In Davis' most recent annual report card last month on how well agencies protect sensitive information and adhere to the Federal Information Security Management Act of 2002, the government overall garnered a C-, but several agencies, including the Homeland Security Department, received F's.

Davis' bill would amend FISMA to:

* Clarify the authority an agency head could delegate to the CIO.
* Require agencies to establish data breach notification procedures in line with OMB policies, procedures and standards.
* Authorize agencies to establish policies and procedures for accounting for all federal personal property assigned to departing employees.
* Define sensitive personal information.

Also today, the Senate Judiciary Committee approved two data security bills. The Notification of Risk to Personal Data Act, which Sen. Dianne Feinstein (D-Calif.) introduced, would protect individuals from identity theft by requiring agencies and businesses to notify consumers in the event of a security breach that exposes their personal data.

The committee approved another, more comprehensive data privacy bill, the Personal Data Privacy and Security Act of 2007, sponsored by Committee Chairman Sen. Patrick Leahy (D-Vt.) and Sen. Arlen Specter (R-Pa.), ranking Republican, with notification provisions identical to those in Feinstein's legislation.

Last year, Feinstein's data breach notification measure was included as part of a comprehensive data privacy bill that passed the Judiciary Committee but did not get Senate floor action.

From alerts at infosecnews.org  Fri May  4 01:23:31 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Call for papers - Usenix Workshop On Offensive Technologies (WOOT 07)
Message-ID:

Forwarded from: Tal Garfinkel

Got a good attack paper in the works?
In concert with the 2008 Usenix Security Symposium, we are putting on WOOT (Workshop On Offensive Technologies), intended to pull in folks from a wide range of academic and industry communities to explore the state of the art in attack technologies in a high quality, peer reviewed setting.

Topics include:

* Vulnerability research (software auditing, reverse engineering)
* Penetration testing
* Exploit techniques and automation
* Network-based attacks (routing, DNS, IDS/IPS/firewall evasion)
* Reconnaissance (scanning, software, and hardware fingerprinting)
* Malware design and implementation (rootkits, viruses, bots, worms)
* Denial-of-service attacks
* Web and database security
* Weaknesses in deployed systems (VoIP, telephony, wireless, games)
* Practical cryptanalysis (hardware, DRM, etc.)

Submissions are due June 7th, check out the call for papers at:

http://www.usenix.org/events/woot07/cfp/

Tal

From alerts at infosecnews.org  Mon May  7 01:05:42 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Lax security led to TJX breach
Message-ID:

http://www.theregister.co.uk/2007/05/04/txj_nonfeasance/

By Dan Goodin in San Francisco
4th May 2007

A wireless network that employed less protection than many people use on their home systems appears to be the weak link that led TJX Companies, the US-based retailing empire, to preside over the world's biggest known theft of credit-card numbers.

Despite a market capitalization of almost $13bn, it appears the company couldn't afford to secure its Wi-Fi network with anything more robust than the woefully inadequate Wired Equivalent Privacy protocol. (The much more secure Wi-Fi Protected Access has come standard on most routers for four years now.) It also failed to use firewalls or install software patches and disregarded requirements imposed by Visa and MasterCard concerning how card information is stored and transmitted.
According to a front-page article in today's Wall Street Journal [1], the nonfeasance allowed hackers to use a simple telescope-shaped antenna and a laptop to intercept data flowing through a Wi-Fi network used at a Marshalls discount clothing store near St. Paul, Minnesota.

"It was as easy as breaking into a house through a side window that was wide open," a person familiar with the investigation told the Journal.

The hackers, who bore the hallmarks of Romanian gangs and Russian organized crime groups, were able to eavesdrop on employees logging into TJX's central server in Framingham, Massachusetts, where the miscreants eventually were able to set up their own accounts. From then on, they were able to log onto the system remotely, from anywhere in the world. The trespassers brazenly used the network as a communication post, leaving each other encrypted messages so one wouldn't duplicate the work of another.

They also may have lifted card information that was being processed over the network, taking advantage of TJX's failure to use encryption when transmitting the data, as required by credit-card company guidelines.

TJX has fessed up to losing 45.7m credit and debit card numbers and personal information relating to almost 500,000 people. But according to one person, the thieves may have purloined as many as 200m accounts. (TJX rejects that claim as "speculation.")

Stolen card numbers have been used in at least seven US states and at least eight countries, including Mexico, China, Italy, Australia and Japan. In one case, police in Florida charged a single gang with using hacked TJX card data to steal $8m in transactions at Wal-Mart Stores and other outlets.

All told, the breach could cost TJX $1bn over five years in costs for consultants, security upgrades, attorney fees and damage-control marketing, analysts from Forrester Research estimate.
Significantly, Forrester's estimate doesn't include liabilities that may result from lawsuits, such as one recently filed by associations representing almost 300 Northeastern banks in the US. Plenty of banks have been saddled with costs resulting from the breach. Banking associates are lobbying federal and state lawmakers for legislation that would require companies who suffer security breaches to absorb the costs of issuing new credit cards.

[1] http://online.wsj.com/article/SB117824446226991797.html

From alerts at infosecnews.org  Mon May  7 01:06:51 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Linux Advisory Watch - May 4th 2007
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  May 4th 2007                                 Volume 8, Number 18a  |
+---------------------------------------------------------------------+

Editors:      Dave Wreski                     Benjamin D. Thomas
              dave@linuxsecurity.com          ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week advisories were released for php4, php5, qemu, wordpress, selinux-policy, policycoreutils, bind, kernel, capi4k-utils, Ktorrent, Tomcat, mod_perl, Quagga, postgresql, xscreensaver, unzip, w3c, gcc, gdb, util-linux, busybox, cpio, sendmail, openssh, shadow-utils, gdm, openldap, rdesktop, and net-snmp. The distributors include Debian, Fedora, Gentoo, Red Hat, and Ubuntu.

---

Vyatta: Open-Source Router / Firewall / VPN

Vyatta software and appliances combine the features, performance and reliability of an enterprise-class router and firewall with the cost savings and flexibility of open source solutions.
Free Vyatta Community Edition 2 Software & Live Demo Webinars
http://www.linuxsecurity.com/ads/adclick.php?bannerid=28

---

* EnGarde Secure Linux v3.0.13 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.13 (Version 3.0, Release 13). This release includes several bug fixes and feature enhancements to the SELinux policy and several updated packages.

http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.13

---

RFID with Bio-Smart Card in Linux

In this paper, we describe the integration of fingerprint template and RF smart card for clustered network, which is designed on Linux platform and Open source technology to obtain biometrics security. The combination of smart card and biometrics achieves two-step authentication, where smart card authentication is based on a Personal Identification Number (PIN) and the card holder is authenticated using the biometrics template stored in the smart card, which is based on fingerprint verification.

http://www.linuxsecurity.com/content/view/125052/171/

---

Packet Sniffing Overview

The best way to secure yourself against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/123570/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New php4 packages fix several vulnerabilities
  26th, April, 2007

Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code.
The Common Vulnerabilities and Exposures project identifies the following problems:

http://www.linuxsecurity.com/content/view/127952

* Debian: New php5 packages fix several vulnerabilities
  29th, April, 2007

Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

http://www.linuxsecurity.com/content/view/127980

* Debian: New qemu packages fix several vulnerabilities
  1st, May, 2007

Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems.

http://www.linuxsecurity.com/content/view/128002

* Debian: New wordpress packages fix multiple vulnerabilities
  1st, May, 2007

Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF.

http://www.linuxsecurity.com/content/view/128019

* Debian: New Linux 2.6.18 packages fix several vulnerabilities
  2nd, May, 2007

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.
The Common Vulnerabilities and Exposures project identifies the

http://www.linuxsecurity.com/content/view/128049

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 6 Update: selinux-policy-2.4.6-62.fc6
  30th, April, 2007

- Revert patch to stop secadm and sysadm from having audit_control
- Allow clamav to create pid files in amavis_var_run
- Allow apcupsd to send itself signals

http://www.linuxsecurity.com/content/view/127993

* Fedora Core 6 Update: policycoreutils-1.34.1-8.fc6
  30th, April, 2007

policycoreutils contains the policy core utilities that are required for basic operation of a SELinux system. These utilities include load_policy to load policies, setfiles to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context.

http://www.linuxsecurity.com/content/view/127994

* Fedora Core 6 Update: bind-9.3.4-4.fc6
  30th, April, 2007

- race-condition has been discovered in bind's dbus code
- some minor issues in bind-chroot-admin script

http://www.linuxsecurity.com/content/view/127995

* Fedora Core 6 Update: kernel-2.6.20-1.2948.fc6
  1st, May, 2007

The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers.

http://www.linuxsecurity.com/content/view/128016

* Fedora Core 5 Update: kernel-2.6.20-1.2316.fc5
  1st, May, 2007

The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers.

http://www.linuxsecurity.com/content/view/128017

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: BEAST Denial of Service
  27th, April, 2007

A vulnerability has been discovered in BEAST allowing for a Denial of Service.
http://www.linuxsecurity.com/content/view/127973

* Gentoo: capi4k-utils Buffer overflow
  27th, April, 2007

capi4k-utils is vulnerable to a buffer overflow in the bufprint() function.

http://www.linuxsecurity.com/content/view/127974

* Gentoo: Ktorrent Multiple vulnerabilities
  1st, May, 2007

Multiple vulnerabilities have been discovered in Ktorrent allowing for the remote execution of arbitrary code and a Denial of Service. A remote attacker could entice a user to download a specially crafted torrent file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running Ktorrent.

http://www.linuxsecurity.com/content/view/128032

* Gentoo: FreeType User-assisted execution of arbitrary code
  1st, May, 2007

A vulnerability has been discovered in FreeType allowing for user-assisted remote execution of arbitrary code. A remote attacker could entice a user to use a specially crafted BDF font, possibly resulting in a heap-based buffer overflow and the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/128033

* Gentoo: Tomcat Information disclosure
  1st, May, 2007

A vulnerability has been discovered in Tomcat that allows for the disclosure of sensitive information. A remote attacker could send a specially crafted URL to the vulnerable Tomcat server, possibly resulting in a directory traversal and read access to arbitrary files with the privileges of the user running Tomcat. Note that this vulnerability can only be exploited when using apache proxy modules like mod_proxy, mod_rewrite or mod_jk.

http://www.linuxsecurity.com/content/view/128034

* Gentoo: Apache mod_perl Denial of Service
  2nd, May, 2007

The mod_perl Apache module is vulnerable to a Denial of Service when processing regular expressions. A remote attacker could send a specially crafted URL to the vulnerable server, possibly resulting in a massive resource consumption.
http://www.linuxsecurity.com/content/view/128037

* Gentoo: Quagga Denial of Service
  2nd, May, 2007

A vulnerability has been discovered in Quagga allowing for a Denial of Service. A malicious peer inside a BGP area could send a specially crafted packet to a Quagga instance, possibly resulting in a crash of the Quagga daemon.

http://www.linuxsecurity.com/content/view/128039

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated postgresql packages fix vulnerability
  26th, April, 2007

A weakness in previous versions of PostgreSQL was found in the security definer functions in which an authenticated but otherwise unprivileged SQL user could use temporary objects to execute arbitrary code with the privileges of the security-definer function.

http://www.linuxsecurity.com/content/view/127947

* Mandriva: Updated ktorrent packages fix vulnerability
  1st, May, 2007

A directory traversal vulnerability was found in KTorrent prior to 2.1.2, due to an incomplete fix for a prior directory traversal vulnerability that was corrected in version 2.1.2. Previously, KTorrent would only check for the string .., which could permit strings such as ../.

http://www.linuxsecurity.com/content/view/128036

* Mandriva: Updated quagga packages fix DoS vulnerability
  2nd, May, 2007

The BGP routing daemon in Quagga did not properly validate length values in NLRI attributes which could allow a remote attacker to cause a denial of service via a crafted UPDATE message that triggered an assertion error or out of bounds read. Updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/128052

* Mandriva: Updated xscreensaver packages fix vulnerability
  3rd, May, 2007

A problem with the way xscreensaver verifies user passwords was discovered by Alex Yamauchi. When a system is using remote authentication (i.e.
LDAP) for logins, a local attacker able to cause a network outage on the system could cause xscreensaver to crash, which would unlock the screen. Updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/128055

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: kernel security and bug fix update
  30th, April, 2007

Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available. Fixes a flaw in the IPv6 socket option handling that allowed a local user to read arbitrary kernel memory. Also a flaw in the IPv6 socket option handling that allowed a local user to cause a denial of service. And a flaw in the utrace support that allowed a local user to cause a denial of service.

http://www.linuxsecurity.com/content/view/127990

* RedHat: Low: unzip security and bug fix update
  1st, May, 2007

Updated unzip packages that fix two security issues and various bugs are now available. A race condition was found in Unzip. Local users could use this flaw to modify permissions of arbitrary files via a hard link attack on a file while it was being decompressed (CVE-2005-2475).

http://www.linuxsecurity.com/content/view/128020

* RedHat: Low: w3c-libwww security and bug fix update
  1st, May, 2007

Updated w3c-libwww packages that fix a security issue and a bug are now available. Several buffer overflow flaws in w3c-libwww were found. If a client application that uses w3c-libwww connected to a malicious HTTP server, it could trigger an out of bounds memory access, causing the client application to crash (CVE-2005-3183).

http://www.linuxsecurity.com/content/view/128021

* RedHat: Moderate: gcc security and bug fix update
  1st, May, 2007

Updated gcc packages that fix a security issue and various bugs are now available. Weigert discovered a directory traversal flaw in fastjar.
An attacker could create a malicious JAR file which, if unpacked using fastjar, could write to any files the victim had write access to.

http://www.linuxsecurity.com/content/view/128022

* RedHat: Low: gdb security and bug fix update
  1st, May, 2007

An updated gdb package that fixes a security issue and various bugs is now available. Various buffer overflows and underflows were found in the DWARF expression computation stack in GDB. If a user loaded an executable containing malicious debugging information into GDB, an attacker might be able to execute arbitrary code with the privileges of the user.

http://www.linuxsecurity.com/content/view/128023

* RedHat: Low: util-linux security and bug fix update
  1st, May, 2007

An updated util-linux package that corrects a security issue and fixes several bugs is now available. A flaw was found in the way the login process handled logins which did not require authentication. Certain processes which conduct their own authentication could allow a remote user to bypass intended access policies which would normally be enforced by the login process.

http://www.linuxsecurity.com/content/view/128024

* RedHat: Low: busybox security update
  1st, May, 2007

Updated busybox packages that fix a security issue are now available. BusyBox did not use a salt when generating passwords. This made it easier for local users to guess passwords from a stolen password file.

http://www.linuxsecurity.com/content/view/128025

* RedHat: Low: cpio security and bug fix update
  1st, May, 2007

An updated cpio package that fixes a security issue and various bugs is now available. A buffer overflow was found in cpio on 64-bit platforms. By tricking a user into adding a specially crafted large file to a cpio archive, a local attacker may be able to exploit this flaw to execute arbitrary code with the target user's privileges.
(CVE-2005-4268)

http://www.linuxsecurity.com/content/view/128026

* RedHat: Low: sendmail security and bug fix update
  1st, May, 2007

Updated sendmail packages that fix a security issue and various bugs are now available for Red Hat Enterprise Linux 4. The configuration of Sendmail on Red Hat Enterprise Linux was found to not reject the "localhost.localdomain" domain name for e-mail messages that came from external hosts. This could have allowed remote attackers to disguise spoofed messages.

http://www.linuxsecurity.com/content/view/128027

* RedHat: Low: openssh security and bug fix update
  1st, May, 2007

Updated openssh packages that fix a security issue and various bugs are now available. OpenSSH stores hostnames, IP addresses, and keys in plaintext in the known_hosts file. A local attacker that has already compromised a user's SSH account could use this information to generate a list of additional targets that are likely to have the same password or key.

http://www.linuxsecurity.com/content/view/128028

* RedHat: Low: shadow-utils security and bug fix update
  1st, May, 2007

Updated shadow-utils packages that fix a security issue and various bugs are now available. A flaw was found in the useradd tool in shadow-utils. A new user's mailbox, when created, could have random permissions for a short period. This could allow a local attacker to read or modify the mailbox.

http://www.linuxsecurity.com/content/view/128029

* RedHat: Low: gdm security and bug fix update
  1st, May, 2007

An updated gdm package that fixes a security issue and a bug is now available. Marcus Meissner discovered a race condition issue in the way Gdm modifies the permissions on the .ICEauthority file. A local attacker could exploit this flaw to gain privileges. Due to the nature of the flaw, however, a successful exploitation was unlikely.
http://www.linuxsecurity.com/content/view/128030

* RedHat: Low: openldap security update
  1st, May, 2007

Updated openldap packages that fix a security flaw are now available for Red Hat Enterprise Linux 4. A flaw was found in the way OpenLDAP handled selfwrite access. Users with selfwrite access were able to modify the distinguished name of any user.

http://www.linuxsecurity.com/content/view/128031

* RedHat: Important: xscreensaver security update
  2nd, May, 2007

An updated xscreensaver package that fixes a security flaw is now available for Red Hat Enterprise Linux 2.1, 3, and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128047

* RedHat: Moderate: postgresql security update
  3rd, May, 2007

Updated postgresql packages that fix several security vulnerabilities are now available for the Red Hat Application Stack. A flaw was found in the way PostgreSQL allows authenticated users to execute security-definer functions. It was possible for an unprivileged user to execute arbitrary code with the privileges of the security-definer function. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128061

* SuSE: Linux kernel (SUSE-SA:2007:029)
  3rd, May, 2007

A NULL pointer dereference in the IPv6 sockopt handling could potentially be used by local attackers to read arbitrary kernel memory and thereby gain access to private information.

http://www.linuxsecurity.com/content/view/128064

* Ubuntu: rdesktop regression
  26th, April, 2007

USN-453-1 provided an updated libx11 package to fix a security vulnerability. This triggered an error in rdesktop so that it crashed on startup. This update fixes the problem.

http://www.linuxsecurity.com/content/view/127949

* Ubuntu: PHP vulnerabilities
  27th, April, 2007

Stefan Esser discovered multiple vulnerabilities in the "Month of PHP bugs".
The substr_compare() function did not sufficiently verify its length argument. This might be exploited to read otherwise inaccessible memory, which might lead to information disclosure. (CVE-2007-1375)

The shared memory (shmop) functions did not verify resource types, thus they could be called with a wrong resource type that might contain user supplied data. This could be exploited to read and write arbitrary memory addresses of the PHP interpreter. This issue does not affect Ubuntu 7.04. (CVE-2007-1376)

http://www.linuxsecurity.com/content/view/127959

* Ubuntu: PostgreSQL vulnerability
  27th, April, 2007

PostgreSQL did not handle the "search_path" configuration option in a secure way for functions declared as "SECURITY DEFINER". Previously, an attacker could override functions and operators used by the security definer function to execute arbitrary SQL commands with the privileges of the user who created the security definer function.

http://www.linuxsecurity.com/content/view/127967

* Ubuntu: net-snmp vulnerability
  2nd, May, 2007

The SNMP service did not correctly handle TCP disconnects. Remote subagents could cause a denial of service if they dropped a connection at a specific time.

http://www.linuxsecurity.com/content/view/128048

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From alerts at infosecnews.org  Mon May  7 01:07:07 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Firms hit rivals with web attacks
Message-ID:

http://news.bbc.co.uk/1/hi/technology/6623673.stm

By Mark Ward
Technology Correspondent
BBC News website
4 May 2007

Legitimate businesses are turning to cyber criminals to help them cripple rival websites, say security experts.
The rise in industrial sabotage comes as some suggest cyber criminals are turning away from using web-based attack tools in extortion rackets.

Experts suspect this is because of the risks involved in mounting such an attack on a web shop or retailer. Instead the tools, usually hijacked home computers, are being used to pump out junk e-mail.

Cash call

Often these hijacked PCs, known as bots, are used for "Distributed Denial of Service" (DDoS) attacks that attempt to knock a site or server offline by bombarding it with huge amounts of data.

Online gambling sites were among the first to be threatened with DDoS attacks if they did not hand over significant sums of cash.

In a recent entry on the Symantec Security Response blog, Yazan Gable said the company had seen a "pretty sharp decline" in the number of attacks that try to extort cash.

Mr Gable said this was because extortion attacks were no longer profitable: knocking a website offline via DDoS was "loud and risky".

Many of those controlling the networks of bot computers have now started using them to send out spam, which was just as lucrative and a lot less risky, said Mr Gable.

But Paul Sop, chief technology officer at Prolexic, which helps victims cope with DDoS attacks, said they were proving as popular as ever.

"We've seen more DDoS attacks in the last few months than we have ever seen," he said.

The decline could just be part of the arms race between criminals and security firms.

"When the gangs feel the pincers coming in they change their strategy," he said.

There was no reason to think the decline was because such attacks were no longer profitable. Not least, he said, because only in 20% of cases do attacks stop once a victim has made a payment.

"Once they have you hooked they'll keep going," he said, "it can get up to some pretty serious numbers."

Mr Sop said the number of extortion-based attacks had declined a little but this had been more than made up for by companies using them to batter rivals.
"We are seeing a lot of anti-competitive behaviour," he said. Mr Sop added that many more Asian targets were being hit by DDoS attacks - a region in which Symantec did not historically have a big presence. In Asia, he said, DDoS attacks were proving very popular with unscrupulous firms keen to get ahead of their rivals. "The really frightening thing is you can buy access to a botnet for a small amount of money and you can have you competitor down for a long time," he said. In one case that Prolexic helped with a firm was battered for four months by a rival using a botnet owned by a criminal gang. "It's a great use of funds to destroy your competitor," he said. 5B5B From alerts at infosecnews.org Mon May 7 01:08:16 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:27 2008 Subject: [ISN] Interview with Harlan Carvey, Author of Windows Forensic Analysis Message-ID: http://www.andrewhay.ca/archives/112 By Andrew Hay May 4, 2007 After speaking with Harlan Carvey on several online communities we both frequent he agreed to be interviewed on Windows forensics and his new book: How did you get into forensics? I started in the commercial infosec arena as a consultant doing vulnerability assessments and pen tests. At one point, I started working for a company, and a forensics guy needed some assistance. With something of a security background and a clearance, as well as some technical knowledge, I helped out and began to see the other side of the coin. I began to see the early stages of understanding that Locards Exchange Principle applied to the digital world just as well as the physical world. From there, I had opportunities to not only talk to and ask questions of folks performing forensic investigations, but I started performing my own incident response, and looking for ways to do my job better. From there, I grew into the forensics field. [...] 
From alerts at infosecnews.org Mon May 7 01:08:35 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Exercise puts cadets on the cyber-defensive
Message-ID:

http://www.marinecorpstimes.com/news/2007/05/military_academies_cyberdefense_070504w/

By Kelly Kennedy
Staff writer
May 4, 2007

WEST POINT, N.Y. - Last year, huddled in a camouflaged classroom, senior cadets at the U.S. Military Academy here carefully checked each computer for bugs. They secured possible entries to make sure hackers couldn't bust into their online network. They tested and retested to make sure all the parts and pieces worked well together.

And then they forgot to change the default password on one of the routers.

"It only took two minutes before their exchange server was owned," said Army Capt. Joseph Salazar, who was sent from the National Security Agency to monitor West Point's team for the annual Cyber Defense Exercise.

As a result, the Air Force Academy kicked West Point's virtual tail.

This year, the Black Knights swore, they'd strike back.

Seven years ago, cadets at West Point began working with the NSA to create an exercise that would simulate conditions if the military were required to set up an Internet system in a foreign country, just as cyber-soldiers have done in Iraq.

The NSA acts as the opposing force, known as the red cell, and spends a week trying to take down virtual networks set up by each of the military academies for the event.

Each academy team starts with 50,000 points, then loses points any time its system is down, any unencrypted e-mails are sent out or any missteps are made in following directions about setting up the network. They can also earn points by completing tasks the NSA sends out during the week. The academy with the most points at the end of a week of attacks wins.

The cadets don't do any hacking themselves; it's all defense. And they don't attack or work with the other academies.
Instead, NSA gives them a scenario; this year, it was to dig into a war-torn developing nation called Meridia. To set up the network, which must include e-mail accounts, chat rooms and a database, they must use some of their own equipment, as well as some sketchy Meridian equipment.

"They try to make it relevant, something we'll see in our Army career if we choose this path," said Robert Singley, a cadet serving as deputy commander for West Point's team. "As much as this is a competition, it's a learning experience."

This year, things seemed quieter as cadets hovered around computers looking for warning signs of problems.

"It's a marked difference from last year," Salazar said. "The tone and tempo is a lot calmer."

But that calm forced an electric hyperawareness.

"This hurts my head," said Phil Supple, cradling his temples as he gazed at a computer screen.

"What's that?" asked Tyler Hallmark, who hadn't left the room since noon the day before. "Oh wait. It's not an attack, it's just a recon."

In the early stages of the exercise, the NSA sent out hit after hit to find out what system each computer used, whether the cadets had found the glitches hidden in the Meridian gear and whether there were any holes big enough to welcome worms, viruses or bugs.

Salazar chuckled in a corner as he looked out over the scene.

"It's early, so [the NSA] is looking for holes to exploit," he said. "Whenever they find a vulnerability, they get to ring a bell."

Last year, more than bells rang when the Air Force Academy's Web site suddenly announced, "We love Red Cell!" And then the West Point cadets became traitors to their team when "Go Navy, Beat Army," appeared on their site. The Red Cell happens to include a crew of Navy guys.

"The red cell is very, very good," Salazar said. "There will be vulnerabilities; it's near impossible to get them all."

In a sign of how seriously this exercise is taken these days, 25 West Point cadets missed classes for the week to spend every second defending their network.
"I really take pride in this," Singley said. "I really want to win. I really love doing this."

They sat blurry-eyed and stiff-necked, and it was only Monday. But for the previous two weeks, the cadets were busy Googling for systems information, cracking textbooks they hadn't seen since they were plebes, and writing days and days of code.

Jeffrey Cox spent the night prior to the games trying to fix a computer that had suddenly stopped working at 9:30 p.m.

"I created three virtual systems to try to rebuild it," Cox said. "I finally had it up 10 minutes before the game began, and then the first computer started working again."

This is fun?

"This is a blast," Cox said. "We pretty much spend all our time learning something new."

Back in Meridia, a cluster of cadets watched as a screen showing the Air Force Academy's system went red.

"If it's a lot of red, they're in a hurt box," Cox said. "We're all green right now. Navy was down for a few minutes. All the way down. Air Force just came back up."

For two hours, the cadets watched. Nothing. Nothing. More nothing.

"We've been kind of on edge," Cox said. "I think we'd like a little excitement just to know what's going on. We would like a few hits."

And then: "Hey! Somebody in forensics come look at this!"

But it was just another unnerving false alarm.

Salazar said the games provide the students with training and the NSA with potential future employees. Several students will perform internships on the red team.

"The game prepares them for what they'll be doing in the real world," Salazar said.

In the end, West Point retained their cool and even got a little cocky. They taunted the Red Team with a false document describing a Web server as Linux, then watched as the Red Team tried to attack a Linux system.

"Much to their surprise, it was actually a Windows server," said Maj. Damon Becknel, a West Point computer science professor. "We went the entire exercise this year without a compromise from the Red Team."
Each of the other academies had break-ins, including yet another announcement on the Air Force Academy Web site: "Red Team owns U."

West Point won the event with 53,615 points, while the Coast Guard Academy came in second with 52,105. Air Force placed third with 50,350 points; Navy was fourth with 49,750 points, and the Marines placed fifth with 49,315 points. The Air Force Institute, which participates in the exercise but does not officially compete, had 52,549 points.

"It's different every year," Salazar said. "This year, West Point's using their chain of command and staying calm. I'll probably come back next year and things will be different again."

From alerts at infosecnews.org Mon May 7 01:08:49 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] TSA hard drive with employee data missing
Message-ID:

http://washingtontimes.com/national/20070504-110814-4615r.htm

By Audrey Hudson
THE WASHINGTON TIMES
May 5, 2007

The FBI is investigating a data-security breach at the Transportation Security Administration involving the bank records and other personal data of 100,000 employees, including airport screeners and federal air marshals.

"This is considered serious," a Homeland Security official said on the condition of anonymity. "We've turned this place upside-down today to find the missing laptop."

However, the agency released a statement referring to the missing item as an external hard drive, and said officials on Thursday became aware it was missing from a controlled security area at the headquarters of its Office of Human Capital.

The files on the hard drive include the archived records of employees and their Social Security numbers, dates of birth, financial allotments and payroll information.

The TSA, which is responsible for securing U.S.
airports and airline flights against terrorist hijackings, said last night it "immediately reported the incident to senior Department of Homeland Security and law-enforcement officials and launched an investigation."

"TSA is treating this incident as a criminal matter and has asked the FBI to investigate," it said. "The U.S. Secret Service is also assisting in the forensic review of equipment and facilities. TSA is cooperating fully."

Yesterday, the agency began notifying all affected employees with instructions on how to protect against identity fraud.

A letter from TSA Administrator Kip Hawley said the agency will pay for a credit monitoring service for one year, which includes all three national credit bureau reports, fraud alerts, detection of fraudulent activity and identity theft, and fraud resolution and assistance.

"TSA has no evidence that an unauthorized individual is using your personal information, but we bring this incident to your attention so that you can be alert to signs of any possible misuse of your identity," Mr. Hawley states in the letter. "We are notifying you out of an abundance of caution at this early stage of the investigation given the significance of the information contained on the device. We apologize that your information may be subject to unauthorized access, and I deeply regret this incident."

The agency said it will take "swift disciplinary action, including dismissal, against individuals found to be in violation of our [data-protection] procedures."

From alerts at infosecnews.org Tue May 8 00:18:40 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Masters of Their Domain
Message-ID:

http://www.foreignpolicy.com/story/cms.php?story_id=3798

By Mikko Hypponen
May/June 2007

Online banking fraud is rampant because it's easy. Here's a fix that will mean money in the bank.

Computer security is a complex issue, and there is no simple cure-all.
But one thing that continues to baffle me is the way we bank online.

Think about the Web address of your bank. It probably ends in one of the common top-level domains: ".com" if you're in the United States, or, depending on your home country, in something like ".uk," ".de," ".jp," or ".ru." Which is why Web sites with such names as "bankofamerica-online.com," "lloydstsb-banking.com," "hsbc-login.com," or "paypalaccount.com" are so dangerous. They may look like the real thing, but they're operated by criminals. And these rogue banking sites are popping up every day. Hosted on Web sites with misleading names that read like a real bank's Web address, the domains are registered with fake contact information. These impostors then bombard consumers with "phishing" e-mails, luring them to these sites, where their financial information is stolen.

How does this happen? At the moment, anyone willing to pay the fee of $5 or so can register any domain name they want, as long as the name is not already taken. So creating these look-alike pages is fast, easy, and cheap.

Why do banks and other financial institutions operate under the public top-level domains, like .com? The Internet Corporation for Assigned Names and Numbers, the body that creates new top-level domains, should create a new, secure domain just for this reason: something like ".bank," for example. Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: It could be something like $50,000, making it prohibitively expensive to most copycats.

Banks would love this. They would move their existing online banks under a more secure domain in no time. The creation of a new domain for a specific industry is not unprecedented: We've already done it for museums, with their restricted ".museum" top-level domain.
If we can manage to protect storehouses of precious works of art from the Internet's most shameless thieves, surely we can find a way to protect our money.

From alerts at infosecnews.org Tue May 8 00:18:54 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Local researchers offer free security service
Message-ID:

http://computerworld.co.nz/news.nsf/news/EC25C508910ADEE8CC2572D10014CB81

By Ulrika Hedquist
Auckland
8 May, 2007

New Zealand's Honeynet Alliance is offering a free service for webmasters.

The local project is part of the global, non-profit Honeynet Project, a research organisation dedicated to improving the security of the internet at no cost to the public.

"Webmasters are, generally, at risk of having their websites attacked and compromised, and they usually don't have the means to monitor their page," says Christian Seifert, who runs the local Honeynet Alliance.

Seifert, one of four volunteer researchers involved in the project, is a PhD student at Victoria University in Wellington.

Once a website is compromised, the attacker might manipulate it to host malicious content, so that when a user visits the site they might be attacked, or spyware might be downloaded to the user's machine without their consent, says Seifert.

The free web service, PATROL (Periodic Assessment of TReasured Online Links), allows webmasters to submit their own URL to the Honeynet Project's open-source client honeypot, called Capture. Submitted URLs are monitored periodically by the client honeypot. Reports are generated on a regular basis and published on the New Zealand Honeynet Alliance website, says Seifert.

The Honeynet Project also offers a service called SCOUT (Speedy Complete Online URL Test), which is more targeted at end-users, says Seifert. It allows them to submit a URL and get immediate feedback, he says.
"For example, if you get an email with a link that looks suspicious to you, you can submit that URL to our site and we will immediately tell you whether it is malicious or not," he says.

The service was launched in mid-April and the Honeynet Project has identified 15 malicious URLs already, says Seifert.

Capture, developed at Victoria University, identifies malicious servers by interacting with potentially malicious servers using a dedicated virtual machine and monitoring any state changes on that box, says Seifert.

"If a new file appears in the start-up folder we know that that website is malicious," he says.

The Honeynet Project's method is not signature-based. "We are looking at the effects of a successful attack and that allows us to detect [attackers] that we don't know anything about yet," he says.

"So it is really geared towards the future, looking at future exploits, zero-day exploits," he says.

Capture can be downloaded from the Honeynet website and is distributed under the GNU General Public Licence.

"The latest version of the client honeypot allows you to look at attacks on various web browsers, not just Internet Explorer, but also Firefox and Opera," he says. It also features kernel level monitoring and is compatible with Vista.

Seifert says he is quite excited about the new version of Capture as it brings client honeypot technology into the hands of security people and web administrators.

"But we realise that not everybody has the time and resources to install the client honeypot," he says. "That is why we have created the web service."
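The state-change approach Seifert describes, as an added illustration that is not Capture's or the Honeynet Project's code: a detector that diffs before/after snapshots of the guest's files, registry and processes, ignores the changes an ordinary browser visit is expected to make, and flags persistence artefacts such as a new file in the start-up folder. All paths, process names, hashes and URLs are constructed placeholders.

```python
# Added example, not Capture's own code: the snapshots below are constructed
# stand-ins for what the honeypot VM's monitor would collect from the guest OS.
from dataclasses import dataclass, field

# Locations where an unexpected change is the classic sign of a drive-by
# install (constructed Windows-style paths; real monitors use richer lists).
STARTUP_DIR = "C:\\Users\\honeypot\\Start Menu\\Programs\\Startup\\"
SYSTEM_DIR = "C:\\Windows\\System32\\"
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

# Changes an ordinary browser visit is expected to cause. They form the
# exclusion list, so the detector does not flag every page it visits.
BENIGN_FILE_PREFIXES = ("C:\\Users\\honeypot\\Temp\\browser-cache\\",)
BENIGN_REGISTRY_PREFIXES = ("HKCU\\Software\\HypotheticalBrowser\\",)
BENIGN_PROCESSES = {"browser.exe"}


@dataclass
class Snapshot:
    files: dict           # path -> content hash
    registry: dict        # key\value -> data
    processes: frozenset  # image names of running processes


@dataclass
class Verdict:
    malicious: bool
    reasons: list = field(default_factory=list)  # changes that triggered it
    ignored: list = field(default_factory=list)  # changes on the exclusion list


def _changed(before, after):
    """Yield (kind, key) for entries that are new or whose value changed."""
    for key, value in after.items():
        if key not in before:
            yield "new", key
        elif before[key] != value:
            yield "modified", key


def diff_snapshots(before, after):
    """Classify a visit by its side effects on the guest; no signatures involved."""
    verdict = Verdict(malicious=False)
    for kind, path in _changed(before.files, after.files):
        if path.startswith(STARTUP_DIR):
            verdict.reasons.append(f"{kind} file in start-up folder: {path}")
        elif path.startswith(SYSTEM_DIR):
            verdict.reasons.append(f"{kind} file in system directory: {path}")
        elif path.startswith(BENIGN_FILE_PREFIXES):
            verdict.ignored.append(f"{kind} file on exclusion list: {path}")
        else:
            verdict.reasons.append(f"{kind} file outside browser cache: {path}")

    for kind, key in _changed(before.registry, after.registry):
        if key.startswith(RUN_KEY):
            verdict.reasons.append(f"{kind} autorun registry value: {key}")
        elif key.startswith(BENIGN_REGISTRY_PREFIXES):
            verdict.ignored.append(f"{kind} registry value on exclusion list: {key}")
        else:
            verdict.reasons.append(f"{kind} registry value: {key}")

    for proc in sorted(after.processes - before.processes):
        if proc in BENIGN_PROCESSES:
            verdict.ignored.append(f"expected process: {proc}")
        else:
            verdict.reasons.append(f"unexpected new process: {proc}")

    verdict.malicious = bool(verdict.reasons)
    return verdict


# Constructed sample data: the clean guest, then the guest after two visits.
BASELINE = Snapshot(
    files={SYSTEM_DIR + "drivers\\etc\\hosts": "hash-a"},
    registry={},
    processes=frozenset({"explorer.exe"}),
)
# A page that served a drive-by download: a cache write (expected) plus a new
# start-up file, an autorun value and a new process (all unexpected).
AFTER_DRIVEBY = Snapshot(
    files={
        SYSTEM_DIR + "drivers\\etc\\hosts": "hash-a",
        BENIGN_FILE_PREFIXES[0] + "index.html": "hash-b",
        STARTUP_DIR + "update.exe": "hash-c",
    },
    registry={RUN_KEY + "Updater": "C:\\Users\\honeypot\\update.exe"},
    processes=frozenset({"explorer.exe", "browser.exe", "update.exe"}),
)
# An ordinary page: only the browser's own cache, registry and process.
AFTER_CLEAN = Snapshot(
    files={
        SYSTEM_DIR + "drivers\\etc\\hosts": "hash-a",
        BENIGN_FILE_PREFIXES[0] + "index.html": "hash-d",
    },
    registry={BENIGN_REGISTRY_PREFIXES[0] + "LastVisited": "1"},
    processes=frozenset({"explorer.exe", "browser.exe"}),
)

if __name__ == "__main__":
    for url, after in (("http://example.invalid/drive-by", AFTER_DRIVEBY),
                       ("http://example.invalid/clean", AFTER_CLEAN)):
        print(url, diff_snapshots(BASELINE, after))
```

A modification to an existing system file (for instance a changed hash on the hosts file) is reported the same way as a new start-up file, which is the point of diffing state rather than matching signatures.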
Copyright (c) Fairfax Business Media, A Division of John Fairfax Publications Pty Limited

From alerts at infosecnews.org Tue May 8 00:19:23 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Interview with Rain Forest Puppy
Message-ID:

http://www.ush.it/2007/05/01/interview-with-rain-forest-puppy/

May 1, 2007

Antonio "s4tan" Parata, software security researcher and member of the ush team, interviews Rain Forest Puppy, famous bug hunter, specialized in web application assessment. It's a pleasure for us to publish the full interview; in this case talk is not cheap.

Antonio "s4tan" Parata (ap): Hi Rain Forest Puppy, many thanks for this interview. You are considered one of the fathers of web security and the inventor of the SQL injection attack. Anyway, in the year 2003 you decided to publicly retire from the security field (for more info, see http://www.wiretrip.net/rfp/txt/evolution.txt). Can you briefly sum up your decision?

Rain Forest Puppy (rfp): My decision to retire from the public eye was based on a lot of reasons; overall, the amount of resources & energy required to release and maintain advisories and tools was just getting to be too large. It wasn't fun anymore, and why pursue a hobby if you're not enjoying it? Plus, the security industry was becoming commercialized. Advisories and exploits are now bought and sold; performing security research in the first place can land you in legal waters. The intellectual value of the security research performed has been reduced to a single severity rating, which, if not high enough, causes the entire research to be dismissed. I really enjoy security from the intellectual angle; to me, it's all just a big mental challenge, a puzzle, if you will. So when the creativity and intellectual aspect of it started to fade away, I decided to go with it.
As for being the "father of web security", there were many people working on web security prior to me (for example, see Lincoln Stein's classic WWW Security FAQ). And I didn't invent SQL injection. I may have been one of the first to publicly explain it in tutorial fashion, but it existed for as long as SQL itself existed; it was just that few people saw the security implications of it. But that may be because SQL wasn't ubiquitous like it is today, so it had limited impact in limited circles.

ap: 4 years have elapsed and the web has changed radically. Phrack is dead, the OWASP testing guide has risen, the web is filled with blogs and the "web 2.0" buzzword is on everybody's lips. How has your thinking changed in these years, and what do you think about today's security world, those who work in it, and researchers?

rfp: Well, the good news is that there is an increased awareness of the need for security. That's a good thing. Even consumers are starting to understand the need for personal firewalls and the need to be vigilant when online. The flip side of that awareness is that people now care when they have security, or more importantly, when they don't. Combined with the litigious society we've become, and now you have the very real threat of someone pursuing legal action against you for informing them they have a security problem. Now that security can be linked to tangible dollar losses, and security regulation violations can have drastic impacts, I've witnessed first-hand companies who felt it better to be in the dark and cover up any signs of security issues rather than having those security problems disclosed and thus being forced to deal with it. It's the Enron approach to security. But, like I said in my Evolution essay (a.k.a. rant), security is now a big-time commercial business. There's money to be made in having it, improving it, breaking it, exploiting it, etc. That's probably the biggest change. Although, I suppose I'm part of the problem, having a security-related day job.
:)

ap: At the moment are you working for a security company or are you an independent consultant?

rfp: I work for a security company. In fact, at the beginning of this year, I started working for a security software vendor. Prior to that, I worked at the same small security services company for 7 years, performing pen-tests, web app assessments, source code reviews, etc.

ap: What do you think about companies like gleg (http://www.gleg.net/) or iDefense (http://labs.idefense.com/), parties that make part of their profits from the selling of 0day exploits?

rfp: Well, I have mixed feelings. Part of it is how you frame it too: saying iDefense and 3Com sell 0day is only half right. Sure, they inform people of those 0day problems. But, they also handle the overhead of dealing with the vendor, coordinating advisories, etc. All that stuff takes time and resources, and can be particularly frustrating if you happen to deal with a vendor who doesn't understand the security disclosure process (see my previous answer about Enron-style security silliness). So, for someone who likes to find bugs, and wants to do the right thing (i.e. inform the vendor) but doesn't necessarily like the hassle of dealing with the vendor, iDefense & 3Com seem to be a win-win situation: they deal with the vendor, and you get paid for your research time (and the dwindling of low-hanging fruit and increased complexity means more research/time is required for each bug). Part of my answer to this question ties into the next question...

ap: You are the creator of rfpolicy (http://www.wiretrip.net/rfp/policy.html), globally recognized as the policy to follow for vulnerability disclosure. What do you think about mailing lists that practice full disclosure like FD (http://lists.grok.org.uk/full-disclosure-charter.html)?
rfp: In the end, it all comes down to the motive of the researcher:

* Trying to make the world a more secure place
* Trying to make a buck
* Trying to impress their friends/peers

Each of those has its own response. If you're truly trying to make the world a safer place, then the only way to do that is to pursue a fix (and that typically means dealing with the vendor/author); if, for some reason, the discussions with the vendor are going horribly and you've exhausted all other options, then full disclosure to the public is a last-ditch effort to at least get the warning out.

If you're trying to make a buck, well, sell it to the highest bidder. There's been a lot of media reporting in the last 6 months about 0day black markets, and iDefense/3Com occasionally hold specials where you get paid extra for certain types of vulns (remote Vista bugs in particular).

If you're trying to impress your friends/peers, then just run straight to the disclosure lists/venues. You'll have your five minutes of fame until the next bug comes out. Hopefully though, you won't pursue a security job down the road with a company who has negative feelings towards full disclosure; your efforts to build your 'cred and impress your friends now may backfire later when you look to start doing it professionally. Remember, the Internet archives everything these days...

What probably bugs me the most is that a lot of people have the "trying to make the world a more secure place" facade, even though that's not really their true intention. I call it the "Ms. America 'World Peace'" phenomenon, after all the pageant contestants who say they want world peace because that's what they're supposed to want in this age of political correctness. If a researcher truly wants to make the world a more secure place, then they need to attempt to get a solution to their problem, and that usually means making some attempt to work with the vendor.
The moral to my long-winded answer: full disclosure is a tool, not a solution. Use it wisely, and where appropriate. If you truly want to be part of the "security solution", then offer a (realistic) solution when you have a problem to disclose. Be responsible. We control our own fate: if we run around like Internet Anarchists, then laws and regulations are going to tighten and make things more difficult. If we act responsibly, we may be able to continue with what we're doing as-is. But you can't have it both ways.

ap: What policy should apply in the case of public site vulnerability research? Should the researcher avoid it completely, apply the rfpolicy, or is the full-disclosure way viable too?

rfp: Funny, because I was just mulling this over recently. It's one thing to have a security problem in something you control, such as a device or a piece of software installed locally. There's the potential for you to enact a workaround or introduce another mitigating control. Public websites are another matter. The only one who can fix the problem is typically the web site. There's no mitigating strategy users can usually apply other than to forego use of the site. You think everyone is going to cease to use MySpace because they have an XSS hole? No way. So thinking that it's better to tell the world about a security problem in a public site than to tell the site owners is being part of the problem, and not the solution. Again, full disclosure is a tool, and is a worst-case/last-ditch scenario after all else fails.

ap: You are the author of the libwhisker library (http://www.wiretrip.net/rfp/lw.asp), widely used to create assessment perl scripts. What do you think about today's products related to web application assessment? What about some open source software (like parosproxy or nessus) that changed to closed-source?

rfp: I have to choose my words carefully, because I very recently started working for a security software vendor.
:)

Having had open source projects, I will say this: it is very hard to bootstrap a development community, and achieve the same level of polish, quality (as in QA), and implementation thoroughness as a commercial product. This isn't necessarily because commercial software vendors are better coders; the dynamics are just different. Open source coders are usually working on their own donated time. That means contributions are often catch-can and best-effort. Open source projects (when not sponsored by a commercial entity) are typically limited in resources (with time being the critical one). Commercial companies, on the other hand, don't necessarily have a constraint on resources and time, because they can be bought. And they are bought with the money used to purchase the software. However, because the software is purchased, they have the additional obligation of making sure it satisfies the user and the user's experience. That usually means better UIs and usability, full feature sets, and thoroughly implemented features with all the bells and whistles a normal user would expect for that type of product.

If anything, I would say the bar is set higher for commercial products, because purchased software has certain additional expectations and obligations to live up to. If you grab a free suite of open source software, and something in it is broken or it doesn't implement some basic functionality which you deem fundamentally necessary... well, your only recourse is to submit a bug report or feature request. It's free, and because of that, there's not necessarily an obligation to satisfy you as a user. But if a commercial software package is broken, or it's missing something fundamental, you can ask for your money back, or make a request to the vendor to fix it with a reasonable expectation that they will. If they don't, you have recourse with entities such as the Better Business Bureau (in the US).
Given all of that, I have made a few observations on how open source relates to commercial products:

* Commercial vendors don't draw from a different, exclusive pool of uber-developers. Good, smart developers can exist on both sides of the fence; in fact, often times they play both sides. So the concept that commercial vendors magically have better coders that are more capable of solving a problem or being innovative is a fallacy. An open source project can be just as innovative as anything a commercial company pushes out; the difference is that the commercial company can usually push it out farther and wider.

* The really good/innovative open source projects often go on to either form a commercial entity, or gain commercial sponsorship. This almost makes open source a research incubator and proving ground for new ideas (which, IMHO, is great). The good ones take off and develop into large entities (Apache, Samba, MySQL, etc.) and the rest live out the remainder of their lives on SourceForge. :) But once an open source company gets commercial backing, there then becomes the requirement to satisfy the conditions of that commercial backing, so the sponsorship usually provides resources in exchange for better meeting the obligations/expectations that come with traditional commercial software. In that sense, sponsored open source sits on the fence between normal open source and commercial software, probably getting the best (and worst) of both worlds.

* I made indication of it in my previous answers, but despite open source being free and best-effort, many users still hold it to a commercial product expectation of quality, implementation thoroughness, etc. This is where I think a lot of problems arise. Yes, open source software should be as good (or better) than commercial software, even though it is constrained by resources.
But we all know that's usually not the case; something as simple as a clean UI and better documentation is all it takes to give something a commercial-level appeal/feel. My personal experience with open source is that these are the areas where they most often tend to lack. So, going back to your original question about security tools: the security industry is such a hot topic, and everything is in such a state of flux, that it's hard to say. Established open source tools have migrated to commercial backing (nmap, Nessus, ParosProxy, etc.). There are a lot of tools which are the byproducts of commercial research, and/or are being used for marketing purposes (all the great Foundstone tools, HTTPrint, etc.). Some of these have no identical/suitable commercial counterpart. And yet there are many commercial tools which don't have effective open source counterparts (I haven't seen a good open source static source code analysis tool yet on par with Coverity, Fortify, or Klocwork). There's no open-source equivalent for what AppScan and WebInspect fully do. In the end, I've developed my own personal approach. All I care about is whether the tool works and/or gets the job done. I've spent so much wasted time trying to get a screwdriver to do a hammer's job, and vice versa. I really don't care if a tool is open source or commercial; I let the job dictate the tool, and not the other way around. Of course, there are certain artificial restrictions on this (like price limitations), but in general, I think there are some things that currently only exist in free & open source tools, and there are some things that currently only exist in commercial tools. So use both wisely and get the best of both worlds. :)

ap: What's your method to keep yourself updated on security news?

rfp: There are just too many sources of information these days to digest. I have a very large RSS feed list I try to keep on top of, and I keep tabs on a few traditional mailing lists.
I find that, if something is big enough, it will usually trickle down onto the security mail lists or one of the popular security blogs, which tips me off and I do further research on it from there. So I suppose a good analogy is: rather than waiting to hear about stuff from the horse's mouth (especially when there are many horses), I wait to see what interesting things the manure handlers heard or found after it passed through the horse. :) (note: I can neither confirm nor deny the intentional comparing of manure to the information content on some of today's blogs...)

ap: Which books have you read lately? Is there any book that has to be recommended anyway?

rfp: I currently like "Developing More-Secure Microsoft ASP.NET 2.0 Applications" by Dominick Baier. Rather than being a "security 101" approach filled with lots of overhead most seasoned security professionals already know, this book is almost like a collection of technical tips and insights into little topics, all with security relevance. I like to think it fills in the remaining small gaps that the seasoned pros might have. Nowadays though I really don't read books in the traditional manner; there are just too many coming out. And to make matters worse, they're expensive and often don't contain material that satisfies me. So I use O'Reilly's Safari, which lets me search for specific topics across a whole library, and just download PDFs of the chapters I need. It's more efficient and cost-effective. Occasionally I'll check out the bookstore's selection for books that aren't hosted by Safari, but Safari has a good selection overall.

ap: Is your lifestyle Infosec related even in your spare time or do you have extra IT&C hobbies?

rfp: A lot of things have changed since I faded out of the public eye in 2003. At the height of my "RFP days", I was a bachelor spending all day doing security work, and then all night doing security research, sometimes not even sleeping.
Now I have a family, and I give all my spare time to them; so my security-related pursuits tend to be limited to just work-hours, with the occasional evening or weekend for a special security project.

ap: Will the Infosec community have a chance to see you back to the scenes like in the past?

rfp: Well, there are two ways to look at that question. When you consider the qualifier "like in the past", then no. Don't expect wiretrip.net to start spewing out new advisories or tools. But will the Infosec community see me involved in it? Sure. Actually, I never left. I still post to the security venues, I still publish, I still work with vendors to get things fixed, etc. I would say I'm still very active in the security community, but in a way that has nothing to do with the name RFP.

ap: Thanks rfp for the interview!

rfp: Thanks for the thought-provoking questions!

From alerts at infosecnews.org Tue May 8 00:19:39 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Thumb Drives Replace Malware As Top Security Concern, Study Finds
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=199300021

By Sharon Gaudin
InformationWeek
May 7, 2007 02:48 PM

A worker calls up a sensitive investor list and downloads it on her thumb drive, slips it into her pocket, and walks out, smiling and waving to her boss and the security officer stationed at the front door. This is just one of the scenarios that security professionals and IT managers are increasingly worried about. According to one recent study, IT managers said portable storage devices, such as thumb drives and MP3 players, have surpassed even malware to become a top concern. The study, which polled 370 IT professionals, showed that 38.4% of IT managers say portable storage devices are their top security concern. That's up from 25.7% in 2006.
"It is very easy to download information to them quickly," said Bill Piwonka, VP of product management for Centennial Software, which conducted the survey at this spring's InfoSec security conference in London. "If there isn't a defined acceptable use policy or controls to prevent the download and transfer of sensitive data, managers do not know if and how such data is leaving the building. Also, USB sticks are frequently lost. If sensitive data isn't encrypted on these devices, it would obviously be very easy to obtain."

To make matters worse, 80% of respondents admitted that their organizations don't currently have effective measures in place to combat the unauthorized use of portable devices. And 43.2% cited no control at all. Only 8.6% have a total ban on portable devices.

Piwonka said in an interview that the danger with portable storage devices lies in not knowing what files have been maliciously or even unintentionally downloaded to them, and how that data is being used. And if it has been lost, who has the information? A worker easily could download corporate information -- sales figures, customer lists, marketing plans -- onto a small storage device, slip it into their bag or even a pocket, and just walk out the door with it. It makes stealing information much easier since it's not a matter of printing anything out or even walking out of the office with a laptop slung over a shoulder.

While IT managers fear what users might do with a portable storage device, they also really like them for themselves. The study showed that 65% of IT managers use a USB flash drive on a daily basis. "Portable devices do have a function in the workplace," said Piwonka. "They are an easy way to share, transfer, and store information. Managers need to create an acceptable use policy and share it with their employees to further control the handling of sensitive data."
From alerts at infosecnews.org Tue May 8 00:19:53 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Poppy quarter led to spy coin warnings
Message-ID:

http://www.cbc.ca/canada/edmonton/story/2007/05/07/tech-poppy-quarter.html

The Associated Press
May 7, 2007

The surprise explanation behind the U.S. government's sensational but false warnings about mysterious Canadian spy coins is the harmless poppy quarter, the world's first colourized coin. The odd-looking coins were so unfamiliar to suspicious U.S. army contractors travelling in Canada that they filed confidential espionage accounts about them. The worried contractors described the coins as "anomalous" and "filled with something manmade that looked like nanotechnology," said once-classified U.S. government reports and e-mails.

The 25-cent piece features the red image of a poppy inlaid over a maple leaf. The quarter is identical to the coins pictured and described as suspicious in the contractors' accounts. The supposed nanotechnology actually was a conventional protective coating the Royal Canadian Mint applied to prevent the poppy's red colour from rubbing off. The mint produced nearly 30 million such quarters in 2004 commemorating Canada's 117,000 war dead.

"It did not appear to be electronic [analog] in nature or have a power source," wrote one U.S. contractor, who discovered the coin in the cup holder of a rental car. "Under high-power microscope, it appeared to be complex consisting of several layers of clear but different material, with a wire-like mesh suspended on top."

The confidential accounts led to a sensational warning from the U.S. Defence Security Service, an agency of the Defence Department, that mysterious coins with radio frequency transmitters were found planted on U.S. contractors with classified security clearances on at least three separate occasions between October 2005 and January 2006 as the contractors travelled through Canada.
One contractor believed someone had placed two of the quarters in an outer coat pocket after the contractor had emptied the pocket hours earlier. "Coat pockets were empty that morning and I was keeping all of my coins in a plastic bag in my inner coat pocket," the contractor wrote. Meanwhile, in Canada, senior intelligence officials expressed annoyance with the U.S. spy-coin warnings as they tried to learn more about the oddball claims. "That story about Canadians planting coins in the pockets of defence contractors will not go away," Luc Portelance, now deputy director for the Canadian Security Intelligence Service, wrote in a January e-mail to a subordinate. 'What's the story on this?' "Could someone tell me more? Where do we stand and what's the story on this?" Others in Canada's spy service also were searching for answers. "We would be very interested in any more detail you may have on the validity of the comment related to the use of Canadian coins in this manner," another intelligence official wrote in an e-mail. "If it is accurate, are they talking industrial or state espionage? If the latter, who?" The identity of the e-mail's recipient was censored. Intelligence and technology experts were flabbergasted by the warning when it was first publicized earlier this year. The warning suggested such transmitters could be used surreptitiously to track the movements of people carrying the coins. "I thought the whole thing was preposterous, to think you could tag an individual with a coin and think they wouldn't give it away or spend it," said H. Keith Melton, a leading intelligence historian. The Defence Security Service disavowed its warning about spy coins after an international furore but until now it has never disclosed the details behind the embarrassing episode. 
The United States said it never substantiated the contractors' claims and performed an internal review to determine how the false information was included in a 29-page published report about espionage concerns.

Coins not examined

The Defence Security Service never examined the suspicious coins, spokeswoman Cindy McGovern said. "We know where we made the mistake," she said. "The information wasn't properly vetted. While these coins aroused suspicion, there ultimately was nothing there."

Numismatist Dennis Pike, of Canadian Coin & Currency near Toronto, quickly matched a grainy image and physical descriptions of the suspect coins in the contractors' confidential accounts to the 25-cent poppy piece. "It's not uncommon at all," Pike said. He added the coin's protective coating glows peculiarly under ultraviolet light. "That may have been a little bit suspicious," he said.

(c) The Canadian Press, 2007

From alerts at infosecnews.org Wed May 9 00:01:57 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] NIST puts its security guidelines in one basket
Message-ID:

http://www.gcn.com/print/26_10/44216-1.html

By William Jackson
GCN Staff
05/07/07 issue

The National Institute of Standards and Technology has released a database to help agencies collect data needed to assess information technology security programs and produce reports for action plans. The Program Review for Information Security Management Assistance database, which can be downloaded at prisma.nist.gov, is part of PRISMA, a tool NIST developed for reviewing the complex information security requirements and posture of federal information security programs. It brings together guidelines from NIST publications, federal standards, best practices and requirements in the Federal Information Security Management Act. PRISMA provides a framework for an independent, in-house review of the maturity of an agency's information security program.
It requires documentation of security policies, procedures and implemented controls. It also requires a review of the agency's organizational structure, culture and business mission. After the assessment, the PRISMA team identifies problems and develops a weighted list of corrective actions. The PRISMA framework was released in January in NIST Interagency Report 7358. The database, which is in Microsoft Access 2003 and can help generate a report in Microsoft Word, was made available in April.

If you are having trouble finding guidelines or standards for your IT security assessment, NIST also has released a "Guide to NIST Computer Security Documents," a PDF that indexes the more than 250 publications the NIST Computer Security Division issues.

From alerts at infosecnews.org Wed May 9 00:02:22 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] A5/GSM Cracking Project
Message-ID:

Forwarded from: steve

Hi,

We are inviting people to design and build an A5/1 cracking machine. We are security enthusiasts. We started in January 2007 and built a GSM Receiver for 700 USD (http://www.thc.org/gsm). The first alpha version of the GSM receiver is available from our webpage. We are now looking for the next challenge: Cracking A5/1 for real. We put up a public wiki at http://wiki.thc.org/cracking_a5 for anyone to edit and to add information. If you are interested please also subscribe to our mailing list by sending an email to a5-subscribe@lists.segfault.net

Spread the word & happy hacking,
steve

From alerts at infosecnews.org Wed May 9 00:02:51 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Laptop lock down
Message-ID:

http://australianit.news.com.au/articles/0,7204,21675095%5E15385%5E%5Enbv%5E,00.html

By Chris Jenkins
The Australian
MAY 08, 2007

THE scenario is all-too familiar. A big deal signed off, a few drinks to celebrate. Push on for a bit, then cab it home.
A good time had by all. But, oh dear, where's the BlackBerry? If it's not the BlackBerry, it's the laptop. Come back to the car, the window's smashed and the computer is gone. And not only the laptop. Gone too are the contact lists, the sales plan and the intelligence on competitors, all worth far more than a $2000 piece of kit. With more companies giving staff laptops or handhelds to take home, concern over the security of these devices, and the data that resides on them, is growing. Vodafone business product manager Mark Corless says some laptops lack even basic password protection, an oversight brought home very quickly when the hardware goes astray. "That can be a stake in the heart for some customers. There's a very quick realisation of how important that information is," he says. Sometimes, the consequences take on national significance. In 2003, Australian officials were left scrambling when thieves using forged identities stole a laptop from the Department of Transport in Canberra and servers from the Australian Customs service in Sydney. In the US last year, the personal information of more than a million former US servicemen and women was compromised by the theft of a laptop used by an employee of the US Department of Veterans Affairs. In Australia, the theft of companies' mobile computing hardware is fairly common. In last year's AusCERT Computer Crime and Security Survey, 58 per cent of companies surveyed reported having laptops stolen, up from 53 per cent in 2005. Nine per cent of companies said handhelds had been stolen last year, up from 8 per cent in 2005. Forrester ICT consulting director Andrew Milroy says the risks are growing in line with increased usage of mobile devices. At the same time, hardware such as PDAs and smartphones grows ever more capable of storing large amounts of data. "It's difficult to put a number on, but the risk is increasing substantially," Milroy says. 
"Not many people understand the risks they are taking by putting so much mission-critical information on these devices. "It's a risk that people have been talking about for the past couple of years, but it has become a lot more real lately." After five years of being relatively flat, business interest in mobile applications has tripled in 2007, Vodafone's Corless says. Many industrial-strength applications such as enterprise resource planning and customer relationship management systems from the likes of SAP and Oracle are now commonly available in mobile form. The risk is amplified by the fact that devices and the applications they run are often linked to corporations by high-speed mobile data networks. Forrester predicts overall demand for mobile data services in Australia will grow at 18 to 20 per cent annually over the next five years. In Australia at present, Milroy says, the theft of a laptop or handheld is more likely to be the work of an opportunist. Fortunately, while devices are stolen regularly, it seems there has been little effort dedicated to exploiting the information many of them contain. There is also no real evidence of deliberate industrial espionage, Milroy says. "I can't imagine that you would tell someone to follow a guy around and nick his BlackBerry." Such actions remain a possibility, though, and awareness of the security required for devices used outside the office is gradually increasing, just as awareness of identity theft has cranked up over the past couple of years, Milroy says. Nevertheless, there is still some way to go before organisations realise what they are up against, he says. "It's just going to take a few years before people start taking that risk as seriously as they really should." The reluctance of organisations to talk about their security embarrassments could be masking the true extent of the problem in Australia, IDC senior software analyst Patrik Bihammar suggests. 
"One problem is that we don't have the same disclosure laws here in Australia as the US does," he says. In California, for example, companies are required by law to notify the public if personal data has been compromised. As with all security problems, awareness is a key issue in the battle to prevent laptops and handhelds from handing over the keys to the castle. "Although security is a big issue, I don't think it is paramount in people's minds. They are just thinking about how they can do more and more with these devices in different locations," Milroy says. Dealing with the security of portable devices needs to be part of the overall approach to IT in a company, Milroy says. "Ideally it would all go in line with effective backup and business continuity. It's one of these cultural things that it's going to take people a while to catch up on." Many people don't follow basic backup procedures, such as saving to network drives, on their desktop PCs, so archiving data is even less likely to happen with mobile devices, he says.

There are also more concrete approaches. Corless says the BlackBerry is possibly the most secure mobile device at present. After five unsuccessful password attempts, it will automatically wipe all data, he says. Safeguards are built in to prevent the data being wiped accidentally. Because BlackBerries are often used as a mobile extension of the desktop, they tend to carry a lot of critical information. This also means that if they are regularly synced, data-wiped or lost, they can easily be restored to a new handset. The ability to use a wireless data connection to remotely wipe the data on a device has become a popular safeguard, with products available for a range of device classes. Companies need to have policies in place before things go wrong to ensure that appropriate action can be taken, Corless says.
For example, it can be a problem for carriers when people ring up and ask to have devices either struck from the network or wiped altogether if the person making the request is not the owner of the device or is not authorised to make the request. For some users, Vodafone creates custom access point names (APNs), which define a group that is allowed to access the network. If a device is not in the group definition, it doesn't get access. "Unless we have enabled you to communicate back to your corporate office, it won't happen," Corless says. Coca-Cola Amatil and electricity utilities are among the Vodafone customers employing this strategy, he says.

Some organisations restrict mobile devices to being thin clients that store no data locally. That way, if they are stolen, all the thief gets is a basic operating system and some hardware. But such a strategy limits the device to online-only use, meaning that if a network is not available, neither is the data. Using data live from the data centre also places greater demands on network performance, which can easily fluctuate while operating in a wireless environment.

IDC's Bihammar says data on mobile devices should be encrypted as a matter of course. "Laptop and device encryption and data leakage protection are not as common as they should be," he says. "Data or whole-disk encryption is clearly the first step to make it difficult for criminals to access any data on the device," he says. "Organisations need to have the right policies in place and the right technologies to enforce the policies and lock down intellectual property from leaking out of their organisations. "Whether through loss of mobile devices and physical media or through email, instant messaging and other messaging protocols." As ever, the organisations most at risk of having their data compromised or stolen via portable devices are the ones that lack the resources to enforce security policies. Small and medium businesses are considered at particular risk.
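The two device-side controls the article describes, a wipe after a fixed number of failed unlock attempts with a safeguard against wiping by accident, and encrypting the stored data so a stolen handset yields nothing readable, fit together in one small model, given below in Python. This is an added illustration and not code from the article, from BlackBerry, Vodafone or any vendor quoted in it; the five-attempt limit is the figure the article gives, while the confirm-before-the-last-attempt safeguard, the wrapped-key layout and the HMAC-based toy stream cipher are assumptions made for the example (a real device would use AES and a hardware-backed key store).

```python
"""Model of a handheld's unlock policy: encrypted data store, persistent
failed-attempt counter, crypto-erase wipe after MAX_ATTEMPTS failures, and a
confirmation step so a single slip cannot wipe the device.

Constructed example; not the implementation of any vendor named in the article.
"""
import hashlib
import hmac
import os
from typing import Optional

MAX_ATTEMPTS = 5       # from the article: five unsuccessful password attempts
CONFIRM_FROM = 5       # assumption: the attempt that could wipe the device must be confirmed
PBKDF2_ROUNDS = 100_000


def _kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the unlock password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Demo-only stream cipher (HMAC-SHA256 in counter mode, no nonce).
    A real device uses AES; the point is that `data` is noise without `key`."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class Handheld:
    def __init__(self, password: str, data: bytes) -> None:
        self.salt = os.urandom(16)
        kek = _kek(password, self.salt)
        data_key = os.urandom(32)
        # Only the wrapped data key is stored; the verifier lets unlock()
        # test a password without holding the plaintext key anywhere.
        self.wrapped_key = bytes(a ^ b for a, b in zip(data_key, kek))
        self.verifier = hmac.new(kek, b"unlock-verifier", hashlib.sha256).digest()
        self.ciphertext = _xor_keystream(data_key, data)
        self.failures = 0      # must be persisted across reboots on a real device
        self.wiped = False

    def wipe(self) -> None:
        """Crypto-erase: destroying the wrapped key makes the ciphertext
        unrecoverable, so the flash itself need not be overwritten."""
        self.wrapped_key = bytes(32)
        self.verifier = bytes(32)
        self.ciphertext = b""
        self.wiped = True

    def unlock(self, password: str, confirm: bool = False) -> Optional[bytes]:
        """Return the decrypted data on success, None on a wrong password.
        Raises PermissionError instead of trying when this attempt could be
        the one that wipes the device and the caller has not confirmed."""
        if self.wiped:
            return None
        if self.failures + 1 >= CONFIRM_FROM and not confirm:
            raise PermissionError("next failed attempt wipes the device; confirm first")
        kek = _kek(password, self.salt)
        candidate = hmac.new(kek, b"unlock-verifier", hashlib.sha256).digest()
        if not hmac.compare_digest(candidate, self.verifier):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.wipe()
            return None
        self.failures = 0
        data_key = bytes(a ^ b for a, b in zip(self.wrapped_key, kek))
        return _xor_keystream(data_key, self.ciphertext)


if __name__ == "__main__":
    # Constructed sample data standing in for the contact list on a stolen handheld.
    device = Handheld("correct horse battery", b"contacts: alice, bob; sales plan Q3")
    for _ in range(MAX_ATTEMPTS - 1):
        device.unlock("guess")
    print("failures:", device.failures, "wiped:", device.wiped)
    device.unlock("guess", confirm=True)
    print("after final failure, wiped:", device.wiped)
```

The wipe is a crypto-erase: destroying the wrapped data key is enough, because the ciphertext is unreadable without it, which is also why the encryption Bihammar recommends is the precondition for a cheap, instant local or remote wipe rather than a slow overwrite of the whole flash. The failure counter has to live in non-volatile storage on a real device; otherwise a reboot would reset it and the five-attempt limit would mean nothing.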
For larger companies, compliance, both with external laws and with internal policies, is looming as a larger issue and is forcing organisations to develop appropriate security policies, Milroy says. "Organisations are being forced to be much more transparent. If you are public and you are being scrutinised, you want to be seen to be complying with certain standards, whether they're mandatory or not," he says. Like the growth of internet use in organisations, the arrival of fleets of mobile devices is a tidal change unlikely to be held back by security concerns. For that reason, security is eventually going to have to be built into devices, Milroy says. "If it's not built in, you're not going to be able to sell it."

From alerts at infosecnews.org Wed May 9 00:03:09 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Budget: Eye on cyber-terrorism attacks
Message-ID:

http://www.zdnet.com.au/news/security/soa/Budget-Eye-on-cyber-terrorism-attacks/0,130061744,339276008,00.htm

By Munir Kotadia
ZDNet Australia
08 May 2007

The federal government has allocated more than AU$12 million over the next four years to expand the Australian Government Computer Emergency Readiness Team (GovCERT) and fight high tech crimes, including "cyber-terrorism". According to federal Attorney-General Philip Ruddock, GovCERT will be enhanced in order to "provide owners and operators of Australia's critical infrastructure with information to help reduce the risks from sophisticated electronic attacks and to provide government with information about the electronic risks to critical infrastructure." The funding -- allocated from this year's federal budget -- will also help ensure information is shared in a quick and effective way by government and critical infrastructure organisations. In addition, a "cyber-exercise program" is in the works to help the country cope with "cyber-terrorism attacks".
"It is imperative that we remain one step ahead of emerging e-threats. The measures announced in this year's budget will help create a secure and trusted operating environment that will benefit all Australians," Ruddock said. GovCERT was formed over two years ago and at the time, it was heavily criticised by Graham Ingram, director of the Australian Computer Emergency Response Team (AusCERT), for duplicating his organisation's role and wasting taxpayers' money. Ingram said: "If AusCERT didn't exist, the cost to the government would be estimated at somewhere between AU$5 million and AU$10 million a year. The wise move is to support AusCERT because the costs of not doing it are enormous". Meanwhile, the Australian Federal Police stands to receive AU$15.6 million over four years from today's budget to combat complex technology-enabled crimes.

From alerts at infosecnews.org Wed May 9 00:03:23 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Former expert witness pleads guilty to perjury
Message-ID:

http://www.fresnobee.com/263/story/45900.html

By John Ellis
The Fresno Bee
05/05/07

James Earl Edmiston, the man who fooled judges and attorneys alike when he fraudulently passed himself off as a computer forensics expert, pleaded guilty Friday to federal perjury charges. Edmiston could receive up to 10 years in prison and a $500,000 fine when he is sentenced July 13 by U.S. District Judge Lawrence O'Neill, but based on his criminal history and federal sentencing guidelines, the time is likely to be closer to three years, authorities said. Federal agents arrested Edmiston in September after they became suspicious of the 36-year-old Long Beach resident's qualifications. For instance, a sterling resume featured degrees from the California Institute of Technology and the University of California at Los Angeles. Checks, however, found the institutions didn't offer the degrees Edmiston listed on his resume.
The end came for Edmiston after he was retained by Fresno attorneys Richard Berman and Eric Schweitzer to work on two child pornography cases. Local U.S. Immigration and Customs Enforcement agents involved in the cases noticed some inaccuracies on his resume, and further checks found alleged multiple false statements. Prosecutors say Edmiston committed perjury by making false statements in both cases. By that time, he had been qualified as an expert witness in computers and had submitted documents and offered testimony in court, including Tulare County Superior Court and the Fresno County Superior Court branch in Clovis. Assistant U.S. Attorney David Gappa, who is prosecuting the case against Edmiston, declined to comment Friday. Authorities, however, say that based on information they currently have, no convictions have been jeopardized by Edmiston's actions. Edmiston, who also declined to comment Friday, pleaded guilty to two perjury counts. In exchange, the government dropped the remaining charges, including an additional perjury count and eight counts of making false statements to authorities. According to a plea agreement Edmiston signed Friday, the perjury charges involve two federal child pornography cases, one involving Ron Vaughn Jr., a Fresno County sheriff's sergeant, and another against Fresno resident Marlon Celedon. Berman, who represents Vaughn, had retained and paid Edmiston and said earlier that Edmiston looked to be the best qualified for the work. Schweitzer represented Celedon. Federal officials still are not sure how many cases Edmiston worked on, how many times he has testified in court or how long he has been offering his services as an expert witness. Edmiston's criminal history includes a mid-1990s prison term on a forgery conviction.
Copyright 2007 The Fresno Bee

From alerts at infosecnews.org Wed May 9 00:03:42 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] Taiwan claims upper hand in hackers' war with rival China
Message-ID:

http://www.nwfdailynews.com/article/4709

By Annie Huang
Associated Press Writer
May 8th, 2007

TAIPEI, Taiwan (AP) - Taiwan's advanced computer technology helps the military fend off hacker attacks in continuing virtual skirmishes with rival China, a military official said Tuesday. Chinese hacker offensives, mostly carried out by sending e-mails with destructive programs, are a daily threat for the Taiwanese military, said Maj. Gen. Chai Hui-jen, the Ministry of Defense's senior computer security specialist. "We receive massive amounts of e-mails everyday, many attached with Trojan horse ... programs, which are found to have connections to either Beijing or Hong Kong," she told a ministry news conference. However, the island's status as one of the most advanced computer makers in the world helps it cope with the onslaught, she said. Taiwan "is superior in technical skills to the mainland," she said in reference to the country's advantage in electronic warfare.

Taiwan and China split in 1949 after a civil war, and computer hacking is part of the low-level conflict that persists between the two sides. Taiwanese officials believe Beijing would try to cripple Taiwanese computer systems as a prelude to a real attack. The mainland has threatened an attack if Taiwan moves to formalize its de facto independence. Taiwan's computer security was called into question last month when Chinese hackers breached a computer used by a Taiwanese military official and obtained a seating chart at a planned military exercise to be attended by President Chen Shui-bian and other senior officials.
The Defense Ministry says the breach occurred because an official downloaded the seating chart to his home computer, where the government's normally high computer security standards were not in effect. The ministry has since stepped up its efforts to police the downloading of classified information to personal computers. Chai said military computers are equipped with a special system to isolate them from other computers and are well protected from hackers. "We've closely monitored the hacking activities to ensure the security of our military command systems," she said. Chai acknowledged that in the event of war with Beijing, Taiwan would also try to hack into Chinese computers, but declined to give details. She said Taiwanese law permits the military to draft civilian computer experts if hostilities break out, but expressed the hope that such a move would never be necessary. "We hope (computer) attacks can be reduced so everyone can freely utilize cyberspace," she said.

From alerts at infosecnews.org Wed May 9 00:04:01 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:27 2008
Subject: [ISN] M&S loses personal data on 26,000 employees
Message-ID:

http://www.theinquirer.net/default.aspx?article=39473

By INQUIRER newsdesk
08 May 2007

FAVE SHOP OF THE chattering classes, Marks and Spencer has become the latest outfit to lose a laptop stuffed with employees' details. The shop admitted the computer contained addresses, dates of birth, national insurance and phone numbers of some 26,000 employees. It says the laptop was stolen from a printing firm that had been given the information in order to write to employees about pension changes. M&S offered free credit checks to all staff affected by the possible data breach. The PGP Corporation was quick to point out that had the company used its software to encrypt the data it might have left itself less at risk.
"The only silver lining here as is true in most of these cases," said a spokesPGPer, "is that it seems to have been an opportunistic theft rather than a targeted attack." He said companies need to realise that encryption and authorisation controls are essential to protect sensitive customer and employee data, "before legislation in this area drives greater punishment." From alerts at infosecnews.org Wed May 9 00:04:13 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:27 2008 Subject: [ISN] Microsoft Patches 19 Bugs With 7 Bulletins -- All Critical Message-ID: http://www.informationweek.com/news/showArticle.jhtml?articleID=199400216 By Sharon Gaudin InformationWeek May 8, 2007 In its monthly Patch Tuesday release, Microsoft today issued seven advisories -- all rated critical -- that patch 19 vulnerabilities that affect Windows, Office and Internet Explorer. Three of the security bulletins handle bugs in Microsoft Office, with one each for Windows, Microsoft Exchange and Internet Explorer. One of the security bulletins also tackles a vulnerability in CAPICOM, which is an ActiveX control, and BizTalk, which is a central Microsoft platform for application integration. Two of the vulnerabilities affect Microsoft's highly-touted Windows Vista operating system, while six of them are bugs in various versions of the company's ubiquitous browser, Internet Explorer. Five of the bugs are in IE7. Seven different vulnerabilities, according to the advisory, could lead to code execution attacks against Word, Excel and Office. "I think we are, in general, pleased because it does take care of a lot of issues, especially the DNS server vulnerability," said Amol Sarwatee, manager of vulnerability research labs at Qualys. "That was a zero-day that was out in the wild being exploited. We were really expecting a patch for it before today's patch Tuesday release." 
The DNS issue was a zero-day vulnerability in several of Microsoft's server products that could enable a hacker to divert the Web traffic of not just a single user but of a company's entire roster of employees. Sarwatee called the DNS bug and the vulnerability in Exchange the most critical out of all the flaws being patched today. Symantec also pointed out the Exchange bug as one of the more critical issues being fixed this month. The remote code execution vulnerability affects the MIME (Multipurpose Internet Mail Extensions) decoding mechanism of Microsoft Exchange Server, affecting versions 2000, 2003 and 2007. According to a security bulletin from Symantec, for the attack on Exchange to be successful, a user must open a malformed attachment. "A successful attack could completely compromise the computer hosting the vulnerable Exchange server and has the potential for impacting a large audience," reported Symantec researchers. From alerts at infosecnews.org Thu May 10 01:30:46 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:27 2008 Subject: [ISN] Vital US institutions left wide open to terror attack Message-ID: http://www.theinquirer.net/default.aspx?article=39483 By Nick Farrell 09 May 2007 WHILE THE US Department of Homeland Security has been making life miserable for those who have the misfortune of being tourists to its country, it seems to have missed a huge software security hole which could bring down the nation's nuclear power stations. The flaw sits in protocol-handling software used by vital national infrastructure systems, the kind that control dams, oil refineries, railroads and nuclear power plants, and it could allow hackers to take those systems over. Security boffins Neutralbit say that the flaw is remotely exploitable and lies in SCADA (supervisory control and data acquisition) software. The hole is in NETxAutomation's NETxEIB OPC Server, an implementation of OPC (OLE for Process Control), the Microsoft COM/DCOM-based interface standard that SCADA and HMI applications use to exchange data with industrial controllers. 
Neutralbit has also published five vulnerabilities having to do with OPC. Apparently NETxAutomation has addressed the flaw by releasing version 3.0.1300 of the NETxEIB OPC Server. The company has also released a patch for NETxEIB OPC Server version 3.0. US-CERT recommends restricting remote access to the server to trusted hosts only, by using firewalls or by connecting the servers only to private networks, until a fixed version of the server can be deployed. One caveat for anyone applying that advice: classic OPC rides on DCOM, which negotiates dynamic ports after the initial connection to the RPC endpoint mapper on TCP port 135, so a rule that blocks a single port is not enough; filter by source host, or keep the server off any routable network altogether. Either way it is a bit more important than bringing a bottle of water on a plane. L'INQ - http://www.physorg.com/news94025004.html From alerts at infosecnews.org Thu May 10 01:31:31 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:27 2008 Subject: [ISN] Hacking Contests Serve a Great Purpose Message-ID: Forwarded with permission from: Security UPDATE PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE: CIPA - Keeping Students Safe on the Net http://list.windowsitpro.com/t?ctl=558AC:57B62BBB09A69279A638DD2CD6295BF1 Administering Windows Vista Security http://list.windowsitpro.com/t?ctl=55897:57B62BBB09A69279A638DD2CD6295BF1 Control of Software Use and Reduce Audit Risk http://list.windowsitpro.com/t?ctl=55896:57B62BBB09A69279A638DD2CD6295BF1 === CONTENTS =================================================== IN FOCUS: Hacking Contests Serve a Great Purpose NEWS AND FEATURES - Month of ActiveX Bugs Bears Dangerous Fruit - Microsoft Launches Forefront Client Security and System Center Essentials 2007 - Recent Security Vulnerabilities GIVE AND TAKE - Security Matters Blog: AACS Uproar - FAQ: How to Create a Bootable USB Flash Device - From the Forum: Network Monitoring with EtherApe - Product Evaluations from the Real World - Share Your Security Tips PRODUCTS - Security-Check Your Email on the Network Edge RESOURCES AND EVENTS FEATURED WHITE PAPER ANNOUNCEMENTS === SPONSOR: Cyberoam ========================================== CIPA - Keeping Students Safe on the Net Protecting students from 
the millions of sites that house pornography, adult chat rooms, violence & hacking can provide not just a safe surfing atmosphere to minors in schools and libraries, but also qualify the institutions for federal E-rate funding through CIPA compliance. http://list.windowsitpro.com/t?ctl=558AC:57B62BBB09A69279A638DD2CD6295BF1 === IN FOCUS: Hacking Contests Serve a Great Purpose ============= by Mark Joseph Edwards, News Editor, mark at ntsecurity / net You might recall that last month at the CanSecWest security conference, a challenge was offered for anyone to attempt to break into one of two Apple MacBook Pro laptop systems running OS X. Whoever was successful would win the laptop they broke into. As added incentive, TippingPoint (a division of 3Com) offered a $10,000 cash prize for exclusive rights to details of any vulnerability used to break into the OS. Of course someone did find a way to break into one of the two laptops. Dino Dai Zovi working in tandem with Shane Macaulay exploited a vulnerability (discovered by Dai Zovi) that exists in the combination of Apple QuickTime and Java. The exploit gave them the ability to access a command shell on OS X. As it turns out, the vulnerability also affects Windows platforms, which makes the vulnerability even more dangerous because it affects a much wider base of computer users around the world. Last week, Gartner spoke out against public vulnerability research in general as well as hacking contests like the one recently held at CanSecWest. Writing in a research brief for Gartner, research vice presidents Rich Mogull and Greg Young stated that, "Public vulnerability research and 'hacking contests' are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements. Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. 
However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities--which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers." http://list.windowsitpro.com/t?ctl=55898:57B62BBB09A69279A638DD2CD6295BF1 Mogull and Young apparently think that no vulnerability should be known to the public until vendors can first develop a patch. While there is certainly an advantage to that approach, there truly is little if any security offered through that sort of obscurity. It's been shown time and time again that when risks are known by the public, then adequate precautions can be taken either by users or by their solution providers. Most striking to me is the fact that Mogull and Young overlook a glaring problem in picking the CanSecWest contest as the foundation of their rather weak argument. Dai Zovi didn't know of the vulnerability in advance of the contest. He was contacted by Macaulay from the conference and asked if he could find a way into the OS X system so that they could then split the prize package. Macaulay would get the laptop, and Dai Zovi would get the money. Only then did Dai Zovi go to work to try to find a weakness. Dai Zovi later reportedly said that he was more motivated by the challenge itself than by the $10,000 cash prize. Obviously, without the CanSecWest challenge, the QuickTime flaw might not have come to light until a much later date, and it might have been because of some sort of malicious code that exploited the vulnerability and that was unleashed on the unprepared public. We could have all been completely blindsided, and at great expense. So the way I see it, thanks are due to CanSecWest, TippingPoint, Dai Zovi, and Macaulay. 
The discovery of this particular vulnerability makes it clear that hacking contests serve a great purpose when they're conducted in a controlled manner with strict guidelines, such as those spelled out by the organizers of CanSecWest as well as TippingPoint. Furthermore, a mere seven days after the QuickTime vulnerability was discovered, Apple released an update (available at the URL below) that fixes the problem, which demonstrates how a well-run challenge and a lot of press coverage gets bugs fixed really fast. http://list.windowsitpro.com/t?ctl=558A3:57B62BBB09A69279A638DD2CD6295BF1 === Calling All Windows IT Pro Innovators! Have you developed a solution that uses Windows technology to solve a business problem in an innovative way? Enter your solution in the 2007 Windows IT Pro Innovators Contest! Grand-prize winners will receive airfare and a conference pass to Windows and Exchange Connections in Las Vegas, November 5-8, 2007, plus more great prizes and a feature article about the winning solutions in the November 2007 issue of Windows IT Pro. Contest runs through August 1, 2007. To enter, click here: http://list.windowsitpro.com/t?ctl=558A2:57B62BBB09A69279A638DD2CD6295BF1 === SPONSOR: Symantec ========================================== Administering Windows Vista Security Join Paul Thurrott for a deep dive into administering Windows Vista's new security features with an emphasis on the new Group Policy settings that are exposed by this release including USB device blocking and the new Microsoft Desktop Optimization Pack. Paul will also discuss compliance features in Windows Vista, and upcoming security innovations that will be enabled by combining Windows Vista with Windows Server "Longhorn". 
On-Demand Web Seminar http://list.windowsitpro.com/t?ctl=55897:57B62BBB09A69279A638DD2CD6295BF1 === SECURITY NEWS AND FEATURES ================================= Month of ActiveX Bugs Bears Dangerous Fruit On the heels of the Month of Kernel Bugs, Month of Browser Bugs, Month of Apple Bugs, and Month of PHP Bugs comes the Month of ActiveX Bugs (MoAxB). Launched by someone who uses the name "shinnai," the project has so far revealed at least five serious vulnerabilities that can allow remote code execution. http://list.windowsitpro.com/t?ctl=558A7:57B62BBB09A69279A638DD2CD6295BF1 Microsoft Launches Forefront Client Security and System Center Essentials 2007 At a customer meeting attended by more than 1,000 IT professionals in Los Angeles, Microsoft Senior Vice President Bob Muglia launched two new products to help secure systems and simplify management tasks. http://list.windowsitpro.com/t?ctl=558A4:57B62BBB09A69279A638DD2CD6295BF1 Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=5589C:57B62BBB09A69279A638DD2CD6295BF1 === SPONSOR: Macrovision ======================================= Control of Software Use and Reduce Audit Risk Do you have visibility and control over your software license use? Most organizations face a number of serious challenges, including understanding vendor licensing models, cost overruns, missed deadlines, business opportunities, and lost user productivity. Learn to address these challenges, and prepare for audits. Register for the free Web seminar, available now! 
http://list.windowsitpro.com/t?ctl=55896:57B62BBB09A69279A638DD2CD6295BF1 === GIVE AND TAKE ============================================== SECURITY MATTERS BLOG: AACS Uproar by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=558AB:57B62BBB09A69279A638DD2CD6295BF1 The encryption key initially used for the Advanced Access Content System (AACS) in HD DVD and Blu-ray discs was cracked, and the key is widely known at this point. Some people are spreading the key information in very funny ways. http://list.windowsitpro.com/t?ctl=558A5:57B62BBB09A69279A638DD2CD6295BF1 FAQ: How to Create a Bootable USB Flash Device by John Savill, http://list.windowsitpro.com/t?ctl=558A9:57B62BBB09A69279A638DD2CD6295BF1 Q: How can I create a bootable USB flash device running Windows Preinstallation Environment (PE) 2.0? Find the answer at http://list.windowsitpro.com/t?ctl=558A6:57B62BBB09A69279A638DD2CD6295BF1 FROM THE FORUM: Network Monitoring with EtherApe A forum participant wants to implement a network traffic monitor to see who's taking up bandwidth. He plans to use EtherApe on a Linux box. He has a switch capable of port mirroring. The Linux desktop is connected to one of the ports, and another port is mirroring the Linux desktop port. Should the desktop have two NICs so that he can log onto the machine and see what's going on in the network? http://list.windowsitpro.com/t?ctl=55895:57B62BBB09A69279A638DD2CD6295BF1 PRODUCT EVALUATIONS FROM THE REAL WORLD Share your product experience with your peers. Have you discovered a great product that saves you time and money? Do you use something you wouldn't wish on anyone? Tell the world! If we publish your opinion, we'll send you a Best Buy gift card! Send information about a product you use and whether it helps or hinders you to whatshot@windowsitpro.com. SHARE YOUR SECURITY TIPS AND GET $100 Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. 
Email your contributions to r2r@securityprovip.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. === PRODUCTS =================================================== by Renee Munshi, products@windowsitpro.com Security-Check Your Email on the Network Edge Mirapoint introduced RazorGate, an email security appliance that's designed to reject unwanted messages and enforce centrally managed email policies without relying on IT resources behind the corporate firewall. Email addresses and policy service attributes are loaded into RazorGate's Embedded Policy Engine, so RazorGate can consult its own directory outside the firewall rather than querying the corporate directory through holes in the firewall to determine how to handle messages and to enforce policies. Thus, RazorGate takes load off the firewall, internal network, and corporate directory. The RazorGate appliance starts at $5,250. For more information, go to http://list.windowsitpro.com/t?ctl=558AF:57B62BBB09A69279A638DD2CD6295BF1 === RESOURCES AND EVENTS ======================================= For more security-related resources, visit http://list.windowsitpro.com/t?ctl=558A8:57B62BBB09A69279A638DD2CD6295BF1 Get Ready for Exchange & Office 2007 Roadshow--free! The Microsoft-partnered Get Ready for Exchange & Office 2007 Roadshow is coming to Stockholm! Three independent, respected technical speakers--Jim McBee, Mark Arnold, and Ben Schorr--will deliver tracks on securing, managing, and deploying Exchange and Office 2007 and using Exchange Server 2007 capabilities to improve your messaging environment. Register today for this free day-long event. Your delegate bag will include Microsoft Exchange Server 2007 and Office 2007 Beta 2 Software Kits. 
Venue: Berns Hotel, Stockholm Date: Monday, 14 May 2007 http://list.windowsitpro.com/t?ctl=558A1:57B62BBB09A69279A638DD2CD6295BF1 Can your business's Exchange high-availability standards guarantee that users can always access email, even during an outage? Maximize your availability strategy by learning new approaches, such as proper management practices, how to improve clustering and log replication, and how to achieve service outage protection. http://list.windowsitpro.com/t?ctl=5589A:57B62BBB09A69279A638DD2CD6295BF1 Join Paul Robichaux as he presents a disaster recovery planning checklist that you can use to help guide your Exchange 2000/2003/2007 disaster recovery planning. Learn what you should do first, last, and in between to solidify your Exchange infrastructure and be assured of a successful disaster recovery operation. Listen to this on-demand Web seminar at your convenience. http://list.windowsitpro.com/t?ctl=55899:57B62BBB09A69279A638DD2CD6295BF1 === FEATURED WHITE PAPER ======================================= You can't prevent nature from throwing floods, hurricanes, and earthquakes at your IT systems. You can't always control what people do to your systems, either. Download this free eBook and learn to protect your business from disasters of all kinds. http://list.windowsitpro.com/t?ctl=5589B:57B62BBB09A69279A638DD2CD6295BF1 === ANNOUNCEMENTS ============================================== Introducing a Unique Security Resource Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50! 
http://list.windowsitpro.com/t?ctl=5589E:57B62BBB09A69279A638DD2CD6295BF1 Introducing a Unique Exchange and Outlook Resource Exchange & Outlook Pro VIP is an online information center that delivers new articles every week on messaging topics such as administration, migration, security, and performance. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50! http://list.windowsitpro.com/t?ctl=5589D:57B62BBB09A69279A638DD2CD6295BF1 ================================================================ Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below). http://list.windowsitpro.com/t?ctl=558AA:57B62BBB09A69279A638DD2CD6295BF1 http://list.windowsitpro.com/t?ctl=558AE:57B62BBB09A69279A638DD2CD6295BF1 Subscribe to Security UPDATE at http://list.windowsitpro.com/t?ctl=558A0:57B62BBB09A69279A638DD2CD6295BF1 Be sure to add Security_UPDATE@list.windowsitpro.com to your antispam software's list of allowed senders. To contact us: About Security UPDATE content -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=558AD:57B62BBB09A69279A638DD2CD6295BF1 About your product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- salesopps@windowsitpro.com View the Windows IT Pro privacy policy at http://list.windowsitpro.com/t?ctl=5589F:57B62BBB09A69279A638DD2CD6295BF1 Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2007, Penton Media, Inc. All rights reserved. 
From alerts at infosecnews.org Thu May 10 01:31:44 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:27 2008 Subject: [ISN] Forget the Nigerian spam scam; now it's a take-off on Three Kings Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9018838 By Gregg Keizer May 07, 2007 Computerworld A twist on the classic Nigerian e-mail scam that steals from the plot of the George Clooney movie Three Kings is hitting in-boxes, Symantec Corp. said Monday. In these e-mails, a U.S. soldier based in Iraq claims that he has found a hoard of cash or gold, a plot point central to the 1999 film. The e-mail explains that the total "haul," which is often pegged at $750 million but can vary wildly from spam run to spam run, has been split among the men who found it. The soldier's take: $20 million. Unfortunately, after he was cashiered from the army and returned to Iraq to work as -- tugging at the heartstrings -- a humanitarian worker, he was injured by a roadside bomb and now is on his deathbed. "The doctors have told me point blank that I would die at any moment," the soldier writes in the spam message. All the recipient has to do to collect the millions -- or sometimes only half, with the other going to a charity -- is give up an e-mail address and phone number. "You are now being e-mailed by a soldier, an American soldier who wants to share his new-found wealth," said Kelly Conley, a researcher at Symantec, on the security company's blog. "He is an American, so it's not like you're sending your money to the great unknown of a stranger or foreigner, right? This one is much easier to fall for." In traditional Nigerian schemes -- dubbed that because they typically originate from the West African country -- scammers claim that they need help in moving money to the U.S. The messages promise recipients a share in return for an upfront fee, and therein lies the scam. 
"All of a sudden the game changes," said Conley. "It's no longer written in poor English, where you deal with a stranger for the purpose of purely obtaining cash for personal gain. Instead it's [an] injured American soldier who wants to share his fortune with you and charity." From alerts at infosecnews.org Thu May 10 01:31:57 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:27 2008 Subject: [ISN] Man faces federal data tampering charge Message-ID: http://www.mlive.com/news/annarbornews/index.ssf?/base/news-22/1178721792316560.xml&coll=2 BY ART AISNER News Staff Reporter May 09, 2007 An Ann Arbor man was federally charged Tuesday with hacking into the computer system of his former employer in Waterford and tampering with sensitive personal data, officials said. Court documents allege that Joseph Patrick Nolan accessed the computer system of Pentastar, which handles flight operations for several large automotive companies in the state, and that he deleted critical employment records about two weeks after he resigned in January. The company told authorities the action caused roughly $34,000 in damages. Also Tuesday, Nolan resigned from his job as a senior infrastructure specialist in the Information Technology Department for the city of Ann Arbor, according to a city official. Nolan was hired by Ann Arbor in February at an annual salary of $75,000. He was expected to return to work Tuesday after a vacation, but he instead resigned, said Tom Crawford, the city's chief financial officer. Nolan declined to discuss the case when he was reached by telephone Tuesday afternoon. Nolan was arraigned in federal court in Detroit on one count of computer intrusion. He was released on $10,000 personal bond. A preliminary hearing was scheduled for May 29. A complaint filed by the FBI charges that Nolan was upset about being released from Pentastar sooner than he had anticipated. The documents allege that Nolan gave a two-week notice Jan. 
15 that he was resigning, but two days later, company officials told him not to return. Representatives at Pentastar said he would be paid for those final two weeks if he signed a separation agreement by Jan. 26, but he did not sign the document, court documents indicate. Officials with Pentastar told authorities that their firewall system was compromised and an entire computer drive of personal employee information was deleted, records stated. The complaint charges that Nolan was one of only three people who knew the needed passwords to log into the company's computer system at that time. Federal investigators said they traced the intrusion to Nolan's Ann Arbor apartment, which is served by multiple wireless networks. From alerts at infosecnews.org Fri May 11 00:36:30 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:27 2008 Subject: [ISN] Lloyd's Report Warns of Threats from 'Political Violence' Message-ID: http://www.insurancejournal.com/news/international/2007/05/10/79591.htm May 10, 2007 A new report from Lloyd's and the Economist Intelligence Unit (EIU) has found that global businesses are becoming increasingly concerned about risks from political violence. However, too little has been done to analyze those risks and to "really understand" their impact. One finding from the report "Under Attack: Global business and the threat of political violence," revealed that, "concerns regarding terrorism and political violence are causing businesses to avoid investing in politically sensitive areas or locating offices in large cities." The survey canvassed 154 global business leaders and found that over a third of companies avoid investing in overseas markets for fear of political violence, while 20 percent have relinquished promising business opportunities for the same reason. Lloyd's Chairman Lord Levene indicated that businesses needed to understand their risks better. 
"There is a large gap between what businesses perceive as a threat and the reality," he noted in a bulletin on the Lloyd's web site (www.lloyds.com). "Many companies are changing their plans based on perceived threats, which is a problem if their information is incorrect." The report is part of Lloyd's 360 Risk Project which aims to generate debate on how businesses can manage risk. One, somewhat surprising conclusion, revealed that some 60 percent of the businesses questioned rely on international media coverage to come to a decision on what risks they face. Levene pointed out that "media coverage tends to focus on radical religious terrorism and rarely touches on the emergence of new risks, such as threats to supply chains, cyber terrorism, home grown terrorism and the threat of chemical, biological, nuclear and radioactive attack." Dr. Paul Kielstra, author of the report and contributor to the EIU, also indicated that businesses place too much emphasis on the wrong information. "As a result, only 37 percent of business leaders feel their companies have a good understanding of the political violence risks they face," he noted. In addition Lloyd's found that despite the multiple threats "over 37 percent of companies surveyed had either no business continuity plan, or one that did not adequately take account of political violence risks." According to Chris Parker, Head of Terrorism at Marsh UK, the insurance marketplace is responding to the threats. Parker said that around $1.2 billion of capacity is now available from the private market for stand-alone terrorism coverage, compared with around $100 million before September 11, 2001. He also said that new products were becoming available, with $100 million capacity, to cover CBNR risks. Lloyd's report will be the subject of a debate on Tuesday, May 15. 
The panel session, hosted by Lord Levene and chaired by the BBC's John Simpson, will explore the key issues surrounding terrorism and political risk and its impact on the business world. Joining them will be business leaders and risk experts, including Sir Richard Mottram, Permanent Secretary, Intelligence, Security and Resilience; Sir Richard Dearlove, former Head of MI6 and Chairman of Ascot Underwriting; and Peter Clarke, Head of the Metropolitan Police's Anti-Terrorism Branch. (c) 2007 by Wells Publishing, Inc. From alerts at infosecnews.org Fri May 11 00:36:51 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:27 2008 Subject: [ISN] The Ultimate Insider: FBI Analyst Steals National Secrets Message-ID: http://www.informationweek.com/news/showArticle.jhtml?articleID=199500751 By Sharon Gaudin InformationWeek May 10, 2007 On the morning of Aug. 5, 2005, an FBI intelligence analyst sat at his desk and accessed the agency's main database. He downloaded a classified document, copied it onto a disc and dropped it into a bag beside his desk. Leandro Aragoncillo -- a career Marine who had served under two vice presidents in the White House -- was stealing information in an attempt to foster a political coup in the Philippines, his home country. He knew he had no authorization to take or pass along the information, but, so far, it had been so easy. What Aragoncillo didn't know was that on this particular morning, after nearly four years of espionage, the feds were spying on the spy. Agents were watching him at his desk via video surveillance. At the end of the workday, the man who was set up as the perfect inside threat took the bag with the disc inside and left the office. Agents tailed him as he drove home and took the bag, with the stolen classified information, inside. 
A little more than a month later, federal agents would execute search warrants on the houses of Aragoncillo and his U.S.-based conspirator, Michael Ray Aquino, a resident of the Philippines who was in the country on a visa. Both men were arrested that day after agents found more than 736 classified documents between the two homes. The arrests marked the end of what prosecutors called a "criminal conspiracy against the United States that spanned the globe, involved the theft of classified national defense documents" from the White House, the FBI, the Department of Defense and the U.S. State Department. The scheme included a group of conspirators who ranged from the former Marine turned FBI analyst to an ousted Philippine president to a foreign intelligence officer on the lam from double murder charges. It is the first time in modern history that someone has been charged with spying out of the White House. As it stands today, both Aragoncillo and Aquino have pleaded guilty and are awaiting sentencing this summer in U.S. District Court in Newark, N.J. Aragoncillo faces a maximum of 15 to 20 years based on his plea agreement. Aquino faces a max of 10 years, but after he serves his time here, he's expected to be shipped back to the Philippines to face various charges there. It's still unclear what, if anything, will happen to the other conspirators, who are not U.S. residents. It's also unclear what steps the FBI and the White House have taken to shore up their information safeguards and to better vet the people working there. What is clear is that the technology -- text messages, Web-based e-mail accounts and database queries -- that fed their plot also helped the government track them down and build an air-tight case against them. The e-mails sent, the phone calls made and the stolen information that one man actually archived on a set of CDs like a catalogue of wrong-doing all left a digital trail that was their ultimate undoing. 
"In this particular espionage investigation, the computer forensic work, as it relates to tracking Aragoncillo's information to his co-conspirators, was critical to prosecuting and ultimately obtaining guilty pleas for Aquino and Aragoncillo," said Assistant U.S. Attorney Karl Buch, who prosecuted the case, along with Assistant U.S. Attorney Michael Buchanan. "The information we were able to derive from searches of the e-mail accounts and the home computers provided overwhelming evidence of the conspiracy." Aragoncillo, now 48, was born and raised in Manila, the capital of the island nation long fraught with turmoil and political battles that have been waged with both words and weapons. He moved to the U.S. in the 1980s and soon joined the U.S. Marine Corps. In 1999, the military rewarded Aragoncillo's years of service with a plum assignment. He became a staff assistant to the military advisers in the Office of the Vice President. He began his service under former Vice President Al Gore and remained on and served under Vice President Dick Cheney. Aragoncillo was given Top Secret clearance. According to a sentencing motion, in the summer of 2000 then-President of the Philippines Joseph Estrada visited the U.S. and the Clinton administration hosted him at a State Dinner at the White House. Aragoncillo was in attendance and was introduced to Estrada. He even handed out his business card to members of the Philippine delegation. It was the beginning of a troubled time. That same fall, Estrada was accused of corruption and he was impeached. According to the motion, to steady his newly unstable footing, the Philippine president and his cohorts thought of Aragoncillo and his proximity to what they hoped would be beneficial information about their region. A representative called Aragoncillo and asked him to provide them information. That's all it took. Aragoncillo agreed to do it. 
In January of 2001, court papers show that Aragoncillo traveled to the Philippines and dined with Estrada at the Malacanang Palace. When he returned, he began pilfering and transmitting documents to Estrada and other co-conspirators. The indictment and the sentencing motion both note that Aragoncillo's years as a spy were made up of clandestine meetings, an alias, code words, and computer misuse. Documents show that he stole classified information from the White House and from the famed Situation Room. He was even brazen enough to send documents he was not authorized to access to his contacts from a White House fax machine. According to court papers, Aragoncillo walked out of the White House on a fairly regular basis with classified documents on a disc in his bag. He stole information about the Philippine economy, confidential U.S. intelligence sources and even terrorist threats against U.S. military personnel stationed in the Philippines. That information well went dry for the conspirators when Aragoncillo's stint at the White House came to a natural end in 2002. He later retired from the Marine Corps in 2004. However, Aragoncillo wasn't done yet. Over time, Aragoncillo applied for jobs at the CIA, the National Security Agency and the FBI to "maintain regular access to documents and information classified for national security," according to the indictment. In July of 2004, he began his new job as an intelligence analyst with the FBI. In September, he began searching the FBI's Automated Case System, which is the agency's main database, for classified documents relating to the Philippines and its new president Gloria Macapagal Arroyo. The sentencing motion showed that he began accessing, downloading and printing classified documents that belonged to the FBI, the Department of Defense, the CIA and the U.S. State Department. Court papers noted that many of the stolen documents held national defense information.
Aragoncillo's first misstep came when his U.S.-based contact, Aquino, was arrested in March of 2005 for overstaying his tourist visa. Aquino has quite a history himself. A trained intelligence officer in the Philippines, he was in the U.S. avoiding an investigation that implicated him in the kidnapping and murders of a publicist and his driver. The bodies had been burned and were only identifiable by their dental records. Instead of lying low, Aragoncillo actually went to the U.S. Immigration and Customs Enforcement office and vouched for Aquino, identifying himself as an FBI employee. Immigration agents thought it was odd and reported it to the FBI, which soon began to take a look at the queries Aragoncillo had been running. When they saw that he had been running searches and downloading information that had nothing to do with his job, they began to look deeper. The government reported that investigators then found a discarded e-mail on his FBI account that referred to one or two Hotmail accounts, a Yahoo account and an alias. With court orders, the government went to both Hotmail and Yahoo. Once they saw those e-mails, they automatically began collecting the e-mail addresses of his co-conspirators. That led them to IP addresses and then actual physical addresses. Aquino left three years' worth of e-mails -- more than 2,000 messages -- in his account. It was a virtual treasure trove of information. At that point, investigators set up real-time monitoring, gathering a mounting pile of evidence against Aragoncillo, Aquino and the other conspirators. In September, while investigators were watching, Aragoncillo downloaded and transmitted a document regarding a political coup in another country. One of the names on the document was Condoleezza Rice.
The sentencing motion noted that when Aragoncillo e-mailed out the information on the coup, he wrote, "The attached info could be used a 'guidance', if and when you intend to install a military council and later transition to a 'civilian cabinet.'" Later in a telephone call about the document, Aragoncillo called it a "blueprint on how to" execute a coup. Within a week, the feds descended on Aragoncillo's and Aquino's homes, executing search warrants and arresting both men. Documents showed that Aragoncillo hadn't even deleted many of his e-mail messages and Aquino had neatly stored information on CDs that he kept in his house. Aragoncillo pleaded guilty last spring. Aquino also cut a deal. Charges have not been brought against the other conspirators but the investigation continues. The prosecutor filed a classified brief to the court outlining what the government says is the damage done to the United States in the four years of espionage that touched two governments, several federal agencies and even the White House. 
From alerts at infosecnews.org Fri May 11 00:37:12 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Secunia Weekly Summary - Issue: 2007-19
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2007-05-03 - 2007-05-10

This week: 81 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

BETA TEST: The Network Software Inspector

Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)!

http://secunia.com/network_software_Inspector/

The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications.

--

NEW BLOG ENTRY

Last December, Secunia released the Software Inspector, a revolutionary tool that changed the way users all across the globe identified missing security updates. Since then, over 300,000 inspections have been made using the Software Inspector. Secunia has received hundreds of emails with feedback, feature requests, and suggestions, all of which were thoroughly read and taken note of. Because of these, Secunia is able to fine-tune and improve the Software Inspector so that it can be a better tool for computer users everywhere.
Now, Secunia is planning to release the Network Software Inspector (NSI), which is basically an expanded version of the Software Inspector geared for scanning internal corporate networks.

Read More:
http://secunia.com/blog/9/

========================================================================
2) This Week in Brief:

Microsoft Tuesday kicked off this week, with the vendor releasing six security bulletins. The bulletins covered a cumulative security update for Internet Explorer, one for the CAPICOM (Cryptographic API COM) ActiveX control, one for the Microsoft Exchange Server, and three for various Microsoft Office products, including a fix for the Microsoft Word 0-day vulnerability seen last February.

All six bulletins are rated by Secunia as Highly Critical, except for the Word 0-day advisory (SA24122, rated as Extremely Critical), due to the availability of a working exploit.

The Microsoft Exchange Server advisory (SA25183) contains four vulnerabilities, which could be used to perform cross-site scripting or Denial of Service attacks, or to execute arbitrary code on a vulnerable system.

The CAPICOM ActiveX control vulnerability (SA25185) can also be exploited to execute arbitrary code on a user's system if the user visits a malicious web site.

Three vulnerabilities in Microsoft Excel (SA25150) can be exploited to compromise a user's system. The errors are in the way that Excel handles malformed BIFF records, set font values, and filter records.

An error in the way that Microsoft Office (SA25178) parses drawing objects can be exploited via a malicious Office file that contains a specially crafted drawing object. Successful exploitation allows an attacker to execute arbitrary code on the system.

The Internet Explorer advisory (SA23769) contains details on six IE vulnerabilities, which can all be exploited to execute arbitrary code on a system. Successful exploitation is possible by tricking the user into viewing a specially crafted web page.

Three vulnerabilities in Microsoft Word, including the 0-day bug made public in February, are also included in this month's releases (SA24122). Successful exploitation of these vulnerabilities is possible by tricking the user into handling a specially crafted Word file.

All Windows users are advised to update their systems accordingly.

For more information on this month's Microsoft updates:
http://secunia.com/advisories/24122/
http://secunia.com/advisories/23769/
http://secunia.com/advisories/25178/
http://secunia.com/advisories/25185/
http://secunia.com/advisories/25183/

--

PHP released its next minor versions this week, making 5.2.2 and 4.4.7 available. These versions fix multiple vulnerabilities, most of which were discussed during the Month of PHP Bugs. Most of these bugs are exploitable to execute arbitrary code, and some issues can be triggered remotely under certain circumstances; thus Secunia rates its PHP advisory as Highly Critical.

All PHP users are advised to update their systems accordingly.

For more information, please refer to:
http://secunia.com/advisories/25123/

--

A "Highly Critical" buffer overflow vulnerability in various McAfee products can be exploited to give an attacker control over a system. An error in the SecurityCenter Subscription Manager ActiveX control can be exploited by passing a certain argument to the "IsOldAppInstalled()" method.

The vulnerability affects SecurityCenter versions prior to 7.2.147 and 6.0.25. The vendor has released patches, which are available via automatic updates for McAfee customers.

For more information:
http://secunia.com/advisories/25173/

--

Seven vulnerabilities in Trend Micro ServerProtect have been reported, which can be exploited to compromise a vulnerable system from a local network.
These vulnerabilities are caused by boundary errors within specific functions, files, and libraries of ServerProtect, and can be exploited to allow an attacker to execute arbitrary code. Trend Micro ServerProtect users are advised to install the patches for version 5.58.

For more information:
http://secunia.com/advisories/25186/

--

VIRUS ALERTS:

During the past week Secunia collected 172 virus descriptions from the antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA25123] PHP Multiple Vulnerabilities
2. [SA25183] Microsoft Exchange Multiple Vulnerabilities
3. [SA23769] Internet Explorer Multiple Vulnerabilities
4. [SA25093] AXIS Camera Control "SaveBMP()" Method Buffer Overflow
5. [SA25109] Cisco PIX and ASA Denial of Service and Security Bypass
6. [SA25089] Winamp MP4 File Handling Memory Corruption Vulnerability
7. [SA25135] HP Tru64 UNIX "ps" Command Information Disclosure
8. [SA25121] Solaris Xorg X Render Extension Denial of Service
9. [SA25144] Pre Classified Listings PHP "category" SQL Injection
10. [SA25132] rPath update for lftp

========================================================================
4) Vulnerabilities Summary Listing

Windows:

[SA25218] RIM TeamOn Import Object ActiveX Control Buffer Overflow Vulnerability
[SA25209] BarCodeWiz Barcode ActiveX Control Buffer Overflow Vulnerability
[SA25203] SmartCode VNC Manager VNC Viewer ActiveX Control Buffer Overflow
[SA25185] CAPICOM CAPICOM.Certificates ActiveX Control Vulnerability
[SA25183] Microsoft Exchange Multiple Vulnerabilities
[SA25180] TAL Bar Code ActiveX Control Buffer Overflow Vulnerability
[SA25178] Microsoft Office Drawing Object Code Execution Vulnerability
[SA25174] PHPtree "s_dir" File Inclusion Vulnerability
[SA25173] McAfee SecurityCenter Subscription Manager ActiveX Control Buffer Overflow
[SA25156] HTTP File Upload ActiveX Control Buffer Overflow Vulnerability
[SA25150] Microsoft Excel Three Code Execution Vulnerabilities
[SA25143] Office Viewer ActiveX Control Buffer Overflow Vulnerabilities
[SA25212] Nokia Intellisync Mobile Suite Multiple Vulnerabilities
[SA25172] Symantec Products NAVOpts.dll ActiveX Control Security Bypass Vulnerability
[SA25158] Burak Yilmaz Blog "id" SQL Injection Vulnerability
[SA25186] Trend Micro ServerProtect Multiple Buffer Overflow Vulnerabilities
[SA25148] IBM DB2 Universal Database Unspecified Code Execution Vulnerability
[SA25211] Adobe RoboHelp Cross-Site Scripting Vulnerability
[SA25152] Panda AntiVirus Zoo Denial of Service Vulnerability
[SA25160] Novell SecureLogin Two Unspecified Vulnerabilities

UNIX/Linux:

[SA25224] AForum "CommonAbsDir" and "header" File Inclusion
[SA25210] phpMyPortal "GLOBALS[CHEMINMODULES]" File Inclusion
[SA25189] Mandriva update for clamav
[SA25187] Red Hat update for php
[SA25164] Berylium "beryliumroot" File Inclusion Vulnerability
[SA25147] phpChess Community Edition Multiple File Inclusion
[SA25226] SUSE update for kernel
[SA25182] Mandriva update for vim
[SA25167] Gentoo update for gimp
[SA25166] Gentoo update for lighttpd
[SA25159] Red Hat update for vim
[SA25151] Slackware update for php
[SA25145] PHP Coupon Script "bus" SQL Injection
[SA25142] Gentoo update for ipsec-tools
[SA25217] Mandriva update for python
[SA25208] Ubuntu update for moinmoin
[SA25205] OTRS Cross-Site Scripting and Cross-Site Request Forgery
[SA25196] Gentoo update for mysql
[SA25157] Debian update for ldap-account-manager
[SA25149] RSAuction Suspended Account Security Bypass
[SA25133] Avaya Products file Integer Underflow Vulnerability
[SA25184] Red Hat update for postgresql
[SA25134] Asterisk IAX2 Channel Driver Information Disclosure
[SA25216] Avaya CMS / IR X.Org X11 Multiple Vulnerabilities
[SA25197] HP Tru64 UNIX "dop" Command Privilege Escalation
[SA25195] Gentoo update for libXfont and tightvnc
[SA25163] Linux Kernel Multiple Vulnerabilities
[SA25135] HP Tru64 UNIX "ps" Command Information Disclosure
[SA25132] rPath update for lftp
[SA25198] Ubuntu update for elinks
[SA25169] ELinks "add_filename_to_string()" Privilege Escalation
[SA25162] Sun Solaris "acl()" Local Denial of Service
[SA25161] rPath update for cpio

Other:

[SA25199] Cisco IOS FTP Server Multiple Vulnerabilities
[SA25137] avast! Zoo Denial of Service Vulnerability
[SA25138] Bradford Campus Manager Information Disclosure

Cross Platform:

[SA25214] CGX "pathCGX" File Inclusion Vulnerability
[SA25179] Tropicalm Crowell Resource "RESPATH" File Inclusion
[SA25177] PMECMS "pathMod" File Inclusion Vulnerabilities
[SA25176] DynamicPAD "HomeDir" File Inclusion Vulnerabilities
[SA25175] PHP TopTree BBS "right_file" File Inclusion Vulnerability
[SA25170] Wikivi5 "sous_rep" File Inclusion Vulnerability
[SA25146] Open Translation Engine "ote_home" File Inclusion
[SA25223] SimpleNews "news_id" SQL Injection Vulnerability
[SA25222] TutorialCMS Multiple SQL Injection Vulnerabilities
[SA25219] IBM WebSphere Application Server Java Message Service Unspecified Vulnerability
[SA25207] SurgeMail webmail Unspecified Security Bypass
[SA25171] wfquotes Module for XOOPS "c" SQL Injection
[SA25165] Nuked-Klan "X-Forwarded-For" SQL Injection Vulnerability
[SA25155] XOOPS Flashgames Module "lid" SQL Injection
[SA25154] RunCMS "executed_queries" SQL Injection
[SA25153] Advanced Guestbook Multiple Vulnerabilities
[SA25144] Pre Classified Listings PHP "category" SQL Injection
[SA25141] Censura "vendorid" SQL Injection Vulnerability
[SA25200] SquirrelMail Cross-Site Scripting and Request Forgery Vulnerabilities
[SA25190] Python "PyLocale_strxfrm()" Off-By-One Information Disclosure
[SA25181] WikkaWiki Information Disclosure and Cross-Site Scripting
[SA25168] OpenLD Search Cross-Site Scripting Vulnerability
[SA25140] Avira AntiVir Zoo Denial of Service Vulnerability
[SA25139] Simple Machines Forum Session Fixation Vulnerability
[SA25188] MySQL IF Query Denial of Service Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:

--
[SA25218] RIM TeamOn Import Object ActiveX Control Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-09

Will Dormann has reported a vulnerability in RIM's TeamOn Import Object ActiveX control, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25218/

--
[SA25209] BarCodeWiz Barcode ActiveX Control Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-09

shinnai has discovered a vulnerability in BarCodeWiz Barcode ActiveX control, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25209/

--
[SA25203] SmartCode VNC Manager VNC Viewer ActiveX Control Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-08

shinnai has discovered a vulnerability in SmartCode VNC Manager, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25203/

--
[SA25185] CAPICOM CAPICOM.Certificates ActiveX Control Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-08

A vulnerability has been reported in CAPICOM (Cryptographic API Component Object Model), which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25185/

--
[SA25183] Microsoft Exchange Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, DoS, System access
Released: 2007-05-08

Some vulnerabilities have been reported in Microsoft Exchange, which can be exploited by malicious people to conduct script insertion attacks, cause a DoS (Denial of Service), or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/25183/

--
[SA25180] TAL Bar Code ActiveX Control Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-08

Michal Bucko has discovered a vulnerability in TAL Bar Code ActiveX Control, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25180/

--
[SA25178] Microsoft Office Drawing Object Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-08

A vulnerability has been reported in Microsoft Office, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25178/

--
[SA25174] PHPtree "s_dir" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-05-08

ThE TiGeR has reported a vulnerability in PHPtree, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25174/

--
[SA25173] McAfee SecurityCenter Subscription Manager ActiveX Control Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-09

A vulnerability has been reported in various McAfee products, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25173/

--
[SA25156] HTTP File Upload ActiveX Control Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-07

shinnai has discovered a vulnerability in HTTP File Upload ActiveX Control, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25156/

--
[SA25150] Microsoft Excel Three Code Execution Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-08

Three vulnerabilities have been reported in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25150/

--
[SA25143] Office Viewer ActiveX Control Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-07

shinnai has discovered some vulnerabilities in Office Viewer OCX, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25143/

--
[SA25212] Nokia Intellisync Mobile Suite Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS
Released: 2007-05-09

Johannes Greil has reported some vulnerabilities in Nokia's Intellisync Mobile Suite, which can be exploited by malicious people to gain knowledge of sensitive information, conduct cross-site scripting attacks, manipulate certain data, or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25212/

--
[SA25172] Symantec Products NAVOpts.dll ActiveX Control Security Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2007-05-10

A vulnerability has been reported in various Symantec products, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/25172/

--
[SA25158] Burak Yilmaz Blog "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-05-08

RMx has reported a vulnerability in Burak Yilmaz Blog, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/25158/

--
[SA25186] Trend Micro ServerProtect Multiple Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2007-05-08

Some vulnerabilities have been reported in Trend Micro ServerProtect, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25186/

--
[SA25148] IBM DB2 Universal Database Unspecified Code Execution Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2007-05-09

A vulnerability has been reported in IBM DB2, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25148/

--
[SA25211] Adobe RoboHelp Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-09

A vulnerability has been reported in RoboHelp, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/25211/

--
[SA25152] Panda AntiVirus Zoo Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-05-08

Jean-Sebastien Guay-Leroux has reported a vulnerability in Panda AntiVirus, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25152/

--
[SA25160] Novell SecureLogin Two Unspecified Vulnerabilities
Critical: Less critical
Where: From local network
Impact: Unknown, Privilege escalation
Released: 2007-05-07

Two vulnerabilities have been reported in Novell SecureLogin, where one has an unknown impact and the other can potentially be exploited to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/25160/

UNIX/Linux:

--
[SA25224] AForum "CommonAbsDir" and "header" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-10

Some vulnerabilities have been reported in AForum, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25224/

--
[SA25210] phpMyPortal "GLOBALS[CHEMINMODULES]" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-10

Mahmood_ali has discovered a vulnerability in phpMyPortal, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25210/

--
[SA25189] Mandriva update for clamav
Critical: Highly critical
Where: From remote
Impact: Unknown, DoS, System access
Released: 2007-05-09

Mandriva has issued an update for clamav. This fixes some vulnerabilities, where one has an unknown impact and the others can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25189/

--
[SA25187] Red Hat update for php
Critical: Highly critical
Where: From remote
Impact: Unknown, Security Bypass, System access
Released: 2007-05-09

Red Hat has issued an update for php. This fixes some vulnerabilities, where some have unknown impacts and others can be exploited by malicious users to bypass certain security restrictions and potentially by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25187/ -- [SA25164] Berylium "beryliumroot" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, System access Released: 2007-05-08 ThE TiGeR has reported a vulnerability in Berylium, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25164/ -- [SA25147] phpChess Community Edition Multiple File Inclusion Critical: Highly critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, System access Released: 2007-05-04 GolD_M has discovered some vulnerabilities in phpChess Community Edition, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25147/ -- [SA25226] SUSE update for kernel Critical: Moderately critical Where: From remote Impact: Privilege escalation, DoS, Unknown Released: 2007-05-10 SUSE has issued an update for the kernel. This fixes some vulnerabilities, where one has an unknown impact and others can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges, and by malicious people to cause a DoS. Full Advisory: http://secunia.com/advisories/25226/ -- [SA25182] Mandriva update for vim Critical: Moderately critical Where: From remote Impact: System access Released: 2007-05-10 Mandriva has issued an update for vim. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/25182/ -- [SA25167] Gentoo update for gimp Critical: Moderately critical Where: From remote Impact: System access Released: 2007-05-08 Gentoo has issued an update for gimp. 
This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/25167/ -- [SA25166] Gentoo update for lighttpd Critical: Moderately critical Where: From remote Impact: DoS Released: 2007-05-08 Gentoo has issued an update for lighttpd. This fixes some vulnerabilities, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25166/ -- [SA25159] Red Hat update for vim Critical: Moderately critical Where: From remote Impact: System access Released: 2007-05-09 Red Hat has issued an update for vim. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/25159/ -- [SA25151] Slackware update for php Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2007-05-08 Slackware has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious users to manipulate certain data, disclose potentially sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), or to compromise a vulnerable system, and by malicious people to disclose potentially sensitive information, conduct cross-site scripting attacks, or cause a DoS. Full Advisory: http://secunia.com/advisories/25151/ -- [SA25145] PHP Coupon Script "bus" SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2007-05-04 Cyber-Security has reported a vulnerability in PHP Coupon Script, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/25145/ -- [SA25142] Gentoo update for ipsec-tools Critical: Moderately critical Where: From remote Impact: DoS Released: 2007-05-08 Gentoo has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25142/ -- [SA25217] Mandriva update for python Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2007-05-09 Mandriva has issued an update for python. This fixes a security issue, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/25217/ -- [SA25208] Ubuntu update for moinmoin Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-05-08 Ubuntu has issued an update for moinmoin. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/25208/ -- [SA25205] OTRS Cross-Site Scripting and Cross-Site Request Forgery Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-05-08 ciri has reported some vulnerabilities in OTRS (Open Ticket Request System), which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/25205/ -- [SA25196] Gentoo update for mysql Critical: Less critical Where: From remote Impact: DoS Released: 2007-05-09 Gentoo has issued an update for mysql. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/25196/ -- [SA25157] Debian update for ldap-account-manager Critical: Less critical Where: From remote Impact: Cross Site Scripting, Privilege escalation Released: 2007-05-08 Debian has issued an update for ldap-account-manager. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform actions with escalated privileges and by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/25157/ -- [SA25149] RSAuction Suspended Account Security Bypass Critical: Less critical Where: From remote Impact: Security Bypass Released: 2007-05-09 switzer has reported a vulnerability in RSAuction, which can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/25149/ -- [SA25133] Avaya Products file Integer Underflow Vulnerability Critical: Less critical Where: From remote Impact: DoS, System access Released: 2007-05-07 Avaya has acknowledged a vulnerability in various Avaya products, which can potentially be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25133/ -- [SA25184] Red Hat update for postgresql Critical: Less critical Where: From local network Impact: Privilege escalation Released: 2007-05-09 Red Hat has issued an update for postgresql. This fixes a security issue, which can potentially be exploited by malicious users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/25184/ -- [SA25134] Asterisk IAX2 Channel Driver Information Disclosure Critical: Less critical Where: From local network Impact: Exposure of sensitive information Released: 2007-05-07 A vulnerability has been reported in Asterisk, which can be exploited by malicious users to disclose potential sensitive information. 
Full Advisory: http://secunia.com/advisories/25134/

--
[SA25216] Avaya CMS / IR X.Org X11 Multiple Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, Privilege escalation, DoS
Released: 2007-05-10

Avaya has acknowledged some vulnerabilities in Avaya CMS and IR, which can be exploited by malicious, local users to disclose sensitive information, cause a DoS (Denial of Service), and gain escalated privileges.

Full Advisory: http://secunia.com/advisories/25216/

--
[SA25197] HP Tru64 UNIX "dop" Command Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2007-05-09

A vulnerability has been reported in HP Tru64 UNIX, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/25197/

--
[SA25195] Gentoo update for libXfont and tightvnc
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2007-05-09

Gentoo has issued an update for libXfont and tightvnc. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/25195/

--
[SA25163] Linux Kernel Multiple Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, DoS
Released: 2007-05-08

Some vulnerabilities have been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/25163/

--
[SA25135] HP Tru64 UNIX "ps" Command Information Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2007-05-04

A security issue has been reported in HP Tru64, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/25135/

--
[SA25132] rPath update for lftp
Critical: Not critical
Where: From remote
Impact: System access
Released: 2007-05-04

rPath has issued an update for lftp. This fixes a weakness, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/25132/

--
[SA25198] Ubuntu update for elinks
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2007-05-08

Ubuntu has issued an update for elinks. This fixes a weakness, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/25198/

--
[SA25169] ELinks "add_filename_to_string()" Privilege Escalation
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2007-05-08

Arnaud Giersch has reported a weakness in ELinks, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/25169/

--
[SA25162] Sun Solaris "acl()" Local Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-05-08

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/25162/

--
[SA25161] rPath update for cpio
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2007-05-08

rPath has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/25161/

Other:

--
[SA25199] Cisco IOS FTP Server Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS, System access
Released: 2007-05-10

Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious users and malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/25199/

--
[SA25137] avast! Zoo Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-05-08

Jean-Sebastien Guay-Leroux has reported a vulnerability in avast!, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/25137/

--
[SA25138] Bradford Campus Manager Information Disclosure
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2007-05-08

John Martinelli has reported a vulnerability in Bradford Campus Manager, which can be exploited by malicious people to gain unprivileged access to restricted data.

Full Advisory: http://secunia.com/advisories/25138/

Cross Platform:

--
[SA25214] CGX "pathCGX" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-09

GolD_M has reported some vulnerabilities in CGX, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/25214/

--
[SA25179] Tropicalm Crowell Resource "RESPATH" File Inclusion
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-05-08

kezzap66345 has discovered a vulnerability in Tropicalm Crowell Resource, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25179/

--
[SA25177] PMECMS "pathMod" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-07

Some vulnerabilities have been reported in PMECMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/25177/

--
[SA25176] DynamicPAD "HomeDir" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-05-08

ThE TiGeR has discovered two vulnerabilities in DynamicPAD, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/25176/

--
[SA25175] PHP TopTree BBS "right_file" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-07

kezzap66345 has reported a vulnerability in PHP TopTree BBS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/25175/

--
[SA25170] Wikivi5 "sous_rep" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-05-07

GolD_M has reported a vulnerability in Wikivi5, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25170/

--
[SA25146] Open Translation Engine "ote_home" File Inclusion
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-05-04

GolD_M has discovered a vulnerability in Open Translation Engine, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/25146/

--
[SA25223] SimpleNews "news_id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-05-10

Silentz has discovered a vulnerability in SimpleNews, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/25223/

--
[SA25222] TutorialCMS Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-05-10

Silentz has discovered some vulnerabilities in TutorialCMS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/25222/

--
[SA25219] IBM WebSphere Application Server Java Message Service Unspecified Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2007-05-09

A vulnerability has been reported in IBM WebSphere Application Server, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/25219/

--
[SA25207] SurgeMail webmail Unspecified Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2007-05-10

A vulnerability has been reported in SurgeMail, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/25207/

--
[SA25171] wfquotes Module for XOOPS "c" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-05-07

A vulnerability has been reported in the wfquotes module for XOOPS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/25171/

--
[SA25165] Nuked-Klan "X-Forwarded-For" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-05-07

DarkFig has discovered a vulnerability in Nuked-Klan, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/25165/

--
[SA25155] XOOPS Flashgames Module "lid" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-05-07

A vulnerability has been reported in the Flashgames module for XOOPS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/25155/

--
[SA25154] RunCMS "executed_queries" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2007-05-07

rgod has discovered a vulnerability in RunCMS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/25154/

--
[SA25153] Advanced Guestbook Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released: 2007-05-09

Jesper Jurcenoks has discovered some vulnerabilities in Advanced Guestbook, which can be exploited by malicious people to disclose sensitive information or to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25153/

--
[SA25144] Pre Classified Listings PHP "category" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-05-04

Cyber-Security has reported a vulnerability in Pre Classified Listings PHP, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/25144/

--
[SA25141] Censura "vendorid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-05-04

Cyber-Security has reported a vulnerability in Censura, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/25141/

--
[SA25200] SquirrelMail Cross-Site Scripting and Request Forgery Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-10

Some vulnerabilities have been reported in SquirrelMail, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks.

Full Advisory: http://secunia.com/advisories/25200/

--
[SA25190] Python "PyLocale_strxfrm()" Off-By-One Information Disclosure
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2007-05-09

Piotr Engelking has reported a security issue in Python, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/25190/

--
[SA25181] WikkaWiki Information Disclosure and Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information
Released: 2007-05-08

Some vulnerabilities have been reported in WikkaWiki, which can be exploited by malicious people to disclose potentially sensitive information and to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/25181/

--
[SA25168] OpenLD Search Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2007-05-09

A vulnerability has been reported in OpenLD, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/25168/

--
[SA25140] Avira AntiVir Zoo Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2007-05-10

Jean-Sebastien Guay-Leroux has reported a vulnerability in Avira AntiVir, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/25140/

--
[SA25139] Simple Machines Forum Session Fixation Vulnerability
Critical: Less critical
Where: From remote
Impact: Hijacking
Released: 2007-05-07

David Vieira-Kurz has discovered a vulnerability in Simple Machines Forum, which can be exploited by malicious people to conduct session fixation attacks.

Full Advisory: http://secunia.com/advisories/25139/

--
[SA25188] MySQL IF Query Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2007-05-10

Neil Kettle has reported a vulnerability in MySQL, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/25188/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From alerts at infosecnews.org Fri May 11 00:37:29 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] One-at-a-time hacker grabs 22,000 IDs from Univ. of Missouri
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9018982

By Gregg Keizer
May 09, 2007
Computerworld

A hacker grabbed the Social Security numbers of more than 22,300 current and former students at the University of Missouri, the school said yesterday. It was the institution's second data break-in of the year.

According to university officials, the attack was launched from IP addresses in China and Australia and used a Web form for tracking the status of queries to the school's IT help desk. The hacker accessed the names and Social Security numbers of school employees during 2004 who were also current or onetime students; those records had been compiled for a report, but were overlooked rather than deleted.

IT staffers noticed unusual activity that began around 5:30 a.m. CDT last Thursday, then tied a large number of database query errors to the problem on Friday. Logs showed that the attacks ended at 9:34 a.m. Friday. That day, technicians disabled the account used to access the database from one IP address in China and another in Australia. The FBI was alerted on Monday.

"The hacker was able to reach the information by making thousands of queries over a span of hours, allowing the identities to be exposed one at a time," the university reported.

A Web page and toll-free telephone line have been set up to take questions from students, the school said. Officials are also contacting as many of the affected people as possible.
Yesterday, the toll-free line was overwhelmed, a school spokeswoman said today, and some callers heard a recording that said the desk was closed. That problem has been solved by boosting the number of staffers answering the phones. Computerworld confirmed that the hot line was working today, with wait times of approximately three minutes.

This is the second incident at the University of Missouri in recent months. In February, the school acknowledged that a server attack in January might have exposed the identities of 1,220 researchers on its four campuses. The spokeswoman declined to comment on whether there could be any connection between the two events.

In its message to potential identity theft victims, the university said that it "takes this matter very seriously" and noted that it wasn't the only organization to be attacked. "All companies or organizations using the Internet to serve their customers face this challenge."

Last year, reported the Columbia Missourian, then-university President Elson Floyd ordered that employee Social Security numbers information be deleted from online databases.

Universities are a frequent target of identity thieves, according to the data breach chronology compiled by the Privacy Rights Clearinghouse. Since Jan. 1, 27 colleges or universities have been victimized by attackers. The list includes well-known institutions such as the University of Notre Dame, Ohio State University, Purdue University and Rutgers. Several, in fact, have been hit multiple times: Notre Dame, the University of Idaho and the University of New Mexico each suffered two attacks in the first four months of 2007.

From alerts at infosecnews.org Fri May 11 00:37:44 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Cybercrime update: Is organized crime moving into cybersphere?
Message-ID:

http://www.networkworld.com/news/2007/050907-fbi-organized-crime-cybercrime.html

By Bob Brown
NetworkWorld.com
05/09/07

As if FBI special agent Tim O'Brien and his cybercrime fighting comrades don't already have their hands full with bot herders, virus writers and other loosely-aligned crooks, now people are wondering when more traditional organized crime will grab a piece of the action.

Following his presentation at CIO Forum, O'Brien was asked by one technology pro about whether the real-life Tony Sopranos of the organized crime world have caught the cybercrime bug.

"I don't think traditional organized crime in this country is involved in the cybersphere yet, but that's certainly a possibility," he says. "A lot of it's benign crime -- it goes under the radar and most people don't know anything about it. It's not murder, it's not racketeering, it's stuff that's not going to make a headline. The chances of making a tremendous amount of money off that without getting caught are much higher than going out and murdering your enemies."

More common are loosely organized criminals from other parts of the world where job prospects aren't so good. These various specialists -- some expert at developing malware, others at distributing it via a botnet and others with the ability to sell stolen data -- scheme to infiltrate computers and networks and commit fraud, says O'Brien, who refers to the malware used to perpetrate such crimes as "crimeware."

"America is the target. We have the assets and systems here and we have a lot of people who are looking to profit off that," O'Brien says.

He and a handful of other FBI agents from New York City joined 300-plus CIOs at the CIO Forum event aboard the Norwegian Dawn cruise ship in hopes of getting the tech executives to open up about their security concerns and to encourage their participation in information sharing programs such as InfraGard.
Citing recent statistics from surveys conducted by the FBI and vendors such as Symantec, O'Brien says the findings are scary: More companies are being targeted; malware writers are pumping out their programs faster than ever; and all indications are that intruders increasingly are looking to turn a profit.

"Half of what people are reporting are just trojans, not worms or viruses so much," O'Brien says. "That indicates the actual mindset of what's going on out there, that people are looking to place something on the system to prepare a beachhead for later exploitation."

Compromised routers (access to Cisco systems that can be used for denial-of-service attacks can be had for $2) and host computers have become commodities, constantly swapped online by cybercrooks for stolen credit card and Social Security numbers, O'Brien says.

And the stakes are only getting higher. New self-defending malware is even being created that purges protections such as anti-rootkit software and that squelches other malware so that compromised systems can't be shared by other thieves, O'Brien says. Some malware is smart enough to recognize if it's in a VMware or other virtualized environment and can unload itself so it can't be debugged, he says. Other malware can avoid detection by changing its signature via a new filename and increasingly modular malware can be distributed across a network to avoid a single point of failure.

Other trends are increased exploitation of Web applications, though good old e-mail attachments are still being used as well, O'Brien says.

The FBI is finding it tougher to track botnets these days, as they increasingly are being connected over encrypted channels rather than via channels such as IRC. They're also being distributed via peer-to-peer technologies, making botnets more resilient, he says.
The FBI and other law enforcement bodies have been able to tap into some of the interaction among cybercriminals on IRC and other chat systems, though the bad guys are even getting smarter on that front by starting to use encryption.

Help us help you

O'Brien wound up his presentation with a plea for IT executives to work with the FBI to nail cybercriminals, including those who operate outside the United States.

"Compared to when I started doing computer crimes four or five years ago the bureau today is very well positioned to run an investigation that involves botnets and foreign nexus. We have agents in over 50 embassies now around the world from countries as diverse as the United Kingdom and Yemen ... [Our agents] work with foreign law enforcement."

IT executives can help the FBI crack cases by reporting incidents as soon as possible and by sharing network and other logs, as well as IP addresses involved, O'Brien says.

All contents copyright 1995-2007 Network World, Inc.

From alerts at infosecnews.org Mon May 14 03:23:01 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Military Matters: Brave new war
Message-ID:

http://www.upi.com/Security_Terrorism/Analysis/2007/05/11/military_matters_brave_new_war/7023/

By WILLIAM S. LIND
May 11, 2007

WASHINGTON, May. 11 (UPI) -- While the White House and the Pentagon continue their long vacation in Cloud Cuckoo Land, in the real world the literature on Fourth Generation war continues to grow. An important addition is John Robb's new book, "Brave New War: The Next Stage of Terrorism and the End of Globalization. [1]"

As the title implies, this book dares to question the inevitability of the globalist future decreed by the internationalist elites, a one-world superstate where life is reduced to an administered satisfying of "wants." Robb perceives, rightly, that the "Brave New War" of the Fourth Generation will put an end to the Brave New World.
Following a useful and well-written introduction to Fourth Generation war, or 4GW, "Brave New War" offers four observations of strategic importance.

The first is that the "global guerillas" of 4GW will use "systems disruption" to inflict massive damage on states at little cost to themselves. Modern states depend on the functioning of numerous overlaid networks -- fuel pipelines, electric grids, etc. -- which have critical linkages that are subject to attack. Robb writes:

"To global guerillas, the point of greatest emphasis is the systempunkt. It is a point in the system ... that will collapse the target system if it is destroyed. Within an infrastructure system, this collapse takes the form of disrupted flows that result in financial loss or supply shortages. Within a market, the result is a destabilization of the psychology of the marketplace that will introduce severe inefficiencies and chaos.

"Our problem is that the global guerillas we see in the long tail of this global insurgency are quickly learning how to detect and attack systempunkts."

Here, I think John Robb's U.S. Air Force background may mislead him to an extent. Air forces have long believed that the bombing of critical nodes in an enemy's military, communications or economic systems can win wars; American air raids on German ball-bearing plants in World War II are a famous example. In reality, it seldom works because the enemy's rerouting, redundancy and repair capabilities enable him to work around the destruction. Robb is right that such destruction can increase costs, but wartime psychology can absorb higher costs. War trumps peacetime balance sheets.

Robb's second strategic observation I think is wholly correct: 4GW forces gain enormous strength from operating on an open-source basis. Anyone can play, a shared vision replaces top-down control, and methods evolve rapidly through lateral communication. A great description of the dynamics of OSW, or Open Source Warfare, is a bazaar.
People are trading, haggling, copying and sharing. To an outsider it can look chaotic. It's so different from the quiet intensity and strict order of the cathedral-like Pentagon. This dynamic may be why Arab groups were some of the first guerilla movements to pick up on this new method and apply it to warfare.

The combination of post-modern Open Source Warfare and pre-modern, non-state primary loyalties leads to the third observation, that 4GW turns globalization against itself. My conclusion is that globalization is quickly layering new skill sets on ancient mindsets. Warriors, in our current context of global guerillas, are not merely lazy and monosyllabic primitives. They are wired, educated and globally mobile. They build complex supply chains, benefit from global money flows, travel globally, innovate with technology and attack shrewdly.

Finally, Robb correctly finds the antidote to 4GW not in Soviet-style state structures such as the Department of Homeland Security, but in decentralization. What Robb calls "dynamic decentralized resilience" means that, in concrete terms, security is again to be found close to home. Local police departments, local sources of energy such as roof-top solar arrays -- I would add local farms that use sustainable agricultural practices -- are the key to dealing with system perturbations. To the extent we depend on large, globalist, centralized networks we are insecure.

Robb foresees that as state structures fail. Members of the middle class will take matters into their own hands by forming suburban collectives to share the costs of security -- as they do now with education -- and shore up delivery of critical services. These "armored suburbs" will deploy and maintain backup generators and communications links; they will be patrolled by civilian police auxiliaries that have received corporate training and boost their own state-of-the-art emergency response systems.
If this all sounds a bit like what happened as the Roman Empire fell, it should. The empire in this case is not America or even the West, but the state system and the force that produced the state, the modern age. Modernity shot itself in the head in 1914. How much longer ought we expect the body to live?

--

(William S. Lind is director for the Center for Cultural Conservatism for the Free Congress Foundation. The views expressed do not necessarily reflect those of United Press International.)

(c) Copyright 2007 United Press International, Inc. All Rights Reserved.

[1] http://www.amazon.com/exec/obidos/ASIN/0471780790/c4iorg and http://www.shopinfosecnews.org

From alerts at infosecnews.org Mon May 14 03:23:19 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Balsillie: BlackBerry Shutdown Will Never Happen Again
Message-ID:

http://www.eweek.com/article2/0,1895,2128963,00.asp

By Wayne Rash
May 11, 2007

ORLANDO, Fla. -- In a rare one-on-one interview with eWEEK, Research in Motion co-CEO Jim Balsillie said that the event that shut down e-mail for BlackBerrys in the United States for hours last month was due to "a process thing," and that steps had been taken to ensure that it could never happen again.

Balsillie said that the improbable combination of events, which included the failure of a minor software upgrade to a caching subsystem, the failure of the failover system and the subsequent overloading of a second system has been fixed.

"It was a process error that we had that's been fixed. It shouldn't have happened, and it won't happen again," Balsillie said. "It wasn't a corruption of any form of the infrastructure, and that's very important."

"We're clearly putting a lot more fault tolerance into the system, a lot more capacity. We're having domain failover architectures; we're having business continuity solutions experts, so from that component piece of the infrastructure, that's not going to happen again."
Explaining that the problem that caused the blackout was totally avoidable, Balsillie said that the company is broadening, strengthening and "fault tolerating" the system. "It's a global and public safety imperative," he said, adding that there is no constraint on budget or resources for this work.

Balsillie did note, however, that it's the responsibility of an enterprise to make sure they have continuity plans for times when important communications paths, including the BlackBerry e-mail, are out of order. He pointed out that RIM was working with customers immediately upon learning of the blackout.

"We had literally hundreds of our top customers on open bridges with ongoing collaboration and communications. So those that were affected had ongoing communications," he said about RIM's support efforts.

Balsillie said that the critical public safety portions of RIM's customer base were brought back on line immediately. "Then the consumer portion was brought back, also quickly, but subsequently," he said.

The question of a failover data center had been discussed after the blackout, especially by government managers who were concerned about losing a vital communications link. Balsillie said that now there is a failover center, but he will not disclose its location. He said that the same process problem that caused the blackout also delayed the failover, but he said that RIM was still able to get critical users back on line almost immediately.

"There is another hub going in the U.S. across the fault line," Balsillie added. "There are also architecture failovers and dual homing plans for key secret service, government and security forces," Balsillie said. "We can view this as a mistake or we can view it as an inoculation. It's unambiguously solved."

Balsillie noted that the U.S. government is RIM's biggest customer, which is one reason he's taking the issue of the blackout so seriously.
He said that BlackBerry devices are used across the whole range of government organizations from intelligence agencies to the military to law enforcement. "It's part of a broad, broad system of capability. It's shifting to mission critical in every sense of the word," he said.

On other topics, Balsillie said that he thinks that telephony integration is the "coolest" thing he's seen at the RIM symposium. "It was considered in many respects unsolvable, but it's so obvious and so powerful," he said, "it's not unlike when we did e-mail. People said why would I want e-mail on my belt, but it changed everything. Once the telephony is synchronized, it totally changes the collaboration world and once that's interrelated with your other workflow and messaging, it changes everything."

Balsillie also hailed the popularity of navigation for the BlackBerry, noting that when people are mobile, knowing where they are can be very important. "After messaging and talking, it's the most horizontal application. By definition, mobile people have location needs," he said.

From alerts at infosecnews.org Mon May 14 03:23:52 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Linux Advisory Watch - May 11th 2007
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  May 11th 2007                             Volume 8, Number 19a     |
+---------------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com)
         Benjamin D. Thomas (ben@linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
This week advisories were released for ldap-account-manager, pptpd, vim, evolution-data-server, X11, Lighttpd, GIMP, IPsec, MySQL, ImageMagick, xscreensaver, bind, clamav, python, postgresql, php, freeradius, elinks, and MoinMoin. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, SuSE, and Ubuntu.

---

Vyatta: Open-Source Router / Firewall / VPN

Vyatta software and appliances combine the features, performance and reliability of an enterprise-class router and firewall with the cost savings and flexibility of open source solutions.

> > Free Vyatta Community Edition 2 Software & Live Demo Webinars
> > http://www.linuxsecurity.com/ads/adclick.php?bannerid=28

---

* EnGarde Secure Linux v3.0.13 Now Available

  Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.13 (Version 3.0, Release 13). This release includes several bug fixes and feature enhancements to the SELinux policy and several updated packages.

  http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.13

---

RFID with Bio-Smart Card in Linux

In this paper, we describe the integration of a fingerprint template and an RF smart card for a clustered network, designed on the Linux platform with open source technology to obtain biometric security. The combination of smart card and biometrics achieves two-step authentication: the smart card is authenticated with a Personal Identification Number (PIN), and the card holder is authenticated by fingerprint verification against the biometric template stored on the smart card.

http://www.linuxsecurity.com/content/view/125052/171/

---

Packet Sniffing Overview

The best way to secure yourself against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/123570/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New ldap-account-manager packages fix multiple vulnerabilities
  7th, May, 2007

  Two vulnerabilities have been identified in the version of ldap-account-manager shipped with Debian 3.1 (sarge). An untrusted PATH vulnerability could allow a local attacker to execute arbitrary code with elevated privileges by providing a malicious rm executable and specifying a PATH environment variable referencing this executable.

  http://www.linuxsecurity.com/content/view/128085

* Debian: New pptpd packages fix denial of service
  8th, May, 2007

  It was discovered that the PoPToP Point to Point Tunneling Server contains a programming error, which allows the tear-down of a PPTP connection through a malformed GRE packet, resulting in denial of service.

  http://www.linuxsecurity.com/content/view/128122

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 6 Update: vim-7.0.235-1.fc6
  7th, May, 2007

  This update fixes several issues where opening a malicious file with vim can run an arbitrary command via modeline.

  http://www.linuxsecurity.com/content/view/128099

* Fedora Core 5 Update: evolution-data-server-1.6.3-4.fc5
  7th, May, 2007

  This update fixes a security vulnerability in APOP authentication. This only affects POP mail accounts.

  http://www.linuxsecurity.com/content/view/128100

* Fedora Core 6 Update: evolution-data-server-1.8.3-6.fc6
  7th, May, 2007

  This update fixes a security vulnerability in APOP authentication. This only affects POP mail accounts.
  http://www.linuxsecurity.com/content/view/128102

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: X.Org X11 library Multiple integer overflows
  5th, May, 2007

  The X.Org X11 library contains multiple integer overflows, which could lead to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/128077

* Gentoo: Lighttpd Two Denials of Service
  7th, May, 2007

  Two vulnerabilities have been discovered in Lighttpd, each allowing for a Denial of Service. Robert Jakabosky discovered an infinite loop triggered by a connection abort when Lighttpd processes carriage return and line feed sequences. Marcus Rueckert discovered a NULL pointer dereference when a server running Lighttpd tries to access a file with an mtime of 0.

  http://www.linuxsecurity.com/content/view/128088

* Gentoo: GIMP Buffer overflow
  7th, May, 2007

  GIMP is vulnerable to a buffer overflow which may lead to the execution of arbitrary code. Marsu discovered that the "set_color_table()" function in the SUNRAS plugin is vulnerable to a stack-based buffer overflow.

  http://www.linuxsecurity.com/content/view/128089

* Gentoo: IPsec-Tools Denial of Service
  8th, May, 2007

  IPsec-Tools contains a vulnerability that allows a remote attacker to crash the IPsec tunnel. A remote attacker could send a specially crafted IPsec message to one of the two peers during the beginning of phase 1, resulting in the termination of the IPsec exchange.

  http://www.linuxsecurity.com/content/view/128111

* Gentoo: LibXfont, TightVNC Multiple vulnerabilities
  8th, May, 2007

  Multiple vulnerabilities have been reported in libXfont and TightVNC, allowing for the execution of arbitrary code with root privileges. The libXfont code is prone to several integer overflows, in the functions ProcXCMiscGetXIDList(), bdfReadCharacters() and FontFileInitTable(). TightVNC contains a local copy of this code and is also affected.
  http://www.linuxsecurity.com/content/view/128118

* Gentoo: MySQL Two Denial of Service vulnerabilities
  8th, May, 2007

  Two Denial of Service vulnerabilities have been discovered in MySQL. Mu-b discovered a NULL pointer dereference in item_cmpfunc.cc when processing certain types of SQL requests. Sec Consult also discovered another NULL pointer dereference when sorting certain types of queries on the database metadata.

  http://www.linuxsecurity.com/content/view/128119

* Gentoo: PostgreSQL Privilege escalation
  10th, May, 2007

  An error involving insecure search_path settings in SECURITY DEFINER functions has been reported in PostgreSQL. This error could result in SQL privilege escalation.

  http://www.linuxsecurity.com/content/view/128148

* Gentoo: ImageMagick Multiple buffer overflows
  10th, May, 2007

  iDefense Labs has discovered multiple integer overflows in ImageMagick in the functions ReadDCMImage() and ReadXWDImage(), which are used to process DCM and XWD files. They can allow for the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/128149

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated xscreensaver packages fix vulnerability
  3rd, May, 2007

  A problem with the way xscreensaver verifies user passwords was discovered by Alex Yamauchi. When a system is using remote authentication (e.g. LDAP) for logins, a local attacker able to cause a network outage on the system could cause xscreensaver to crash, which would unlock the screen. Updated packages have been patched to correct this issue.

  http://www.linuxsecurity.com/content/view/128055

* Mandriva: Updated bind packages fix vulnerability
  9th, May, 2007

  A vulnerability in ISC BIND 9.4.0, when recursion is enabled, could allow a remote attacker to cause a denial of service (daemon exit) via a certain sequence of queries.
  BIND 9.4.1, which corrects this issue, is provided with this update.

  http://www.linuxsecurity.com/content/view/128132

* Mandriva: Updated clamav packages fix vulnerabilities
  8th, May, 2007

  iDefense discovered a stack-based overflow in ClamAV when processing negative values in .cab files. Multiple file descriptor leaks were also reported and fixed in chmunpack.c, pdf.c, and dblock.c. This update provides ClamAV 0.90.2, which corrects these problems and provides new functionality.

  http://www.linuxsecurity.com/content/view/128123

* Mandriva: Updated python packages fix vulnerabilities
  8th, May, 2007

  An off-by-one error was discovered in the PyLocale_strxfrm function in Python 2.4 and 2.5 that could allow context-dependent attackers to read portions of memory via special manipulations that trigger a buffer over-read due to missing null termination. The updated packages have been patched to correct this issue.

  http://www.linuxsecurity.com/content/view/128124

* Mandriva: Updated bind packages fix vulnerability
  9th, May, 2007

  A vulnerability in vim 7.0's modeline processing capabilities was discovered where a user with modelines enabled could open a text file containing a carefully crafted modeline, executing arbitrary commands as the user running vim. Updated packages have been patched to prevent this issue.

  http://www.linuxsecurity.com/content/view/128138

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: postgresql security update
  3rd, May, 2007

  Updated postgresql packages that fix several security vulnerabilities are now available for the Red Hat Application Stack. A flaw was found in the way PostgreSQL allows authenticated users to execute security-definer functions. It was possible for an unprivileged user to execute arbitrary code with the privileges of the security-definer function.
  This update has been rated as having moderate security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/128061

* RedHat: Moderate: postgresql security update
  8th, May, 2007

  Updated postgresql packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. A flaw was found in the way PostgreSQL allows authenticated users to execute security-definer functions. It was possible for an unprivileged user to execute arbitrary code with the privileges of the security-definer function.

  http://www.linuxsecurity.com/content/view/128116

* RedHat: Important: php security update
  8th, May, 2007

  Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 5. A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user. This update has been rated as having important security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/128117

* RedHat: Moderate: vim security update
  9th, May, 2007

  Updated vim packages that fix a security issue are now available for Red Hat Enterprise Linux 5. An arbitrary command execution flaw was found in the way VIM processes modelines. If a user with modelines enabled opened a text file containing a carefully crafted modeline, arbitrary commands could be executed as the user running VIM. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/128128

* RedHat: Important: php security update
  9th, May, 2007

  Updated PHP packages that fix two security issues are now available for Red Hat Enterprise Linux 4. A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension.
  A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user. Note that this flaw does not affect PHP applications using the pure-PHP XML_RPC class provided in /usr/share/pear.

  http://www.linuxsecurity.com/content/view/128129

* RedHat: Important: php security update
  10th, May, 2007

  Updated PHP packages that fix several security issues are now available for the Red Hat Application Stack. This update has been rated as having important security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/128144

* RedHat: Moderate: freeradius security update
  10th, May, 2007

  Updated freeradius packages that fix a memory leak flaw are now available for Red Hat Enterprise Linux 3, 4, and 5. A remote attacker could send a specially crafted authentication request which could cause FreeRADIUS to leak a small amount of memory. If enough of these requests are sent, the FreeRADIUS daemon would consume a vast quantity of system memory, leading to a possible denial of service.

  http://www.linuxsecurity.com/content/view/128146

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

* Slackware: php
  8th, May, 2007

  New php packages are available for Slackware 10.2, 11.0, and -current to improve the stability and security of PHP. Quite a few bugs were fixed; please see http://www.php.net for a detailed list.

  http://www.linuxsecurity.com/content/view/128106

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: Linux kernel (SUSE-SA:2007:029)
  3rd, May, 2007

  A NULL pointer dereference in the IPv6 sockopt handling could potentially be used by local attackers to read arbitrary kernel memory and thereby gain access to private information.
  http://www.linuxsecurity.com/content/view/128064

* SuSE: Linux kernel (SUSE-SA:2007:030)
  10th, May, 2007

  This kernel update is for SUSE Linux 9.3 and fixes some security problems. The ftdi_sio driver allowed local users to cause a denial of service (memory consumption) by writing more data to the serial port than the hardware can handle, which causes the data to be queued. This requires the driver to be loaded, which only happens if such a device is plugged in.

  http://www.linuxsecurity.com/content/view/128140

+---------------------------------+
|  Distribution: Ubuntu           | ----------------------------//
+---------------------------------+

* Ubuntu: elinks vulnerability
  7th, May, 2007

  Arnaud Giersch discovered that elinks incorrectly attempted to load gettext catalogs from a relative path. If a user were tricked into running elinks from a specific directory, a local attacker could execute code with user privileges.

  http://www.linuxsecurity.com/content/view/128086

* Ubuntu: MoinMoin vulnerabilities
  8th, May, 2007

  A flaw was discovered in MoinMoin's error reporting when using the AttachFile action. By tricking a user into viewing a crafted MoinMoin URL, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user's authentication information for the domain where MoinMoin was hosted.

  http://www.linuxsecurity.com/content/view/128107

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From alerts at infosecnews.org Mon May 14 03:24:10 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Highland Hospital Security Breach
Message-ID:

http://www.13wham.com/news/local/story.aspx?content_id=d70aed97-d001-4e3f-990d-50f9d8e32769

May 11, 2007

Rochester, N.Y. - Highland Hospital is warning patients of a security breach. A hospital spokesperson said a computer containing patient information was stolen from a business office last month. Over 13,000 people are affected. Two laptops were stolen, but only one of them had patient information on it. The computers were sold on eBay, and the one containing the personal information has been recovered. The other laptop, which did not contain personal information, has not been recovered.

Hospital officials say there is no evidence that thieves got any personal information. The hospital is changing its security procedures in response to the incident. Highland has established an information line [1] for concerned patients.

[1] http://www.highlandhospital.org/alert

From alerts at infosecnews.org Mon May 14 03:24:27 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Penn College Students Win Award for Computer-Security Video
Message-ID:

http://www.pct.edu/pctoday/article_5823.shtml

Pennsylvania College of Technology
May 11, 2007

Five Pennsylvania College of Technology students will share a $400 third prize for their entry in the 2007 Computer Security Awareness Video Contest, sponsored by the EDUCAUSE/Internet2 Computer and Network Security Task Force to raise awareness of and increase computer security at colleges and universities. The team of Maurizio Bertone, of Greenwich, Conn.; Joshua S. Bucknor, of Lock Haven; Christopher R. Herbein, of Birdsboro; Guy Hershberger, of Union City; and Joseph S.
Iacona, of Pittston, created a two-minute video, "A Short Film About Data Protection," that describes several steps the average user can take to keep personal computer files safe. Bucknor is enrolled in information technology: web and applications development; Bertone, Herbein, Hershberger and Iacona are information technology: network specialist majors.

The bronze award-winning video was produced as part of the Fundamentals of Information Security class, taught by Lisa R. Bock, an information technology instructor in the college's School of Business and Computer Technologies. "The students were very focused in their efforts," she said. "Aside from spending hours on editing, they utilized a 'green screen' provided by Inbox360 (a Williamsport e-marketing firm) in order to provide an entertaining and educational security video."

The team benefited from in-house tips on video production from James R. Dougherty, digital media developer in the college's Instructional Technology & Distance Learning Office, who spoke to about 100 information technology students during a school-sponsored event in February.

"Given that this is the first time we had our information technology students enter a national educational video contest quite like this, I must compliment Ms. Bock for her creativity in assignment planning and, of course, our students for their dedication, hard work and innovative application of information security course content," remarked Edward A. Henninger, dean of the school.

The task force, along with the National Cyber Security Alliance and Research Channel, is making the videos available for campuses' use in student orientation this summer and fall. The contest sought videos that explain computer-security problems and specific actions that college and university students can take to safeguard their computers or personal information. The contest had two categories: two-minute-or-less training or instructional videos and 30-second public-service announcements.
The winning videos, as well as those receiving honorable mention, can be viewed on the Web [1]. In all, there were 56 submissions from 24 colleges and universities.

For more about majors in the School of Business and Computer Technologies, including the information technology: security specialist bachelor's degree [2], call (570) 327-4512, send e-mail or visit online.

Content (c) 1995-present Pennsylvania College of Technology

[1] http://www.researchchannel.org/securityvideo2007/
[2] http://www.pct.edu/catalog/majors/bss.shtml

From alerts at infosecnews.org Mon May 14 03:24:45 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] HISD contractor accused of computer thefts
Message-ID:

http://www.khou.com/news/local/houstonmetro/stories/khou070511_tj_computerthefts.5e2c149b.html

By Jeff McShan
11 News
May 11, 2007

A man HISD hired to fix its computers was in jail Friday, accused instead of stealing them. It didn't take police long to make the arrest. In fact, within 48 hours of receiving reports of stolen computer servers from several HISD schools, the HISD Police Department arrested a former employee.

Clifford Weaver, 33, was released from his position as a Netsync Network Solutions contractor back in February, but according to police he continued to use his old HISD identification badge. Police say it helped him gain access to seven schools, which include Allen Elementary on Victoria Street. The seven schools, located all across the city, had just purchased the computer servers, which were valued at approximately $3,000 apiece. Investigators learned he would pretend to be a legitimate service man.

It is unknown at this time whether the servers have been located and are undamaged so that they can be returned to the schools. At last check Weaver was still in jail pending a $10,000 bond.
From alerts at infosecnews.org Mon May 14 03:24:59 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Engineer guilty in plot to give data to China
Message-ID:

http://washingtontimes.com/national/20070510-115455-7838r.htm

By Bill Gertz
THE WASHINGTON TIMES
May 11, 2007

A Chinese-born engineer was convicted in federal court in California yesterday of being an unregistered Chinese agent who conspired to supply defense technology to Beijing.

Chi Mak, 66, was found guilty of helping provide China unclassified but export-controlled information, including data on a submarine electronic system and a quiet electronic propulsion system planned for future warships. Mak was found guilty of conspiracy to violate export regulations and of failing to register as a Chinese agent, after several days of deliberations. The trial lasted six weeks.

"We were confident from the start, and we're very happy with the verdict," Assistant U.S. Attorney Greg Staples said.

Sentencing was set for Sept. 10, and Mak faces up to 35 years in prison. Mak at first showed no emotion when the verdict was read but then appeared to fight tears as defense attorney Marilyn Bednarski teared up and rubbed his back.

Prosecutors dropped charges accusing Mak of exporting. They said Mak's brother Tai Mak was the courier in the spy ring and will face those charges in a later trial. The trial was the first in what U.S. officials say will be several cases involving a family spy ring that also included both Mak brothers' wives and Tai Mak's son Billy Mak. A second trial is set for June 5.

Chi and Tai Mak were born in Guangdong, China; Chi Mak is a naturalized U.S. citizen. Prosecutors may try to use yesterday's verdict to reach plea bargains with other family members.

Chi Mak was an electrical engineer at Power Paragon, a defense contractor for the Navy. Power Paragon is a subsidiary of L-3/SPD Technologies/Power Systems Group.
Among the projects on which Mak worked was the Navy's Quiet Electric Drive, which officials said is a high-technology system that will allow huge ship engines to run as quietly as a Lexus at idle.

Assistant U.S. Attorney Craig Missakian said in closing arguments Monday that Mak was "spying for China" and sought to provide China's military with "a window into the engine room of a submarine."

Mak denied he was a spy for China and said under defense questioning in the trial that he had done nothing wrong by supplying his brother Tai Mak with the defense technology documents, which prosecutors say Tai Mak had encoded on computer disks before traveling to China to give them to Pu Pei-liang, a researcher at the Chinese Center for Asia Pacific Studies at Zhongshan University, which has links to China's military.

Investigators arrested Tai Mak and his wife at Los Angeles International Airport in October 2005 with the documents in their luggage, which were labeled "proprietary" and "restricted" for export. Chi Mak and his wife were arrested at their home.

U.S. officials close to the case said the spying operation showed China's sophistication at gathering defense technology to further Beijing's rapid military buildup. The trial provided a rare look into the shadowy world of Chinese technology collection efforts in the United States.

During the trial, an FBI agent testified that a distant relative of Chi Mak, Gu Wei Hao, had tried to recruit him for work as a messenger. The FBI identified Mr. Gu as a Chinese government official who had tried to obtain information on the space shuttle from a Boeing engineer named Greg Chung. Letters from Mr. Gu also were found in a search of Mak's home, and one of the letters told Mr. Chung to pass information through Mak because he was a relative. "This channel is much safer than others," Mr. Gu wrote.

* This article is based in part on wire service reports.

Copyright (c) 2007 News World Communications, Inc. All rights reserved.
From alerts at infosecnews.org Tue May 15 00:39:00 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Cisco says FTP feature in IOS is a hacker backdoor
Message-ID:

http://www.networkworld.com/news/2007/051107-cisco-ftp-ios-hacker-backdoor.html

By Phil Hochmuth
Network World
05/11/07

Cisco says a flaw in the FTP server utility in its IOS router/switch software could be used as a backdoor by attackers.

IOS FTP, which comes disabled by default in IOS, is used to upload IOS software images and other software to routers and switches remotely. However, Cisco says attackers could exploit a vulnerability in the FTP server to gain access to the file system of an IOS-based router or switch and affect configuration settings. Unauthorized users could retrieve the device's startup-config file from the filesystem, Cisco says. This file may contain information that could allow the attacker to gain escalated privileges.

Cisco is offering customers software fixes with the FTP server removed from IOS. In the meantime, Cisco says users should shut down IOS FTP if they are running the server on an affected system. (The command to do this is no ftp-server enable.) The company says users can upload software to IOS devices through other methods, such as the Secure Copy feature in the software. Users can also set up access control lists to restrict FTP access to a router or switch, Cisco adds.

The affected IOS versions are: 11.3, 12.0, 12.1, 12.2, 12.3 and 12.4. Cisco's IOS XR is not vulnerable, and non-IOS Cisco devices are also safe.

Cisco says it will remove the FTP feature in IOS because of this and other past issues with the code. The company says it may add a secure FTP server to IOS in the future.

(c) Copyright 2007 Network World Inc.
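As a defender-side check for the exposure described in this article, here is an added example (not Cisco's code and not part of the original report) that audits a device's "show version" banner and running configuration for the affected IOS trains and the ftp-server enable line Cisco says to remove. The banner and configuration text are constructed samples, and the exact "Version x.y(...)" layout of the banner is an assumption modelled on typical IOS output.

```python
import re
from typing import Optional

# IOS trains the article lists as affected; IOS XR and non-IOS devices are not.
AFFECTED_IOS_TRAINS = {"11.3", "12.0", "12.1", "12.2", "12.3", "12.4"}

# Constructed sample banners, modelled on the usual "show version" first line
# (the precise format is an assumption, not taken from the article).
SAMPLE_SHOW_VERSION_IOS = (
    "Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), "
    "Version 12.4(15)T1, RELEASE SOFTWARE (fc2)\n"
    "Copyright (c) 1986-2007 by Cisco Systems, Inc.\n"
)
SAMPLE_SHOW_VERSION_XR = "Cisco IOS XR Software, Version 3.4.1[00]\n"

# Constructed running-config fragments: one with the IOS FTP server switched
# on, one left at the default (disabled) with SCP used for image uploads.
SAMPLE_CONFIG_FTP_ON = """\
hostname edge-rtr-1
!
ftp-server enable
!
line vty 0 4
 transport input ssh
end
"""
SAMPLE_CONFIG_FTP_OFF = """\
hostname edge-rtr-2
!
ip scp server enable
!
line vty 0 4
 transport input ssh
end
"""

_VERSION_RE = re.compile(r"\bVersion\s+(\d+\.\d+)")


def ios_train(show_version: str) -> Optional[str]:
    """Return the major.minor train (e.g. '12.4') from a show version banner."""
    m = _VERSION_RE.search(show_version)
    return m.group(1) if m else None


def is_affected_train(show_version: str) -> bool:
    """True when the banner is classic IOS on one of the listed trains."""
    if "IOS XR" in show_version:
        return False
    return ios_train(show_version) in AFFECTED_IOS_TRAINS


def ftp_server_enabled(running_config: str) -> bool:
    """True when the last ftp-server enable / no ftp-server enable line leaves
    the server on. The feature is off by default, so a config with no such
    line counts as disabled."""
    enabled = False
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ftp-server enable":
            enabled = True
        elif line == "no ftp-server enable":
            enabled = False
    return enabled


def audit(show_version: str, running_config: str) -> dict:
    """Combine both checks; a device is exposed only when it runs an affected
    train AND has the FTP server enabled. The remediation is the command the
    article quotes."""
    affected = is_affected_train(show_version)
    ftp_on = ftp_server_enabled(running_config)
    exposed = affected and ftp_on
    return {
        "train": ios_train(show_version),
        "affected_train": affected,
        "ftp_server_enabled": ftp_on,
        "exposed": exposed,
        "remediation": "no ftp-server enable" if exposed else None,
    }


if __name__ == "__main__":
    for banner, cfg in ((SAMPLE_SHOW_VERSION_IOS, SAMPLE_CONFIG_FTP_ON),
                        (SAMPLE_SHOW_VERSION_IOS, SAMPLE_CONFIG_FTP_OFF),
                        (SAMPLE_SHOW_VERSION_XR, SAMPLE_CONFIG_FTP_ON)):
        print(audit(banner, cfg))
```

Feed it the saved output of "show version" and "show running-config" from each device in an inventory to list the ones that still need the FTP server disabled or the fixed image applied.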
From alerts at infosecnews.org Tue May 15 00:39:15 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] A cyber-riot
Message-ID:

http://www.economist.com/world/europe/displaystory.cfm?story_id=9163598

The Economist print edition
May 10th 2007

Estonia has faced down Russian rioters. But its websites are still under attack

FOR a small, high-tech country such as Estonia, the internet is vital. But for the past two weeks Estonia's state websites (and some private ones) have been hit by "denial of service" attacks, in which a target site is bombarded with so many bogus requests for information that it crashes.

The internet warfare broke out on April 27th, amid a furious row between Estonia and Russia over the removal of a Soviet war monument from the centre of the capital, Tallinn, to a military cemetery (pictured below). The move sparked rioting and looting by several thousand protesters from Estonia's large population of ethnic Russians, who tend to see the statue as a cherished memorial to wartime sacrifice. Estonians mostly see it rather as a symbol of a hated foreign occupation.

The unrest, Estonia says, was orchestrated by Russia, which termed the relocation "blasphemy" and called for the government's resignation. In Moscow, a Kremlin-run youth movement sealed off and attacked Estonia's embassy, prompting protests from America, NATO and the European Union. Perhaps taken aback by the belated but firm Western support for Estonia, Russia has backpedalled. Following a deal brokered by Germany, Estonia's ambassador left for a "holiday" and the blockade ended as abruptly as it began.

But the internet attacks have continued. Some have involved defacing Estonian websites, replacing the pages with Russian propaganda or bogus apologies. Most have concentrated on shutting them down. The attacks are intensifying.
The number on May 9th, the day when Russia and its allies commemorate Hitler's defeat in Europe, was the biggest yet, says Hillar Aarelaid, who runs Estonia's cyber-warfare defences. At least six sites were all but inaccessible, including those of the foreign and justice ministries.

Such stunts happen at the murkier end of internet commerce: for instance, to extort money from an online casino. But no country has experienced anything on this scale. The alarm is sounding well beyond Estonia. NATO has been paying special attention. "If a member state's communications centre is attacked with a missile, you call it an act of war. So what do you call it if the same installation is disabled with a cyber-attack?" asks a senior official in Brussels. Estonia's defence ministry goes further: a spokesman compares the attacks to those launched against America on September 11th 2001.

Two of NATO's top specialists in internet warfare, plus an American colleague, have hurried to Tallinn to observe the onslaught. But international law is of little help, complains Rein Lang, Estonia's justice minister.

The crudest attacks come with the culprit's electronic fingerprints. The Estonians say that some of the earliest salvoes came from computers linked to the Russian government. But most of them come from many thousands of ordinary computers, all over the world. Some of these are run by private citizens angry with Estonia. Anonymously posted instructions on how to launch denial-of-service attacks have been sprouting on Russian-language internet sites. Many others come from "botnets": chains of computers that have been hijacked by viruses to take part in such raids without their owners knowing. Such botnets can be created, or simply rented from cyber-criminals.

To remain open to local users, Estonia has had to cut access to its sites from abroad.
That is potentially more damaging to the country's economy than the limited Russian sanctions announced so far, such as cutting passenger rail services between Tallinn and St Petersburg. It certainly hampers Estonia's efforts to counter Russian propaganda that portrays the country as a fascist hellhole. "We are back to the stone age, telling the world what is going on with phone and fax," says an Estonian internet expert.

Mikko Hyppönen of F-Secure, a Finnish internet security company that has been monitoring the attacks, says the best defence is to have strong networks of servers in many countries. That is not yet NATO's job. But it may be soon.

From alerts at infosecnews.org Tue May 15 00:39:32 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Should vendors close all security holes?
Message-ID:

http://www.infoworld.com/article/07/05/11/20OPsecadvise_1.html

By Roger A. Grimes
May 11, 2007

In last week's column, I argued that vendors should close all known security holes. A reader wrote me with a somewhat interesting argument that I'm still slightly debating, although my overall conclusion stands: Vendors should close all known security holes, whether publicly discussed or not. The idea behind this is that any existing security vulnerability should be closed to strengthen the product and protect consumers. Sounds great, right?

The reader wrote to say that his company often sits on security bugs until they are publicly announced or until at least one customer complaint is made. Before you start disagreeing with this policy, hear out the rest of his argument.

"Our company spends significantly to root out security issues," says the reader. "We train all our programmers in secure coding, and we follow the basic tenets of secure programming design and management. When bugs are reported, we fix them. Any significant security bug that is likely to be high risk or widely used is also immediately fixed.
"But if we internally find a low- or medium-risk security bug, we often sit on the bug until it is reported publicly. We still research the bug and come up with tentative solutions, but we don't patch the problem."

He continues, "We have five main arguments for waiting to close a noncritical, internally found, security bug.

"First, in the grand scheme of things, we'd rather spend our resources on high-risk bugs, whether publicly known or unknown. Every medium- or low-risk security bug in the pipeline essentially slows down the whole process. We have a fixed number of resources. We don't have an unlimited budget like Microsoft. [Note: Even Microsoft doesn't have an unlimited budget for security fixes. -- Roger]

"Second, we give next priority to any publicly known bug. We get evaluated on the bugs known by the public and how fast we close them. You even tout your beloved Secunia.com, and they publicize how fast vendors patch known vulnerabilities. People are checking out that site, and others, to see how well our product stacks up to the competition. Senior management certainly cares how the media portrays us. And nobody, not even senior management, knows about the internally found bugs. We'd be crazy to concentrate on anything else.

"Third, the additional bugs that external hackers find are commonly found by examining the patches we apply to our software. Look at our vulnerability statistics. Most of our hits center around two main features. Both features came to the attention of hackers after we had released patches for them fixing internally found problems. In both cases we located the vulnerable code and patched. Within a month, three more related holes were found by the hacker community. OK, so we didn't do a great job in ferreting out all the errors in the features. After the last round of fixes, we investigated each feature with a more comprehensive analysis and code review. We even hired an external penetration testing team. We found many more holes and patched them. Then in the next six months, we got hacked again in the same features. There's lots of blame going around, along with better solutions, but it doesn't change the fact that if we had kept the original exploits unpatched, we would have avoided three additional, publicly discussed exploits.

"Fourth, every disclosed bug increases the pace of battle against the hackers. It's like the anti-virus war. Anti-virus vendors detect each new virus and the virus writers make better viruses. It's possible that if anti-virus software had never been created, we wouldn't be dealing with the level of worm and bot sophistication that we face today. If we patch a hole faster than it needed to be patched, it just makes the hackers look harder, faster than they otherwise would. We are at the losing end of every hacker wannabe in the world, and every fix we have to make slows down our product and costs money. Why do we want to encourage a better war? If we shut up, when the hacker finally discovers the bug, the war proceeds slower, and our customers are on the winning side.

"Fifth, when a bug isn't announced, most hackers don't exploit it. The vast majority of our customers remain protected, because even if a nonpublicly known bug really is known, it's only known by a small group of hackers. Damage is very limited. You've said the same thing in one of your previous columns that I frequently share with coworkers. Once the bug is publicly known, our products come under attack by thousands of hackers and dozens of worms. Most of our customers are protected as soon as they apply our patches, but for some reason many of our customers never patch, or at least don't patch until they call us with their system owned and the damage done.

"Industry pundits such as yourself often say that it benefits customers more when a company closes all known security holes, but in my 25 years in the industry, I haven't seen that to be true. In fact I've seen the exact opposite. And before you reply, I haven't seen an official study that says otherwise. Until you can provide me with a research paper, everything you say in reply is just your opinion.

"With all this said, once the hole is publicly announced, or becomes high-risk, we close it. And we close it fast because we already knew about it, coded a solution, and tested it."

On first reading, I thought that there were so many factual mistakes in this reader's argument that I didn't know where to begin. But as I re-read it, I realized he did make some cogent points. As Stephen Northcutt of SANS taught me, "Eat the watermelon and spit out the seeds." There is a little truth in every argument.

Roger A. Grimes is contributing editor of the InfoWorld Test Center.

From alerts at infosecnews.org Tue May 15 00:39:51 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] VA buys 25K secure thumb drives
Message-ID:

http://www.fcw.com/article102707-05-14-07-Web

By Mary Mosquera
May 14, 2007

The Veterans Affairs Department awarded a contract to Kanguru Solutions of Millis, Mass., for 25,000 encrypted USB flash drives to help ensure the security of VA's sensitive data. Kanguru will deliver the drives by the end of this month.

The flash drives will help VA comply with a June Office of Management and Budget mandate to secure mobile data in the wake of the theft last year of a laptop containing the personal information of millions of veterans. Employees must use the approved thumb drives when they take sensitive data outside the network.

The KanguruMicro Drive AES has 256-bit encryption and meets the National Institute of Standards and Technology's Federal Information Processing Standard 140-2 for encrypting data. The drives come in capacities ranging from 256MB to 8GB.
From alerts at infosecnews.org Tue May 15 00:40:07 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:28 2008 Subject: [ISN] Third of UK firms vulnerable to hackers Message-ID: http://www.vnunet.com/vnunet/news/2189798/third-uk-firms-vulnerable By Robert Jaques vnunet.com 14 May 2007 Almost a third of UK organisations have unpatched critical vulnerabilities compromising their IT security, new research warned today. However, the NTA Monitor 2007 Annual Security Report also revealed that the number of vulnerable firms has fallen compared to 2006, when some 61 per cent were open to attack. The report analyses data gathered from vulnerability tests conducted by NTA on UK companies in a wide range of industry sectors, including charities, education, finance, government, IT, law and retail. Although the number of tests exposing vulnerabilities that may enable external users to gain unauthorised system access or disrupt service availability has almost halved, the picture is not bright for everyone. While improvements in overall security have been achieved by most industry sectors, publishing and finance have seen an increase in the average number of vulnerabilities found per test. For financial institutions, the average number of risks increased by 16 per cent year on year, while publishing saw an increase of 28 per cent. Roy Hills, technical director at NTA Monitor, said: "There are a variety of ways of causing denial-of-service attacks, one of which occurs when a server is bombarded with more information than it can handle, resulting in legitimate users being unable to access or use the network. "Other security flaws that our testing discovered could permit hackers to gain entry to corporate networks and change user passwords or delete files, which could wreak corporate havoc." Of the 10 most commonly occurring critical vulnerabilities, seven were found in last year's report, indicating that these same issues continue to take their toll. 
All of the top 10 high risk flaws are associated with services being made available to internet users, demonstrating that with increased functionality comes the threat of reduced security. NTA Monitor recommends that companies: * Stay up to date on the latest vulnerabilities and apply patches and updates as soon as they become available * Allocate sufficient management time, focus and control to ensure that preventative actions are carried out on an ongoing basis * Involve and educate staff on internet security issues * Have a clear and up to date security policy, and publicise and update it regularly From alerts at infosecnews.org Wed May 16 00:24:59 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:28 2008 Subject: [ISN] Gone in 120 seconds: cracking Wi-Fi security Message-ID: http://www.theregister.co.uk/2007/05/15/wep_crack_interview/ By Federico Biancuzzi 15th May 2007 Interview - WEP is dead - and here's the proof. Cracking the Wi-Fi security protocol WEP is a probability game. The number of packets required to successfully decrypt the key depends on various factors, luck included. When WEP was compromised in 2001, the attack needed more than five million packets to succeed. During the summer of 2004, a hacker named KoreK published a new WEP attack (called chopper) that reduced by an order of magnitude the number of packets requested, letting people crack keys with hundreds of thousands of packets, instead of millions. Last month, three researchers, Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann developed a faster attack (based on a cryptanalysis of RC4 by Andreas Klein), that works with ARP packets and just needs 85,000 packets to crack the key with a 95 per cent probablity. This means getting the key in less than two minutes. Here's an interview with the three researchers. All three are studying at Darmstadt University of Technology, Germany. 
Tews, 24, is a Bachelor student; Pyshkin, 27, and Weinmann, 29, are PhD students in Professor Johannes Buchmann's research group.

How did you develop the attack?

Ralf-Philipp Weinmann: Andrei, Erik, and I share a room. We've basically seen Andreas Klein's RC4 attack in late 2005 when he presented a talk here in Darmstadt at a local workshop (Kryptotag). We didn't realise the potential of the attack until early 2007 when I realised that apparently nobody outside of Germany was aware of the attack since the preprint was only available in German until then. Erik and I then bounced ideas back and forth about the applicability of the attack against WEP and quickly realised that it was more than an order of magnitude faster than any previous key recovery attack. Erik wrote some code, Andrei improved it. Simultaneously, we became aware that an improved version of Andreas Klein's paper had been submitted to the Workshop on Coding and Cryptography, this time in English. First attempts against a demo network showed that the code indeed did work as expected on our side. We began writing the paper and put it on the IACR ePrint server. Simultaneously, Erik released the code for people to verify our results.

What type of speedup does your attack provide over previous attacks?

Erik Tews: The old attack needed between 500,000 to 2 million packets to "work usually". We (Erik Tews, Andrei Pyshkin and Ralf-Philipp Weinmann) showed that our attack has a success probability of 50 per cent with 40,000 packets and a success probability of 95 per cent with 85,000 packets. So perhaps the speedup is a factor of 15 or so in the number of packets required. CPU time of our attack is about three seconds on a consumer laptop. I think the CPU time of the original attack was longer, but could vary very much. We found out that a rate of about 764 data packets per second can be reached using ARP injection. So to make it a little bit easier for the reader we can say that 60 seconds are enough to collect 40,000 packets and crack the key with a 50 per cent success rate. If the rate of packets is lower, then we need longer.

How does your attack work?

Erik Tews:

Step 1: Find the enemy (this is the test network you created in your lab, to verify our results). You can use kismet or airodump to find it.

Step 2: Generate some traffic. To generate some traffic, use aireplay-ng in ARP injection mode. Aireplay will listen to the network until it has found an encrypted ARP packet. By reinjecting this packet again and again, you will generate a lot of traffic, and you will know that most of the traffic was ARP traffic. For an ARP packet, you know the first 16 bytes of the cleartext and so the first 16 bytes of the cipherstream.

Step 3: Write this traffic to disk using airodump-ng or so. This will create a tcpdump-like capture file with the traffic.

Step 4: Launch our algorithm. You need aircrack-ptw (by the way, aircrack-ptw has been integrated in the 0.9-dev version of aircrack-ng, which is currently in svn, but not released).

From a theoretical point of view, our algorithm is based on the following ideas. Andreas Klein, a German researcher, showed that there is a correlation in RC4 between keybytes 1 to i-1, the keystream and the keybyte i. If the keybytes 1 to i-1 and the keystream are known, it is possible to guess the next unknown keybyte with a probability of about 1.36/256, which is a little bit higher than 1/256. We were able to show that it is also possible to guess the sum of keybytes i to i+k with a probability of more than 1.24/256. In a WEP environment, the first three bytes of a packet key are always known and are called the IV. Our tool tries to guess the sum of the next 1, 2, 3, ... to 13 keybytes for every packet. If enough packets have been captured, the most guessed value for a sum is usually the right one. If not, the correct value is most times one of the most guessed ones. Aircrack-ptw tries to find the key using the idea described above. If you have about 40,000 to 85,000 packets, your success probability is somewhere between 50 per cent and 95 per cent.

What can affect the speed of your attack?

Erik Tews: There are some keys we call strong keys. A key is a strong key if it has at least one strong keybyte. A strong keybyte is a keybyte which fulfills a special equation or condition (Equation (10) in section 6.2 in our paper). If a key has just 1-3 or perhaps 1-4 of these strong keybytes, our attack will still work, but perhaps take some more packets. The probability that a randomly chosen key has more strong keybytes is below one per cent. Even if a key has the maximum of 12 strong keybytes, our attack can be modified so that it will still work, it just needs some more CPU time or packets. This is currently not implemented in our tool, but we know how to fix that and we are going to implement it soon. With our modification, we will perhaps need three to five minutes with an optimal packet rate for a key with 12 strong bytes (this is a guess, hasn't been exactly tested yet).

What about the keys with a bigger size than 104 bit?

Erik Tews: There are some vendors which implemented a 232/256 bit WEP. I think these keysizes are very uncommon. Currently, only 40/64 and 104/128 bit keys have been implemented. There are currently some other attacks, which allow us to recover more than the first 16 bytes of the keystream. Combining our attack with these attacks would even allow us to break WEP512. This has not yet been implemented, but could be added in future.

How does your attack performance scale with increasing WEP key size?

Erik Tews: We did only benchmark the 104 bit version of WEP. If just a 40 bit key is used, we know the attack is faster, but we didn't do exact benchmarks. Perhaps it can be done in 30 seconds if the packet rate is high.
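From a defender's side, Step 2 above has a distinctive footprint: the injector replays one captured encrypted ARP frame unchanged, so the same IV and the same ciphertext body appear hundreds of times per second from one station (the interview's figure of about 764 packets per second gives the scale). The following Python is an added example, not code from the article, the paper or the aircrack-ng project: a small WIDS-style check that flags that pattern in a capture. The frames, addresses, IVs and ciphertext bytes are all constructed for the illustration; the threshold of 20 repeats per second is an assumption chosen to stay above normal 802.11 retransmissions.

```python
"""Added example: detect WEP frame re-injection (same IV + same ciphertext body
replayed at a high rate). Not from the article or aircrack-ng; all data constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class WepFrame:
    ts: float      # capture timestamp, seconds
    src: str       # transmitter address (an injector normally spoofs an associated client)
    iv: str        # 3-byte WEP IV, hex
    body: bytes    # encrypted frame body


def max_in_window(times: List[float], window: float) -> int:
    """Largest number of timestamps that fit inside any window of the given length."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_replay(frames: List[WepFrame], window: float = 1.0, threshold: int = 20) -> List[Dict]:
    """Flag any (src, IV, body) triple repeated at least `threshold` times inside `window`.
    Ordinary 802.11 retransmissions repeat a frame only a handful of times, so a
    threshold of 20 keeps them below the line; an injector exceeds it in milliseconds.
    Keying on the duplicate rather than on the address matters because the
    address is usually that of a legitimate client."""
    seen: Dict[Tuple[str, str, bytes], List[float]] = defaultdict(list)
    for f in frames:
        seen[(f.src, f.iv, f.body)].append(f.ts)
    alerts = []
    for (src, iv, body), times in seen.items():
        burst = max_in_window(times, window)
        if burst >= threshold:
            alerts.append({"src": src, "iv": iv, "burst": burst, "total": len(times)})
    return alerts


def constructed_capture() -> List[WepFrame]:
    """A constructed capture: normal traffic, one retransmission burst, one re-injection run."""
    client = "00:11:22:33:44:55"
    frames = []
    # Normal traffic: fresh IV and different body on every frame, a few per second.
    for n in range(10):
        frames.append(WepFrame(ts=n * 0.2, src=client, iv=f"{0x000100 + n:06x}", body=bytes([n]) * 36))
    # A legitimate retransmission burst: the same frame repeated 4 times.
    for n in range(4):
        frames.append(WepFrame(ts=2.0 + n * 0.001, src=client, iv="000110", body=b"\x42" * 36))
    # Re-injection: one captured 36-byte encrypted ARP request replayed at ~700/s
    # under the client's address.
    arp_ct = bytes.fromhex("9f1c7a3be85d2c40" * 4 + "0b7c5e91")   # constructed ciphertext
    for n in range(350):
        frames.append(WepFrame(ts=3.0 + n / 700, src=client, iv="0a0b0c", body=arp_ct))
    return frames


if __name__ == "__main__":
    for alert in detect_replay(constructed_capture()):
        print(alert)
```

Run against the constructed capture, only the re-injected frame trips the default threshold; lowering it to 4 also surfaces the retransmission burst, which is the false-positive class the threshold exists to suppress.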
Do 256 bits stop you from using just ARP packets to succeed?

Erik Tews: For an ARP response, the first 16 bytes are constant. What follows are IP and MAC addresses. These values are not globally fixed, but if the same request is sent again and again, these values will be always the same because the response is the same again and again. There is another attack called chopchop which should be able to find out what these unknown values are. On the other hand, these values could perhaps be guessed too. Using such a technique, it should be possible to attack WEP256 too. This is currently not implemented in aircrack-ptw, but could be added easily.

Can't it be stopped by filtering and/or rate limiting ARP packets?

Erik Tews: If you rate-limit ARP packets, it will just slow down the attack. We think the attack can be modified to work with other traffic than ARP. ARP was just the easiest method to implement and it works very well in a real world environment, because everybody uses ARP.

Can it work in a passive way?

Erik Tews: I will now go a little bit into detail. What we need to perform the attack are a lot of packets where we know the IV (this is transmitted in plaintext) and we need to know a certain part of the keystream. If you know the plaintext of the packet, you can get it by just XORing the plaintext with the ciphertext in the packet. For an ARP request or response, the first 16 bytes of the plaintext are known, which gives you the first 16 bytes of the keystream. If X = X[0] || ... || X[k] is a keystream, and you are going to attack an i-byte-long WEP key, you should know the keystream from X[2] to X[i+1]. It is still sufficient if you've got a method to guess the keystream correctly with a high probability; the attack still works if some keystreams were guessed incorrectly. So if somebody writes some code which guesses the plaintext/keystream of usual IP traffic right, or guesses more parts of the keystream in most of the cases, it would work with longer keys or in a passive way.

Would using WEPplus be better?

Erik Tews: No. WEPplus was originally designed to defend against the so-called FMS attack, an attack on RC4 which was published in 2001. The FMS attack works a little bit differently to our attack. For FMS the IV needs to fulfill a special condition, which is for a 104 bit WEP environment: the first byte must be 16 (decimal) and the second one must be 255 (decimal). The third byte doesn't matter. This is sometimes called the "resolved property". WEPplus skips all IVs that match that condition. This makes the original FMS attack impossible. There are some modified versions of the FMS attack which even work if these IVs are skipped. Our attack is different to the FMS attack. Our attack doesn't care about this "resolved property", so filtering out all these IVs shouldn't change anything. This makes WEPplus as attackable as normal WEP.

Your paper states that Linux avoids weak IVs and doing so slows your success rate by less than five per cent.

Erik Tews: What we were trying to say was the following. In an old attack on WEP, some "weak IVs" were used. Our attack does not profit from these "weak IVs", so skipping them won't protect you. There is almost no slowdown. If you look at the plot, both lines, the one with the randomly chosen IVs and the IVs chosen by the Linux generator, are nearly identical. Additionally, the Linux generator doesn't choose IVs randomly and skip the weak IVs, it generates the IVs using a counter. This results in minor differences, but there is nearly no slowdown if the Linux IV generator is used. In all previous pages, we assumed that IVs are randomly chosen. We tried to show that this attack even works if IVs are not randomly chosen.
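The keystream arithmetic in the answers above (known ARP header XOR ciphertext gives keystream bytes; an i-byte key needs X[2] to X[i+1]; every packet key is IV || secret key) is easy to state but worth seeing in code, because it shows what the structural weakness is and what a sound design changes. The Python below is an added example, not code from the interview, the paper or aircrack-ptw, and it implements no key recovery: it builds the WEP per-packet key, recovers the first 16 keystream bytes of an ARP frame from the known LLC/SNAP and ARP header, checks the coverage rule for 40-, 104- and 256-bit keys, and contrasts the shared-suffix structure of WEP keys with a hash-mixed per-packet key of the kind TKIP and TLS use. The 104-bit key, the IVs, the ARP frame contents and the SHA-256 mixing (a stand-in, not TKIP's actual mixing function) are constructed assumptions.

```python
"""Added example (not from the interview, the paper or aircrack-ptw): WEP
per-packet keys, keystream recovery from known plaintext, and the contrast with
hash-mixed per-packet keys. Key, IVs, frame contents and the SHA-256 mixing are
constructed assumptions."""
import hashlib
from typing import List


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# First 16 bytes of an ARP request frame body: LLC/SNAP header (8 bytes) followed
# by the fixed ARP fields (hardware type, protocol type, lengths, opcode). This is
# the "known cleartext" the interview refers to.
ARP_KNOWN_HEADER = bytes.fromhex("aaaa030000000806" "0001" "0800" "06" "04" "0001")
# Rest of a constructed ARP request: sender MAC/IP, target MAC/IP. A passive
# observer does not know these; the interview mentions chopchop or guessing for them.
ARP_PLAINTEXT = ARP_KNOWN_HEADER + bytes.fromhex(
    "001122334455" "c0a80102" "000000000000" "c0a80101")

WEP_KEY_104 = bytes.fromhex("0123456789abcdef0123456789")   # 13-byte constructed key


def wep_packet_key(secret_key: bytes, iv: bytes) -> bytes:
    """WEP forms each packet's RC4 key as IV || secret key: every key shares a suffix."""
    return iv + secret_key


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Returns the ciphertext only; the IV itself travels in the clear in the frame."""
    return xor(plaintext, rc4_keystream(wep_packet_key(secret_key, iv), len(plaintext)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext XOR ciphertext gives the keystream at those positions."""
    return xor(ciphertext[:len(known_plaintext)], known_plaintext)


def enough_keystream_for_key(key_len_bytes: int, known_bytes: int = 16) -> bool:
    """The interview's rule: an i-byte key needs keystream X[2]..X[i+1] known,
    i.e. i + 2 bytes from the start of the stream."""
    return known_bytes >= key_len_bytes + 2


def mixed_packet_key(secret_key: bytes, iv: bytes) -> bytes:
    """Stand-in (assumption) for a hashed per-packet key, TKIP/TLS-style:
    the derived keys share no common prefix or suffix across packets."""
    return hashlib.sha256(secret_key + iv).digest()[:16]


def keys_share_suffix(keys: List[bytes], secret_key: bytes) -> bool:
    return all(k.endswith(secret_key) for k in keys)


def demo() -> dict:
    ivs = [bytes([0x0A, 0x0B, n]) for n in range(3)]      # constructed IVs
    iv = ivs[0]
    ct = wep_encrypt(WEP_KEY_104, iv, ARP_PLAINTEXT)
    ks = recover_keystream(ct, ARP_KNOWN_HEADER)
    return {
        "keystream_matches": ks == rc4_keystream(wep_packet_key(WEP_KEY_104, iv), 16),
        "wep_related": keys_share_suffix([wep_packet_key(WEP_KEY_104, v) for v in ivs], WEP_KEY_104),
        "mixed_related": keys_share_suffix([mixed_packet_key(WEP_KEY_104, v) for v in ivs], WEP_KEY_104),
        "arp_enough": {bits: enough_keystream_for_key(bits // 8) for bits in (40, 104, 256)},
    }


if __name__ == "__main__":
    print(demo())
```

The point of the last two entries in demo() is the one Weinmann makes later in the interview: Klein-style attacks need many keystreams produced by keys that share a prefix or suffix, which WEP hands out by construction, while a per-packet key passed through a hash leaves each keystream under an unrelated key. The arp_enough entry reproduces the answer about 256-bit keys: 16 known bytes cover a 5- or 13-byte key but not a 32-byte one.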
If we have hardware that can't be upgraded to support WPA, what is the best way to configure it?

Erik Tews: We think that WEP is DEAD now, there isn't much left to fix. If your hardware cannot speak WPA and you need wireless security, you should replace your hardware (which costs money) or alternatively configure any kind of VPN.

WPA still uses RC4. Is there any type of attack that could take advantage of your speedup to successfully crack WPA?

Ralf-Philipp Weinmann: Before anybody jumps to conclusions: although TKIP is also based on RC4, keys change per packet (!) for this protocol. From my current understanding one would have to be able to efficiently guess a large part if not all of the per-packet keys with a high probability for multiple packets to invert the key hash and obtain the temporal key [there is work by Havard Raddum on this subject]. Furthermore, the Michael integrity protection, together with the strictly monotonous counter IV in the header, will successfully foil re-injection attacks. While WEP can be seen as a glaring example of how _not_ to design a crypto system, the design of TKIP is sound and was done by actual cryptographers. This doesn't mean it's infallible, but it's a lot better.

TLS and SSH also use RC4 but aren't affected by Klein's attack either. Klein's attack needs multiple key streams generated by "similar" keys. By similar I mean that keys share a common prefix or suffix. This, however, isn't the case with these protocols. Both use a hash function (yes, they actually use two, MD5 and SHA1) to generate the session key under which the data is encrypted. Again, to successfully attack these protocols, you'd need an attack on RC4 that recovered the key for a single key stream.

Please note however that RC4 should not be used in future designs. RC4 is a weak algorithm. Distinguishers exist that allow any contiguous RC4 output stream to be distinguished from random [see Golic's work]. Although these attacks are not practical, remember the old proverb: attacks only get better.

Federico Biancuzzi is a freelancer who writes for SecurityFocus, ONLamp, LinuxDevCenter, and NewsForge.

From alerts at infosecnews.org Wed May 16 00:25:15 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Australia vulnerable to cyber terror
Message-ID:

http://www.smh.com.au/news/security/australia-vulnerable-to-cyber-terror/2007/05/15/1178995118994.html

By Asher Moses
May 15, 2007

The computer systems powering Australia's essential services, such as electricity, gas, water, sewerage, transport and communications utilities, are outdated and not secured against cyber terrorist attacks, the Federal Government has warned.

Security analysts in the United States said simplistic attacks originating from the internet could shut down the electric grid, interrupt the transport network and compromise drinking water systems.

The Department of Communications, Information Technology and the Arts (DCITA) said the failure of critical infrastructure as a result of a cyber attack could have "severe consequences for the wider Australian community".

The threat is so serious that the Government is holding free workshops for critical infrastructure practitioners and executives next month designed to teach them about emerging threats and how to treat them. Speakers at the workshops will include staff from the National Cyber Security Division of the US Department of Homeland Security.

Providers of critical infrastructure are being invited to register for the June workshops on the DCITA website - they will be held in Sydney, Melbourne, Brisbane, Adelaide and Perth between June 4 and 14.
In a document that will be handed out to attendees, obtained by smh.com.au, the Government says control systems that form the "central nervous system" of essential services "are now increasingly connected to corporate IT networks and the Internet, making them vulnerable to potential harm from malicious cyber attacks and accidents".

"Many are legacy systems that lack sufficient IT security for today's threat environment.

"There are known cases of IC [industrial control] systems, owned and operated by critical infrastructure operators, being disrupted through Internet based attacks."

The document also warns CEOs and executives of their legal responsibility to mitigate risks to essential services.

A spokeswoman for the Communications Minister, Helen Coonan, said: "This program is a practical example of Government working closely with industry to make Australian critical infrastructure more secure."

Last week's federal budget earmarked $73.6 million over the next four years to improve the nation's capacity to manage cyber attacks.

The Attorney-General, Philip Ruddock, said part of this spending would go towards expanding the Australian Government Computer Emergency Readiness Team (GovCERT) to "provide owners and operators of Australia's critical infrastructure with information to help reduce the risks from sophisticated electronic attacks and to provide government with information about the electronic risks to critical infrastructure".

In February last year, Australia was part of an international exercise, Operation Cyber Storm, to test government response to cyber emergencies. Ten federal government departments tasked with emergency management - including the Australian Defence Force and the Australian Security Intelligence Organisation - took part in a one-day desktop simulation in Canberra, and had to respond to a fake hacking attack on the transport sector.

The exercise did not include the private sector, which controls most of the nation's critical computer networks including power, water and telecommunications.

A report on Cyber Storm was completed in March last year but results were used for internal government evaluation purposes only and were not released to the public. A second cyber terrorism war game, Cyber Storm II, is scheduled to begin in March next year.

Next month's workshops will incorporate information gleaned from April's 2007 International SCADA Cyber Security Advanced Training Workshop, held at the Idaho National Laboratories (INL).

A cybersecurity strategist for INL, Aaron Turner, last month testified to the US House Committee on Homeland Security (Subcommittee on Emerging Threats, Cybersecurity and Science & Technology) about his research on US critical infrastructure security and technology risks, which also applies to Australia.

During his testimony, Mr Turner said "the use of technology [such as the internet] in our nation's infrastructure has improved the efficiency of infrastructure operations without corresponding improvements in the ability to secure these newly connected systems".

Mr Turner added that INL had modelled scenarios where "simplistic attacks originating from the internet" could degrade electric grid capacity, impact petroleum refinery processes, interrupt transportation networks and compromise drinking water systems.

"It should also be noted that the inter-connected nature of our infrastructure increases the potential for a high-impact correction," Mr Turner said.
From alerts at infosecnews.org Wed May 16 00:25:31 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Lawmakers propose more money for cybercrime battle
Message-ID:

http://www.fcw.com/article102721-05-15-07-Web

By Wade-Hahn Chan
May 15, 2007

Legislation introduced May 14 by a bipartisan group of lawmakers would pump $10 million a year into federal law enforcement efforts to crack down on cybercrime.

The spending surge, which would last until 2011, would help give the U.S. Secret Service, the FBI and the attorney general's staff the training and computer forensics tools they need to investigate online scams, identity theft and other cybercrimes.

The Cyber-Security Enhancement Act of 2007 also would expand sentencing guidelines for cybercrime as a means to create, in the words of the bill, "an effective deterrent to computer crime and the theft or misuse of personally identifiable information."

Cybercriminals could also face stiffer penalties. The bill would eliminate interstate or foreign communication requirements for certain offenses, make conspiracy to commit cybercrime prosecutable and criminalize botnet attacks. Botnets are networks of computers compromised by hidden software, Trojan horse viruses or back doors that enable criminals to run fraud or spam schemes or launch attacks from multiple computers on the network.

"As [criminals] adapt to ... new opportunities to defraud consumers, we must develop better ways to track down the perpetrators and put them away," said Rep. Adam Schiff (D-Calif.) in a statement. A bipartisan group led by Schiff and Rep. Steve Chabot (R-Ohio) introduced the legislation on Monday.

Industry representatives reacted positively to the bill. "For too long, cybercriminals have taken advantage of legal blind spots and an under-resourced law enforcement community to brazenly threaten online confidence and security," said Robert Holleyman, president and chief executive officer of the Business Software Alliance, in a press release. He said offenders are forming organized criminal enterprises and law enforcement would need updated and improved tools to fight back.

From alerts at infosecnews.org Wed May 16 00:25:46 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Beware P2P Networks With A Tunnel To Confidential Data, Study Warns
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=199600527

By Larry Greenemeier
InformationWeek
May 15, 2007

Peer-to-peer networks could be more than a nuisance in the workplace; they might also be providing cyberthieves with a tunnel into your most confidential data. So says a new study of corporate data leaks released Tuesday by Dartmouth business school researchers.

"Many of the biggest breaches in recent years were inadvertent disclosures," says Eric Johnson, professor of operations management at Dartmouth's Tuck School of Business and director of the school's Glassmeyer/McNamee Center for Digital Strategies. Johnson co-authored the study along with Scott Dynes, a senior research fellow at Dartmouth's Institute for Security Technology Studies.

One of the major problems, they found, was that users were insufficiently protecting their files and data from peer-to-peer networks. "Like most people I talked to, I underestimated the scope of the problem," Johnson told InformationWeek. "The kinds of leaks coming out of these organizations would make their hair stand on end, in terms of both the amount and type of information leaked."

The Dartmouth study notes that there are an estimated 10 million users sharing music, video, software, and photos over peer-to-peer networks, up from about 4 million in 2003. This doesn't even include BitTorrent, a popular peer-to-peer application for video files that's difficult to monitor.
Meanwhile, efforts by ISPs, corporations, and copyright holders to limit peer-to-peer through technology (such as site blocking, traffic filtering, and content poisoning) or through the courts (the most notable being the Recording Industry Association of America prosecution of individual users and file sharing firms) have prompted peer-to-peer developers to create decentralized, encrypted, anonymous networks that can find their way through corporate and residential firewalls. "These networks are almost impossible to track, are designed to accommodate large numbers of clients, and are capable of transferring vast amounts of data," the study says.

And now the bad news. Criminals are actively searching peer-to-peer networks for any personal information they can use to commit identity theft. There are several ways for confidential data to find its way to a peer network, including instances where users accidentally share folders containing such data, users store music and other data in the same folder that is shared, or users download malware that exposes their file directories to the network.

A lot of identity theft victims "don't realize that their son was on LimeWire last night sharing their financial information," Johnson says. "Much of this software has interface designs that are confusing and even deceptive in a way that gets people to share, without knowing it, their whole hard drive."

Identity theft has become a bleak fact of life for many people. Many would-be identity thieves simply troll the Internet looking for sensitive information mistakenly posted to Web sites. Johnson and his colleagues have tracked this behavior by ordering credit cards and phone cards and then publicly disclosing account information via the Web. "We leaked a live Visa card so we could watch what the thieves were doing with the information," he says, adding that he found that cyberthieves were using the stolen accounts in conjunction with PayPal and other online payment services to try to cover their tracks.

Johnson and his colleagues found lots of supposedly confidential information floating freely out on the Web, including job performance reviews and a bank's spreadsheet containing 23,000 business accounts including their contact names and addresses, account numbers, company positions, and relationship managers at the bank. He even found the results of a "confidential" security audit that a company had commissioned. Whoops.

One of the most effective ways to prevent business information from being leaked through peer-to-peer networks is to understand how these services are used. "Security people say they've blocked ports inside their firewalls so that users can't connect into peer-to-peer networks," Johnson says. "That's fine until those employees take their laptops home at night or go to a Starbucks and connect to a peer-to-peer network."

There are ways of tracking whether corporate data has been leaked onto peer-to-peer networks. Security pros can set up their own accounts on the most popular peer-to-peer networks, which include Gnutella, FastTrack, and eDonkey, and search to see if any information being offered resembles their proprietary data or intellectual property. "Create a digital footprint for your company," Johnson says. Keep track of all searchable keywords that would lead a Web surfer to your company, including firm names, abbreviations, ticker symbols, brand names, subsidiaries, etc., and use those terms to search the peer-to-peer networks.

The idea for the Dartmouth study came from Homeland Security Department-sponsored work Johnson and his colleagues had been doing in studying international cyberattacks on U.S.-based targets.
As the Internet increasingly becomes a part of the country's critical infrastructure, like telephone networks or power grids, Homeland Security wants businesses to protect themselves from cyberthreats.

From alerts at infosecnews.org Wed May 16 00:26:00 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Survey Assesses Impact of Data Security Breach
Message-ID:

http://www.ddj.com/dept/security/199501952

By Jonathan Erickson
May 15, 2007

DDJ: With us today is Robert Scott, managing partner at Scott & Scott, a law and technology services firm that focuses on privacy and network security. Rob, along with the Ponemon Institute, an independent privacy and information management research firm, you recently conducted a survey that examined the business impact of security breaches. What did you learn?

RS: We learned two things that were really surprising. First, despite the frequency of data breach events businesses are still unprepared. They do not have proper security policies in place, they are not taking advantage of encryption technology to protect data, and they are not consulting with legal counsel before responding to an event which could leave them vulnerable to legal liabilities. Second, we learned that businesses believed that data subjects typically suffered little or no actual monetary harm as a result. However, these businesses are required to notify all subjects of a breach regardless of the perceived threat -- a process that can be very damaging to a business's financial health and reputation. If notification requirements are not providing tangible consumer benefits such as preventing possible future economic harm, then it may be time to reevaluate the requirements.

DDJ: Can you briefly tell us about the survey? Who were the respondents, for instance?
RS: There were a total of 702 respondents including various C-level executives, chief information officers, and a range of IT security professionals in mostly large businesses. The respondent businesses spanned all industries including financial institutions, insurance, retail, professional services, the technology sector, and so on.

DDJ: What practical lessons can be learned from the survey results?

RS: I can't overstate the importance of encryption technology on all devices containing confidential information. It is the single most effective way to prevent the business risks associated with a data security breach. If information is encrypted not only does it render the data unreadable, but your company may be exempt from costly and damaging notification requirements.

DDJ: Is there a web site that readers can go to for more information on these topics?

RS: A copy of the survey report is available on our web site at www.scottandscottllp.com

From alerts at infosecnews.org Thu May 17 01:38:59 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Cisco routers caused major outage in Japan: report
Message-ID:

http://www.networkworld.com/news/2007/051607-cisco-routers-major-outage-japan.html

By Jim Duffy
Network World
05/16/07

Cisco routers were the source of a major outage May 15 in an NTT network in Japan, according to an investment firm bulletin.

Between 2,000 and 4,000 Cisco routers went down for about 7 hours in the NTT East network after a switchover to backup routes triggered the routers to rewrite routing tables, according to a bulletin from CIBC World Markets. The outage disconnected millions of broadband Internet users across most of eastern Japan.

Cisco says it could not say which specific router models were involved.

"Cisco is working closely with NTT East to identify the specific cause of the outage and help prevent future occurrences," a Cisco spokesman said in an e-mailed reply.
"At this time, Cisco and NTT have not determined the specific cause of the problem."

NTT East and NTT West, both group companies of Japanese telecom giant Nippon Telegraph and Telephone (NTT), are in the process of finalizing their decisions on a core router upgrade, according to the report.

The routing table rewrite overflowed the routing tables and caused the routers' forwarding process to fail, the CIBC report states.

"Clearly, this failure doesn't reflect well on (Cisco) and at the very least highlights the need for two vendors," states CIBC analyst Ittai Kidron in the report. Kidron states that NTT West is evaluating Juniper core routers while East evaluates the Cisco platforms.

"That said, we don't expect the failure at NTT East to influence its decision with respect to its choice of core router vendor," Kidron states in the bulletin. "In fact, as router capacity was partly responsible for the failure, it is possible the outage could accelerate NTT's transition to Cisco's newer core router, the CRS-1."

NTT was one of the initial testers of the CRS-1 when the product was launched three years ago.

"We don't believe the decisions would change based on this event," Kidron concluded. "Juniper still remains a leading contender at NTT West and Cisco at NTT East."

All contents copyright 1995-2007 Network World, Inc.

From alerts at infosecnews.org Thu May 17 01:39:50 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Internet Crime: Kobik Searches and Finds
Message-ID:

http://emagazine.credit-suisse.com/app/article/index.cfm?fuseaction=OpenArticle&aoid=186816

By Franziska Vonaesch, Editor
14.05.2007

The National Coordination Unit for Combating Internet Crime (Kobik) has been online since January 1, 2003. Kobik acts as a center of competence for the public, official bodies and internet service providers on legal, technical and crime-related issues. Practice shows just how competent it is.
The Federal Office of Police, Department IMC, Section OSINT/Kobik Monitoring. Even its name reads like a code. Its unobtrusive premises are located in a residential zone near the Wankdorf Stadium in Berne. Those who want to come inside need a special pass. Here - behind closed doors - investigators scan the murky waters of the internet. They're on the lookout for all kinds of criminal offences. For example, the distribution of hardcore pornography and violent images, white-collar crime of various kinds, extremist or racist statements, copyright infringements, illegal arms trading and - since April 1, 2007 - spam.

White-Collar Crime is on the Rise

In 2006 Kobik received 7,345 tip-offs from the public. 40 percent of the contents are hardcore pornography including child pornography, 24 percent spam, 9 percent pornography in general, 4 percent white-collar crime, 2 percent copyright infringement and 1 percent racial discrimination. The steady rise in white-collar crime is striking - the figures double every year.

"White-collar crime on the internet" is a very broad term that covers a multitude of offences: "phishing", money laundering, fraudulent escrow services (internet fiduciary services), misuse of credit card data, illegal data acquisition and countless other types of fraud. All the criminals behind these offences work in the same way: They spy on internet users in order to line their own pockets. This is a serious problem for banks and other financial institutions in Switzerland.

Software Looks for Clues

Nine members of staff at Kobik are responsible for uncovering criminal activity of this kind. They work in three separate areas: Monitoring, Clearing and Analysis. They are supported by all those who use the appropriate form to provide information about suspicious internet content. "Every tip that we receive appears immediately on the screens of the five Monitoring staff," explains Roger Küffer, Head of Monitoring.
Initially the reports are processed by a special program. The software saves the reported data and automatically finds out which computers are being targeted via a particular address - and, most importantly, who is registered as responsible for the computer. "We only follow up cases that have a link with Switzerland." This means either that the "suspicious" computer is located in Switzerland or that the address is registered in the name of a Swiss citizen. Reports that point to foreign providers are passed on selectively to the countries in question.

Spam: When Victims Become Offenders

Around 20 percent of all messages received are spam. There is a new spam analyzer for tip-offs of this kind under kobik.ch. This tool identifies the relevant internet provider at the press of a button. If the provider is Swiss - Cablecom for example - the victim can report the case to Cablecom. Providers are obliged by law to prevent unsolicited mass advertising. "This analysis tool gives users the opportunity to defend themselves and shows them where they can get help," summarizes Küffer.

But users aren't just victims - often they are offenders without even knowing it. The user's computer can be hijacked and infected with viruses or Trojan horses. Each time that the PC is switched on, it automatically transmits spam messages - you could almost say "by remote control." A network of these infected PCs is known as a "botnet."

Chat Forums Deliver Tip-Offs

The name "Coordination Unit" doesn't really do Kobik justice. "A key part of our day-to-day work is generating cases." "Generating" in this context means actively searching the internet for criminal activity. The topic is clearly prescribed by the body that governs Kobik's activities: child pornography. It's immediately clear that network and research specialists are at work here. "We know exactly what we're looking for and where to find it." However, the investigators don't have an entirely free hand.
Monitoring is only permitted in the public sphere - password-protected areas are off limits. Entrapment is also forbidden - as is investigation under false pretenses. The monitoring of chat forums therefore requires a great deal of time and sensitivity. "We know and observe that a great deal of illegal activity goes on in chatrooms and therefore work closely together with the chatroom operators. Bluewin, for example, has more than 300 volunteers who monitor chatrooms intensively." Any suspicious activity is then reported to Kobik.

Patrolling the Data Highway

But where do most incidents occur? "Mainly in peer-to-peer (P2P) networks." "Gnutella," "Fast Track" and "eDonkey" for example are well-known P2P networks. Countless images and other items of information - including child pornography - are passed along these sections of the data highway. "Here we pick up between 30 and 40 cases per month."

Küffer demonstrates how quickly and irrevocably a blow can be landed - even though there are several million surfers on the net at this moment. He enters his query based on its relevance to Switzerland. He keeps the search term secret - this is inside information. The list of hits is long and misleading at first glance, because not every hit points to an offender. Figuring out who is an offender and who is not is a key part of the work. Experience helps.

Suspicious activity. Now what?

After all the tip-offs and suspicions with a link to Switzerland have been secured in a form that can be used in court, the dossiers are passed to Kobik's Clearing unit. These three employees check the reports to determine their relevance under criminal law and then pass the suspicious cases on to the responsible prosecuting authorities in the cantons. Over the past year Kobik has examined 280 suspicious cases, 79 percent of which were taken further by the police. That's around 221 arrests over the year.
In other words, Kobik's nine employees uncover one offender every second day - "clerical work" that's really worthwhile.

Related Links: www.kobik.ch

From alerts at infosecnews.org Thu May 17 01:40:47 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] How Banks Could Help Minimize Phishing
Message-ID:

Forwarded with permission from: Security UPDATE
=== IN FOCUS: How Banks Could Help Minimize Phishing ===========
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

One of the fastest growing and biggest problems in the security world today is phishing. Criminals who yearn to take advantage of the trend are swarming like mosquitoes on a warm and muggy summer evening--and they need to be swatted out of existence, fast.

Today it's easy for a crook to set up a Web site with nearly any domain name they want. They take advantage of the situation by registering domains very similar to legitimate commercial domains. Banks and their customers are the biggest targets. In fact, data from the Anti-Phishing Working Group shows that since May 2006, 20,000 new phishing scams have been reported every month. The data also shows that the overwhelming majority of those scams targeted customers of various financial institutions.

Phishing scams fool so many people that a mega-million-dollar antiphishing industry has popped up to produce products and services to help protect people. The tools provide decent proactive defense, but they aren't foolproof, and many people don't use them. Is there another way to help protect the public against the bank phishing plague?

Recently, F-Secure's Mikko Hypponen wrote a brief article for "Foreign Policy" magazine (at the URL below) that proposes an idea that's so obvious I find it really difficult to figure out why no one has acted on it before.
http://list.windowsitpro.com/t?ctl=565F3:57B62BBB09A692791757267EB3FEAFE0

The idea was originally sent to him by a reader of F-Secure's blog back in October 2006 (see the URL below). The idea is simple: The Internet Corporation for Assigned Names and Numbers (ICANN) could establish a new top-level domain (TLD) called something like .bank and allow only legitimate, verified financial institutions to register a name in that level.
http://list.windowsitpro.com/t?ctl=565ED:57B62BBB09A692791757267EB3FEAFE0

Hypponen expands on the idea by suggesting that as an added precaution against scammers--who would undoubtedly attempt to falsify information in an effort to register a name in that TLD--banks and other financial institutions could be charged a hefty fee for new registrations. Hypponen suggests something like $50,000 per domain. I think that other requirements centered around verification of credentials could be put in place too; these could be kept secret from the public so that scammers aren't sure exactly what they are.

If a .bank TLD were available and had enough publicity, people would quickly become aware that their financial institutions should be using this TLD and could avoid bank Web sites that didn't use it. This would help put a serious damper on phishing scams.

Of course, a .bank TLD wouldn't stop phishing entirely. Several techniques could still be used to fool or take advantage of unsuspecting bank customers; for example, DNS poisoning, man-in-the-middle attacks, cross-site scripting, browser-based URL spoofing, and Trojan horses and keyloggers. So security tools and user education would still be important. Nevertheless, a new TLD would help.

As for creating the TLD, if I understand correctly, it's not up to ICANN to start the process. Instead, some independent entity must request its creation. So, for example, banks (and other financial institutions) could unite towards that effort, establish an entity that would handle applications for domain name registration requests (and the related services), and formally petition ICANN to create the new TLD. ICANN would then review the proposal and decide whether to proceed with delegating the new TLD to the DNS root zone.

I hope this happens. It seems like an idea whose time has come and an easy way for banks to help secure their customer interactions.
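
The column's point is that a restricted .bank TLD only helps if the check "is this really a .bank address?" is made properly, since the string "bank" can be planted anywhere in a lure. The following added example (not from the newsletter or Hypponen's proposal) shows how a mail filter or browser add-on would make that check mechanically; it treats .bank as if it existed and all hosts in it are invented.

```python
"""Decides whether a link really lands in a (hypothetical) .bank TLD.

Added example, not part of the newsletter or Hypponen's proposal. A user
glancing at an address can be fooled by "bank" appearing as a subdomain,
as userinfo before an @, or in a hyphenated name; a client making the
check in code looks only at the last DNS label. Every host is invented.
"""
from urllib.parse import urlsplit

TRUSTED_TLD = "bank"  # the proposed restricted TLD, assumed to exist here


def classify(url: str) -> tuple:
    """Return (verdict, reason); verdict is 'bank', 'not-bank' or 'suspicious'.

    'bank' means the host's last label is .bank and the link uses HTTPS.
    Anything that merely contains the string 'bank' is not a bank.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return "suspicious", f"unparseable URL: {exc}"

    # urlsplit keeps user:pass@ in netloc; .hostname strips it, so
    # https://secure.bank@evil.example/ is seen as host evil.example.
    host = parts.hostname
    if not host:
        return "suspicious", "no host in URL"
    if "@" in parts.netloc:
        return "suspicious", "userinfo before host (classic lure)"

    # Normalize: drop a trailing dot, flag punycode for manual review,
    # and treat a bare IP address as not a name at all.
    labels = host.lower().rstrip(".").split(".")
    if any(label.startswith("xn--") for label in labels):
        return "suspicious", "internationalized domain; inspect manually"
    if labels[-1].isdigit():
        return "not-bank", "numeric IP address, not a .bank name"

    # The TLD is the LAST label: 'northwind.bank.example' ends in
    # .example, and 'northwind-bank.example' never had a bank label.
    if labels[-1] != TRUSTED_TLD:
        if TRUSTED_TLD in labels:
            return "suspicious", "'bank' appears as a subdomain, not the TLD"
        return "not-bank", f"TLD is .{labels[-1]}"

    if parts.scheme != "https":
        return "suspicious", ".bank host but no TLS"
    return "bank", f"{host} is under .{TRUSTED_TLD}"


# Constructed cases with the expected verdict (all hosts are invented).
SAMPLES = {
    "https://www.northwind.bank/login": "bank",
    "https://northwind.bank.example/login": "suspicious",
    "https://www.northwind.bank@203.0.113.5/login": "suspicious",
    "http://northwind.bank/login": "suspicious",
    "https://northwind-bank.example/login": "not-bank",
    "https://203.0.113.5/login": "not-bank",
    "https://xn--nrthwind-abc.bank/": "suspicious",
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        verdict, reason = classify(url)
        print(f"{verdict:11} {url}  ({reason})")
```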
=== SECURITY NEWS AND FEATURES =================================

Strange Twist of Logic: Use Our Technology or Else!
The Digital Millennium Copyright Act (DMCA) has been used against countless numbers of individuals and companies, forcing them to stop infringing on intellectual property rights. Now, in a strange twist of logic, the DMCA is being wielded as a club in an attempt to force the use of intellectual property.
http://list.windowsitpro.com/t?ctl=565F7:57B62BBB09A692791757267EB3FEAFE0

Microsoft Retires MBSA 1.2, Suggests Shavlik Tools for Legacy Support
Microsoft ended support for its Baseline Security Analyzer and recommends that customers who need to scan legacy products use Shavlik NetChk Limited, which produces output that can be opened and read by MBSA 2.0.1.
http://list.windowsitpro.com/t?ctl=565F5:57B62BBB09A692791757267EB3FEAFE0

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities.
You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=565EE:57B62BBB09A692791757267EB3FEAFE0

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Windows Server 2003 Needs at Least One Service Pack
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=565FC:57B62BBB09A692791757267EB3FEAFE0
If you're running Windows Server 2003 without at least SP1, you can no longer install security updates.
http://list.windowsitpro.com/t?ctl=565F8:57B62BBB09A692791757267EB3FEAFE0

FAQ: View File Ownership in PowerShell
by John Savill, http://list.windowsitpro.com/t?ctl=565FA:57B62BBB09A692791757267EB3FEAFE0
Q: How can I view the owner for a file from PowerShell?
Find the answer at
http://list.windowsitpro.com/t?ctl=565F6:57B62BBB09A692791757267EB3FEAFE0
=== PRODUCTS ===================================================
by Renee Munshi, products@windowsitpro.com

Memory Stick Security
Gemalto North America announced Protiva Secure Digital Companion (SDC), a USB flash memory device that generates one-time passwords (OTPs) for authentication, generates digital certificates for authentication or for signing and encrypting documents, and encrypts data stored on the device. When used with Gemalto's Protiva system, SDC can provide OTP strong authentication based on a standard developed by the Open Authentication Initiative (OATH). Protiva SDC also can be used with Citrix Access Suite for strong authentication and secure VPN access and is compatible with Windows 2000/XP/Server 2003. For more information, go to
http://list.windowsitpro.com/t?ctl=56600:57B62BBB09A692791757267EB3FEAFE0
Windows IT Pro, a division of Penton Media, Inc.
Copyright 2007, Penton Media, Inc. All rights reserved.

From alerts at infosecnews.org Thu May 17 01:41:03 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] DISA's Wi-Fi Flying Squirrel
Message-ID:

http://blogs.govexec.com/techinsider/archives/2007/05/disas_wifi_flying_squirrel.html

By Allan Holmes
May 15, 2007

The following item was posted by Bob Brewin.

The Defense Information Systems Agency has started to deploy throughout the Defense Department a Wi-Fi network monitoring tool dubbed Flying Squirrel, according to an internal agency briefing obtained by Tech Insider.

The name Flying Squirrel, I'm told, has nothing to do with DISA (whose headquarters on Courthouse Road in Arlington, Va., is pretty much in a squirrel-free zone) or with the actual device itself, but rather it's just a moniker that caught the fancy of an unnamed developer at the Naval Research Lab, which created the monitoring tool. DISA, on the other hand, calls the system a Wireless Discovery Tool.

The Flying Squirrel provides the most basic defense of any Wi-Fi network against intruders who may monitor radio activity around a DOD facility or base, I'm told by an industry source well versed in its development.

Flying Squirrel's software, the development of which was overseen by the U.S.
Strategic Command's Enterprisewide Information Assurance and Computer Network Defense Solutions Steering Group, sniffs for users on a Wi-Fi network and, once it finds one, captures the user's unique identifying address and geolocation. Network personnel then check the address to determine if the user is an authorized or unauthorized user on the wireless network.

My source told me security personnel load Flying Squirrel on a notebook computer equipped with a Wi-Fi card or chip and then drive around the perimeter of a DOD base to locate Wi-Fi networks and users. The software, this source said, owes a lot to open source Wi-Fi sniffing tools such as NetStumbler or Kismet, but has a somewhat snazzier interface and the all-important U.S. Strategic Command steering group's stamp of approval.

The Marines were the first organization to use Flying Squirrel two years ago, I'm told, and the software caught the attention of a contractor from Smartronix, who backed its DOD-wide. (Smartronix had not returned a call by deadline.)

DISA, the Strategic Command steering group and Smartronix now are working on the Wireless Mapping System, which security personnel, using Flying Squirrel, will use to pinpoint on a digital map the locations of Wi-Fi users. The mapping application, I'm told, continues the furry-critter marmot naming scheme, operating under the codename of Woodchuck.

From alerts at infosecnews.org Thu May 17 01:41:19 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Security Games
Message-ID:

http://www.gcn.com/print/26_10/44215-1.html

By Trudy Walsh
GCN Staff
05/07/07 issue

When Jackie Hoover tells her security classes that they have to be commercially certified in the next five years, their eyes get really big, and not in a good way, she said.
The new policy, DOD Directive 8570.1, mandates that all Defense Department information assurance technicians and managers (that's about 110,000 military, civilian and contractor employees) be certified to meet DOD requirements within five years.

"The directive has shocked everybody I've worked with," said Hoover, director of the Technical Education College next to Peterson Air Force Base in Colorado Springs, Colo. The college offers technology classes to personnel at the Air Force Space Command and other Air Force bases.

"You have to get these commercial certifications or you may lose your job," she said. "And they're not easy tests."

Hoover teaches Security+, one of a series of classes that count toward the requirement. With so many students to teach so quickly (as many as 300 students in the last quarter) Hoover looked for an easy-to-use training tool that would reinforce what students learn in the classroom.

She discovered Cyberciege, an online simulation game that lets students role-play aspects of network management. Students can hire and fire employees and, using virtual money, buy and configure computers, servers, operating systems and network devices.

"Our main goal is to get people ready for deployment to places like Iraq," Hoover said. "They have to set up networks securely there but don't have contractor help like they do here. Our school is the last place to reinforce what they've learned before they go."

Cyberciege was developed by the Center for Information Systems Security Studies and Research at the Naval Postgraduate School in Monterey, Calif., working with Rivermind, a game development company.

"Students say it's a lot more entertaining and informative than they thought it would be," said Mike Thompson, a research associate at the Naval Postgraduate School. "Network security can be pretty mundane stuff. We spice it up." For example, one game scenario includes what happens when a person with pinkeye gets an iris scan.
"We knew about information assurance," said Cynthia Irvine, a professor at the Naval Postgraduate School. "Rivermind knew about graphics and games."

The school wanted to develop a resource management game, Irvine said. The question was how they could infuse the dry routine of information assurance with the drama of game playing. "We had to give players an emotional investment in what was happening," she said. "They had to be invested in the success of the virtual company and keep the virtual users of the enterprise happy and productive. We think this game can help organizations meet training and awareness requirements better than yet another set of dreary PowerPoint slides."

Cyberciege shows them why you can't just leave your passwords posted underneath your drawer, Irvine said.

Cyberciege comes with a motley cast of characters. There's Typical User, who just wants to do the job; Angry User, who is looking for ways to harm the enterprise; and Vandal, who's motivated by boredom, desire for attention or just plain technical curiosity. Unlike in the real world, where mind reading is reserved for psychics and magicians, Cyberciege players can query characters' thoughts. "I sure would like more convenient Internet access," one character might think. Players can then help the characters meet their goals.

Written in C++, Cyberciege uses Rivermind's 3-D graphics engine and Java. It will run on machines with Windows 2000 through Vista with 64M of RAM, Thompson said. Cyberciege is available at no cost to federal agencies by contacting cyberciege@nps.edu.
From alerts at infosecnews.org Thu May 17 01:41:33 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks
Message-ID:

http://www.smh.com.au/news/Technology/Estonia-urges-firm-EU-NATO-response-to-new-form-of-warfarecyberattacks/2007/05/16/1178995207414.html

The Sydney Morning Herald
May 16, 2007

Estonia has urged its allies in the European Union and NATO to take firm action against a new mode of warfare that has been unleashed on the Baltic state in a bitter row with Russia over a Soviet war memorial: cyber-attacks.

"Taking into account what has been going on in Estonian cyber-space, both the EU and NATO clearly need to take a much stronger approach and cooperate closely to develop practical ways of combatting cyber-attacks," Estonian Defence Minister Jaak Aaviksoo told AFP Tuesday.

"Considering the scale of damage and the way these cyber-attacks have been organised, we can compare them to terrorist activities," Aaviksoo said a day after raising the new mode of warfare at talks with his fellow EU defence ministers in Brussels.

Estonian institutional websites have been under regular cyber-attack since the end of last month, when a row blew up with Russia over the removal from central Tallinn of a memorial to Soviet Red Army soldiers.

Officials in Estonia, including Prime Minister Andrus Ansip, have claimed that some of the cyber-attacks, which forced the authorities in the Baltic state to temporarily shut down websites, came from Russian government computers, including in the office of President Vladimir Putin.

"The cyber-attacks against government websites have come in waves: they start and end, and then start again after a few days' break," said Hillar Aarelaid, head of the Computer Emergency Response Team (CERT), which was set up last year to tackle "security incidents" in Estonia's .ee Internet domain.
"Last Friday, we hoped it was all over but the new massive attack against one of the biggest banks on Tuesday showed we were too optimistic. "Cyber-attacks also have been launched against banks, newspapers, schools and many other institutions," Aarelaid told AFP. Estonia's second-biggest bank, Swedish-owned SEB Eesti Uhispank, was forced Tuesday to block access from abroad to its online banking service after it came under "massive cyber-attack", a spokesman for the bank, Silver Vohu, said. Hansapank, the biggest bank in Estonia, came under attack last week. The first wave of cyber-attacks against official websites fizzled out after Estonian Foreign Minister Urmas Paet publicly declared that many of the attacks had originated from Russian government computers. The new wave of attacks was coming from "around the world," Aarelaid said. "Even computers as far away as Vietnam have been involved in cyber-attacks against Estonia. The attackers try to restrict access to Estonian websites and in some cases have tried to change the information on the website they have attacked," Aarelaid said. The attacks might originate in computers around the world, but they still have Russian roots, he said. "The net has been full of Russian language instructions on how to inflict damage on Estonian cyber-space," Aarelaid said. Cyber-attacks are such a new phenomenon that there are no universal rules available on how to strike back at them. "We haven't yet defined what can be considered to be a cyber-attack, or what are the rights of member states and the obligations of EU and NATO in the event such attacks are launched," Aaviksoo said. "The EU and NATO need to work out a common legal basis to deal with cyber attacks. For example, we have to agree on how to tackle different levels of criminal cyber-activities, depending on whether what we are dealing with is vandalism, cyber-terror or cyber-war," he said. 
Aarelaid agreed: "The unprecedented cyber-attacks against Estonia have clearly indicated we need much stronger regulations in this area.

"You could compare this with what our great-grandparents faced when cars first started to appear on the streets. Eventually, there were so many of them that new, strict rules needed to be implemented."

The cyber-attacks against Estonia were launched after the authorities here moved a monument to Soviet soldiers who fought fascism in World War II from the city block where it stood in central Tallinn to a military cemetery in a quiet neighbourhood of the capital.

Russians see the monument as a sacred memorial to the millions of Soviet soldiers who died in the war, while to Estonians it is a reminder of 50 years of Soviet occupation.

The removal of the monument drew the ire of Moscow and triggered riots in Tallinn by members of Estonia's ethnic Russian minority, which makes up around one-quarter of the Baltic republic's population of 1.34 million.

It also set off the cyber-attacks, which have drawn condemnation from the European Union, individual EU member states, the United States and NATO.

NATO defence ministers will discuss cyber defence at a meeting in Brussels in June.

(c) 2006 AFP

From alerts at infosecnews.org Thu May 17 01:41:49 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Book Review: Security Metrics: Replacing Fear, Uncertainty, and Doubt
Message-ID:

http://books.slashdot.org/books/07/05/16/1344256.shtml
http://www.amazon.com/exec/obidos/ASIN/0321349989/c4iorg
http://www.shopinfosecnews.org

Security Metrics: Replacing Fear, Uncertainty, and Doubt
Author: Andrew Jaquith
Pages: 336
Publisher: Addison-Wesley
Rating: 10
Reviewer: Ben Rothke
ISBN: 0321349989
Summary: Authoritative text on information security metrics

One could write a book on how FUD sells security products.
One of the most memorable incidents was in 1992, when John McAfee created widespread panic about the impending Michelangelo virus. The media was all over him as he was selling solutions for the five million PCs worldwide he said would be affected. In the end, the Michelangelo virus was a non-event. Nonetheless, it was far from the last time that FUD was used to sell security.

The allure of FUD is that companies can spend huge amounts of money fighting nebulous digital adversaries and feel good about it. They can then put all of that fancy hardware in dedicated racks in their data center, impressing the auditors with flashing lights that give off an aroma of security and compliance. That is the chaos security metrics set out to resolve. Security metrics, if done right, can help transform a company from a nebulous perspective on security to an effective one based on formal security risk metrics.

Security Metrics is a fabulous book that should be in the hands of every security professional. The book demonstrates that companies must establish metrics based on their unique requirements, as opposed to simply basing their requirements on imprecise industry polls, best practices and other ill-defined methods.

So why don't companies do that in the first place? If security metrics can provide even a quarter of the benefits that Jaquith states, companies should run to implement them. Real security metrics require an organization to open up its security hood and dig deep into the engine that runs its security infrastructure. That necessitates understanding the internal requirements, unique organizational risks, myriad strengths and weaknesses, and much more. Very few companies are willing to dedicate the time and resources for that, and would rather build their security infrastructure on thick layers of FUD. History has shown that the security appliance of the month almost always beats a formal risk and needs assessment.
Chapter 1 lays out the problem with the approaches most companies take to risk management. The main problem is that traditional risk management is far too dependent on identification and fixing, as opposed to quantification and triage based on value. Quantifying and valuing risk is much more difficult than simply identifying it, since the software tools used have no organizational context or knowledge of the specific business domain.

Chapter 2 sets out the foundation of security metrics. The goal of these metrics is to provide a framework in which organizations can quantify the likelihood of danger, estimate the extent of possible damage, understand the performance of their security organizations and weigh the costs of security safeguards against their expected effectiveness. The time has come for security metrics, since information security is one of the few management disciplines that has yet to submit itself to serious analytical scrutiny. The various chapters provide many different metrics that can be used immediately in most organizations to address that.

The author defines various criteria for what makes a good metric. One of his pet peeves is the use of the traffic light as a metaphor for compliance. Jaquith feels that traffic lights are not metrics at all, since they contain neither a unit of measure nor a numerical scale. He suggests using traffic-light colors sparingly, and only to supplement numerical data or draw attention to outliers. He astutely notes that if your data contains more precision than three simple gradations, why dilute its value by obscuring it with a traffic light?

The chapter concludes on what makes a bad metric, defined as any metric that relies too much on the judgment of a person. These metrics can't be relied on, since the results can't be guaranteed to be the same from person to person. Also, security frameworks such as ISO-17799 should not be used for metrics.
The book also tackles the sacred cow of risk management, namely ALE (annualized loss expectancy), and how it is significantly misused and misunderstood in the industry.

The book states that in developing metrics, there must be formal collaboration between the business units and the security staff. This collaboration serves to increase awareness and acceptance of security. In addition, it ensures that security requirements are incorporated into the lifecycle early on. This is needed, as business units generally have no clue what the needed security requirements are.

Chapter 5 is a short course on analysis techniques and statistics. The author quotes George Colony, who stated that "any idiot can tell you what something is. It is much harder to say what that thing means." With that, the book details a number of techniques for analyzing security data (average, median, time series, etc.) and how each one should be used.

Chapter 6 is about visualization, and notes that most information security professionals have no real idea how to show security, both literally and figuratively. Part of the problem is that security is riddled with esoteric terminology and concepts, and that the masses lack an understanding of risk management. Part of the reason for this difficulty in sharing the security message with management is that many security practitioners lack simple metaphors for communicating priorities. This is compounded by the fact that the message is often focused exclusively on technical security issues, as opposed to the underlying business issues, which is what management is concerned with. The chapter is invaluable, as it weans one off the malevolent pie chart and traffic-light PowerPoint presentation.

Marcus Ranum notes that people seem to want to treat computer security like it's rocket science or black magic. In fact, computer security is nothing but attention to detail and good design.
FUD is all about emphasizing the black magic aspect of hackers and other rogue threats. Metrics are all about the attention to detail that FUD lives to obfuscate.

Security Metrics: Replacing Fear, Uncertainty, and Doubt is one of the more important security books of the last few years. Jaquith turns much of the common security wisdom on its head, and the world will be a better place for it. Security metrics are a necessity whose time has come, and this invaluable book shows how it can be done.

-=-

Ben Rothke, CISSP is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.

From alerts at infosecnews.org Fri May 18 01:30:03 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Critical Flaws Found in Java Development Kit
Message-ID:

http://www.eweek.com/article2/0,1895,2132409,00.asp

By Brian Prince
May 17, 2007

Two vulnerabilities open to remote exploitation by hackers have been found in the Java Development Kit, one of which could be used to take over a compromised system.

JDK (Java Development Kit) is a software development tool made by Sun Microsystems specifically for Java users.

The vulnerabilities were rated "critical" by FrSIRT (French Security Incident Response Team), a security research organization based in France.

One flaw is caused by an integer overflow error in the image parser when processing ICC profiles embedded within JPEG images, according to FrSIRT researchers. Security experts at Secunia outlined the dangers of the flaw in a separate advisory.

"This can be exploited to crash the JVM and potentially allow the execution of arbitrary code by e.g. tricking an application using the JDK to process a malicious image file," Secunia security experts stated.

The second vulnerability is caused by an error in the BMP image parser when processing malformed files on Unix/Linux systems, which could be exploited by attackers to cause a denial of service.
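The article names the ICC-profile flaw only as an integer overflow in the image parser. The C code below is an added illustration of that bug class, not Sun's parser: a hypothetical, simplified reader for the JPEG APP2 ICC_PROFILE segment (the segment layout and the sample bytes are constructed here) that shows a size computation wrapping in 32-bit arithmetic beside a checked version, and a parser that validates every file-supplied length before using it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified reader for the ICC_PROFILE APP2 segment of a JPEG
 * file (added example, not Sun's parser). Segment body layout assumed here:
 *   uint16 BE  segment length, counting the 2 length bytes themselves
 *   char[12]   "ICC_PROFILE" followed by a NUL byte
 *   uint8      chunk sequence number (1-based)
 *   uint8      total chunk count
 *   bytes      profile data; chunk 1 starts with a uint32 BE profile size */
#define ICC_SIG         "ICC_PROFILE"
#define ICC_SIG_LEN     12
#define ICC_HDR_LEN     (2 + ICC_SIG_LEN + 2)   /* 16 bytes of fixed header */
#define ICC_PROFILE_HDR 128                     /* minimum ICC profile size */

typedef struct {
    uint32_t declared_profile_size;  /* size field from the ICC header */
    uint32_t chunk_data_len;         /* profile bytes in this segment */
    uint8_t  seq_no;
    uint8_t  seq_count;
} icc_chunk_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Bug class: a buffer size for all chunks is computed in 32-bit arithmetic
 * from file-controlled fields, so a large product wraps to a small value and
 * the later copy of the real data overruns the undersized buffer. */
uint32_t icc_alloc_size_naive(uint32_t chunk_len, uint32_t seq_count) {
    return chunk_len * seq_count + ICC_PROFILE_HDR;   /* silently wraps */
}

/* Fix: do the arithmetic in 64 bits and refuse anything that does not fit. */
int icc_alloc_size_checked(uint32_t chunk_len, uint32_t seq_count,
                           uint32_t *out) {
    uint64_t total = (uint64_t)chunk_len * seq_count + ICC_PROFILE_HDR;
    if (total > UINT32_MAX) return -1;
    *out = (uint32_t)total;
    return 0;
}

/* Parse one APP2 segment body starting at its length field. Every length
 * read from the file is checked against the bytes actually present before
 * it is used. Returns 0 on success, a negative code on the first failure. */
int icc_parse_app2(const uint8_t *buf, size_t buflen, icc_chunk_t *out) {
    if (buflen < ICC_HDR_LEN) return -1;
    uint16_t seglen = be16(buf);
    if (seglen < ICC_HDR_LEN || seglen > buflen) return -2;   /* bad length */
    if (memcmp(buf + 2, ICC_SIG, ICC_SIG_LEN) != 0) return -3;
    out->seq_no = buf[14];
    out->seq_count = buf[15];
    if (out->seq_no == 0 || out->seq_count == 0 || out->seq_no > out->seq_count)
        return -4;                                         /* bad chunk index */
    out->chunk_data_len = (uint32_t)seglen - ICC_HDR_LEN;
    out->declared_profile_size = 0;
    if (out->seq_no == 1) {
        if (out->chunk_data_len < 4) return -5;            /* no size field */
        out->declared_profile_size = be32(buf + ICC_HDR_LEN);
        if (out->declared_profile_size < ICC_PROFILE_HDR) return -6;
    }
    return 0;
}

/* Constructed sample: well-formed first chunk declaring a 144-byte profile. */
static const uint8_t SAMPLE_OK[] = {
    0x00, 0x18,                                    /* length = 24 */
    'I','C','C','_','P','R','O','F','I','L','E', 0x00,
    0x01, 0x01,                                    /* chunk 1 of 1 */
    0x00, 0x00, 0x00, 0x90,                        /* ICC profile size 144 */
    'a','c','s','p'                                /* 4 bytes of filler */
};
/* Constructed sample: same bytes, but the length field claims 65535. */
static const uint8_t SAMPLE_BADLEN[] = {
    0xFF, 0xFF,
    'I','C','C','_','P','R','O','F','I','L','E', 0x00,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x90, 'a','c','s','p'
};

int main(void) {
    icc_chunk_t c = {0, 0, 0, 0};
    uint32_t n = 0;
    int rc = icc_parse_app2(SAMPLE_OK, sizeof SAMPLE_OK, &c);
    printf("good segment: rc=%d data=%u profile=%u\n", rc, c.chunk_data_len,
           c.declared_profile_size);
    printf("bad length:   rc=%d\n",
           icc_parse_app2(SAMPLE_BADLEN, sizeof SAMPLE_BADLEN, &c));
    printf("naive size for 0x40000000 x 4 chunks: %u (wrapped)\n",
           icc_alloc_size_naive(0x40000000u, 4));
    printf("checked size: rc=%d\n", icc_alloc_size_checked(0x40000000u, 4, &n));
    return 0;
}
```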
Both flaws affect Sun JDK version 1.x. Both vulnerabilities are fixed by upgrading to JDK version 1.5.0_11-b03 or 1.6.0_01-b06.

From alerts at infosecnews.org Fri May 18 01:30:24 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Secunia Weekly Summary - Issue: 2007-20
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2007-05-10 - 2007-05-17

This week: 68 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure.

The Full Featured Secunia Network Software Inspector (NSI) is now available:
http://secunia.com/network_software_inspector/

The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications.

--

NEW BLOG ENTRY

Since its release in December of last year, the free, online Secunia Software Inspector has conducted over 350,000 inspections. These inspections have identified 4.9 million popular applications, and out of those, 1.4 million applications were found to be lacking critical security patches from the vendors.
While most people are aware of the need to update their anti-virus patterns and to raise their firewall shields, it appears that too many users either don't know that their systems are vulnerable to significant issues or simply don't want to spend the necessary time scouring for vulnerability information and the relevant vendor patches to properly address the issues. This is further highlighted if we dig deeper into the figures behind the finding that 28% of all applications detected by the Software Inspector are vulnerable...

Read More:
http://secunia.com/blog/11/

========================================================================

2) This Week in Brief:

Secunia Research has discovered two vulnerabilities in Centennial Discovery, which can be exploited by malicious people to compromise a vulnerable system.

Successful exploitation allows execution of arbitrary code with SYSTEM privileges.

The same vulnerabilities also affect:
- Symantec Discovery 6.x
- Numara Asset Manager 8.x

References:
http://secunia.com/advisories/24090/
http://secunia.com/advisories/24281/
http://secunia.com/advisories/24329/

--

Will Dorman has reported a vulnerability in Norton Personal Firewall, which can be exploited by malicious people to compromise a user's system.

Successful exploitation allows execution of arbitrary code.

Product updates to correct the problem are available through LiveUpdate.

Reference:
http://secunia.com/advisories/25290/

--

VIRUS ALERTS:

During the past week Secunia collected 178 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA24535] Internet Explorer 7 navcancl.htm Cross-Site Scripting Vulnerability
2. [SA23769] Internet Explorer Multiple Vulnerabilities
3. [SA25188] MySQL IF Query Denial of Service Vulnerability
4. [SA25199] Cisco IOS FTP Server Multiple Vulnerabilities
5. [SA25244] ClamAV OLE2 Parser Denial of Service
6. [SA25172] Symantec Products NAVOpts.dll ActiveX Control Security Bypass Vulnerability
7. [SA25226] SUSE update for kernel
8. [SA25183] Microsoft Exchange Multiple Vulnerabilities
9. [SA25202] CA Products Buffer Overflow and Privilege Escalation Vulnerabilities
10. [SA25224] AForum "CommonAbsDir" and "header" File Inclusion

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA25290] Norton Personal Firewall ISAlertDataCOM ActiveX Control Buffer Overflow
[SA25258] PrecisionID Data Matrix ActiveX Barcode Control Buffer Overflow
[SA25253] PrecisionID Linear Barcode ActiveX Control Buffer Overflow
[SA25248] TinyIdentD Long Query Request Buffer Overflow Vulnerability
[SA25245] Notepad++ Ruby Source File Buffer Overflow Vulnerability
[SA25231] IDAutomation Linear Barcode ActiveX Control Buffer Overflow
[SA25286] Caucho Resin Multiple Information Disclosure Vulnerabilities
[SA25277] WinImage FAT Image Long Pathname Buffer Overflow Vulnerabilities
[SA25265] W1L3D4 Philboard "forumid" SQL Injection Vulnerability
[SA25252] yEnc32 NTX Decoding Filename Buffer Overflow Vulnerability
[SA25247] EfesTECH Haber "id" SQL Injection
[SA25282] Eudora SMTP Server Reply Processing Buffer Overflow Vulnerability
[SA25275] HP Systems Insight Manager Session Fixation Vulnerability
[SA25300] CA BrightStor ARCserve Backup Two Denial of Service Vulnerabilities

UNIX/Linux:
[SA25274] NagiosQL "functions/prepend_adm.php" File Inclusion
[SA25260] MonAlbum "admin_configuration.php" PHP Code Injection
[SA25255] Trustix Updates for Multiple Packages
[SA25254] YAAP "root_path" File Inclusion Vulnerability
[SA25288] Red Hat update for kernel
[SA25239] SUSE Updates for Multiple Packages
[SA25270] Debian update for samba
[SA25259] Gentoo update for samba
[SA25257] Red Hat update for samba
[SA25256] Mandriva update for samba
[SA25251] Ubuntu update for samba
[SA25246] Slackware update for samba
[SA25241] rPath update for samba and samba-swat
[SA25232] Samba Multiple Vulnerabilities
[SA25293] Debian update for quagga
[SA25281] Ayava Products Gnu GCC fastjar Directory Traversal
[SA25280] Red Hat update for tomcat
[SA25273] Slackware update for libpng
[SA25268] rPath update for libpng
[SA25264] Red Hat update for bluez-utils
[SA25263] Debian update for qt4-x11
[SA25236] Debian update for squirrelmail
[SA25238] Gentoo update for postgresql
[SA25291] Adobe Version Cue Installation Disables Firewall Security Issue
[SA25267] rPath update for shadow

Other:
[SA25302] 3Com TippingPoint IPS HTTP Unicode Encoding Detection Bypass
[SA25285] Cisco Products HTTP Unicode Encoding Detection Bypass
[SA25266] T-Com Speedport Login Brute Force Weakness

Cross Platform:
[SA25303] Glossword "sys[path_addon]" File Inclusion Vulnerability
[SA25295] Sun JDK ICC and BMP Parser Vulnerabilities
[SA25283] BEA JRockit Multiple Vulnerabilities
[SA25272] Geeklog Media Gallery Module "_MG_CONF[path_html]" File Inclusion
[SA25271] Linksnet Newsfeed "dirpath_linksnet_newsfeed" File Inclusion
[SA25297] FAQEngine "questionref" SQL Injection Vulnerability
[SA25296] SimpNews "newsnr" SQL Injection Vulnerability
[SA25294] Little cms ICC Profile Parsing Buffer Overflow Vulnerability
[SA25284] BEA Products Multiple Vulnerabilities
[SA25279] SonicBB SQL Injection and Cross-Site Scripting
[SA25262] PinkCrow Designs Gallery "src" Directory Traversal
[SA25261] R2K Gallery "lang2" Local File Inclusion
[SA25250] CommuniGate Pro WebMail Script Insertion Vulnerability
[SA25243] H-Sphere SiteStudio "template" Information Disclosure
[SA25240] Connect Daily Unspecified Security Issue
[SA25237] iFdate Administrative Section Security Bypass
[SA25235] libexif EXIF Information Handling Vulnerability
[SA25234] Thyme "eid" SQL Injection Vulnerability
[SA25306] PHP SOAP Extension HTTP Authentication Weak Nonce
[SA25299] xajax Unspecified Cross-Site Scripting Vulnerability
[SA25298] Xoops Resmanager Module "id_reserv" SQL Injection
[SA25292] libpng tRNS Chunk Denial of Service
[SA25249] EQdkp "show" Cross-Site Scripting
[SA25244] ClamAV OLE2 Parser Denial of Service
[SA25242] TeamSpeak Server Privilege Escalation and Cross-Site Scripting
[SA25301] MySQL Two Privilege Escalation Security Issues

========================================================================

5) Vulnerabilities Content Listing

Windows:
--
[SA25290] Norton Personal Firewall ISAlertDataCOM ActiveX Control Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-17

Will Dorman has reported a vulnerability in Norton Personal Firewall, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25290/

--
[SA25258] PrecisionID Data Matrix ActiveX Barcode Control Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-14

shinnai has discovered a vulnerability in PrecisionID Data Matrix ActiveX Barcode Control, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25258/

--
[SA25253] PrecisionID Linear Barcode ActiveX Control Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-16

shinnai has discovered a vulnerability in PrecisionID Linear Barcode ActiveX Control, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25253/

--
[SA25248] TinyIdentD Long Query Request Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-15

Maarten Boone has discovered a vulnerability in TinyIdentD, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/25248/

--
[SA25245] Notepad++ Ruby Source File Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-14

vade79 has discovered a vulnerability in Notepad++, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25245/

--
[SA25231] IDAutomation Linear Barcode ActiveX Control Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-14

shinnai has discovered a vulnerability in IDAutomation Linear Barcode ActiveX Control, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25231/

--
[SA25286] Caucho Resin Multiple Information Disclosure Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2007-05-15

Derek Abdine has reported some vulnerabilities in Caucho Resin, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/25286/

--
[SA25277] WinImage FAT Image Long Pathname Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2007-05-17

Tan Chew Keong has reported two vulnerabilities in WinImage, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25277/

--
[SA25265] W1L3D4 Philboard "forumid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-05-14

gsy and kerem125 have discovered a vulnerability in W1L3D4 Philboard, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/25265/

--
[SA25252] yEnc32 NTX Decoding Filename Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2007-05-14

Tan Chew Keong has reported a vulnerability in yEnc32, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25252/

--
[SA25247] EfesTECH Haber "id" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2007-05-14

CyberGhost has reported a vulnerability in EfesTECH Haber, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/25247/

--
[SA25282] Eudora SMTP Server Reply Processing Buffer Overflow Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2007-05-16

Krystian Kloskowski has discovered a vulnerability in Eudora, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25282/

--
[SA25275] HP Systems Insight Manager Session Fixation Vulnerability
Critical: Less critical
Where: From remote
Impact: Hijacking
Released: 2007-05-15

Luka Treiber and Aljosa Ocepek have reported a vulnerability in HP Systems Insight Manager, which can be exploited by malicious people to conduct session fixation attacks.

Full Advisory:
http://secunia.com/advisories/25275/

--
[SA25300] CA BrightStor ARCserve Backup Two Denial of Service Vulnerabilities
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2007-05-17

M. Shirk has reported two vulnerabilities in BrightStor ARCserve Backup, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/25300/

UNIX/Linux:
--
[SA25274] NagiosQL "functions/prepend_adm.php" File Inclusion
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-05-15

Some vulnerabilities have been discovered in NagiosQL, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25274/

--
[SA25260] MonAlbum "admin_configuration.php" PHP Code Injection
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2007-05-14

Dj7xpl has reported some vulnerabilities in MonAlbum, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25260/

--
[SA25255] Trustix Updates for Multiple Packages
Critical: Highly critical
Where: From remote
Impact: Unknown, Security Bypass, Manipulation of data, Brute force, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2007-05-17

Trustix has issued updates for multiple packages. These fix some vulnerabilities, where some have unknown impact and others can be exploited by malicious, local users to gain escalated privileges, by malicious users to perform actions with escalated privileges, manipulate certain data, disclose potentially sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service) and compromise a vulnerable system, and by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/25255/

--
[SA25254] YAAP "root_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2007-05-15

3l3ctric-Cracker has reported a vulnerability in YAAP, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25254/

--
[SA25288] Red Hat update for kernel
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2007-05-17

Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to potentially bypass certain security restrictions or to cause a DoS.

Full Advisory:
http://secunia.com/advisories/25288/

--
[SA25239] SUSE Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2007-05-16

SUSE has issued updates for multiple packages. These fix some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25239/

--
[SA25270] Debian update for samba
Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2007-05-16

Debian has issued an update for samba. This fixes some vulnerabilities, which can be exploited by malicious users to perform certain actions with escalated privileges and to compromise a vulnerable system, and by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/25270/

--
[SA25259] Gentoo update for samba
Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2007-05-16

Gentoo has issued an update for samba. This fixes some vulnerabilities, which can be exploited by malicious users to perform certain actions with escalated privileges and to compromise a vulnerable system, and by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25259/

--
[SA25257] Red Hat update for samba
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2007-05-15

Red Hat has issued an update for samba. This fixes some vulnerabilities, which can be exploited by malicious users and by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25257/

--
[SA25256] Mandriva update for samba
Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2007-05-15

Mandriva has issued an update for samba. This fixes some vulnerabilities, which can be exploited by malicious users to perform certain actions with escalated privileges and to compromise a vulnerable system, and by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25256/

--
[SA25251] Ubuntu update for samba
Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2007-05-16

Ubuntu has issued an update for samba. This fixes some vulnerabilities, which can be exploited by malicious users to perform certain actions with escalated privileges and to compromise a vulnerable system, and by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/25251/ -- [SA25246] Slackware update for samba Critical: Moderately critical Where: From local network Impact: Privilege escalation, System access Released: 2007-05-15 Slackware has issued an update for samba. This fixes some vulnerabilities, which can be exploited by malicious users to perform certain actions with escalated privileges and to compromise a vulnerable system, and by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25246/ -- [SA25241] rPath update for samba and samba-swat Critical: Moderately critical Where: From local network Impact: Privilege escalation, System access Released: 2007-05-15 rPath has issued an update for samba and samba-swat. This fixes some vulnerabilities, which can be exploited by malicious users to perform certain actions with escalated privileges and to compromise a vulnerable system, and by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25241/ -- [SA25232] Samba Multiple Vulnerabilities Critical: Moderately critical Where: From local network Impact: Privilege escalation, System access Released: 2007-05-15 Some vulnerabilities have been reported in Samba, which can be exploited by malicious users to perform certain actions with escalated privileges and to compromise a vulnerable system, and by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25232/ -- [SA25293] Debian update for quagga Critical: Less critical Where: From remote Impact: DoS Released: 2007-05-17 Debian has issued an update for quagga. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/25293/ -- [SA25281] Ayava Products Gnu GCC fastjar Directory Traversal Critical: Less critical Where: From remote Impact: System access Released: 2007-05-16 Avaya has acknowledged some vulnerabilities in various Avaya products, which can potentially be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/25281/ -- [SA25280] Red Hat update for tomcat Critical: Less critical Where: From remote Impact: Security Bypass Released: 2007-05-15 Red Hat has issued an update for tomcat. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/25280/ -- [SA25273] Slackware update for libpng Critical: Less critical Where: From remote Impact: DoS Released: 2007-05-17 Slackware has issued an update for libpng. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25273/ -- [SA25268] rPath update for libpng Critical: Less critical Where: From remote Impact: DoS Released: 2007-05-17 rPath has issued an update for libpng. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25268/ -- [SA25264] Red Hat update for bluez-utils Critical: Less critical Where: From remote Impact: System access Released: 2007-05-15 Red Hat has issued an update for bluez-utils. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25264/ -- [SA25263] Debian update for qt4-x11 Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-05-16 Debian has issued an update for qt4-x11. 
This fixes a vulnerability, which potentially can be exploited by malicious people to conduct cross-site scripting attacks in applications using the library. Full Advisory: http://secunia.com/advisories/25263/ -- [SA25236] Debian update for squirrelmail Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-05-15 Debian has issued an update for squirrelmail. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/25236/ -- [SA25238] Gentoo update for postgresql Critical: Less critical Where: From local network Impact: Privilege escalation Released: 2007-05-11 Gentoo has issued an update for postgresql. This fixes a security issue, which potentially can be exploited by malicious users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/25238/ -- [SA25291] Adobe Version Cue Installation Disables Firewall Security Issue Critical: Less critical Where: Local system Impact: Security Bypass Released: 2007-05-17 A security issue has been reported in Adobe Version Cue, which may result in the firewall being disabled. Full Advisory: http://secunia.com/advisories/25291/ -- [SA25267] rPath update for shadow Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2007-05-14 rPath has issued an update for shadow. This fixes a security issue, which can potentially be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/25267/ Other:-- [SA25302] 3Com TippingPoint IPS HTTP Unicode Encoding Detection Bypass Critical: Less critical Where: From remote Impact: Security Bypass Released: 2007-05-16 A vulnerability has been reported in TippingPoint IPS, which can be exploited by malicious people to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/25302/ -- [SA25285] Cisco Products HTTP Unicode Encoding Detection Bypass Critical: Less critical Where: From remote Impact: Security Bypass Released: 2007-05-15 A vulnerability has been reported in various Cisco products, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/25285/ -- [SA25266] T-Com Speedport Login Brute Force Weakness Critical: Not critical Where: From local network Impact: Brute force Released: 2007-05-14 Michael Domberg has reported a weakness in T-Com Speedport, which can be exploited by malicious people to brute force an administrative user's password. Full Advisory: http://secunia.com/advisories/25266/ Cross Platform:-- [SA25303] Glossword "sys[path_addon]" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2007-05-17 BeyazKurt has discovered a vulnerability in Glossword, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25303/ -- [SA25295] Sun JDK ICC and BMP Parser Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2007-05-16 Chris Evans has reported some vulnerabilities in Sun JDK, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25295/ -- [SA25283] BEA JRockit Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Privilege escalation, System access Released: 2007-05-15 Some vulnerabilities have been reported in JRockit, which can be exploited by malicious people to bypass certain security restrictions or to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/25283/ -- [SA25272] Geeklog Media Gallery Module "_MG_CONF[path_html]" File Inclusion Critical: Highly critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, System access Released: 2007-05-15 ThE TiGeR has discovered a vulnerability in the Media Gallery module for Geeklog, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25272/ -- [SA25271] Linksnet Newsfeed "dirpath_linksnet_newsfeed" File Inclusion Critical: Highly critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, System access Released: 2007-05-15 ThE TiGeR has discovered a vulnerability in Linksnet Newsfeed, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/25271/ -- [SA25297] FAQEngine "questionref" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2007-05-17 Silentz has reported a vulnerability in FAQEngine, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/25297/ -- [SA25296] SimpNews "newsnr" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2007-05-17 Silentz has reported a vulnerability in SimpNews, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/25296/ -- [SA25294] Little cms ICC Profile Parsing Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2007-05-16 Chris Evans has reported a vulnerability in Little cms, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/25294/ -- [SA25284] BEA Products Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Brute force, Exposure of sensitive information, DoS Released: 2007-05-15 Some vulnerabilities and two security issues have been reported in BEA WebLogic, which can be exploited by malicious users to disclose sensitive information, bypass certain security restrictions, and conduct script insertion attacks, and by malicious people to bypass certain security restrictions, brute force an administrator's password, conduct cross-site scripting attacks, and cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25284/ -- [SA25279] SonicBB SQL Injection and Cross-Site Scripting Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information Released: 2007-05-15 Jesper Jurcenoks has discovered some vulnerabilities in SonicBB, which can be exploited by malicious people to conduct SQL injection attacks or cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/25279/ -- [SA25262] PinkCrow Designs Gallery "src" Directory Traversal Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2007-05-14 Dj7xpl has discovered a vulnerability in PinkCrow Designs Gallery, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/25262/ -- [SA25261] R2K Gallery "lang2" Local File Inclusion Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2007-05-14 Dj7xpl has discovered a vulnerability in R2K Gallery, which can be exploited by malicious people to disclose sensitive information. 
Full Advisory: http://secunia.com/advisories/25261/ -- [SA25250] CommuniGate Pro WebMail Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2007-05-14 Alla Bezroutchko has reported a vulnerability in CommuniGate Pro, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/25250/ -- [SA25243] H-Sphere SiteStudio "template" Information Disclosure Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2007-05-11 A vulnerability has been reported in H-Sphere SiteStudio, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/25243/ -- [SA25240] Connect Daily Unspecified Security Issue Critical: Moderately critical Where: From remote Impact: Unknown Released: 2007-05-14 A security issue with an unknown impact has been reported in Connect Daily. Full Advisory: http://secunia.com/advisories/25240/ -- [SA25237] iFdate Administrative Section Security Bypass Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2007-05-16 Liz0zim has reported a vulnerability in iFdate, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/25237/ -- [SA25235] libexif EXIF Information Handling Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2007-05-11 Victor Stinner has reported a vulnerability in libexif, which can be exploited by malicious people to cause a DoS and potentially compromise an application using the library. 
Full Advisory: http://secunia.com/advisories/25235/ -- [SA25234] Thyme "eid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2007-05-11 Warlord has reported a vulnerability in Thyme, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/25234/ -- [SA25306] PHP SOAP Extension HTTP Authentication Weak Nonce Critical: Less critical Where: From remote Impact: Security Bypass, Brute force Released: 2007-05-16 Stefan Esser has reported a weakness in PHP, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/25306/ -- [SA25299] xajax Unspecified Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-05-16 A vulnerability has been reported in xajax, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/25299/ -- [SA25298] Xoops Resmanager Module "id_reserv" SQL Injection Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2007-05-16 ajann has discovered a vulnerability in the Resmanager module for Xoops, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/25298/ -- [SA25292] libpng tRNS Chunk Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2007-05-16 A vulnerability has been reported in libpng, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25292/ -- [SA25249] EQdkp "show" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2007-05-15 kefka has discovered some vulnerabilities in EQdkp, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/25249/ -- [SA25244] ClamAV OLE2 Parser Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2007-05-11 Victor Stinner has reported a vulnerability in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/25244/ -- [SA25242] TeamSpeak Server Privilege Escalation and Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting, Privilege escalation Released: 2007-05-14 Gilberto Ficara has reported a security issue and some vulnerabilities in TeamSpeak, which can be exploited by malicious users to gain escalated privileges and by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/25242/ -- [SA25301] MySQL Two Privilege Escalation Security Issues Critical: Less critical Where: From local network Impact: Privilege escalation Released: 2007-05-17 Two security issues have been reported in MySQL, which can be exploited by malicious users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/25301/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From alerts at infosecnews.org Fri May 18 01:30:43 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Wireless hacker attacks on the rise
Message-ID:

http://www.asahi.com/english/Herald-asahi/TKY200705180101.html

By Yoshitaka Sumida
THE ASAHI SHIMBUN
05/18/2007

Prepaid wireless network cards provide convenient Internet access anywhere, but in the wrong hands they can be misused to commit fraud. And this amounts to an open invitation to "wireless hackers," whose numbers are proliferating.

Prepaid wireless network cards are the tool of choice because they leave no tell-tale fingerprints, which allows perpetrators to slip away undetected into cyberspace.

If card distributors were to confirm the identity of the purchaser, this could be avoided. But if the retailer skips the process then no record of the customer is retained. Police investigating a hacker attack may be able to track down the prepaid wireless card but they will be unable to find the hacker who used it.

To prevent their use in the commission of a crime, the National Police Agency will require distributors to push for more comprehensive customer background checks.

Wireless network cards work when they are inserted into ports on personal computers to wirelessly enable them at any location where PHS or cellphones can be used. The cards are sold with a variety of Internet access plans to meet a user's needs.

A prepaid card includes Internet access and communication fees for a certain time period. They are hassle-free as no further billing is required. That is why some distributors allow retailers to forgo ID checks.

According to the National Police Agency, crime involving the cards began cropping up three years ago.
In 2005, police nationwide made arrests or sent papers to prosecutors in 271 illegal Internet access cases. Of the total, 28 cases involved prepaid cards.

Police investigations into illegal Internet access involve tracking down the source by checking the access record of the server that came under attack. If the network was accessed via cable, the user can be identified via the Internet service account.

However, in cases where a prepaid card was used, and the retailer failed to record customer ID, it is only possible to get to the card used in a wireless attack, but not to the "hacker" as there is no Internet service contract record.

According to the National Police Agency, police were aware of 592 illegal access cases in 2005, through complaints made or suits filed. However, as of May 2006, investigations had gone cold in 31 of the cases that involved prepaid cards.

But through diligent cyber sleuthing, some cases have been cracked.

In September 2005, police in Ibaraki Prefecture broke a fraud and illegal access case after 16 months of detective work and arrested a man and a woman who had no fixed address. The pair, who were constantly on the move in their vehicle, sold nonexistent merchandise on Internet auction sites using a wireless network card. Some 340 gullible buyers were allegedly duped into paying a total 80 million yen to the couple.

Police were able to trace their network card via Internet access records. However, the retailer had not confirmed the purchaser's ID. So the police traced PHS signals to locations of origin, and tracked down a suspicious vehicle that was traveling in and out of the area. The car was tailed from Itabashi and Ikebukuro in Tokyo to Saitama, before police arrested the couple on suspicion of fraud.

In July 2006, the Ishikawa prefectural police tracked down a group that was trafficking pornographic DVDs. In this case, the retailer had not ID'd the purchaser of the prepaid card used in the crime. To complicate things further, the card had been given to another user.

But the Ishikawa police got a lucky break. The original purchaser used a point reward card issued by the retailer--made out in the real name--when buying the card. This allowed the police to identify the suspects.

From alerts at infosecnews.org Fri May 18 01:31:03 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Contractor Pleads Guilty To Stealing Classified Data From Los Alamos Labs
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml;jsessionid?articleID=199601495

By Sharon Gaudin
InformationWeek
May 17, 2007

A former employee with a contractor at the Los Alamos National Laboratory pleaded guilty this week to stealing classified information from the lab.

Jessica Lynn Quintana faces a maximum of one year in jail and a $100,000 fine. She has lost her security clearance and also could receive up to five years of probation.

Quintana was hired to archive classified information at the multi-disciplinary scientific laboratory in northern New Mexico. According to a release from the Department of Justice, she admitted in her plea that on July 27, 2006, she was working in a secure area at the lab and printed pages of classified documents and downloaded other classified information onto a thumb drive. She put the stolen data in a backpack and took them home.

Quintana told government agents that she stored the pages and thumb drive at her home, which was outside of her authorization limits. The government didn't release any details about why she took the information.

On Oct. 17, officers of the Los Alamos Police Department executed a state search warrant on Quintana's home and seized the thumb drive containing classified information, according to the Justice Department release. Three days later, the FBI seized the classified printouts during the execution of a federal search warrant on her home.

She pleaded guilty in U.S. District Court in Albuquerque, N.M., on Tuesday afternoon.

Just last week, the government released new information about an FBI intelligence analyst who stole classified information from the White House and the FBI's own database for nearly four years. Leandro Aragoncillo -- a career Marine who had served under two vice presidents in the White House -- pleaded guilty and is awaiting his sentencing this summer in U.S. District Court in Newark, N.J.

From alerts at infosecnews.org Fri May 18 01:31:16 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Estonian attacks reveal vulnerability of corporate networks
Message-ID:

http://www.techworld.com/security/news/index.cfm?newsID=8862

By Jeremy Kirk
IDG news service
17 May 2007

A spate of denial of service attacks in Estonia has revealed the extent to which corporate networks are vulnerable to such onslaughts.

Although the attacks in Estonia appear to be subsiding, the government there has called for greater response mechanisms to cyber attacks within the European Union.

The attacks, which started around 27 April, have crippled websites for Estonia's prime minister, banks, and less-trafficked sites run by small schools, said Hillar Aarelaid, chief security officer for Estonia's Computer Emergency Response Team (CERT). But most of the affected websites have been able to restore service.

"Yes, it's serious problem, but we are up and running," Aarelaid said.

Aarelaid said analysts have found postings on websites indicating Russian hackers may be involved in the attacks. However, analysis of the malicious traffic shows that computers from the US, Canada, Brazil, Vietnam and others have been used in the attacks, he said. NATO experts are helping Estonia investigate the attacks, Aarelaid said.

Press reports also speculated that tension between the two countries may have resulted in a coordinated campaign by Russia against Estonia.
Last month, Estonia irked Russia by moving a Soviet-era World War II memorial of a bronze soldier, sparking protests. Aarelaid dismissed the theory, saying Estonians were also divided on the issue.

A DOS attack involves commanding other computers to bombard a website with requests for data, causing the site to stop working. Hackers use botnets - or groups of computers they've infected with malicious software - to launch an attack. It's difficult to trace who controls botnets, as the networks involve compromised computers located around the world.

"If you have an unknown number of attackers with different skills and capabilities, it's quite painful," Aarelaid said.

In Brussels on Monday, Estonia's defence minister, Jaak Aaviksoo, called for the development of a stronger capability to respond to cyber attacks within the European Union.

"Extensive cyber attacks against Estonia show clearly that this matter should be seriously dealt with and relevant information exchange with one another," Aaviksoo said.

From alerts at infosecnews.org Mon May 21 01:26:04 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Regulators seek cause of reactor shutdown
Message-ID:

http://www.enewscourier.com/local/local_story_137225918.html

From staff, wire reports
May 17, 2007

WASHINGTON -- An overloaded computer network prompted an emergency shutdown in a reactor at the Tennessee Valley Authority's Browns Ferry Nuclear Plant in Athens last year, and federal regulators still can't say where the interference came from.

The shutdown occurred amid growing congressional scrutiny over whether utilities and other high-risk sites are vulnerable to cyber attacks as they increasingly rely on computer networks to remotely control their operations.

Nuclear Regulatory Commission officials say the August 2006 malfunction did not threaten the safety of the plant and that they are confident an outside hacker was not responsible. But in a letter to the agency this week, the House Homeland Security Committee called for a broader investigation, citing a host of unanswered questions.

Browns Ferry spokesman Craig Beasley on Thursday took issue with the AP's characterization of the Unit 3 shutdown as an emergency.

"It was not an emergency shutdown," said Beasley. "The operators saw a problem and chose to shut the plant down."

Beasley said the problem was a result of poor energy supply to the recirculation pumps.

"The pumps weren't working as they should and it showed up on the control panel, so we shut down the plant manually," said Beasley.

Beasley said the solid-state power supply to the pump motors is operated by a computer controller. "This network became overloaded, and when it got overloaded it couldn't process the information so the solid-state stopped supplying power."

Beasley said technicians basically segmented controls apart to preclude any kind of overload again. "They've been working fine since. We made sure it wouldn't happen with Unit 2."

Beasley stressed that the control system is not connected to a network outside the plant. "It was excessive internal traffic," said Beasley.

"It appears from the information that we've collected so far that this (plant) may or may not have been compromised. We want the NRC to determine the source," committee Chairman Bennie Thompson, D-Miss., said in an interview. "We need to know whether instances like this are internal or external, and to what extent we are going to deal with them. For the NRC to rely on the operator's explanation of what happened ... we think does not go far enough," he said.

In a report issued last month, the NRC said TVA officials manually shut down the plant's Unit 3 reactor after excessive traffic on the computer network caused recirculation pumps to fail, creating a potentially unstable condition.

Although TVA hasn't determined the source of the data overload, the NRC said the utility reacted appropriately to the failure and has addressed it by installing new firewalls to better control traffic on the network.

NRC and TVA officials said the Browns Ferry network involved is an internal-only network and when operated as designed cannot accept data from outside sources. TVA spokesman Terry Johnson said the utility believes the failure may have been caused by an unexplained glitch in the computer system.

But when pressed, the officials would not categorically rule out the possibility of outside access.

"We have reasonable assurance that there is no external access to this system," said Eva Brown, the NRC's project manager at Browns Ferry. "We did an independent assessment to convince ourselves that (TVA's) conclusions were acceptable, and there was no evidence of an external source."

Shutdowns at nuclear plants are somewhat rare; Browns Ferry had two shutdowns in all of 2006, and has had two so far this year.

NRC spokesman Scott Burnell said the agency's public notice on the August 2006 incident should serve to warn other operators of the potential problem, although the NRC is not requiring any action.

"At this point there isn't any regulatory reason to," he said. "Sometimes it does take small events like this to bring issues to the attention of the staff at the plant and the NRC. That's why we issued this informational notice."

Joe Weiss, managing partner at Applied Control Solutions and an expert on industrial computer security, said he doubted that anyone intentionally caused the Browns Ferry network to fail. But, he said, it raises concerns regardless.

"The whole area of cyber security in industrial facilities is effectively in its infancy," he said. "There needs to be a greater appreciation within the nuclear community that these systems truly are connected."

Since the Sept. 11, 2001, terrorist attacks, security experts have warned of vulnerabilities in the computer networks of the nation's critical infrastructure, including emergency response agencies, electricity providers and water treatment plants.

A 2005 report from the Environmental Protection Agency's inspector general, for example, found that water utilities had installed computer-based remote controls with little attention paid to security, leaving valves, pumps and chemical mixers open to cyber attack.

In 2003, a computer virus temporarily disabled the safety monitoring system at the Davis-Besse nuclear station in Ohio, even though the utility thought the network was protected from such a breach.

From alerts at infosecnews.org Mon May 21 01:26:34 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Linux Advisory Watch - May 18th 2007
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  May 18th 2007                             Volume 8, Number 20a     |
+---------------------------------------------------------------------+

Editors:      Dave Wreski                   Benjamin D. Thomas
              dave@linuxsecurity.com        ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week advisories were released for squirrelmail, samba, qt4-x11, samba, php, postgresql, ImageMagick, Xscreensaver, phpwiki, mod_security, free radius, tomcat, bluez-utils, ipsec tools, vixie-cron, evolution, libpng, and pptpd. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, SuSE, and Ubuntu.

---

Vyatta Open-Source Router, Firewall & VPN

Vyatta software and appliances combine the features, performance and reliability of enterprise-class networking gear with the cost-savings and flexibility of open-source solutions.
Vyatta empowers you to replace overpriced proprietary router, firewall and VPN equipment with commercially supported open-source solutions.

>> Free Webinars & Vyatta Community Edition 2 Software
>> http://www.linuxsecurity.com/ads/adclick.php?bannerid=28

---

* EnGarde Secure Linux v3.0.13 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.13 (Version 3.0, Release 13). This release includes several bug fixes and feature enhancements to the SELinux policy and several updated packages.

http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.13

---

RFID with Bio-Smart Card in Linux

In this paper, we describe the integration of fingerprint template and RF smart card for a clustered network, which is designed on the Linux platform and open source technology to obtain biometric security. The combination of smart card and biometrics achieves two-step authentication: smart card authentication is based on a Personal Identification Number (PIN), and the card holder is then authenticated using the biometric template stored in the smart card, which is based on fingerprint verification.

http://www.linuxsecurity.com/content/view/125052/171/

---

Packet Sniffing Overview

The best way to secure yourself against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/123570/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New Linux 2.6.18 packages fix several vulnerabilities
  13th, May, 2007

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. We recommend that you upgrade your kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes.

http://www.linuxsecurity.com/content/view/128165

* Debian: New squirrelmail packages fix cross-site scripting
  13th, May, 2007

It was discovered that the webmail package SquirrelMail performs insufficient sanitising inside the HTML filter, which allows the injection of arbitrary web script code during the display of HTML email messages.

http://www.linuxsecurity.com/content/view/128166

* Debian: New samba packages fix multiple vulnerabilities
  15th, May, 2007

Several issues have been identified in Samba, the SMB/CIFS file and print-server implementation for GNU/Linux. When translating SIDs to/from names using Samba's local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user.

http://www.linuxsecurity.com/content/view/128207

* Debian: New qt4-x11 packages fix cross-site scripting vulnerability
  15th, May, 2007

Andreas Nolden discovered a bug in the UTF8 decoding routines in qt4-x11, a C++ GUI library framework, that could allow remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.

http://www.linuxsecurity.com/content/view/128209

* Debian: New samba packages fix multiple vulnerabilities
  17th, May, 2007

Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data.

http://www.linuxsecurity.com/content/view/128228

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 6 Update: php-5.1.6-3.6.fc6
  14th, May, 2007

This update fixes a number of security issues in PHP.
A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user. Note that this flaw does not affect PHP applications using the pure-PHP XML_RPC class provided in /usr/share/pear.

http://www.linuxsecurity.com/content/view/128184

* Fedora Core 5 Update: samba-3.0.24-5.fc5
  14th, May, 2007

This release of Samba fixes some serious security bugs, CVE-2007-2444, CVE-2007-2446 and CVE-2007-2447. It fixes the security bugs which cause a Samba smbd denial of service.

http://www.linuxsecurity.com/content/view/128189

* Fedora Core 6 Update: samba-3.0.24-5.fc6
  14th, May, 2007

This release of Samba fixes some serious security bugs: CVE-2007-2444, CVE-2007-2446, and CVE-2007-2447.

http://www.linuxsecurity.com/content/view/128192

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: PostgreSQL Privilege escalation
  10th, May, 2007

An error involving insecure search_path settings in the SECURITY DEFINER functions has been reported in PostgreSQL. This error contains a vulnerability that could result in SQL privilege escalation.

http://www.linuxsecurity.com/content/view/128148

* Gentoo: ImageMagick Multiple buffer overflows
  10th, May, 2007

iDefense Labs has discovered multiple integer overflows in ImageMagick in the functions ReadDCMImage() and ReadXWDImage(), which are used to process DCM and XWD files. They can allow for the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/128149

* Gentoo: XScreenSaver Privilege escalation
  13th, May, 2007

XScreenSaver allows local users to bypass authentication under certain configurations. XScreenSaver incorrectly handles the results of the getpwuid() function in drivers/lock.c when using directory servers during a network outage.

http://www.linuxsecurity.com/content/view/128167

* Gentoo: ImageMagick Multiple buffer overflows
  14th, May, 2007

Multiple integer overflows have been discovered in ImageMagick allowing for the execution of arbitrary code. iDefense Labs has discovered integer overflows in ImageMagick in the functions ReadDCMImage() and ReadXWDImage(), which are used to process DCM and XWD files.

http://www.linuxsecurity.com/content/view/128177

* Gentoo: Samba Multiple vulnerabilities
  15th, May, 2007

Samba contains multiple vulnerabilities potentially resulting in the execution of arbitrary code with root privileges. A remote attacker could exploit these vulnerabilities to gain root privileges via various vectors.

http://www.linuxsecurity.com/content/view/128202

* Gentoo: PhpWiki Remote execution of arbitrary code
  17th, May, 2007

A vulnerability has been discovered in PhpWiki allowing for the remote execution of arbitrary code. A remote attacker could upload a specially crafted PHP file to the vulnerable server, resulting in the execution of arbitrary PHP code with the privileges of the user running PhpWiki.

http://www.linuxsecurity.com/content/view/128229

* Gentoo: Apache mod_security Rule bypass
  17th, May, 2007

A vulnerability has been discovered in mod_security, allowing a remote attacker to bypass rules. A remote attacker could send a specially crafted POST request, possibly bypassing the module ruleset and leading to the execution of arbitrary code in the scope of the web server with the rights of the user running the web server.

http://www.linuxsecurity.com/content/view/128230

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated php packages fix multiple vulnerabilities
  10th, May, 2007

A heap buffer overflow flaw was found in the xmlrpc extension for PHP.
A script that implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the apache user. This flaw does not, however, affect PHP applications using the pure-PHP XML_RPC class provided via PEAR.

http://www.linuxsecurity.com/content/view/128153

* Mandriva: Updated php packages fix multiple vulnerabilities
  10th, May, 2007

A heap buffer overflow flaw was found in the xmlrpc extension for PHP. A script that implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the apache user. This flaw does not, however, affect PHP applications using the pure-PHP XML_RPC class provided via PEAR.

http://www.linuxsecurity.com/content/view/128154

* Mandriva: Updated samba packages fix multiple vulnerabilities
  14th, May, 2007

A number of bugs were discovered in the NDR parsing support in Samba that is used to decode MS-RPC requests. A remote attacker could send a carefully crafted request that would cause a heap overflow, possibly leading to the ability to execute arbitrary code on the server.

http://www.linuxsecurity.com/content/view/128199

* RedHat: Important: php security update
  10th, May, 2007

Updated PHP packages that fix several security issues are now available for Red Hat Application Stack. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128144

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: freeradius security update
  10th, May, 2007

Updated freeradius packages that fix a memory leak flaw are now available for Red Hat Enterprise Linux 3, 4, and 5. A remote attacker could send a specially crafted authentication request which could cause FreeRADIUS to leak a small amount of memory. If enough of these requests are sent, the FreeRADIUS daemon would consume a vast quantity of system memory, leading to a possible denial of service.

http://www.linuxsecurity.com/content/view/128146

* RedHat: Critical: samba security update
  14th, May, 2007

Updated samba packages that fix several security flaws are now available. Various bugs were found in NDR parsing, used to decode MS-RPC requests in Samba. A remote attacker could have sent carefully crafted requests causing a heap overflow, which may have led to the ability to execute arbitrary code on the server. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128174

* RedHat: Important: tomcat security update
  14th, May, 2007

Updated tomcat packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web cache, bypass web application firewall protection, or conduct cross-site scripting attacks. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128175

* RedHat: Moderate: bluez-utils security update
  14th, May, 2007

Updated bluez-utils packages that fix a security flaw are now available for Red Hat Enterprise Linux 4. A flaw was found in the Bluetooth HID daemon (hidd). A remote attacker would have been able to inject keyboard and mouse events via a Bluetooth connection without any authorization. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/128176

* RedHat: Important: kernel security and bug fix update
  16th, May, 2007

Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available. One of the flaws is in the handling of IPv6 type 0 routing headers that allowed remote users to cause a denial of service that led to a network amplification between two routers. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128219

* RedHat: Moderate: ipsec-tools security update
  17th, May, 2007

Updated ipsec-tools packages that fix a denial of service flaw in racoon are now available for Red Hat Enterprise Linux 5. A denial of service flaw was found in the ipsec-tools racoon daemon. It was possible for a remote attacker, with knowledge of an existing ipsec tunnel, to terminate the ipsec connection between two machines. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128231

* RedHat: Moderate: vixie-cron security update
  17th, May, 2007

The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. Raphael Marichez discovered a denial of service bug in the way vixie-cron verifies crontab file integrity. A local user with the ability to create a hardlink to /etc/crontab can prevent vixie-cron from executing certain system cron jobs.

http://www.linuxsecurity.com/content/view/128232

* RedHat: Moderate: evolution security update
  17th, May, 2007

Updated evolution packages that fix a security bug are now available for Red Hat Enterprise Linux 3 and 4. A flaw was found in the way Evolution processed certain APOP authentication requests. A remote attacker could potentially acquire certain portions of a user's authentication credentials by sending certain responses when evolution-data-server attempted to authenticate against an APOP server.

http://www.linuxsecurity.com/content/view/128233

* RedHat: Moderate: squirrelmail security update
  17th, May, 2007

A new squirrelmail package that fixes security issues is now available for Red Hat Enterprise Linux 3, 4 and 5. Several HTML filtering bugs were discovered in SquirrelMail. An attacker could inject arbitrary JavaScript leading to cross-site scripting attacks by sending an e-mail viewed by a user within SquirrelMail. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128234

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

* Slackware: samba
  15th, May, 2007

New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, and -current to fix security issues. The security fixes: a local SID/Name translation bug that can result in user privilege elevation, multiple heap overflows that allow remote code execution, and unescaped user input parameters that are passed as arguments to /bin/sh, allowing remote command execution. More details may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://www.linuxsecurity.com/content/view/128200

* Slackware: libpng
  16th, May, 2007

New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and -current to fix a security issue. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database.

http://www.linuxsecurity.com/content/view/128222

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: Linux kernel (SUSE-SA:2007:030)
  10th, May, 2007

This kernel update is for SUSE Linux 9.3 and fixes some security problems.
The ftdi_sio driver allowed local users to cause a denial of service (memory consumption) by writing more data to the serial port than the hardware can handle, which causes the data to be queued. This requires this driver to be loaded, which only happens if such a device is plugged in.

http://www.linuxsecurity.com/content/view/128140

+---------------------------------+
|  Distribution: Ubuntu           | ----------------------------//
+---------------------------------+

* Ubuntu: pptpd vulnerability
  14th, May, 2007

A flaw was discovered in the PPTP tunnel server. Remote attackers could send a specially crafted packet and disrupt established PPTP tunnels, leading to a denial of service.

http://www.linuxsecurity.com/content/view/128198

* Ubuntu: Samba vulnerabilities
  15th, May, 2007

Paul Griffith and Andrew Hogue discovered that Samba did not fully drop root privileges while translating SIDs. A remote authenticated user could issue SMB operations during a small window of opportunity and gain root privileges.

http://www.linuxsecurity.com/content/view/128212

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From alerts at infosecnews.org Mon May 21 01:26:49 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] AusCERT prepares for biggest ever conference
Message-ID:

http://www.zdnet.com.au/news/security/soa/AusCERT-prepares-for-biggest-ever-conference/0,130061744,339277575,00.htm

By Munir Kotadia
ZDNet Australia
18 May 2007

Australia's best-known security conference will open for business on Monday and organisers say this year's event should be the biggest ever.
Graham Ingram, general manager of AusCERT, told ZDNet Australia last week that the organisation was considering shutting down registrations because the event was nearing capacity.

"The numbers are limited -- we won't let it go past a certain number and there is a good chance we are going to close off registrations. In terms of the content, the type of delegates we are getting, and what we intend to produce at the conference, it is bigger," said Ingram.

The conference will open with a keynote from Nick Tate, the director, Information Technology Services and AusCERT. He will be followed by Ivan Krstić, who is a software architect from the One Laptop Per Child project. Krstić will explain some of the problems faced by his team when trying to secure 100 million identical computers.

Other speakers include Oracle's chief security officer Mary Ann Davidson, Jeff Wright from the US Department of Homeland Security, and Johannes Ullrich from the SANS Internet Storm Centre.

On the second day, delegates will hear from Howard A Schmidt, who retired from the White House in 2003 after serving as vice-chair of President Bush's Critical Infrastructure Protection Board and as the special adviser for Cyberspace Security for the White House in December 2001.

The conference will wind down on Wednesday afternoon with a presentation from the controversial Richard Thieme, who also spoke at last year's event. Thieme is well known for speaking his mind on industry issues.

AusCERT's Ingram said that registrations for this year's conference indicate that delegates will be from a more senior level than was the case in previous years. He said the event has also attracted an increasing number of international visitors.

"Delegates are saying that this is one of the international security conferences that people need to attend. There is more international participation and more countries are sending people," said Ingram.
From alerts at infosecnews.org Mon May 21 01:27:02 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] State computer security breached
Message-ID:

http://www.sj-r.com/sections/news/stories/114739.asp

By Mike Ramsey
GATEHOUSE NEWS SERVICE
May 19, 2007

CHICAGO - The state's professional-regulation department is notifying roughly 300,000 licensees and applicants that a computer server with some of their personal data was breached early this year, a spokeswoman for the agency said Friday.

Potentially at risk for identity theft are banking and real-estate professionals whose licensing information - including addresses, tax numbers and Social Security numbers - was kept on the storage server, said Sue Hofer, spokeswoman for the Illinois Department of Financial and Professional Regulation.

The individuals will receive letters advising them how to monitor their credit histories to determine if they have been victimized, she said, adding that it will take about a week to get all the letters out.

"We are doing everything we can to help the licensees protect themselves," Hofer said.

She said investigators have determined that the breach "looks like criminal conduct," and the hacking appears to have come from a source outside state government.

Department officials notified the Illinois State Police and FBI after they determined on May 3 that the computerized information had been compromised, probably in January, Hofer said.

She said authorities initially asked Gov. Rod Blagojevich's administration not to tell licensees about the breach so that the investigation would not be compromised. The administration also did not immediately inform members of the General Assembly at the request of authorities, Hofer said.

Spokespeople for the state police and FBI could not be reached Friday afternoon for comment.

Hofer said the information about the banking and real-estate licensees was six to 12 months old. She said the breached server did not contain credit-card information.

The suspected hacking of the state records follows several high-profile thefts of databases. Last month, two laptop computers containing information about 40,000 employees were stolen from Chicago Public Schools headquarters. Discount retailer T.J. Maxx disclosed earlier this year that credit-card data of customers had been compromised.

State law is somewhat open-ended about how soon a public or private body must notify individuals when their personal data has been stolen, said Deborah Hagan, the chief of consumer protection for Illinois Attorney General Lisa Madigan. The law allows investigators to delay disclosure, she said.

"I think there has to be a balance in terms of getting this information out to affected persons as quickly as possible ... versus not interfering with an investigation which may result in catching the perpetrator," Hagan said.

Madigan's office offers instructions on combating identity theft at this Web address: www.illinoisattorneygeneral.gov/consumers/hotline.html. Consumers can also call a hot line - (888) 999-5630 - during business hours.

The state Department of Financial and Professional Regulation has information about the breach at www.idfpr.com.

The 300,000 licensees affected by the incident include mortgage brokers, pawn-shop operators and real-estate agents, Hofer said. Her agency licenses a total of 1.2 million professionals in Illinois, she said.
From alerts at infosecnews.org Mon May 21 01:27:18 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Symantec: Chinese hackers grow in number, skills
Message-ID:

http://www.networkworld.com/news/2007/051807-symantec-chinese-hackers-grow-in.html

By Jeremy Kirk
IDG News Service
05/18/07

China's hacking scene appears poised for growth, as the number of Internet users rises with a commensurate interest in criminal hacking and government spying, according to a new Symantec study.

"China's hacking scene is clearly an active one," the report said. "These individuals and groups are known for discovering vulnerabilities, writing exploit code and developing sophisticated hacking techniques."

China ranks second behind the U.S. as far as malicious activity on the Internet as a whole, Symantec said, citing its own data. The country had 131 million Internet users as of the end of 2006, accounting for about 10 percent of its population and 11 percent of the world's Internet users.

A well-known cyberwar between Chinese and American hackers erupted in April 2001 following the collision of a U.S. military spy plane and a Chinese fighter. U.S. government Web sites were hacked and defaced with slogans such as "Beat down imperialism of American," courtesy of a group calling itself the Honker Union of China.

Not to be out-hacked, U.S. hackers responded over China's handling of the incident, which involved an awkward demand for an apology.

But perhaps more disturbing have been the efficient ways Chinese hackers are believed to have obtained sensitive information. In June 2004, South Korea was reportedly victimized by a concerted attack using Trojan horse programs -- which appear harmless but have malicious functions -- to pilfer classified documents on weapons systems. In total, 211 South Korean government computers are believed to have been compromised, in addition to 67 other machines belonging to companies, media groups and universities, according to Symantec.

Chinese computer gurus have also experimented with the "pump-and-dump" scheme, a trick used to inflate stock prices for profit, Symantec said. Starting in October 2004, a group used a Trojan horse to steal account details for users of several online stock traders, then used the accounts to run up certain stocks. The victims lost more than $1.3 million, with the attackers profiting around $114,000.

But in recent years, some of the bad guys have come clean, starting up their own computer security companies. China now has about six antivirus vendors, in addition to a number of computer security research and consulting groups.

However, there's "growing concern of an escalated cyber threat from China, from the perspective of both governments and enterprises," Symantec said.

The IDG News Service is a Network World affiliate.

All contents copyright 1995-2007 Network World, Inc.

From alerts at infosecnews.org Mon May 21 01:27:35 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Cyber Assaults on Estonia Typify a New Battle Tactic
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2007/05/18/AR2007051802122.html

By Peter Finn
Washington Post Foreign Service
May 19, 2007

TALLINN, Estonia, May 18 -- This small Baltic country, one of the most wired societies in Europe, has been subject in recent weeks to massive and coordinated cyber attacks on Web sites of the government, banks, telecommunications companies, Internet service providers and news organizations, according to Estonian and foreign officials here.

Computer security specialists here call it an unprecedented assault on the public and private electronic infrastructure of a state.
They say it is originating in Russia, which is angry over Estonia's recent relocation of a Soviet war memorial. Russian officials deny any government involvement.

The NATO alliance and the European Union have rushed information technology specialists to Estonia to observe and assist during the attacks, which have disrupted government e-mail and led financial institutions to shut down online banking.

As societies become increasingly dependent on computer networks that cross national borders, security experts worry that in wartime, enemies will attempt to cripple those networks with electronic attacks. The Department of Homeland Security has warned that U.S. networks should be secured against al-Qaeda hackers. Estonia's experience provides a rare chance to observe how such assaults proceed.

"These attacks were massive, well targeted and well organized," Jaak Aaviksoo, Estonia's minister of defense, said in an interview. They can't be viewed, he said, "as the spontaneous response of public discontent worldwide with the actions of the Estonian authorities" concerning the memorial. "Rather, we have to speak of organized attacks on basic modern infrastructures."

The Estonian government stops short of accusing the Russian government of orchestrating the assaults, but alleges that authorities in Moscow have shown no interest in helping to end them or investigating evidence that Russian state employees have taken part. One Estonian citizen has been arrested, and officials here say they also have identified Russians involved in the attacks.

"They won't even pick up the phone," Rein Lang, Estonia's minister of justice, said in an interview.

Estonian officials said they traced some attackers to Internet protocol (IP) addresses that belong to the Russian presidential administration and other state agencies in Russia.

"There are strong indications of Russian state involvement," said Silver Meikar, a member of Parliament in the governing coalition who follows information technology issues in Estonia. "I can say that based on a wide range of conversations with people in the security agencies."

Russian officials deny that claim. In a recent interview, Kremlin spokesman Dmitri Peskov called it "out of the question." Reached Friday at a Russia-E.U. summit, he reiterated the denial, saying there was nothing to add.

A Russian official who the Estonians say took part in the attacks said in an interview Friday that the assertion was groundless.

"We know about the allegations, of course, and we checked our IP addresses," said Andrei Sosov, who works at the agency that handles information technology for the Russian government. His IP address was identified by the Estonians as having participated, according to documents obtained by The Washington Post. "Our names and contact numbers are open resources. I am just saying that professional hackers could easily have used our IP addresses to spoil relations between Estonia and Russia."

Estonia has a large number of potential targets. The economic success of the tiny former Soviet republic is built largely on its status as an "e-society," with paperless government and electronic voting. Many common transactions, including the signing of legal documents, can be done via the Internet.

The attacks began on April 27, a Friday, within hours of the war memorial's relocation. On Russian-language Internet forums, Estonian officials say, instructions were posted on how to disable government Web sites by overwhelming them with traffic, a tactic known as a denial of service attack. The Web sites of the Estonian president, the prime minister, Parliament and government ministries were quickly swamped with traffic, shutting them down.
Hackers defaced other sites, putting, for instance, a Hitler mustache on the picture of Prime Minister Andrus Ansip on his political party's Web site. The assault continued through the weekend.

"It was like an Internet riot," said Hillar Aarelaid, a lead specialist on Estonia's Computer Emergency Response Team, which headed the government's defense.

The Estonian government began blocking Internet traffic from Russia on April 30 by filtering out all Web addresses that ended in .ru.

By April 30, Aarelaid said, security experts noticed an increasing level of sophistication. Government Web sites and new targets, including media Web sites, came under attack from electronic cudgels known as botnets. Bots are computers that can be remotely commanded to participate in an attack. They can be business or home computers, and are known as zombie computers.

When bots were turned loose on Estonia, Aaviksoo said, roughly 1 million unwitting computers worldwide were employed. Officials said they traced bots to countries as dissimilar as the United States, China, Vietnam, Egypt and Peru.

By May 1, Estonian Internet service providers had come under sustained attack. System administrators were forced to disconnect all customers for 20 seconds to reboot their networks. Newspapers in Estonia responded by closing access to their Web sites to everyone outside the country, as did the government. The sites of universities and nongovernmental organizations were overwhelmed. Parliament's e-mail service was shut for 12 hours because of the strain on servers.

Foreign governments began to take notice. NATO, the United States and the E.U. sent information technology experts.

"It was a concerted, well-organized attack, and that's why Estonia has taken it so seriously and so have we," said Robert Pszczel, a NATO spokesman. Estonia is a new member of NATO and the E.U.

The FBI also provided assistance, according to Estonian officials. The bureau referred a reporter's calls to the U.S. Embassy in Estonia, which said there was no one available to discuss American assistance to the Baltic State.

On May 9, the day Russia celebrates victory in World War II, a new wave of attacks began at midnight Moscow time.

"It was the Big Bang," Aarelaid said. By his account, 4 million packets of data per second, every second for 24 hours, bombarded a host of targets that day.

"Everyone from 10-year-old boys to very experienced professionals was attacking," he said. "It was like a forest fire. It kept spreading."

By May 10, bots were probing for weaknesses in Estonian banks. They forced Estonia's largest bank to shut down online services for all customers for an hour and a half. Online banking remains closed to all customers outside the Baltic States and Scandinavia, according to Jaan Priisalu, head of the IT risk management group at Hansabank, a major Baltic bank.

"The nature of the latest attacks is very different," said Linnar Viik, a government IT consultant, "and it's no longer a bunch of zombie computers, but things you can't buy from the black market," he said. "This is something that will be very deeply analyzed, because it's a new level of risk. In the 21st century, the understanding of a state is no longer only its territory and its airspace, but it's also its electronic infrastructure.

"This is not some virtual world," Viik added. "This is part of our independence. And these attacks were an attempt to take one country back to the cave, back to the Stone Age."

© 2007 The Washington Post Company

From alerts at infosecnews.org Mon May 21 01:27:53 2007
From: alerts at infosecnews.org (InfoSec News)
Date: Thu Apr 10 04:02:28 2008
Subject: [ISN] Red Team U. creates critical thinkers
Message-ID:

http://seattlepi.nwsource.com/national/1110AP_Military_Red_Teams.html

By John Milburn
Associated Press Writer
May 18, 2007

FORT LEAVENWORTH, Kan.
-- During World War II, British Field Marshal Bernard Montgomery relied upon junior officers to study German Field Marshal Erwin Rommel in Africa and Europe, then assess the Allies' plans. That idea's modern incarnation is the Red Team University course at Fort Leavenworth's University of Foreign Military and Cultural Studies. The goal is to produce soldiers who don't hesitate to find the flaws in a commander's strategies, to prevent failed operations and save lives. Eleven students from the Red Team University graduated Thursday from the 18-week course. Its curriculum is designed to forge officers who can anticipate the cultural perceptions of U.S. coalition partners, adversaries and others, and who can find vulnerabilities. In short, they're supposed to think like the "red team" - the enemy - and give other officers insight into that thinking. The first class graduated in 2006, as the war in Iraq entered its fourth year. "They learn to escape the gravitational pull of Western military thought," said Greg Fontenot, a retired Army colonel and director of Red Team University. Fontenot said the program teaches officers to approach problems and solutions from multiple perspectives, including using anthropological research about a given population. Students are also taught to work independently to help senior military staff find the answers they need before plans are executed. Maxie McFarland, deputy chief of staff for intelligence at the Army's Training and Doctrine Command, told Thursday's graduates he became involved in red team concepts when he was with the 2nd Armored Division in the 1990s, when it was understaffed and lacked proper equipment. "In order to win, it wasn't about the technology, and it wasn't about the planning. It was the ability to outthink the opponent and get inside his head," McFarland said. The Red Team program also fits with the military's new counterinsurgency strategy, jointly developed by the Army and Marines at Fort Leavenworth under the direction of Gen.
David Petraeus, now the top commander of U.S. forces in Iraq. But instructors note that Red Team graduates and their skills have wider application than the wars in Iraq and Afghanistan. "You don't know where you are going next," said Steve Rotkoff, a retired Army colonel. The concept isn't new, of course. Montgomery tried to anticipate Rommel's tactics, just as Confederate Gen. Robert E. Lee seemed to have the ability to guess what his Union counterparts would do during the Civil War. Red and blue teams have been part of U.S. military training for years. Forces preparing for battle - the blue team - develop plans for exercises, while the opponent - the red team - attempts to counter those efforts by defending a position or disrupting operations. But those traditional exercises were incomplete, McFarland said, because they were scripted according to the blue team's plans, without allowing the red team to alter its strategy and influence the blue team's tactics. Giving the red team a more active role brings a more critical mind-set to such exercises. Susan Craig, a graduate of the first Red Team class, is now an analyst with the Joint Intelligence Operations Center at the U.S. Pacific Command. She wrote in a recent edition of Military Review that part of red team training is learning to ask good questions of those making decisions and to think outside one's own culture. "We had to examine our most closely held beliefs and assumptions and fundamentally transform the way we think," she wrote. -=- On the Net: Fort Leavenworth: http://www.leavenworth.army.mil U.S. Army Training and Doctrine Command: http://www-tradoc.army.mil/index.htm From alerts at infosecnews.org Mon May 21 01:28:04 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:28 2008 Subject: [ISN] Navy floats on-board Wifi Message-ID: http://www.gcn.com/online/vol1_no1/44286-1.html By Patrick Marshall 05/18/07 In a first, the U.S.
Navy has approved the use of 802.11g wireless devices by personnel boarding suspect vessels. Overseen by the Navy's Program Executive Office for C4I, the Expanded Maritime Interception Operations (EMIO) wireless system provides a data link between crews on interdicted vessels and their home ship up to a few nautical miles away. Unlike a simple voice radio, these wireless links can carry biometric data, scanned documents, digital photos and e-mail from the boarding team, allowing near real-time analysis of such artifacts. The units use the 802.11g wireless protocol and encryption meeting Federal Information Processing Standard (FIPS) 140-2. The Office of Naval Research commissioned this project in March 2006. The EMIO wireless system is designed not to interfere with other shipboard systems and to meet all operational requirements, including security requirements. According to a press release from the Navy, the system "mitigates the critical issue of timely data accessibility that impacts decision-making, safety and data preservation." The first installation of the system was on the USS Cole in April 2007. From alerts at infosecnews.org Mon May 21 01:30:05 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:29 2008 Subject: [ISN] Exclusive: Los Alamos Breach Was Easy Message-ID: http://www.cbsnews.com/stories/2007/05/20/eveningnews/main2829944.shtml By Sharyl Attkisson CBS News May 20, 2007 (CBS) - When Jessica Quintana wanted to sneak classified material out of the nation's top nuclear weapons lab, the biggest outrage was how scandalously simple it was. "Where I was, it was easy," she tells CBS News correspondent Sharyl Attkisson. Last week Quintana, 23, pleaded guilty to the national security breach at Los Alamos. In an exclusive interview with CBS News, she tells how she did it. She was just 18, right out of high school, when the Lab hired her to archive documents.
The job came with a security clearance that gave her access to highly sensitive weapons data. Quintana says that last summer she wanted to take some work home, a major security violation. She walked unchallenged into a special work vault with a computer storage device called a flash drive. "I had the flash drive in my pocket when I entered the vault that day," recalls Quintana. "And at some point in the day I knew I wasn't being watched, the racks were open, simply inserted the flash drive into my computer, took what I needed." It was material related to underground nuclear weapons tests from the '70s, and she also printed 228 pages of classified documents. "I printed out the pages I needed and put them in my backpack with my school books and walked out like I did every day," said Quintana. The materials were found accidentally months later by local police during a drug raid on Quintana's roommate in their trailer home, reports Attkisson. It's an understatement to say that walking out with national secrets shouldn't have been so easy, especially in light of the rash of security scandals at Los Alamos: missing hard drives, even radioactive material smuggled out. Tens of millions of tax dollars have been spent to upgrade security. Quintana's case raises the question: Have others, even spies, made off with top secret material? Quintana says in the years she worked at the lab, nobody ever questioned or searched her. Not once. "They were so lax about coming in and out," said Quintana. Congress was so outraged that the Energy Department fired its top nuclear security official. Quintana has agreed to cooperate with prosecutors and faces up to a year in jail. Her lawyer says Americans can thank her for one thing: exposing persistent gaps in security at a place guarding some of our most sensitive nuclear secrets. (c) MMVII, CBS Interactive Inc. All Rights Reserved.
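The control the Los Alamos story says was missing is a basic one: nobody noticed when a USB mass-storage device was plugged into a workstation inside a classified vault. The following is an added example, not code from CBS News or from the laboratory, showing how that event can be pulled out of ordinary kernel logs and turned into an alert. It assumes Linux workstations forwarding kernel messages in syslog format; the hostnames, the vault host list and the log lines are constructed for illustration.

```python
"""Flag removable-storage attach events on hosts that should never see one.

Added example (not from the CBS article or Los Alamos). Assumes Linux
hosts forwarding kernel messages in syslog format; hostnames, log lines
and the vault host list are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log lines (syslog-style kernel messages), not real data.
SAMPLE_LOGS = """\
May 12 09:14:02 vault-ws-07 kernel: usb 1-1.2: new high-speed USB device number 5 using ehci_hcd
May 12 09:14:02 vault-ws-07 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5567
May 12 09:14:02 vault-ws-07 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
May 12 09:14:03 vault-ws-07 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
May 12 09:20:45 vault-ws-07 kernel: usb 1-1.2: USB disconnect, device number 5
May 12 10:02:11 archive-ws-03 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
May 12 10:02:12 archive-ws-03 kernel: sd 4:0:0:0: [sdc] Attached SCSI removable disk
May 12 11:30:00 vault-ws-07 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c31c
May 12 11:30:00 vault-ws-07 kernel: input: Logitech USB Keyboard as /devices/virtual/input/input12
"""

# Hosts inside an area where removable media is prohibited (constructed list).
VAULT_HOSTS = {"vault-ws-07", "vault-ws-08"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
VID_PID_RE = re.compile(r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
DISK_RE = re.compile(r"\[(?P<dev>sd[a-z]+)\] Attached SCSI removable disk")


def parse_events(log_text):
    """Return (timestamp, host, device_node, vid:pid) for each removable-disk attach.

    The kernel logs the vendor/product IDs before the SCSI disk attaches, so
    the last-seen VID:PID per host is carried forward to the attach event.
    A disk that arrives with no preceding ID line (second host below) is still
    reported, with the ID left as None rather than dropped.
    """
    last_id = defaultdict(lambda: None)
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a kernel message in the expected shape
        host, msg = m.group("host"), m.group("msg")
        idm = VID_PID_RE.search(msg)
        if idm:
            last_id[host] = f"{idm.group('vid')}:{idm.group('pid')}"
            continue
        dm = DISK_RE.search(msg)
        if dm:
            events.append((m.group("ts"), host, dm.group("dev"), last_id[host]))
    return events


def find_violations(log_text, vault_hosts=VAULT_HOSTS):
    """Any removable-disk attach on a vault host is a policy violation."""
    return [ev for ev in parse_events(log_text) if ev[1] in vault_hosts]


if __name__ == "__main__":
    for ts, host, dev, usb_id in find_violations(SAMPLE_LOGS):
        print(f"ALERT {ts} {host}: removable disk {dev} (usb {usb_id}) attached in vault")
```

Only the attach line is treated as the violation; the keyboard on the same host at 11:30 produces an ID line but no SCSI disk and so is ignored. In practice the same match would feed a SIEM rule rather than a print statement, and the vault list would come from the asset inventory rather than a constant.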
From alerts at infosecnews.org Tue May 22 00:35:13 2007 From: alerts at infosecnews.org (InfoSec News) Date: Thu Apr 10 04:02:29 2008 Subject: [ISN] The Impending Internet Address Shortage Message-ID: http://www.informationweek.com/news/showArticle.jhtml?articleID=199700668 By Thomas Claburn InformationWeek May 21, 2007 The coming shortage of Internet Protocol addresses on Monday prompted the American Registry for Internet Numbers (ARIN) to call for a faster migration to the new Internet Protocol, IPv6. The current version of the Internet Protocol, IPv4, allows for over 4 billion (2^32) Internet addresses. Only 19% of the IPv4 address space remains. Somewhere around 2012-2013, the last Internet address block will be assigned and the Internet will be full, in a manner of speaking. "We must prepare for IPv4's depletion, and ARIN's resolution to encourage that migration to IPv6 may be the impetus for more organizations to start the planning process," said John Curran, chairman of ARIN's Board of Trustees, in a statement. IPv6 promises roughly 3.4 x 10^38 (2^128) possible addresses. IP numbers are used to route traffic around the Internet. They're not the same thing as Internet domain names, which get mapped to IP numbers through the Domain Name System (DNS) because it's much easier to remember "Amazon.com" than "72.21.203.1." "Unless action is taken now, a quiet technical crisis will occur, not unlike Y2K in its complications, but without a fixed date or high level public attention," wrote Stephen M. Ryan, a partner at McDermott Will & Emery LLP and ARIN general counsel, and Raymond A. Plzak, CEO and president of ARIN, in a forthcoming policy paper. Ryan and Plzak foresee potential legal problems arising as address scarcity leads to a new black market in IP numbers. IP numbers are not, like Internet domain names, seen as property by U