[ISN] Payroll Giant Gives Scammer Personal Data of Hundreds of Thousands of Investors
http://abcnews.go.com/Technology/story?id=2160425

By DAN ARNALL
ABC News
July 6, 2006

The latest corporate data breach is from a company you may never have heard of, even though one in six American workers gets paid by the firm.

Automatic Data Processing, one of the world's largest payroll service companies, confirmed to ABC News that it was swindled by a data thief looking for information on hundreds of thousands of American investors.

According to a company spokeswoman, ADP provided a scammer with personal information of investors who had purchased stock through brokerages that use ADP's investor communications services. Initial reporting indicates that these firms include a number of brand-name brokers, including Fidelity Investments and Morgan Stanley.

A Fidelity spokesman says the data breach compromised 125,000 of the 72 million active accounts at the brokerage. Morgan Stanley says 3,800 of its clients were affected.

An industry source says Bear Stearns, Citigroup and Merrill Lynch also had account data leaked in the incident. A Merrill Lynch spokesperson refused comment. Calls to Citigroup and Bear Stearns have not been returned.

A spokesperson for banking and financial services group UBS confirms that about 10,000 of its brokerage clients were among those whose data was disclosed.

In a prepared statement, ADP spokeswoman Dorothy Friedman said the data thief exploited a Securities and Exchange Commission rule that allows public companies to get names and addresses of shareholders from brokers, as long as the shareholder has not objected to the disclosure of such information. The thief impersonated a corporate officer from a public company and got ADP to send the information.

ADP refused to answer questions about its data security measures or why its existing policies did not prevent the data loss.
ADP said that the loss, which occurred between November 2005 and February 2006, resulted in the inadvertent disclosure of investors' names, mailing addresses and the number of shares they held in certain companies. No Social Security numbers or brokerage account numbers were disclosed.

ADP notified federal law enforcement authorities promptly after its discovery of the problem in February 2006, said Friedman. Shortly thereafter, ADP notified its broker clients. Law enforcement authorities are continuing to investigate the matter.

Some customers whose personal data was compromised have received a letter from ADP. The three-page letter contains a list of 60 affected companies, including HealthSouth and Sirius Satellite Radio among many smaller corporate names.

"We have been advised that the information disclosed was not sufficient by itself to permit unauthorized access to your account, and we have no evidence that the information on the lists has been improperly used," reads the customer notification. "However, we recommend that you be alert to any unusual or unexpected contact or correspondence that you may have with the listed public companies (or with anyone else) about your holdings in these companies."

The letter then goes on to encourage affected customers to consider contacting one of the national credit bureaus to discuss getting a fraud alert service.

ADP says federal authorities are investigating the matter.

Copyright © 2006 ABC News Internet Ventures

_

Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches.
www.blackhat.com
[ISN] Computer system taken; thong panty left behind
http://www.buffalonews.com/editorial/20060706/7027334.asp

The Buffalo News
7/6/2006

The owner of a Seneca Street company returning to work early Wednesday found that his computer system and accessories had been taken in a burglary, Buffalo police said. Left behind was a pair of black thong underwear with an attached note, whose contents were not disclosed by police.

The owner of Big Bear, in the 700 block of Seneca, told police that a door had been jimmied open sometime between 7 p.m. Monday and 8:30 a.m. Wednesday and that the stolen computer system and accessories were valued at $5,000.

Big Bear, an embroidery business, employs about 40 workers, according to the company's Web site.

Copyright 1999 - 2006 - The Buffalo News
[ISN] Secunia Weekly Summary - Issue: 2006-27
The Secunia Weekly Advisory Summary
2006-06-29 - 2006-07-06

This week: 68 advisories

Table of Contents:

1....Word From Secunia
2....This Week In Brief
3....This Week's Top Ten Most Read Advisories
4....Vulnerabilities Summary Listing
5....Vulnerabilities Content Listing

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

2) This Week in Brief:

A vulnerability has been reported in Apple iTunes, which can be exploited by malicious people to compromise a user's system using malicious AAC media files. Additional details can be found in the referenced Secunia advisory.

Reference:
http://secunia.com/SA20891

--

HD Moore has discovered a vulnerability in the HTML Help ActiveX Control in Internet Explorer, which potentially can be exploited by malicious people to compromise a user's system.

References:
http://secunia.com/SA20906

--

VIRUS ALERTS:

During the past week Secunia collected 142 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

3) This Week's Top Ten Most Read Advisories:

1. [SA20906] Internet Explorer HTML Help ActiveX Control Memory Corruption
2. [SA20825] Internet Explorer Information Disclosure and HTA Application Execution
3. [SA20867] OpenOffice Multiple Vulnerabilities
4. [SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow
5. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability
6. [SA20891] Apple iTunes AAC File Parsing Integer Overflow Vulnerability
7. [SA20686] Microsoft Excel Repair Mode Code Execution Vulnerability
8. [SA20860] Cisco Wireless Access Point Web Management Vulnerability
9. [SA20886] Geeklog connector.php File Upload Vulnerability
10. [SA20877] Mac OS X Update Fixes Multiple Vulnerabilities

4) Vulnerabilities Summary Listing

Windows:
[SA20938] iMBCContents ActiveX Control Execute() Insecure Method
[SA20906] Internet Explorer HTML Help ActiveX Control Memory Corruption
[SA20947] NASCAR Racing Empty UDP Datagram Denial of Service
[SA20926] Hitachi Products Cross-Site Scripting Vulnerabilities

UNIX/Linux:
[SA20964] Ubuntu update for libmms
[SA20944] Avaya Products Ethereal Vulnerabilities
[SA20937] Gentoo mpg123 Heap Overflow Vulnerability
[SA20921] libwmf Integer Overflow Vulnerability
[SA20897] SUSE update for Opera
[SA20951] Avaya Products PHP Multiple Vulnerabilities
[SA20931] Red Hat update for Squirrelmail
[SA20925] SUSE update for acroread
[SA20917] Linux Kernel SCTP Denial of Service Vulnerability
[SA20914] Debian update for kernel-source-2.6.8
[SA20913] SUSE update for OpenOffice_org
[SA20910] Red Hat update for OpenOffice.org
[SA20899] SUSE Updates for Multiple Packages
[SA20895] rPath update for mutt
[SA20894] HP Tru64 UNIX and HP Internet Express Perl Vulnerability
[SA20893] Debian update for openoffice.org
[SA20900] Gentoo update for kiax
[SA20963] ppp setuid Security Issue
[SA20902] Efone config.inc Information Disclosure Security Issue
[SA20967] Ubuntu update for ppp
[SA20966] Ubuntu update for shadow
[SA20950] shadow setuid Vulnerability
[SA20934] HP-UX mkdir Unspecified Unauthorized Access Vulnerability
[SA20890] SUSE update for kdebase3-kdm
[SA20939] phpSysInfo lng Parameter File Detection Weakness

Other:
[SA20896] Siemens Speedstream 2624 Password Protection Bypass

Cross Platform:
[SA20949] Mambo Galleria Module mosConfig_absolute_path File Inclusion
[SA20923] SiteBuilder-FX admindir Parameter File Inclusion Vulnerability
[SA20922] phpFormGenerator File Upload
[ISN] July to be another big patch month for Microsoft
http://www.networkworld.com/news/2006/070606-july-to-be-another-big.html

By Robert McMillan
IDG News Service
07/06/06

With online attackers taking advantage of holes in its Office software, Microsoft plans to release seven software patches next week.

Four of the updates will fix bugs in Windows, while another three will address flaws in Microsoft Office, Microsoft said Thursday in a bulletin on its Web site. Both sets of patches will address critical flaws, which attackers could exploit to run unauthorized code on a PC without any user action.

The patches will be released on July 11 as part of Microsoft's regularly scheduled monthly security updates.

The new software will likely fix a number of publicly reported vulnerabilities in Office, some of which concern Excel, said Gunter Ollmann, director of Internet Security Systems' X-Force threat analysis service.

Last month, Microsoft confirmed that it was investigating three issues that relate to Office, following reports that hackers had launched a targeted attack, against an unnamed government contractor, that took advantage of a bug in its Excel spreadsheet software. Two of the bugs could be used to compromise a PC, but they would first require user action like opening a malicious document and clicking on hyperlinks. The third appears to be less critical, but it could be used to run an unauthorized ActiveX control, Microsoft said.

On Thursday another bug was added to the mix, with security vendor Secunia warning of a flaw affecting Asian language versions of Excel. As with the other bugs, victims would need to be tricked into doing a little work before compromising their systems, but if this were to happen, attackers could run their malicious software on the PC, Secunia said.

The seven patches may keep system administrators busy next week, but not as busy as they were in June. Last month Microsoft released 12 security updates.

The IDG News Service is a Network World affiliate.
[ISN] Computer hacker will be extradited to US, rules Home Office
http://news.scotsman.com/scotland.cfm?id=990732006

By AURA SABADUS
7 July 2006

A SCOT accused of the biggest military hack of all time will be extradited to the United States, the Home Office confirmed last night.

Gary McKinnon, originally from Glasgow, faces more than 50 years in prison if convicted in the US of sabotaging vital defence systems, including networks owned by NASA and the country's army, navy and air force.

The 40-year-old has two weeks to appeal the order, which was approved by John Reid, the Home Secretary, on Tuesday.

A judge ruled in May that McKinnon, who has been indicted in New Jersey and northern Virginia, should be sent to the US to face trial. However, the decision required Mr Reid's authorisation.

McKinnon allegedly accessed a network of 300 computers at the Earle Naval Weapons Station in New Jersey. US estimates claim the costs of tracking and correcting the problems he allegedly caused were around $700,000 (£400,000).

McKinnon last night said he was planning to appeal the decision. He added: "I am very worried and feeling very let down by my own government."

McKinnon is accused of hacking into 97 United States military and NASA computers between 2001 and 2002.

Lawyers for McKinnon had argued he could even be sent to Guantanamo Bay as a terrorist suspect - despite claiming to have only accessed Pentagon computers looking for information about UFOs. He has claimed that he was not a malicious hacker bent on bringing down US military systems, but rather more of a "bumbling computer nerd".

But the former hairdresser lost the first round of his battle against extradition in May, when District Judge Nicholas Evans at Bow Street Magistrates' Court dismissed these objections as "fanciful".

Speaking after that hearing, McKinnon vowed to continue resisting attempts to remove him from the country. He portrayed himself as an amateur hacker who used a dial-up modem to access sensitive government networks from his bedroom in Wood Green, north London.

He said: "I was amazed at the lack of security and the reason I left not just one note but multiple notes on multiple desktops was to say: look, this is ridiculous. My intention was never to disrupt security."

Among the most serious charges are that McKinnon deleted system files and logs at the New Jersey naval base in the immediate aftermath of the 11 September, 2001, attacks, rendering its entire network of more than 300 computers inoperable.

After the hearing in May, McKinnon said he regretted his actions but insisted he had been motivated only by curiosity and had not caused any damage.

"Solo", as he was known online, was originally arrested under the Computer Misuse Act by the UK National Hi-Tech Crime Unit in 2002. However, he was never charged in Britain.

* The Conservatives yesterday issued an appeal for the "NatWest Three" to be tried in Britain rather than being sent to the US to face American justice over their alleged role in an Enron fraud. The party's legal affairs spokesman Dominic Grieve wrote to Attorney General Lord Goldsmith warning that the threatened extradition of the three bankers risked bringing the criminal justice system into disrepute.

David Bermingham, Gary Mulgrew, the son of Labour MSP Trish Godman, and Giles Darby are accused of an £11 million fraud in which their former employer NatWest was advised to sell part of an Enron company for less than it was worth. The three men deny any criminal conduct and have always insisted that if there was a case against them it should be tried in England because that is where they live and where the alleged offences took place.
[ISN] Malware targets security research tool
http://www.theregister.co.uk/2006/07/06/gattmann_virus/

By John Leyden
6th July 2006

Virus writers have created a proof-of-concept virus, dubbed Gattman, that targets an analysis tool widely used by anti-virus researchers. Only the most inept anti-virus researchers are likely to become infected, according to one expert, so the interest in the malware is its curiosity value rather than any threat it poses, which is virtually nil.

Gattman spreads using a program called Interactive Disassembler Pro (IDA), a popular reverse engineering tool from Data Rescue, widely used in anti-virus research labs, which converts machine code inside program files into a human-readable disassembly. The tool allows the behaviour of code to be analysed.

The malware infects scripts written in IDC, the scripting language used by IDA, elements of which are sometimes shared between researchers during joint analysis efforts. An infected IDC script creates a Windows executable file; this executable in turn searches out new IDC files to infect, which then create a new executable file. Gattman is programmed only to spread and doesn't feature any malicious payload.

Gotcha

The exchange of executable files is strictly controlled in anything approaching professionally-run security labs. Carole Theriault, senior security consultant at UK-based anti-virus firm Sophos, said the authors of Gattman were presumably hoping to embarrass incautious researchers by spreading a virus using the very tools of their trade.

"The virus shows some technical knowledge. It was probably written in an attempt to embarrass anti-virus firms but it's unlikely to spread except among researchers - or more likely malware authors - who are both curious and careless," Theriault told El Reg.

The approach taken by the virus to spread is rather odd. Gattman is a polymorphic virus, a technique that has fallen out of favour in recent times, which means it alters its appearance as it spreads. Both the IDC and EXE parts of this virus can change their form as they replicate. The changes in EXE files generated by Gattman use file-morphing utilities on each infected PC. Such utilities are often found on the PCs of malware researchers but uncommon more generally.
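The propagation path in the article, an IDC script that writes out an executable which in turn infects further IDC scripts, points at a simple control a lab can apply before a script is shared: a script that only annotates a database has no business writing files or launching programs. The following Python check is an added example, not code from the article, Sophos or Data Rescue. The IDC primitive names it flags (fopen, fputc, writestr, writelong, savefile, Exec, RunPlugin) are assumptions about the IDC library and should be adjusted to the IDA version in use; the two sample scripts are constructed for the example and are not Gattman code.

```python
"""Pre-sharing check for IDC scripts.

Added example: not code from the article, Sophos or Data Rescue. The IDC
builtin names below are assumptions about the IDC library and should be
adjusted to the IDA version in use.
"""
import re

# Assumed IDC primitives that write files or run programs; a script that only
# annotates a database has no reason to call them.
WRITE_PRIMITIVES = ("fopen", "fputc", "writestr", "writelong", "savefile")
EXEC_PRIMITIVES = ("Exec", "RunPlugin")

# Strip // and /* */ comments first so a commented-out call is not flagged.
_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
# An MZ signature emitted as two bytes close together is the tell-tale of a
# script assembling a Windows executable by hand.
_MZ_RE = re.compile(r"0x4[dD]\b.{0,40}?0x5[aA]\b", re.S)


def find_suspicious(idc_source):
    """Return which flagged primitives appear and whether an MZ header is emitted."""
    code = _COMMENT_RE.sub("", idc_source)
    hits = {"write": [], "exec": [], "mz_header": False}
    for name in WRITE_PRIMITIVES:
        if re.search(r"\b%s\s*\(" % re.escape(name), code):
            hits["write"].append(name)
    for name in EXEC_PRIMITIVES:
        if re.search(r"\b%s\s*\(" % re.escape(name), code):
            hits["exec"].append(name)
    hits["mz_header"] = bool(_MZ_RE.search(code))
    return hits


def is_safe_to_share(idc_source):
    """True when nothing in the script writes files, runs programs or emits an MZ header."""
    h = find_suspicious(idc_source)
    return not (h["write"] or h["exec"] or h["mz_header"])


# Constructed sample scripts (not real Gattman code).
BENIGN_IDC = r"""
// Rename a few functions after manual analysis.
static main() {
    MakeName(0x401000, "parse_header");
    MakeComm(0x401020, "length check");
    // fopen("notes.txt", "w");   commented out, must not be flagged
}
"""

DROPPER_IDC = r"""
static main() {
    auto f, i;
    f = fopen("C:\\temp\\g.exe", "wb");
    fputc(f, 0x4D); fputc(f, 0x5A);   /* MZ */
    for (i = 0; i < 64; i++) fputc(f, 0);
    fclose(f);
    Exec("C:\\temp\\g.exe");
}
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_IDC), ("dropper", DROPPER_IDC)):
        print(label, find_suspicious(src), "safe to share:", is_safe_to_share(src))
```

A hit is not proof of infection, since legitimate scripts do dump data, but it is the point at which a human should read the script before it leaves the lab. The MZ-byte check catches the specific case of a script assembling an executable byte by byte, which is what a dropper written in IDC has to do; a polymorphic variant that renames its variables or reorders statements still has to call the same primitives, so the check keys on those rather than on any byte signature.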
[ISN] UT notifying employees of computer hacker
http://www.tfponline.com/absolutenm/templates/breaking.aspx?articleid=2542zoneid=41

July 06, 2006

University of Tennessee system officials are notifying around 36,000 employees and other individuals affiliated with UT that a hacker had broken into a computer that held personal information about them.

"Although we have no indication the hacker accessed or used the personal information, we are taking the precaution of notifying everyone whose information was on the database and urging them to take steps to protect themselves," said Brice Bible, assistant vice president for information technology.

"We regret that this has happened and have conducted a thorough investigation. Every precaution is being taken to safeguard security, including a thorough review of file storing and sharing and strengthening security measures in the affected area," Mr. Bible said.

Officials said the hacker's activities occurred during a nine-month period from August 2005 to May 2006.

UT has set up a toll-free hotline to help answer questions for affected persons. That number is (866) 748-1680. The help line will be operational Monday through Friday from 8 a.m. to 6 p.m. EST, starting July 7.

Persons affected by the security breach can find more information at UT's Information Security Office Web site, http://security.tennessee.edu.

Copyright ©2006, Chattanooga Publishing Company
[ISN] A new beginning for InfoSec News
It was on or about July 26th of 2001 that InfoSec News made the move to Attrition.org after being dumped by our last list provider for trying to be honest. Since then, through thick and thin, Jericho and the merry denizens of Attrition.org have helped InfoSec News grow to become one of the largest, oldest and hopefully most trusted daily information security lists on the Internet.

Hosting on Attrition.org was really supposed to be a temporary measure, at least until we got our act together and started hosting ISN on our own. Now, nearly five years later, we're finally ready to host InfoSec News on our own server, with an RSS feed, list archives, and plenty of room for hosting additional security lists and services.

So this will be the last mailing of InfoSec News on Attrition.org, and starting 7/10/2006, ISN will be posting from infosecnews.org. On Monday we'll also roll out the new website. You may need to add the new address (isn [at] infosecnews [dot] org) to whitelists, procmail recipes or other filters.

Thank you for all of your support!

Sincerely,

William Knowles
Editor
InfoSec News
wk [at] infosecnews [dot] org
[ISN] DOE's Federated Model aims to identify security threats
http://www.networkworld.com/news/2006/070506-argonne-national-lab.html

By Cara Garretson
NetworkWorld.com
07/05/06

Argonne National Laboratory, a division of the Department of Energy (DOE) operated out of the University of Chicago, is spearheading an effort to collect information about cyber security events that is beginning to gain steam.

Called The Federated Model, this information-sharing initiative among government, universities, and research labs began last fall and currently has about half a dozen active members, says Scott Pinkerton, manager of network services for the lab in DuPage County, Ill.

The initiative is open to any organization wanting to share details, or even just view information, regarding attempts by different IP addresses to access networks and how organizations have responded to these attempts, in an effort to spot patterns of malicious behavior and proactively block security threats, says Pinkerton. For example, if one member of the Federated Model suffers an attack from a certain IP address, another member may be able to block that IP address from accessing its network and thwart a second attack, he says.

"We're reinforcing the idea that we could be smarter, and more prepared," Pinkerton says.

While the number of members is growing, Pinkerton says The Federated Model hasn't yet hit critical mass.

Pinkerton discussed The Federated Model's progress at Network World's IT Roadmap conference held in Chicago late last month during a session on security. He stressed the importance of monitoring NetFlow data to search for zero-day attack traffic patterns, a practice his department engages in. NetFlow is a Cisco technology for storing traffic flow histories on routers and switches.

Argonne has taken on the development of The Federated Model's repository and laid out specifications to be used for submitting and accessing information. Following IETF standards, data is submitted in XML format that is encrypted.

The lab is working on adding features, such as an RSS feed that would tell members when new information has been added to the repository, Pinkerton says.

"What's valuable about this data is not only learning what IP addresses are doing, but what organizations are doing in response to potential threats," says Tami Martin, intrusion detection systems engineer with Argonne. "You're learning the reactive measures other sites are taking," she says. "Also of intrinsic value is [learning] the severity of the action taken."

Eventually, members could get to the point where they can completely thwart an attack by following the actions of a trusted member, says Pinkerton.

All contents copyright 1995-2006 Network World, Inc
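The workflow Pinkerton and Martin describe, one member publishes what a source address did and how that member responded, and another member decides whether to block the source before it reaches them, can be sketched as a small feed consumer. The Python below is an added example and not the Federated Model's repository code or schema. The XML element names, the member and trust labels, the IP addresses (taken from documentation ranges) and the NetFlow-style flow records are all constructed for the example, and the encrypted transport the article mentions is left out.

```python
"""Consumer for a shared attack-source feed.

Added example: not the Federated Model's repository code. The XML element
names, member and trust labels, IP addresses (RFC 5737 documentation ranges)
and NetFlow-style records are all constructed for this example; the encrypted
transport the article mentions is out of scope here.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed feed: each event records a source address, what it did, how
# severe the submitting member judged it, and what that member did about it.
SHARED_FEED_XML = """<?xml version="1.0"?>
<federated-events>
  <event member="lab-a" trust="high">
    <source>198.51.100.7</source>
    <activity>ssh brute force</activity>
    <severity>4</severity>
    <response>blocked at border</response>
  </event>
  <event member="lab-b" trust="medium">
    <source>203.0.113.25</source>
    <activity>port scan</activity>
    <severity>2</severity>
    <response>monitored</response>
  </event>
  <event member="lab-c" trust="high">
    <source>203.0.113.25</source>
    <activity>web exploit attempt</activity>
    <severity>3</severity>
    <response>blocked at border</response>
  </event>
  <event member="unknown" trust="low">
    <source>192.0.2.1</source>
    <activity>spam</activity>
    <severity>5</severity>
    <response>null-routed</response>
  </event>
</federated-events>
"""

# Constructed local flow summaries (src, dst, dport, packets), the kind of
# record a NetFlow collector yields for our own network.
LOCAL_FLOWS = [
    ("198.51.100.7", "10.0.0.5", 22, 900),
    ("198.51.100.7", "10.0.0.6", 22, 850),
    ("203.0.113.25", "10.0.0.8", 80, 12),
    ("192.0.2.200", "10.0.0.9", 443, 3),
]


def parse_feed(xml_text):
    """Turn the feed into event dicts; the source is validated as an IP address."""
    # Member-supplied XML is untrusted input; production code should parse it
    # with defusedxml. The standard parser keeps this example self-contained.
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("event"):
        events.append({
            "member": ev.get("member"),
            "trust": ev.get("trust"),
            "source": ipaddress.ip_address(ev.findtext("source").strip()),
            "activity": ev.findtext("activity"),
            "severity": int(ev.findtext("severity")),
            "response": ev.findtext("response"),
        })
    return events


def recommend_blocks(events, min_severity=3, trusted=("high",)):
    """Sources a trusted member has already blocked at or above min_severity,
    mapped to the members vouching for that block."""
    blocks = {}
    for ev in events:
        if ev["trust"] not in trusted or ev["severity"] < min_severity:
            continue
        if not ev["response"].startswith(("blocked", "null-routed")):
            continue
        blocks.setdefault(str(ev["source"]), []).append(ev["member"])
    return blocks


def already_seen_locally(blocks, flows):
    """Packet counts for recommended sources that have already hit our network."""
    seen = defaultdict(int)
    for src, _dst, _dport, packets in flows:
        if src in blocks:
            seen[src] += packets
    return dict(seen)


if __name__ == "__main__":
    events = parse_feed(SHARED_FEED_XML)
    blocks = recommend_blocks(events)
    print("recommended blocks:", blocks)
    print("already seen in local flows:", already_seen_locally(blocks, LOCAL_FLOWS))
```

The trust attribute is the important control. Following a block recommendation is a decision to let another organization deny an address access to your network, so a submission from an unauthenticated or low-trust member (the 192.0.2.1 event above) is ignored no matter how severe it claims to be; a feed that does not authenticate its submitters is a denial-of-service vector against whichever addresses an attacker chooses to report. The local-flow correlation tells the operator which recommended blocks already correspond to activity seen on their own network, so those can be prioritized for review.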
[ISN] Security expert dubs July the 'Month of browser bugs'
http://news.com.com/Security+expert+dubs+July+the+Month+of+browser+bugs/2100-1002_3-6090959.html

By Greg Sandoval
Staff Writer, CNET News.com
July 5, 2006

Each day this month, a prominent security expert will highlight a new vulnerability found in one of the major Internet browsers.

HD Moore, the creator of Metasploit Framework, a tool that helps test whether a system is safe from intrusion, has dubbed July the "Month of Browser Bugs". Already, the security researcher has featured five security flaws, three for Microsoft's Internet Explorer and one apiece for Mozilla's Firefox and Apple Computer's Safari. Moore noted that one of the IE bugs appeared to have been recently patched.

"This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure," Moore said on his blog. "The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution."

Browser security holes are nothing new, but Moore's repository of flaws shines a light on the problem. Moore says on his site that he reported two of the IE bugs to Microsoft last March.

Microsoft acknowledged that it had been in contact with Moore but downplayed the seriousness of the flaws Moore is publicizing. "(Microsoft's) investigation has revealed that most issues relating to Internet Explorer in particular will result in the browser closing unexpectedly," the company said in an e-mail statement.

Moore doesn't indicate how many of his published vulnerabilities are critical, but security company Secunia has rated one of the flaws, which Moore calls "Internet.HHCtrl Image Property", as highly critical.
[ISN] Web perils advise switch to Macs
Forwarded from: eric wolbrom, CISSP [EMAIL PROTECTED]

http://news.bbc.co.uk/2/hi/technology/5150508.stm

BBC News
5 July 2006

Security threats to PCs with Microsoft Windows have increased so much that computer users should consider using a Mac, says a leading security firm.

Sophos security said that the 10 most commonly found pieces of malicious software all targeted Windows machines. In contrast, it said, none of the malware were capable of infecting the Mac OS X operating system.

Microsoft has pledged that the latest version of its operating system, known as Vista, will be its most secure yet.

"It is our goal to give PC users the control and confidence they need so they can continue to get the most out of their PCs," a Microsoft spokesperson said. "Windows Vista contains a number of new safety features that, taken together, are designed to make Windows PCs more secure and online experiences safer."

Microsoft said that security on Vista would be an integral part of the operating system rather than an add-on like in previous systems.

Top threats

The advice from Sophos was given as it released a report detailing the security threats posed to computers so far in 2006.

The report says that there has been a vast drop in malicious software like viruses and worms. However, the company warns that there has been a sharp increase in the number of Trojans. It said that 82% of new security threats this year were from these programs.

Trojans are pieces of malicious software that are hidden in other legitimate programs such as downloaded screensavers. The Trojan may collect financial information or allow the infected computer to be controlled remotely for sending spam or launching web attacks.

"The continuing rise of malware will concern many - the criminals responsible are obviously making money from their code, otherwise they'd give up the game," said Graham Cluley, senior technology consultant at Sophos.

Mac flaws

Although Trojans dominate the list of security threats, the most widespread problem was the Sober-Z worm. The worm, which was spread by e-mail, infected people's computers and tried to turn off security settings. It replicated by looking for other e-mail addresses on the computers' hard drives. At its peak, the worm accounted for one in every 13 e-mails being sent.

The worm infected computers running the Windows operating system, but was not designed to infect Apple Macs.

"It seems likely that Macs will continue to be the safer place for computer users for some time to come," said Mr Cluley. "[That is] something that home users may wish to consider if they're deliberating about the next computer they should purchase," he added.

Earlier this year, a security flaw in the way that Macs downloaded files was identified, while three concept viruses and a worm written specifically for Apple computers were also discovered. The viruses were never released into the wild and posed little security threat.
[ISN] Nmap Hackers Pick Top 100 Security Tools
This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Sherpa http://list.windowsitpro.com/t?ctl=3094A:4FB69 Thawte http://list.windowsitpro.com/t?ctl=3094C:4FB69 Symantec http://list.windowsitpro.com/t?ctl=30947:4FB69 1. In Focus: Nmap Hackers Pick Top 100 Security Tools 2. Security News and Features - Recent Security Vulnerabilities - Windows Genuine Advantage Now at a Disadvantage - Microsoft Response to Exploit Riles Metasploit Developer - SharePoint Antivirus Solutions 3. Security Toolkit - Security Matters Blog - FAQ - Security Forum Featured Thread - Share Your Security Tips 4. New and Improved - Encryption for SOHO Sponsor: Sherpa How will compliance regulations affect your IT infrastructure? Help design your retention and retrieval, privacy and security policies to make sure that your organization is compliant. http://list.windowsitpro.com/t?ctl=3094A:4FB69 1. In Focus: Nmap Hackers Pick Top 100 Security Tools by Mark Joseph Edwards, News Editor, mark at ntsecurity / net You've most likely heard of Nmap, the network-mapping tool developed by Fyodor. Nmap is widely used and is a standard tool in countless security administrators' toolkits. Fyodor operates a mailing list, nmap-hackers, for general announcements, patches, and light discussion regarding Nmap. In 2000 and 2003, Fyodor surveyed the members of the mailing list to find out which security tools were their favorites. The 2000 survey resulted in a list of the top 50 most popular security tools. The 2003 survey resulted in an expanded list of the top 75 most popular security tools. Both lists have been great resources, and many people have discovered new tools that they weren't previously aware of. 
It's been three years since the last survey, and in that time lots of new security tools have come into existence, while other security tools have been updated (in some cases several times) with new features and functionality. This year, Fyodor conducted a new survey, and 3243 people responded. This latest survey resulted in an even longer list: the top 100 most popular security tools. Although the list contains tools for several platforms, including Windows, Linux, BSD, Solaris, and Mac OS X, it's easy to figure out which tools work on which platforms because each tool description includes platform-specific icons. There are also icons that let you know whether a tool is free, whether it has a command-line interface or GUI, and whether source code is available. Another feature of the list shows you whether the tool has risen or dropped in popularity compared with the 2003 survey results. Surprisingly, the top four tools on the current list remain unchanged in their popularity rank. Those top four tools are Nessus, Wireshark (formerly Ethereal), Snort, and Netcat. Metasploit Framework (released after the 2003 survey) is new to the list and is ranked the fifth most popular tool. Incidentally, you can read a semi-related news story, Microsoft Response to Exploit Riles Metasploit Developer, on our Web site at the URL below. http://list.windowsitpro.com/t?ctl=30956:4FB69 An interesting trend revealed by 2006 survey results is that wireless security is far more important to security administrators than it was three years ago, evidenced by the fact that the wireless sniffer Kismet rose from the 17th most popular tool in 2003 to 7th most popular tool in 2006. Aircrack, originally released in mid-2004, now ranks as the 21st most popular security tool in the list. Aircrack helps crack Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) encryption, which, as you probably know, are typically used to help secure communication on WiFi networks. 
Another interesting trend is that two great password-cracking tools, John the Ripper and Cain and Abel, broke into the top 10 as the 9th and 10th most popular tools respectively. John the Ripper was previously ranked #11 in 2003 and Cain and Abel was ranked #23, so the latter made quite a jump in popularity.

So that's a brief rundown of a few of the tools and trends from the list. You can of course glean even more information about security tool trends by reviewing the complete list, and you can learn about more tools that are new to the list, such as BackTrack, P0f, WebScarab, WebInspect, Core Impact, Canvas, and others. Check out the full survey results at
http://list.windowsitpro.com/t?ctl=3095B:4FB69
[ISN] Air Force to change network structure
http://www.shreveporttimes.com/apps/pbcs.dll/article?AID=/20060705/BREAKINGNEWS/60705008

By John Andrew Prime
jprime @ gannett.com
July 5, 2006

A reorganization of war-fighting network operations that begins today will touch 8th Air Force, headquartered at Barksdale Air Force Base.

A release from 8th Air Force headquarters says the change, which will place ... under the command of 8th Air Force commander Lt. Gen. Robert J. "Bob" Elder Jr., will better allow the service "to deliver sovereign options for the defense of the United States of America and its global interests - to fly and fight in Air, Space, and Cyberspace."

The change will consolidate Air Force Network Operations under Elder, the release said. That will take place with a ceremony at 2 p.m. on the base.

The change will put all Air Force units charged with network operations under Elder's command. These responsibilities had previously been spread among 10 major command Network Operations and Security Centers as well as the 8th Air Force, the Air Intelligence Agency, the Operations and Sustainment Systems Group and the Air Force Communications Agency.

In order to implement this change, the 67th Information Operations Wing at Lackland Air Force Base, Texas, has been reorganized and will be redesignated as the 67th Network Warfare Wing. It will oversee the stand-up of two Integrated Network Operations and Security Centers. One will be at Langley Air Force Base, Va., and the other at Peterson Air Force Base, Colo.

Reorganization is expected to take several months to fully implement, 8th Air Force headquarters said.

© The Times
[ISN] Consultant Breached FBI's Computers
http://www.washingtonpost.com/wp-dyn/content/article/2006/07/05/AR2006070501489.html

By Eric M. Weiss
Washington Post Staff Writer
July 6, 2006

A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.

The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused.

The government does not allege that the consultant, Joseph Thomas Colon, intended to harm national security. But prosecutors said Colon's "curiosity hacks" nonetheless exposed sensitive information.

Colon, 28, an employee of BAE Systems who was assigned to the FBI field office in Springfield, Ill., said in court filings that he used the passwords and other information to bypass bureaucratic obstacles and better help the FBI install its new computer system. And he said agents in the Springfield office approved his actions.

The incident is only the latest in a long string of foul-ups, delays and embarrassments that have plagued the FBI as it tries to update its computer systems to better share tips and information. Its computer technology is frequently identified as one of the key obstacles to the bureau's attempt to sharpen its focus on intelligence and terrorism.

An FBI spokesman declined to discuss the specifics of the Colon case. But the spokesman, Paul E. Bresson, said the FBI has recently implemented a "comprehensive and proactive security program" that includes layered access controls and threat and vulnerability assessments.
Beginning last year, all FBI employees and contractors have had to undergo annual information security awareness training.

Colon pleaded guilty in March to four counts of intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States. He could face up to 18 months in prison, according to the government's sentencing guidelines. He has lost his job with BAE Systems, and his top-secret clearance has also been revoked.

In court filings, the government also said Colon exceeded his authorized access during a stint in the Navy.

While documents in the case have not been sealed in federal court, the government and Colon entered into a confidentiality agreement, which is standard in cases involving secret or top-secret access, according to a government representative.

Colon was scheduled for sentencing yesterday, but it was postponed until next week. His attorney, Richard Winelander, declined to comment.

According to Colon's plea, he entered the system using the identity of an FBI special agent and used two computer hacking programs found on the Internet to get into one of the nation's most secret databases.

Colon used a program downloaded from the Internet to extract "hashes" -- user names, encrypted passwords and other information -- from the FBI's database. Then he used another program to crack the passwords by using dictionary-word comparisons, lists of common passwords and character substitutions to figure out the plain-text passwords. Both programs are widely available for free on the Internet.

What Colon did was hardly cutting edge, said Joe Stewart, a senior researcher with Chicago-based security company LURHQ Corp. "It was pretty run-of-the-mill stuff five years ago," Stewart said.

Asked if he was surprised that a secure FBI system could be entered so easily, Stewart said, "I'd like to say 'Sure,' but I'm not really."
"They are dealing with the same types of problems that corporations are dealing with."

Colon's lawyer said in a court filing that his client was hired to work on the FBI's Trilogy computer system but became frustrated over bureaucratic obstacles, such as obtaining written authorization from the FBI's Washington headquarters for routine matters such as adding a printer or moving a new computer onto the system. He said Colon used the hacked user names and passwords to bypass the authorization process and speed the work.

Colon's lawyers said FBI officials in the Springfield office approved of what he was doing, and that one agent even gave Colon his own password, enabling him to get to the encrypted database in March 2004. Because FBI employees are required to change their passwords every 90 days, Colon hacked into the system on three later occasions to update his password list.

The FBI's struggle to modernize its computer system has been a recurring headache for Mueller and has generated considerable criticism from lawmakers. Better computer technology might have enabled agents to more
[ISN] Hacker attacks hitting Pentagon
http://www.baltimoresun.com/news/nationworld/bal-te.nsa02jul02,0,754404.story?coll=bal-home-headlines

By Siobhan Gorman
Sun reporter
July 2, 2006
Sun exclusive

WASHINGTON -- The number of reported attempts to penetrate Pentagon computer networks rose sharply in the past decade, from fewer than 800 in 1996 to more than 160,000 last year - thousands of them successful.

At the same time, the nation's ability to safeguard sensitive data in those and other government computer systems is becoming obsolete as efforts to make improvements have faltered and stalled.

A National Security Agency program to protect secrets at the Defense Department and intelligence and other agencies is seven years behind schedule, triggering concerns that the data will be increasingly vulnerable to theft, according to intelligence officials and unclassified internal NSA documents obtained by The Sun.

When fully implemented, the program would build a new encryption system to strengthen protections on computer networks and would more effectively control the access of millions of people to government computer systems and buildings.

Launched in 1999, the program was to have been completed last year, but it fell behind in part because of differences between the NSA and the Pentagon. The NSA is trying to revamp the program, although the deadline has slid to 2012, with the most substantive security improvements planned for 2018.

An internal NSA report in April 2005 described the problem as "critical," noting that 30 percent of the agency's security equipment does not provide adequate protection; another 46 percent is approaching that status.

"Much of the existing cryptographic equipment is based on ... technologies that are 20-30+ years old," said the report from the agency's information security directorate. At the same time, it noted, technology for breaking into computer systems has improved, "which gives our adversaries enhanced capabilities."
Pentagon computers, in particular, are under constant attack. Recently, Chinese hackers were able to penetrate and steal data from a classified computer system serving the Joint Chiefs of Staff, according to two sources familiar with the incident. A security team spent weeks eliminating the breach and installing additional safeguards.

The Pentagon declined interview requests for two information security officials, but a spokesman said in a written statement that the NSA is continually assisting the Pentagon "to maintain best security practices and raise the level of information security."

NSA spokesman Don Weber said in a statement that because information security is a core mission of the agency, "any speculation that we, along with our partners would leave national security systems vulnerable, is unfounded."

Among 18 current and former officials and security experts interviewed for this article, several would speak only on condition of anonymity because many details of the program are sensitive and reveal vulnerabilities in the nation's defenses.

Encryption, which is an electronic lock, is among the most important of security tools, scrambling sensitive information so that it can ride securely in communications over the Internet or phone lines, and requiring a key to decipher. Powerful encryption is necessary for protecting information that is beamed from soldiers on the battlefield or that guards data in computers at the NSA's Fort Meade headquarters.

Without updated encryption, sensitive information could be stolen by China or other countries that have regularly tried to break into U.S. government systems to steal military and intelligence secrets. There are emerging concerns about Iran's desire to do so, as well.

"This stuff is enormously important," said John P. Stenbit, the Pentagon's chief information officer until 2004. "If the keys get into the wrong hands, all kinds of bad things happen."
"You don't want to just let a hacker grab the key as it's going through the Internet."

The NSA report warned that serious risks in the Pentagon's security system "jeopardize its ability to execute its missions effectively." A December 2005 NSA planning document described the program as "crucial for ensuring adequate protection for all national security programs."

"It's a pretty critical thing to do right ... because the government relies on confidential communications so heavily," said Martin Roesch, founder of Sourcefire, a computer security company in Columbia, Md. "It's kind of a fundamental capability."

A growing threat

As the program, known as Key Management Infrastructure, has faltered, the potential for penetrating government computers has grown.

Intelligence officials have said that as many as 100 countries pose legitimate threats to U.S. government computers and those of companies doing government work. In the past decade, reported attempts to hack into Pentagon computers have grown 200-fold, according to the Pentagon.

Numerous states, terrorist and hacker groups, criminal syndicates,
[ISN] Identity Thief Finds Easy Money Hard to Resist
http://www.nytimes.com/2006/07/04/us/04identity.html

By TOM ZELLER Jr.
July 4, 2006

By the time of Shiva Brent Sharma's third arrest for identity theft, at the age of 20, he had taken in well over $150,000 in cash and merchandise in his brief career. After a certain point, investigators stopped counting.

The biggest money was coming in at the end, postal inspectors said, after Mr. Sharma had figured out how to buy access to stolen credit card accounts online, change the cardholder information and reliably wire money to himself - sometimes using false identities for which he had created pristine driver's licenses.

But Mr. Sharma, now 22, says he never really kept track of his earnings.

"I don't know how much I made altogether, but the most I ever made in a quick period was like $20,000 in a day and a half or something," he said, sitting in the empty meeting hall at the Mohawk Correctional Facility in Rome, N.Y., where he is serving a two- to four-year term. "Working like three hours today, three hours tomorrow - $20,000."

And once he knew what he was doing, it was all too easy.

"It's an addiction, no doubt about that," said Mr. Sharma, who inflected his words with the sort of street cadence adopted by smart kids trying to be cool. "I get scared that when I get out, I might have a problem and relapse because it would be so easy to take $300 and turn it into several thousand."

That ease accounts for the sizable ranks of identity-fraud victims, whose acquaintance with the crime often begins with unexplained credit card charges, a drained bank account or worse. The victims' tales have become alarmingly familiar, but usually lack a protagonist - the perpetrator. Mr. Sharma's account of his own exploits provides the missing piece: an insight into both the tools and the motivation of a persistent thief.

Identity theft can, of course, have its origins in a pilfered wallet or an emptied mailbox. But for computer-savvy thieves like Mr.
Sharma, the Internet has forged new conduits for the crime, both as a means of stealing identity and account information and as the place to use it.

The Secret Service and the Federal Bureau of Investigation have invested millions of dollars in monitoring Internet sites where thousands of users from around the world congregate to swap tips about identity theft and to buy and sell personal data. Mr. Sharma frequented such sites from their earliest days, and the techniques he learned there have become textbook-variety scams.

"Shiva Sharma was probably one of the first, and he was certainly one of the first to get caught," said Diane M. Peress, a former Queens County prosecutor who handled all three of Mr. Sharma's cases and who is now the chief of economic crimes with the Nassau County district attorney's office. "But the kinds of methods that he used are being used all the time."

As far back as 2002, Mr. Sharma began picking the locks on consumer credit lines using a computer, the Internet and a deep understanding of online commerce, Internet security and simple human nature, obtained through years of trading insights with like-minded thieves in online forums. And he deployed the now-common rods and reels of data theft - e-mail solicitations and phony Web sites - that fleece the unwitting.

Much of this unfolded from the basement of a middle-class family home in Richmond Hill, Queens, at the hands of a high school student with a knack for problem solving and an inability, even after multiple arrests, to resist the challenge of making a scheme pay off.

That is what worries Mr. Sharma's wife, Damaris, 21, who has no time for the Internet as she raises the couple's 1-year-old daughter, Bellamarie.

"I hate computers," she said. "I think they're the devil."

A Thief's Tool Kit

Mr. Sharma is soft-spoken, but he does not shrink from the spotlight.
He gained fleeting attention after his first arrest, as the first person charged under a New York State identity-theft statute - and later, at his high school graduation at the Rikers Island jail, where he was the class valedictorian.

For a prison interview, he has applied gel to his mane of black hair. He is Hollywood handsome, with deceptively sleepy eyes and smiles that come as tics in reaction to nearly every stimulus - a question, a noise. Prosecutors interpreted those smiles as evidence of smug indifference. A tattoo of Shiva, the Hindu god of destruction and his namesake, is just visible on Mr. Sharma's right arm, under the short sleeve of his green prison jumpsuit.

Recalling his youth, Mr. Sharma said he was not unlike many other young people growing up with the mating calls of modems and unprecedented access to people, sounds, software and other thrills streaming into the family's home over the Internet.

As the youngest of three children in a family of immigrants from Trinidad - his parents brought the family to Queens when he was 6 - Mr. Sharma said sibling battles for access to the computer were common. He studied programming at
[ISN] IT security crucial to UAE
http://www.khaleejtimes.com/DisplayArticleNew.asp?xfile=data/business/2006/July/business_July40.xmlsection=business

BY JAMILA QADIR
2 July 2006

DUBAI - IT security is crucial to the UAE financial markets, as the financial sector in particular has always been a target for fraud worldwide, according to Khalfan Al Mazrouei, IT manager, Abu Dhabi Securities Market (ADSM).

"The dramatic growth in Internet and email use has helped and hindered financial markets. Internet and email gives investors instant access to financial markets all over the world. But both have also opened up new opportunities for hackers to exploit," he explained.

"Pressures on security come from within a corporation as well as outside. Up to 70 per cent of all IT security fraud is internal. No matter how advanced our systems are, we are always vulnerable," he said.

Since it was established in November 2000, ADSM has made IT security one of its top priorities as part of its international best practices programme. ADSM is playing a leading role in promoting security awareness across the market. It has already improved and broadened its trading and registry reporting services to shareholders through voice, Internet and mobile systems.

"We have also introduced e-trading for brokers. In fact, the majority of them now operate remotely which poses a huge security challenge for our IT systems. We have enhanced transparency by introducing International Financial Reporting Standards (IFRS) compliance and quarterly reporting from all ADSM listed companies.

"The UAE is the first country in the Middle East to be awarded an XBRL (eXtensible Business Reporting Language) provisional jurisdiction. It allows companies to compile and publish financial data in a format that can be better understood and analysed than the current process. This will enhance transparency in the market," he said.

ADSM, with the UAE XBRL steering committee, has been instrumental in this move.
"We will be taking a lead in encouraging all UAE listed companies to adopt XBRL to improve both transparency and efficiency in the market. Our IT systems have had to evolve to deal with new office openings, a huge increase in the number of brokerage firms and new links with foreign exchanges.

"National investors should be able to trade foreign stocks from ADSM. They should not have to expose themselves to the risk of trading directly on a foreign exchange," he said, adding that was the reason why ADSM has created links with other foreign exchanges.

"We currently have an electronic link with Muscat and we are introducing another one with Doha. We also have cross-listing agreements in place with the Cairo Alexandria (CASE) and Khartoum exchanges. We look forward to further links with other exchanges in the near future," Al Mazrouei said.

The number of trades on ADSM this year goes up each month compared to 2005. Since its inception, it has opened four regional branches throughout the UAE and will be opening a further two this year.

"ADSM now has over 60 broker firms operating in its market. Almost half of these opened in the first quarter of this year alone," he said.

One of ADSM's current aims is to become the first exchange in the UAE to achieve ISO 17799 certification, which will enhance the security procedures between the brokers, registrars and investors, he added.
[ISN] DEF CON 14: Speakers Selected and more.
Forwarded from: The Dark Tangent [EMAIL PROTECTED]

Hey everyone, I want to make some announcements surrounding DEF CON 14. It's about that time to briefly lay down the inf0z, so here it goes.

- Speakers have been selected, and are now listed on-line:
  http://www.defcon.org/html/defcon-14/dc-14-schedule.html
  They include an assistant Secretary of Defense, an FBI agent, Scary Hackers, privacy fanatics, security studs, and a hardware hacking ninja.

- The con hotel is sold out, but overflow exists here:
  http://www.defcon.org/html/defcon-14/dc-14-hotel.html

- Need a ride or got a room to spare? Check out the ride and room section of the DEF CON Forums:
  https://forum.defcon.org/forumdisplay.php?f=26

- There are a lot of new contests, and some old ones that are no more (We'll miss you WiFi Shootout!). I'd mention them all, but it takes up too much space. To get a good grip on what is happening I'd suggest reading the contest area of the forums:
  https://forum.defcon.org/forumdisplay.php?f=102

- Black and White Ball is two nights this year, with some great bands and DJs including Regenerator, The Minibosses, DJ Jackalope, Catharsis and DJ Wintamute.

- DEF CON 13 Audio and Video is now on-line for DOWNLOAD. Yep, you saw that right. We are phasing out the real media server and going to download mode. The audio is in .mp3, and the video is in H.264 2-pass 192k .mp4, optimized for the iPod video screen size. Right now you gotta subscribe to the rss feed, but the web site will soon sport the direct links. We hope to have DC-12 on-line in the next week.
  http://www.defcon.org/defconrss.xml

Notes: This year we are at a new hotel, the Riviera. I did this because DEF CON was going to stagnate and die if it stayed at the Alexis Park any longer. The benefits of the new hotel are that the speaking rooms are larger, there is air conditioning, and we have room to grow.
This year we get about 1/2 the space, and next year we should get 3/4 of the space. That extra room will allow us to offer break out classes, get togethers, and an additional track of speaking. Things we could only dream of before, but now are possible. It will take us all a year or two to learn what to do with all the space, but those are the kinds of problems I can live with. Did I mention the sky boxes?

General hang out site: http://forum.defcon.org/

Remember DEF CON is what you make of it, and we have been lucky over the years to have a great group of people supporting us. The line up this year looks great, and the rest is up to us.
[ISN] IntellNet is back!
Forwarded from: Brooks Isoldi [EMAIL PROTECTED]

To all who may be concerned:

After a nearly 24 month hiatus, it is with great pride and honor that I announce the re-launch of IntellNet.org (http://www.intellnet.org).

Founded in early 2000 as a private project to more easily disseminate information, during the 4 years since its creation IntellNet proved itself to be a great source of knowledge. With today's re-launch, The Intelligence Network will stand upon the shoulders of giants in order to see further and push higher; expanding upon the very foundations of the U.S. Open Source Intelligence (OSINT) community. Our potential knows no boundaries and can only ever be limited by our imaginations.

It is by no means a mere figure of speech that I referenced Sir Isaac Newton. It is with both humility and courage that we acknowledge those that not only came before, but after as well in what has become a global effort to achieve synergy with the flow of information.

In the coming months, we will unveil initiatives designed to enhance and develop current and new capabilities as well as extend our reach into both existing and uncharted territories. In line with these developments, I have placed the IntellNet website and The OSINT Group under the umbrella of The Intelligence Network where they will be autonomous divisions with similar methods and common goals. New divisions will be created as more initiatives are deployed and we will be increasingly in need of intelligent, savvy and thoughtful individuals to staff them.

Additionally, The Intelligence Network will maintain an open door policy to any similar organizations willing to collaborate, on any level, in order to further our common goals.

Please feel free to pass this email around, and if there is anyone who wishes to contribute to the organization or has any questions or comments, please contact me.
Finally, it is with those predictions and self-imposed challenges that we invite you all to become loyal viewers and to make IntellNet what it once was.

Thank you.

Brooks Isoldi
The Intelligence Network
[ISN] ITL Bulletin for June 2006
Forwarded from: Elizabeth Lennon [EMAIL PROTECTED]

ITL Bulletin for June 2006

DOMAIN NAME SYSTEM (DNS) SERVICES: NIST RECOMMENDATIONS FOR SECURE DEPLOYMENT

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Domain Name System (DNS) services have an important function in helping users readily access the many resources that are available through the Internet. DNS services make communications convenient for the user by translating between the unique resource identifier that is known as the Internet Protocol (IP) address and a domain name that is easy for the user to remember. The IP address to which a user wishes to be connected is represented by four groups of numbers separated by dots, such as 123.67.43.254. The computers in the network route communication packets across the Internet based on the IP addresses of the packets. However, when accessing websites and using e-mail services, the user can simply employ a domain name such as nist.gov, which is easier to remember than the full IP address. The DNS transforms human-readable domain names into machine-readable IP addresses and also does the reverse process, taking a query with an IP address and returning the domain name associated with it.

The DNS infrastructure, which carries out the domain name translation, is made up of computing and communication entities that are geographically distributed throughout the world. There are more than 250 top-level domains, such as .gov and .com, and several million second-level domains, such as nist.gov and ietf.org. As a result, there are many name servers in the DNS infrastructure that contain information about only a small portion of the domain name space. The different servers work together to provide DNS services. The domain name data provided by DNS is intended to be publicly available to any computer located anywhere in the Internet.
While DNS services are not the primary target of most attacks on information systems today, the DNS infrastructure is expected to become more vulnerable as more applications use DNS for network operations. NIST's Information Technology Laboratory (ITL) has developed guidance to help organizations protect their DNS components, prevent possible future attacks on domain name information, and maintain the availability of DNS services and data.

NIST Special Publication (SP) 800-81, Secure Domain Name System (DNS) Deployment Guide

NIST SP 800-81, Secure Domain Name System (DNS) Deployment Guide, presents NIST's recommendations to help organizations analyze their operating environments and the threats to their DNS services, and to apply appropriate risk-based security measures for all DNS components. Written by ITL's Ramaswamy Chandramouli and Scott Rose, the publication provides guidelines for the secure deployment of each DNS component through the use of configuration options and checklists that are based on policies or best practices. Development and publication of the guide were carried out in collaboration with the Department of Homeland Security (DHS).

NIST SP 800-81 explains the structure and operations of DNS data, software, and transactions and discusses the threats, the security objectives, and the security approaches that can be employed. Extensive guidance is provided on maintaining data integrity and performing source authentication, and on configuring DNS deployments to protect the availability of DNS services and prevent denial of service attacks. Other topics covered include how to secure DNS query and response activities, how to minimize information exposure through DNS data content control, and how to maintain secure operations. The appendices explain the technical terms and the acronyms used in the publication and contain extensive references to publications and websites with additional information.
The publication is available on NIST's web pages at: http://csrc.nist.gov/publications/nistpubs/index.html.

The Domain Name System Infrastructure

The Domain Name System is composed of several components. Users enter domain names to access Internet resources, through a program such as a web browser. The browser calls the DNS to provide the IP address for the appropriate web server and web page. This function of mapping domain names to IP addresses is name resolution, and the client system uses the DNS protocol to perform the name resolution function. The DNS has a data repository where the domain names and their associated IP addresses are stored. Software manages this data repository, which may be distributed, and provides name resolution service. This function is the name server. The function that accesses the services provided by a DNS name server on behalf of user programs is called the resolver.

The DNS infrastructure is composed of the communication protocol, the various DNS components, the policies governing the configuration
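The forward (name to address) and reverse (address to name) translation described above, and the resolver side of a query and its response, as an added example in Python that is not code from the ITL bulletin or from NIST SP 800-81. The transaction ID, the reply bytes and the TTL are constructed for illustration; nist.gov and 123.67.43.254 are the bulletin's own sample name and address.

```python
import struct

TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1

def encode_name(name: str) -> bytes:
    """Encode 'nist.gov' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int, txid: int) -> bytes:
    """Standard query header (flags 0x0100 = recursion desired) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer
            if end is None:
                end = offset + 2           # caller resumes right after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                  # refuse pointer loops in hostile data
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_response(msg: bytes, expected_txid: int):
    """Validate the header, then return (question name, [(name, type, ttl, value)])."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:              # a resolver drops replies it did not ask for
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        offset += 4                        # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_PTR:            # reverse lookup answer: a domain name
            value, _ = decode_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, rtype, ttl, value))
    return qname, answers

def reverse_name(ipv4: str) -> str:
    """Query name for the reverse lookup: 123.67.43.254 -> 254.43.67.123.in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def constructed_response(txid: int) -> bytes:
    """Constructed reply to 'nist.gov A' (not captured traffic): one A record whose
    owner name is a compression pointer (0xC00C) back to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set; RCODE 0
    question = encode_name("nist.gov") + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4)
              + bytes([123, 67, 43, 254]))
    return header + question + answer

if __name__ == "__main__":
    txid = 0x1234                          # constructed; real resolvers use random IDs
    print("query :", build_query("nist.gov", TYPE_A, txid).hex())
    print("parsed:", parse_response(constructed_response(txid), txid))
    print("PTR   :", reverse_name("123.67.43.254"))
```

The transaction-ID and QR checks in parse_response are the minimum a resolver needs before trusting a reply; SP 800-81's guidance on source authentication and data integrity goes well beyond them.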
[ISN] Companies safeguard against growing risk of laptop 'dumpster-diving'
http://www.palmbeachpost.com/business/content/business/epaper/2006/07/02/a1f_Laptops_0702.html

By Stephen Pounds
Palm Beach Post Staff Writer
July 02, 2006

Laptops have become the latest loose-lipped losers of personal and corporate data.

The electronic documents opened on a stolen laptop computer can jeopardize sensitive corporate and personal information and force firms to issue embarrassing statements to those who might be harmed by the data breach.

Now high-tech managers are looking to reduce their risk of data loss, not to mention damage control, resulting from pilfered notebook PCs tethered to company mainframes and critical servers.

"Companies go into crisis mode," said Pete Nicoletti, vice president of secure information systems at Terremark Worldwide Inc., a network services and real estate company in Miami. "With interconnected networks, the entire world can dumpster-dive in your computers."

Today's laptops are lighter, cheaper and more powerful than ever before. With a wireless Internet card, users can access the Web from anywhere, making them ideal for remote work from home or while traveling. But that same portability has made them more attractive to thieves.

In the past year, business and government laptops have been yanked from homes, cars, aircraft and hotel rooms or lost to owner fumble-itis in 29 instances, says the San Diego-based Privacy Rights Clearinghouse. Those losses put the personal information of tens of millions of people at risk.

In one of the largest data breaches ever, a laptop carrying the personal information of 26.5 million veterans discharged since 1975 was stolen in May from the home of a Department of Veterans Affairs analyst. The VA announced Thursday the laptop has been recovered, with no evidence of identity theft.
And just last month, the Federal Trade Commission, the government's standard-bearer against data theft, revealed that two laptop computers containing personal and financial data it had gathered in investigations on 110 people had been stolen from an employee's car. Laptops are a significant (cause) of data theft, said Beth Givens, director of the Privacy Rights Clearinghouse. It is symptomatic of people taking their work with them everywhere they go. If data has been compromised, 24 states require companies to notify those who could be harmed; eight more states have enacted laws that will go into effect in the next six months. All of this is forcing tech managers to bolster laptop security. First, they are training employees on laptop management, starting with common sense: Employees are to carry their laptops at all times or to lock them up. After a data breach last November involving a stolen laptop with data on 160,000 employees at the Boeing Co. in Chicago, the company began requiring human-resource and payroll employees who take a laptop home or on travel to physically lock them to a desk while using them. The company also has begun random audits of laptops to check for old and forgotten data files. If you have information on your laptop, it should be encrypted and the computer is supposed to be secured, said Boeing spokesman Tim Neale. Companies also are disabling extra USB ports and writeable CD-ROM drives to keep employees from copying information to thumb drives, compact disks and other portable storage devices. They are restricting some files only to their secure networks and banning employees from taking pictures of documents with camera phones. And if a laptop is stolen, they are to report it to the company and to authorities immediately, said Bob McConnell, a security consultant who worked with Alpharetta, Ga.-based ChoicePoint Inc. last year when the data broker suffered a major breach of its databases. 
Almost all companies that travel will have to become sensitive to it because of what they've seen in the media, McConnell said of laptop security. They can't afford the fallout of compromised data. Damage control could be costly and distracting. Already, the VA has spent $14 million just to notify veterans of the breach. The government also has agreed to provide free credit monitoring to the veterans whose personal information may have been compromised, a move expected to cost millions more. Even so, five veterans groups have filed a class-action lawsuit seeking damages for violation of privacy. A report last year by the Elk Rapids, Mich.-based Ponemon Institute found it costs a company about $5 million to notify victims of a data breach, or about $138 a victim. It can be much more for firms such as data brokers and banks and financial services. But the real loss may be in disenchanted customers. Even when companies made the effort to notify consumers of a data breach, 19 percent of survey respondents said they would discontinue their business with the company, or already had, the Ponemon study showed. Customers may churn rather than work with a company that has a bad reputation. A data breach is a signal that a company is
[ISN] VA Laptop Sold From Back of a Truck
http://redtape.msnbc.com/2006/07/what_happened_t.html By Bob Sullivan July 3, 2006 We have a few more details on what happened to the nation's most famous runaway laptop computer during those mysterious two months it was missing, courtesy of NBC's Pete Williams. We're talking about the computer and hard drive that were stolen from a Department of Veterans Affairs employee in May, an incident that made headlines because the hardware contained private information on 26.5 million veterans and current GIs. Last week, VA chief Jim Nicholson announced in dramatic fashion [1] that the prodigal computer had been found, but details about the return were sparse. NBC's Williams has been able to fill in some of the blanks after talking to law enforcement officials investigating the incident. Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near a subway station outside the Beltway near Wheaton. We're talking about the kind of market that is literally run out of the back of a truck, one official said. Fortunately, a buyer purchased both components at this black market, keeping the missing hardware together. The male buyer, who has not been publicly identified, later spotted fliers posted at a nearby supermarket seeking the return of the equipment. After matching the serial numbers on the flier with those on the equipment, the buyer decided to turn in the equipment. No doubt, a posted $50,000 reward helped encourage that decision. He had a friend in the U.S. Park Police who brokered the exchange with the FBI, Williams was told. At that point, the FBI ran forensics tests on the equipment and concluded the sensitive data - such as veterans' Social Security numbers -- had not been accessed. (Read more details about those tests here). Knowing more about the secret life of the disappearing hardware should make veterans a little more comfortable that their personal information was not compromised during the incident. 
But not all questions have been answered yet. The obvious missing puzzle piece is this: How did the hardware get from the VA employee's home in Aspen Hill, Md., to the back of a truck in Wheaton, about 4 miles away? And what happened during the trip? [1] http://www.msnbc.msn.com/id/13613727/
[ISN] State's laptops vulnerable?
http://www.columbusdispatch.com/news-story.php?story=dispatch/2006/07/03/20060703-C1-00.html By Randy Ludlow THE COLUMBUS DISPATCH July 03, 2006 Data thieves don't always sneak in through a digital back door. Sometimes, their work is decidedly low-tech, such as strolling through a real door and snatching a laptop computer. In Ohio, some state agencies and universities appear to be lagging the technological curve as the federal government tightens the security of data on portable computers. The feds' action was prompted by the lifting of a laptop and external hard drive, recovered last week, that held the Social Security numbers of about 26.5 million military veterans. New security guidelines require civilian agencies to encrypt sensitive data to make it nearly impossible to steal identities should laptops and handhelds disappear. Among a sampling of state agencies handling personal information on millions of Ohioans, only the Department of Taxation boasts of nearly impenetrable data encryption. The Department of Job and Family Services and Department of Administrative Services are planning to encrypt data, but are not there yet. Ohio State University and Ohio University also do not use scrambling software on portable devices, but appear to be on the verge. Securing portable data appears to have evolved slowly in Ohio, said Marc Mezibov, a Cincinnati lawyer who is suing OU and the Department of Veterans Affairs over data thefts. I'm sure there will be a lot of finger-pointing and wondering why some of these institutions and organizations are behind the curve, he said. State agencies and contractors have been handed a financial incentive to encrypt data under a state law that took effect early this year. They can escape mandatory, costly notification of data-theft victims if the data is encrypted.
The Ohio Office of Information Technology prescribes minimum security standards for state computers and encourages that they be exceeded, but does not require the use of encryption software. With Social Security numbers and employment, investment and income information, the tax collectors hold the most far-reaching personal information of any agency. The data, says taxation spokesman Gary Gudmundson, is encrypted with state-of-the-art software on both servers and laptops, and is considered virtually hack-proof. Four state laptops used by taxation employees were stolen during the past three years, but only one contained data on individual taxpayers, he said. That computer held information on an audit of one taxpayer, but it was deemed inaccessible because of encryption, he said. The Department of Job and Family Services works with personal data involving welfare, Medicaid, child-support and unemployment recipients. Plans call for installing data-encryption software on portable devices before the end of the year, spokesman Dennis Evans said. Only one department laptop with personal information - on 20 Medicaid recipients - has been stolen. It was taken from an employee's car in December 2004, prompting a directive not to leave computers in vehicles, he said. The Department of Administrative Services functions as the centralized human-resources office for the state and handles other sensitive material involving state contracts and bidding. It, too, is moving to add encryption software to its list of security features protecting laptops, said spokesman Ben Piscitelli. No computers with personal data have gone missing. Ohio State and OU do not require encryption software to protect sensitive information on laptops, but are studying a move toward such protection, officials said.
OSU is working with a consortium of Big Ten and other universities to identify best practices, likely to include stepped-up security, said Robert Kalal, director of information technology policy and services. OU has made headlines with a series of computer security breaches in which hackers stole vast amounts of personal information, including Social Security numbers on more than 173,000 students, alumni, faculty and others. Neither university has experienced the theft of laptops containing personal data, officials said. What about the Bureau of Motor Vehicles and its voluminous files on drivers and online vehicle registrations involving banking information? The bureau does not allow any sensitive information to be stored on laptop computers or other portable devices, spokesman Fred Stratmann said.
[ISN] REVIEW: Practical VoIP Security, Thomas Porter et al
Forwarded from: Rob, grandpa of Ryan, Trevor, Devon Hannah [EMAIL PROTECTED] BKPVOIPS.RVW 2060602 Practical VoIP Security, Thomas Porter et al, 2006, 1-59749-060-1, U$49.95/C$69.95 %A Thomas Porter %C 800 Hingham Street, Rockland, MA 02370 %D 2006 %G 1-59749-060-1 %I Syngress Media, Inc. %O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 [EMAIL PROTECTED] %O http://www.amazon.com/exec/obidos/ASIN/1597490601/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1597490601/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1597490601/robsladesin03-20 %O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation) %P 563 p. %T Practical VoIP Security VoIP (Voice over Internet Protocol) is something of the new kid on the technology block, and computer folks may have limited experience with telephony. It therefore seems a bit strange that chapter one, as an introduction to VoIP security, starts out by talking about computer security and attacks. However, the structure of the book is rather odd in any case. The basics of telephony, and the Public Switched Telephone Network (PSTN), are not covered until chapter four. Even then, while there is some useful trivia, most of the content is a list of telephony protocols. Chapter three covers some of the basic hardware and element information, discussing PBX (Private Branch eXchange) systems, VoIP components, and even power supplies. That material, in turn, would be helpful to those who try to understand chapter two, which is supposed to be about the Asterisk PBX software package. Although the text purports to deal with configuration and features of Asterisk, most of the section's content covers PBX operations and functions, dial plans, telephony numbering plans, and even a terse piece on the vital aspect of circuit versus packet switching. 
With chapter five, the book moves into some of the specifics of VoIP, discussing H.323, a protocol to specify data formats that is used extensively in commercial IP telephony products. SIP, the Session Initiation Protocol (used to negotiate interactive sessions over the net), gets a more detailed treatment (along with examination of related protocols) in chapter six. Other IP telephony architectures are briefly listed in chapter seven: the very popular Skype, H.248, IAX (Inter Asterisk eXchange), and Microsoft's Live Communications Server 2005 (MLCS). Diverse protocols used in support of VoIP are discussed in chapter eight. Most of these are commonly used in other Internet applications: some; such as RSVP (Resource reSerVation Protocol), SDP (Session Description Protocol), and Skinny; are more specialized. All the listed protocols have some review of security implications, which marks the first time in the book that security seems to be a major issue. Chapter nine examines specific threats and attacks, mostly related to denial of service and hijacking. Securing the infrastructure used for VoIP is important, although the material in chapter ten is fairly standard information security. Chapter eleven reviews a number of ordinary authentication tools that are frequently used in VoIP. Active Security Monitoring, in chapter twelve, is the traditional intrusion detection and penetration testing, and has nothing specific to IP telephony applications. Similarly, chapter thirteen examines normal traffic management and LAN segregation issues: the only telephony related content is in regard to VoIP aware firewalls. The IETF (Internet Engineering Task Force) has recommended certain existing security protocols in regard to IP telephony, and one addition (SRTP, Secure Real-time Transfer Protocol): these are outlined in chapter fourteen. Chapter fifteen lists various (United States) data security related regulations and the European Union privacy directive. 
The IP Multimedia Subsystem (IMS) structure is reviewed in chapter sixteen. Chapter seventeen repeats the recommendations made in chapters ten through fourteen. It is handy to have a number of the issues related to VoIP addressed in one work. There is some depth to the content of the text as well, and those dealing with system internals may find that useful. However, for those who need to manage or make policy or purchasing decisions in regard to VoIP, this book may not have the forcefulness of complete analysis, or a structure that would assist in learning the background. While there is a considerable amount of helpful information, it reads more like an accumulation of miscellaneous facts than a directed study. copyright Robert M. Slade, 2006 BKPVOIPS.RVW 2060602 == (quote inserted randomly by Pegasus Mailer) [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] An Englishman, even if he is alone, forms an orderly queue of one - George Mikes Dictionary Information Security www.syngress.com/catalog/?pid=4150
[ISN] Hacker breaks into Treasurer's Office
http://www.journalstar.com/articles/2006/06/29/local/doc44a3fa6c4f795799631319.txt By NATE JENKINS Lincoln Journal Star June 30, 2006 Personal and financial information of more than 300,000 people may be in the hands of a hacker following a Wednesday break-in of the state computer system that processes child-support payments. A preliminary investigation of the incident suggests that the hacker did not download the information, said State Treasurer Ron Ross. But the possibility does exist. Based upon the method of attack, it is more likely the hacker's intent was not to steal information, but rather to do something malicious since the hacker inserted a virus onto the server, which we immediately removed, Ross said. The child-support payment system was centralized in the treasurer's office five years ago and now processes $1 million in transactions daily. Identity information potentially stolen by the hacker, which investigators believe may be based outside the U.S. and possibly in Asia, includes: names, addresses, bank account numbers, social security numbers and tax identification numbers. Roughly 300,000 individuals and 9,000 employers may be affected. Ross said it was the first time the computer system, called KidCare, had been hacked. He was not aware of similar security breaches in other states. The break-in, which Ross said lasted about 40 minutes, was detected by an employee after coming to work Wednesday morning. The system is not monitored 24 hours a day by a person. The State Patrol has initiated a full investigation that could include help from the FBI and other agencies. Ross pledged to get to the bottom of it and implement new safeguards to prevent future break-ins. But that won't likely include round-the-clock monitoring of the system by a person. I don't think we're at a point in government we want somebody standing by a computer screen 24-7, but we do need protocols in place, Ross said. 
We thought we had good safeguards...somebody got in a door we didn't think they'd be able to get into. The hard drive and server affected by the breach were immediately replaced. Unlike many arms of state government, the child-support system is not part of the state's centrally controlled computer system, said Brenda Decker, chief information officer for the state. The incident will prompt state officials to take a closer look at whether it should be. We're working with the State Patrol to see if we can make this as secure and hardened as the rest of the system, Decker said. Asked during a press conference if the child-support system had the best available security system, Ross said he believed it did. Those who pay or receive child-support should closely monitor their bank accounts, and are advised to close them if they see suspicious activity. © 2002-2006, Lincoln Journal Star. All rights reserved.
[ISN] Secunia Weekly Summary - Issue: 2006-26
The Secunia Weekly Advisory Summary 2006-06-22 - 2006-06-29 This week: 88 advisories

Table of Contents:
1) Word From Secunia
2) This Week In Brief
3) This Week's Top Ten Most Read Advisories
4) Vulnerabilities Summary Listing
5) Vulnerabilities Content Listing

1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/

2) This Week in Brief: Plebo Aesdi Nael has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information and potentially compromise a user's system. Secunia has constructed a test for one of the issues, which is available at: http://secunia.com/internet_explorer_information_disclosure_vulnerability_test/ Additional details can be found in the referenced Secunia advisory. Reference: http://secunia.com/SA20825

-- VigilantMinds has reported a vulnerability in the Opera browser, which potentially can be exploited by malicious people to compromise a user's system. Additionally, a weakness has also been reported, which can be exploited to display the SSL certificate from a trusted site on an untrusted site. Further details are available in the referenced Secunia advisories. References: http://secunia.com/SA20787 http://secunia.com/SA19480

-- Two vulnerabilities have been reported in various F-Secure Antivirus products, which can be exploited by malware to bypass the scanning functionality. The vendor has released patches, which correct these vulnerabilities. Please refer to the referenced Secunia advisory for additional details. Reference: http://secunia.com/SA20858

-- VIRUS ALERTS: During the past week Secunia collected 253 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

3) This Week's Top Ten Most Read Advisories:
1. [SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow
2. [SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability
3. [SA20686] Microsoft Excel Repair Mode Code Execution Vulnerability
4. [SA20787] Opera JPEG Processing Integer Overflow Vulnerability
5. [SA20825] Internet Explorer Information Disclosure and HTA Application Execution
6. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability
7. [SA20773] Yahoo! Messenger Denial of Service Weakness
8. [SA20789] Cisco CallManager RealVNC Password Authentication Bypass
9. [SA20723] IBM HMC Sendmail and OpenSSH Vulnerabilities
10. [SA20783] GnuPG parse-packet.c Denial of Service Vulnerability

4) Vulnerabilities Summary Listing
Windows:
[SA20862] Nokia PC Suite CDDBControl ActiveX Control Buffer Overflow
[SA20861] Gracenote CDDBControl ActiveX Control Buffer Overflow
[SA20789] Cisco CallManager RealVNC Password Authentication Bypass
[SA20858] F-Secure Antivirus Products Scanning Bypass Vulnerability
[SA20855] Lotus Domino Malformed vCal Processing Denial of Service
[SA20851] Icculus.org Quake3 Engine Two Vulnerabilities
[SA20790] MailEnable SMTP Service HELO Denial of Service
[SA20777] Webmin Directory Traversal Vulnerability
[SA20825] Internet Explorer Information Disclosure and HTA Application Execution
[SA20856] CA Products Scan Job Description Format String Vulnerability
[SA20816] Cisco Secure ACS Session Management Security Issue
[SA20794] Trend Micro Control Manager Username Script Insertion
[SA20830] Lanap BotDetect ASP.NET CAPTCHA Bypass Weakness
UNIX/Linux:
[SA20879] Mandriva update for mutt
[SA20866] Mandriva update for tetex
[SA20854] Gentoo update for mutt
[ISN] EMC to buy RSA for $2.1 billion
http://news.com.com/EMC+to+buy+RSA+for+2.1+billion/2100-7350_3-6089665.html By Joris Evers Staff Writer, CNET News.com June 29, 2006 update: Data storage specialist EMC has agreed to acquire digital security company RSA Security for slightly less than $2.1 billion. EMC will pay $28 in cash for each share of RSA and the assumption of outstanding options, the Hopkinton, Mass., company said Thursday in a statement. That brings the aggregate purchase price to just under $2.1 billion, net of RSA's existing cash balance, it said. With the takeover, EMC said, it will create a company that can help organizations securely manage their information. EMC is a large provider of data storage products, while RSA sells identity and access management technologies, such as its SecurID tokens, as well as encryption and key management software. EMC is where information lives and tomorrow EMC will be the company where information lives securely, Joe Tucci, chief executive of the data storage maker, said on a conference call. During the conference call, Tucci faced heat from financial analysts who questioned the relatively high price paid for RSA and the reasons for acquiring the company. This company and this space are incredibly hot, Tucci said in response to the critique. This was critical technology. I am telling you this was very competitive. Not having it would have put us at a severe disadvantage, and others that might have bought it would not have wanted to share it with us. To grow its business, EMC needs to integrate data storage and security, Tucci said. That is mandatory and if you don't do it right, you fall off. The whole name of the game here is how you build continued value for the long shot. The announcement of the deal came after RSA Security earlier on Thursday issued a statement saying that it was in negotiations with unnamed parties on a potential strategic deal. 
That statement followed a New York Times report that said EMC was close to buying the digital security company. RSA put itself up for auction several months ago, the newspaper said. The acquisition is expected to be completed late in the third quarter or early in the fourth quarter of 2006, subject to customary closing conditions and regulatory approvals, EMC said. Upon completion of the deal, RSA will operate as EMC's Information Security Division, headquartered in Bedford, Mass. Art Coviello, RSA's current president and CEO, will become an executive vice president of EMC and president of the division.
[ISN] Stolen VA Laptop and Hard Drive Recovered
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/29/AR2006062900352.html By Christopher Lee and Zachary A. Goldfarb Washington Post Staff Writers June 30, 2006 Federal officials yesterday announced the recovery of computer equipment stolen from an employee of the Department of Veterans Affairs. They said that sensitive personal information of 26.5 million veterans and military personnel apparently had not been accessed. The laptop and external hard drive, stolen May 3 from a VA data analyst's home in Aspen Hill, contained the names, birth dates and Social Security numbers of millions of current and former service members. The theft was the largest information security breach in government history and raised fears of potential mass identity theft. VA Secretary Jim Nicholson announced the recovery yesterday during a hearing of the House Committee on Veterans Affairs. Law enforcement has in their possession the laptop and hard drive, Nicholson said. The serial numbers match. They are diligently conducting forensic analysis on it to see if they can tell whether it's been duplicated or utilized or entered in any way, and that work is not complete. However, they did say to me that there is reason to be optimistic. FBI officials and local authorities said at a news conference that a person who had the laptop contacted U.S. Park Police on Wednesday after seeing news accounts and notices of a $50,000 reward offered by Montgomery County police. The devices were recovered in the general vicinity of Aspen Hill, said Chief Dwight E. Pettiford of the Park Police. FBI Special Agent in Charge William D. Chase, of the agency's Baltimore office, said it is way too early to say whether the person will get the reward or whether criminal charges will be filed soon. FBI spokeswoman Michelle Crnkovich said the tipster is not a suspect. 
A preliminary review of the equipment by computer forensic teams has determined that the data base remains intact and has not been accessed since it was stolen, the FBI said in a statement. A thorough forensic examination is underway, and the results will be shared as soon as possible. Lawmakers hailed the investigative work but said VA still has much to do to improve data security. [T]he basic deficiencies leading to this data loss must be corrected, Rep. Steve Buyer (R-Ind.), chairman of the Veterans Affairs Committee, said in a statement. The history of lenient policies and lack of accountability within VA management must be rectified. Rep. Lane Evans (Ill.), the committee's ranking Democrat, said in a statement: Today's announcement does not relieve the Department of Veterans Affairs from fixing its broken data security system and failed leadership. The theft has proved to be an embarrassing and expensive management failure for VA. In a series of hearings, lawmakers have criticized Nicholson for the department's lax security practices and sluggish response, noting that the secretary was not told of the burglary for 13 days. The incident also has cast light on the department's consistent ranking near the bottom among federal agencies in an annual congressional scorecard of computer security. Pedro Cadenas Jr., the VA official in charge of information security, resigned yesterday for personal reasons, VA officials said. Earlier, a high-ranking political appointee was dismissed and a longtime career manager was forced to retire. The Bush administration this week asked Congress for $160.5 million to pay for free credit monitoring for veterans and military personnel. VA already has budgeted $25 million to create a call center to handle veterans' questions and to send letters alerting veterans about the theft. Several veterans groups have filed class-action lawsuits locally and in Kentucky against the government, seeking $1,000 in damages per affected veteran. 
Initially, VA thought that all of the 26.5 million people affected were veterans. But a database comparison revealed that the stolen equipment also contained Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel, including 1.1 million active-duty military personnel, 430,000 National Guard members and 645,000 reserve members. Nicholson said it is too early to tell whether free-credit monitoring for veterans is now unnecessary. VA still plans to hire a data analysis company to monitor whether veterans' identities are being stolen, he said. Rep. Bob Filner (D-Calif.) said yesterday that three VA documents obtained by the Veterans Affairs Committee indicate that the data analyst was authorized to take a laptop home and use a software package to access the data. That contradicted Nicholson's previous testimony that the employee was not authorized to have the information at home. He got all the approvals that he was supposed to have, Filner said. I don't know of a policy that he violated, if you'll tell me one. And that's the real negligence -- that there were
[ISN] Indy VA office is missing backup tape with vets' records
http://www.indystar.com/apps/pbcs.dll/article?AID=/20060630/NEWS02/606300440 By Maureen Groppe Star Washington Bureau June 30, 2006 WASHINGTON -- The Department of Veterans Affairs is missing a backup tape with more than 16,000 legal case records from an Indianapolis office serving veterans in Indiana and Kentucky. That disclosure came the same day Veterans Affairs Secretary Jim Nicholson announced the recovery of a stolen laptop computer and hard drive containing personal information on as many as 26.5 million veterans. The missing tape from the Regional General Counsel's Office in Indianapolis doesn't contain as much data as was on the stolen laptop, said U.S. Rep. Steve Buyer, R-Ind., who heads the House Veterans' Affairs Committee. But the information is of greater sensitivity, he said, because much is privileged and confidential. The Indianapolis tape contains personally identifiable information on veterans, their dependents or department employees, such as dates of birth, Social Security numbers, patient records and other documentation related to legal cases handled by the Regional General Counsel's Office. The office, in the Federal Building in Indianapolis, handles VA cases involving such issues as collections on bankruptcies, hospital debt, tort claims, workers' compensation and other employee complaints. The cases also may involve neighboring states. Whether the tape was misplaced or stolen, or something else happened, Buyer said, is completely open to the realm of imagination and speculation. Nicholson said veterans potentially affected are being notified and will have access to the same free credit-protection monitoring system that has been offered to those whose information was on the stolen laptop. Copyright 2006 IndyStar.com. All rights reserved
[ISN] REVIEW: Configuring SonicWALL Firewalls, Chris Lathem et al
Forwarded from: Rob, grandpa of Ryan, Trevor, Devon Hannah [EMAIL PROTECTED]

BKCNSWFW.RVW   20060602

"Configuring SonicWALL Firewalls", Chris Lathem et al, 2006, 1-59749-250-7, U$49.95/C$69.95
%A   Chris Lathem
%C   800 Hingham Street, Rockland, MA 02370
%D   2006
%G   1-59749-250-7
%I   Syngress Media, Inc.
%O   U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 [EMAIL PROTECTED]
%O   http://www.amazon.com/exec/obidos/ASIN/1597492507/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/1597492507/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597492507/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   500 p.
%T   "Configuring SonicWALL Firewalls"

Chapter one provides an overview of the basics of networking, information security (at a rather simplistic level), and firewalls. The features of SonicWALL devices are described in chapter two. The material is mostly at sales brochure level. While some negative points are raised, the text is not particularly careful: at one point we are told that the SonicWALL can terminate any type of VPN (Virtual Private Network), while later it is admitted that it can terminate any IPSec VPN. Management and configuration is covered in chapter three, although the command line interface gets pretty short shrift. Access control and policy management is dealt with in chapter four. Chapter five reviews user accounts and authentication.

The two routing protocols possible with SonicWALL, RIP (Routing Information Protocol) and OSPF (Open Shortest Path First), are described in chapter six. Chapter seven explains network address translation (NAT) and lists the SonicWALL dialogue boxes for it. Transparent (layer two) mode screenshots are contained in chapter eight. Chapter nine throws around terms like attack detection and defence and intrusion prevention, but is really a list of the application proxy setting screens. IPSec adjustments are shown in chapter ten. Availability and redundancy functions are described in chapter eleven.
Troubleshooting, in chapter twelve, enumerates various utilities and diagnostics. Chapter thirteen shows shots of the multi-device management system.

This is a decent enough replacement for vendor documentation, but not much more.

copyright Robert M. Slade, 2006   BKCNSWFW.RVW   20060602

==  (quote inserted randomly by Pegasus Mailer)
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
It is bad to suppress laughter; it goes back down and spreads to your hips.
Dictionary Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
[ISN] Authorities warn of wireless cyber pirates
http://www.9news.com/acm_news.aspx?OSGNAME=KUSAIKOBJECTID=1db245df-0abe-421a-019d-d112657c4febTEMPLATEID=0c76dce6-ac1f-02d8-0047-c589c01ca7bf

By Ward Lucas
I-Team Reporter
6/28/2006

DOUGLAS COUNTY - The Sheriff's Department says it's going to start warning computer users that their networks may be vulnerable to hackers. It may be one of the first law enforcement agencies in the country to do so.

Wireless computer equipment and home computer networks are everywhere these days. Almost all new computers sold are used by consumers to network in one way or another to other computers. However, that wireless capability may be making those computers vulnerable to hackers.

"If someone is driving by on the street they could easily use your internet access to commit a crime, whether it's fraudulent credit card transactions or surfing child porn or something else," said Brian Radamacher, a member of the Douglas County Sheriff's Special Investigations Unit.

Wireless computer equipment sends out signals that sometimes broadcast for up to a mile. Other computer users can home in on those signals and use them to access the internet. Radamacher says hackers can use stolen Internet access to make fraudulent credit card purchases or bank transfers. He also says hackers can upload or download such things as child pornography.

That activity would be completely invisible to the legitimate owner of that network. However, it could make innocent computer users vulnerable to having their computers confiscated during police investigations.

"The unfortunate thing is when we go to issue the warrants or something else you may end up getting your computer seized because of it," said Radamacher. "A lot of times it can take months to get your computer back after the processing."

The Sheriff's Department plans to equip several of its community service and patrol cars with devices that detect unprotected computer networks.
In cases where investigators can figure out who owns the networks, they'll try to warn of potential security issues. They'll also drop off brochures with instructions to computer users on how to password protect their networks.

Copyright by KUSA-TV, All Rights Reserved
[ISN] It's the Economy, Stupid
http://www.wired.com/news/columns/0,71264-0.html

By Bruce Schneier
June 29, 2006

I'm sitting in a conference room at Cambridge University, trying to simultaneously finish this article for Wired News and pay attention to the presenter onstage.

I'm in this awkward situation because 1) this article is due tomorrow, and 2) I'm attending the fifth Workshop on the Economics of Information Security, or WEIS: to my mind, the most interesting computer security conference of the year.

The idea that economics has anything to do with computer security is relatively new. Ross Anderson and I seem to have stumbled upon the idea independently. He, in his brilliant article from 2001, "Why Information Security Is Hard -- An Economic Perspective" (.pdf), and me in various essays and presentations from that same period.

WEIS began a year later at the University of California at Berkeley and has grown ever since. It's the only workshop where technologists get together with economists and lawyers and try to understand the problems of computer security.

And economics has a lot to teach computer security. We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: The people who could protect a system are not the ones who suffer the costs of failure.

When you start looking, economic considerations are everywhere in computer security. Hospitals' medical-records systems provide comprehensive billing-management features for the administrators who specify them, but are not so good at protecting patients' privacy. Automated teller machines suffered from fraud in countries like the United Kingdom and the Netherlands, where poor regulation left banks without sufficient incentive to secure their systems, and allowed them to pass the cost of fraud along to their customers. And one reason the internet is insecure is that liability for attacks is so diffuse.
In all of these examples, the economic considerations of security are more important than the technical considerations.

More generally, many of the most basic security questions are at least as much economic as technical. Do we spend enough on keeping hackers out of our computer systems? Or do we spend too much? For that matter, do we spend appropriate amounts on police and Army services? And are we spending our security budgets on the right things? In the shadow of 9/11, questions like these have a heightened importance.

Economics can actually explain many of the puzzling realities of internet security. Firewalls are common, e-mail encryption is rare: not because of the relative effectiveness of the technologies, but because of the economic pressures that drive companies to install them. Corporations rarely publicize information about intrusions; that's because of economic incentives against doing so. And an insecure operating system is the international standard, in part, because its economic effects are largely borne not by the company that builds the operating system, but by the customers that buy it.

Some of the most controversial cyberpolicy issues also sit squarely between information security and economics. For example, the issue of digital rights management: Is copyright law too restrictive -- or not restrictive enough -- to maximize society's creative output? And if it needs to be more restrictive, will DRM technologies benefit the music industry or the technology vendors? Is Microsoft's Trusted Computing initiative a good idea, or just another way for the company to lock its customers into Windows, Media Player and Office? Any attempt to answer these questions becomes rapidly entangled with both information security and economic arguments.

WEIS encourages papers on these and other issues in economics and computer security.
We heard papers presented on the economics of digital forensics of cell phones (.pdf) -- if you have an uncommon phone, the police probably don't have the tools to perform forensic analysis -- and the effect of stock spam on stock prices: It actually works in the short term. We learned that more-educated wireless network users are not more likely to secure their access points (.pdf), and that the best predictor of wireless security is the default configuration of the router.

Other researchers presented economic models to explain patch management (.pdf), peer-to-peer worms (.pdf), investment in information security technologies (.pdf) and opt-in versus opt-out privacy policies (.pdf). There was a field study that tried to estimate the cost to the U.S. economy for information infrastructure failures (.pdf): less than you might think. And one of the most interesting papers looked at economic barriers to adopting new security protocols (.pdf), specifically DNS Security Extensions.

This is all heady stuff. In the early years, there was a bit of a struggle as the economists and the computer security technologists tried to learn each others' languages. But now it seems that
[ISN] NHS mobile data security is pants
http://www.theregister.co.uk/2006/06/28/nhs_mobile_security_survey/

By John Leyden
28th June 2006

Sensitive medical and personal details are in danger of exposure because of lax data security among health sector workers, according to a new survey.

The study, sponsored by mobile security firm Pointsec, found that almost two thirds of health sector workers use inadequate security. Half of those in the NHS use their own mobile devices to store data, a basic breach of security practice.

The "Mobile device usage in the health care sector" survey, carried out by Pointsec and the British Journal of Healthcare Computing Information Management, also found that one-fifth of the devices used to store data have no security on them at all. A further 40 per cent have only password-controlled access that would be easy for a skilled hacker to defeat using a dictionary-style attack. Only a quarter of respondents used passwords in conjunction with other security features such as encryption, biometrics, smart card and two-factor authentication.

The 117 participants in the survey included information managers, IT managers and medical professionals in the NHS. A quarter of those who took part in the study supplied equipment to the health care sector.

USB memory sticks or cards (76 per cent) were often used to download data among health care pros, followed by laptops (69 per cent), PDA/Blackberry (51 per cent), smartphones (nine per cent) and mobile phones (two per cent). Almost half (42 per cent) of respondents owned at least one of the devices they used.

These mobile devices were commonly used to store work contact details (75 per cent), but nearly two thirds stored corporate data, and one in five used mobile devices to store security details, such as passwords and PIN codes.
About half of the medical professionals surveyed stored patient records on mobile devices, a potentially serious risk to patient confidentiality given that a quarter of respondents have admitted losing a mobile device.

Pointsec says its survey is evidence that inadequate security procedures are allowing mobile devices to fall through the security net. It advises wider use of mobile encryption technologies, a business Pointsec itself specialises in. ®
[ISN] Storage Company's Online Security Breach Exposed
http://cbs5.com/topstories/local_story_178210503.html

By Sue Kwon
Reporting
Jun 27, 2006

(CBS 5) A CBS 5 investigation has confirmed a security breach at a popular self-storage company that may have exposed customers' private information on its website.

A Rent-A-Space has taken its online payment system offline and is notifying thousands of customers to check for identity theft after CBS 5 told the company about a flaw on their website.

Howard Fortner describes the security at A Rent-A-Space in Colma as "tighter than Fort Knox." So he was surprised when the cyber gate was left wide open on the storage facility's website.

While trying to make an online payment, Fortner says he accidentally typed in someone else's storage unit number along with his password, which is his phone number. Up popped another customer's private information, including a name, address, credit card, and Social Security number.

"I thought about mine's as vulnerable as that one," Fortner said. "I tried it with a different number, and several accounts opened up."

His password opened at least five other customer profiles.

After CBS 5 alerted A Rent-A-Space to the problem, the company worked with the Arizona software developer who created the site's account-based program called Web-Expres. By late Tuesday afternoon, they found the glitch and have taken the payment system offline until it is patched.

A Rent-A-Space says its online payment system has been up for a year with no other incidents reported. The company says it plans to mail out 13,000 letters about the discovery to customers in California and Hawaii, including those who have items stored at the 10 Bay Area facilities.

(© MMVI, CBS Broadcasting Inc. All Rights Reserved.)
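The story above describes an authorization flaw in which a valid password opens records for unit numbers the customer does not own. The example below is added here and is not A Rent-A-Space's or Web-Expres code: the account data is constructed, and the vulnerable function is an assumed reconstruction of one way such a flaw arises (validating the password on its own, then displaying whatever unit number was typed). Beside it sits a lookup that binds the returned record to the authenticated pair, a redaction step so that even the rightful owner never receives a full card number back from the payment page, and a small monitor that flags one session viewing several different units, which is exactly the pattern Fortner's accidental test would have produced.

```python
"""Added example (not A Rent-A-Space or Web-Expres code): the account-lookup
flaw described in the CBS 5 story, a hardened lookup, and a simple detector.

All data below is constructed: unit numbers, names, phone numbers and card
numbers are made up.  vulnerable_lookup() is an assumed reconstruction of
how "one password opens other units" can happen, not the vendor's logic.
"""
from collections import defaultdict
from typing import Dict, Optional, Set
import hmac

# Constructed sample data: storage unit number -> customer record.
# The password is the customer's phone number, as the article describes.
ACCOUNTS = {
    "A101": {"name": "Customer One",   "phone": "555-0101", "card": "4111111111111111"},
    "A102": {"name": "Customer Two",   "phone": "555-0102", "card": "4222222222222222"},
    "B207": {"name": "Customer Three", "phone": "555-0303", "card": "4333333333333333"},
}


def vulnerable_lookup(unit: str, password: str) -> Optional[dict]:
    """Assumed flaw: the password is checked on its own (is it anyone's
    phone number?) and the record shown is whatever unit the user typed.
    Authentication and record selection are decoupled, so any customer who
    knows their own password can read any other unit's profile."""
    if password not in {rec["phone"] for rec in ACCOUNTS.values()}:
        return None
    return ACCOUNTS.get(unit)


def redacted(rec: dict) -> dict:
    """A payment page only needs the last four card digits; never echo the
    full number (or an SSN) back to the browser, even to the rightful owner."""
    return {"name": rec["name"], "card_last4": rec["card"][-4:]}


def hardened_lookup(unit: str, password: str) -> Optional[dict]:
    """Authenticate the (unit, password) pair together and return only the
    record that pair identifies.  The comparison is constant-time; a real
    deployment would store salted password hashes rather than phone numbers."""
    rec = ACCOUNTS.get(unit)
    # Compare against a dummy value for unknown units so that response timing
    # does not reveal which unit numbers exist.
    expected = rec["phone"] if rec is not None else "000-0000"
    if not hmac.compare_digest(expected, password) or rec is None:
        return None
    return redacted(rec)


class EnumerationMonitor:
    """Flags a session that views several different unit numbers.  Keyed by
    session id, never by the password itself, so the log holds no secrets."""

    def __init__(self, threshold: int = 3) -> None:
        self.threshold = threshold
        self.units_by_session: Dict[str, Set[str]] = defaultdict(set)

    def record(self, session_id: str, unit: str) -> bool:
        """Record one lookup; True once the session crosses the threshold."""
        self.units_by_session[session_id].add(unit)
        return len(self.units_by_session[session_id]) >= self.threshold


if __name__ == "__main__":
    # Customer One's password against Customer Two's unit: the flaw exposes it,
    # the hardened lookup refuses it, and the owner's own lookup is redacted.
    print(vulnerable_lookup("A102", "555-0101"))
    print(hardened_lookup("A102", "555-0101"))
    print(hardened_lookup("A101", "555-0101"))
```

The monitor is deliberately crude: a threshold of three distinct units per session would have caught the five profiles Fortner opened, while a customer who owns two units stays below it. In production the same signal belongs in the web server's access log (session id, unit requested, unit authenticated), which also gives the incident responders the evidence the article says the company lacked.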
[ISN] Energy CIO outlines security plans
http://www.fcw.com/article95092-06-28-06-Web

By Michael Hardy
June 28, 2006

Tom Pyke, chief information officer at the Energy Department, launched a security revitalization program there when he took the position in November 2005. Today that program is making strides in locking intruders out of the department's systems, he told an audience at a luncheon hosted by Input.

DOE has been in the spotlight recently because of a successful attack in which cyberthieves stole personal data on about 1,500 contract and agency employees. That incident happened in July 2005, Pyke said, but it was not reported to agency leaders until recently. The revitalization project was not connected to that theft, he added.

The thieves used an old-fashioned social engineering attack, sending an e-mail message with malicious code in an attachment. An employee clicked on the attachment, executing software that set up a back door for the thieves to access the network of the National Nuclear Security Agency, a semi-autonomous organization within DOE.

DOE includes a network of national laboratories, and about 60 percent of the computer systems within the department are connected to national security, which calls for extra protection, he said.

"We have a lot of the right policies and we have very bright people," Pyke said. "It's just a matter of [my] helping refocus priorities."

DOE seems to be a favorite target of would-be hackers, with several hundred thousand attempted attacks a day, he said. Most of those, however, are routine and harmless, and fewer than 100 so far this year have been deemed incidents needing a response.

The revitalization effort includes the increased use of encryption software, regular analysis of every aspect of cybersecurity throughout the department and the use of red teams, employees who try to defeat the defenses to identify weaknesses, he said.
Despite best efforts, however, agency leaders and the public need to understand there's no such thing as perfect cyberdefense, Pyke said. "We have made systems so complex that there will be vulnerabilities, and sometimes those vulnerabilities will be exploited before we can get protection in place."
[ISN] U.S. Cybersecurity Chief May Have a Conflict of Interest
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/28/AR2006062801903.html

Associated Press
June 29, 2006

The Bush administration's cybersecurity chief is a contract employee who earns $577,000 under an agreement with a private university that does extensive business with the federal office he manages.

Donald "Andy" Purdy Jr. has been acting director of the Homeland Security Department's National Cyber Security Division for 21 months. His two-year contract with Carnegie Mellon University in Pittsburgh has drawn attention from members of Congress. By comparison, the Homeland Security secretary, Michael Chertoff, is paid $175,000 annually.

Purdy is on loan from the school to the government, which is paying nearly all his salary. Meanwhile, Purdy's cybersecurity division has paid Carnegie Mellon $19 million in contracts this year, almost one-fifth of the unit's total budget.

Purdy said he has not been involved in discussions of his office's business deals with the school. "I'm very sensitive to those kinds of requirements," Purdy said. "It's not like Carnegie Mellon has ever said to me, 'We want to do this or that. We want more money.'"

Some lawmakers who oversee the department questioned the decision to hire Purdy as acting cybersecurity director. They noted enduring criticism by industry experts and congressional investigators over the department's performance on cybersecurity matters.

Purdy's contract "raises questions about whether the American people are getting their money's worth," Democratic Reps. Bennie Thompson of Mississippi and Loretta Sanchez and Zoe Lofgren, both of California, wrote in a letter to Republicans.

Purdy, a longtime lawyer, has held a number of state and federal legal and managerial jobs. He has no formal technical background in computer security. Purdy controls a budget of about $107 million and as many as 44 full-time federal employees. He said his salary is commensurate with those of some other government contractors.
Purdy's former boss and predecessor as cybersecurity chief, Amit Yoran, earned $131,342 before he resigned abruptly in October 2004. Chertoff agreed one year ago to create a position of assistant secretary over cybersecurity. The job is unfilled, a point of consternation among many security experts.

Carnegie Mellon is highly regarded among experts who study hacker attacks and software flaws. The university declined to comment on Purdy's salary, citing employee confidentiality. It said it has avoided discussing government contracts with Purdy in his role as chief of the cybersecurity office that awards those contracts.

The department said Purdy consulted with ethics lawyers when he signed his employment contract. Purdy is so careful about avoiding potential conflicts that he leaves the room when employees discuss contracts related to Carnegie Mellon's work, said one DHS official, who spoke on the condition of anonymity because this official is not authorized to speak with reporters.

© 2006 The Washington Post Company
[ISN] Ohio University Sued As Result Of Data Theft
http://www.channelcincinnati.com/news/9431401/detail.html

June 27, 2006

ATHENS, Ohio -- Two graduate students have filed lawsuits against Ohio University due to recent data thefts from school computers.

Donald Jay Kulpa, 31, of Cincinnati, and Kenneth Neben, 34, formerly of Columbus and now living in New Jersey, sued OU, claiming their privacy had been violated.

Kulpa and Neben are two of possibly 173,000 students, employees, or faculty whose Social Security numbers were stolen in five separate instances since March 2005. Of the 173,000 people, about 367,000 files containing personal information such as Social Security numbers, names, medical records, and home addresses were breached.

The lawsuit was filed Friday in the Ohio Court of Claims in Columbus. On the same day, OU made a decision to spend $4 million to heighten computer security on campus.

The lawsuit asks a judge to order the school to compensate for any financial loss as a result of identity thefts linked to security breaches at OU. They also want the school to pay for credit monitoring services for anybody whose personal information may have been breached. Kulpa and Neben's lawsuit seeks class-action status to represent anyone affected, including students, faculty, and employees.

John Burns, OU's legal affairs director, said he expected a lawsuit but not one that reached class-action status. "We'll review it and we'll defend it," Burns said.

Mark Mezibov, a Cincinnati lawyer representing Kulpa and Neben, said the university was negligent and indifferent in failing to protect personal information.

A recent consultants' report concluded that OU's Computer and Network Services division considered security as a low priority for the past decade. However, the division had an annual budget of about $11 million and recent annual surpluses averaging $1.4 million.
Last week, OU suspended the director of Computer and Network Services and the Internet and systems manager, pending an investigation regarding the security breaches.

On April 21, the university announced it had discovered a security breach at its training center for fledgling businesses. Since the incident, breaches have been reported at the alumni office, health center, and the department that handles records for businesses the university hires.

Copyright 2006 by ChannelCincinnati.com. The Associated Press contributed to this report.
[ISN] HSBC customers hit by Bangalore breach
http://software.silicon.com/security/0,39024655,39159940,00.htm

By Andy McCue
27 June 2006

A security breach at HSBC's offshore data processing unit in Bangalore has led to £233,000 being stolen from the accounts of a small number of UK customers.

A 24-year-old worker at the HSBC operation has been suspended after being accused of accessing confidential account information and passing it on to criminal associates in the UK.

Fears about the security of offshore business process outsourcing (BPO) operations will be heightened by reports in India claiming the HSBC employee also used false records to obtain the job at the bank.

The HSBC worker was caught when the fraud was detected by the bank's security systems. A spokesman for HSBC told silicon.com: "Our internal security team discovered one of HSBC's staff in Bangalore caused customer data to be leaked leading to a small number of accounts from the UK being compromised."

He declined to comment any further on the details of the breach but said all affected customers - reported to be around 20 in number - have been contacted and will be fully reimbursed for any losses.

The HSBC spokesman added: "We are taking data protection seriously. These systems are sophisticated and in place to help track these things down."

Sunil Mehta, VP of India's IT industry body Nasscom, insisted such security breaches are not unique to offshore operations and can happen in any country.

He said: "India, with its strong legal system and its independent judiciary, is a country that takes this responsibility extremely seriously. Nasscom will work with the legal authorities in the UK and India to ensure that those responsible for any criminal breaches are promptly prosecuted and face the maximum penalty."

Just last month Nasscom created a new regulatory body to help improve data security among India's offshore IT services and BPO companies.
[ISN] Does Wi-Fi security matter?
http://news.zdnet.co.uk/internet/security/0,39020375,39277577,00.htm

By Tom Espiner
ZDNet UK
June 27, 2006

People 'just don't care' about Wi-Fi security according to researchers, but some senior security experts argue there's no need to secure networks at all.

A large percentage of Wi-Fi networks are horribly insecure, according to researchers at Indiana University. In a study of almost 2,500 access points in Indianapolis, presented at the Workshop on the Economics of Information Security at the University of Cambridge on Monday, researchers found that 46 percent were not running any form of encryption.

"People just really don't care about Wi-Fi security, and open Wi-Fi at home is a nice big target," said Matthew Hottell, lecturer in informatics at Indiana University.

"Defaults [settings] are king," added Hottell. Most of the secured networks used routers whose security setting had been pre-installed by the vendor, rather than having been activated by the end user. Some used WEP encryption wizards to encourage people to turn on the security settings.

"Education seems to have little effect. People with a higher economic status are not responsive to the heightened risk of privacy erosion, and people in general don't recognise that higher population density [heightens risk]," said Hottell.

However, security expert Bruce Schneier argued that as long as people's devices were secure, having a secured network was unnecessary.

"I have a completely open Wi-Fi network," Schneier told ZDNet UK. "Firstly, I don't care if my neighbours are using my network. Secondly, I've protected my computers. Thirdly, it's polite. When people come over they can use it."

University of Cambridge security expert Richard Clayton also questioned the assumption that unsecured networks were necessarily insecure. "What is your definition of secure?" Clayton asked the researchers. "Did you try to exploit the systems?"
Hottell said the wardriving team had not attempted to hack any systems or read any network traffic.

Microsoft's chief privacy advisor for Europe, Caspar Bowden, said there seemed to be a consensus among security experts that having a Wi-Fi network open to sharing has positive uses, but warned that people could not rely on WEP encryption if they wanted to secure networks.

"If you do want to secure your network, look at end-to-end solutions rather than some of the dodgy crypto around like WEP," said Bowden. "There's only one thing worse than no security, and that's a false sense of security," he added.
[ISN] U.S. vulnerable to 'cyber Katrina'
http://www.gcn.com/online/vol1_no1/41172-1.html

By Alice Lipowicz
Contributing Writer
06/27/06

The United States is poorly prepared for a "cyber Katrina," with no coordinated plan for restoring and recovering the Internet after a major disruption, according to a new Business Roundtable report [1], released yesterday.

Despite efforts to address the problem, the federal government and private sector have not developed a coordinated plan for restoring the Internet and maintaining confidence in financial markets following a major breach in functioning. The gaps identified include no cyberattack early warning system, unclear and overlapping responsibilities for responding to Internet disruptions, and insufficient resources.

"If there's a cyberdisaster, there is no emergency number to call - and no one in place to respond, because our nation simply doesn't have the kind of coordinated plan in place that we need to restart and restore the Internet," Edward Rust Jr., chairman of State Farm Insurance Companies and head of the Roundtable Security Task Force's working group on cybersecurity, said in a news release. "Government and industry must work together to beef up our cybersecurity and recovery efforts."

The roundtable, which comprises chief executives of major corporations representing nearly a third of the total value of the U.S. stock market, said the private sector should take the lead in restoring the communications infrastructure following a disaster. The federal government should establish clearer roles and responsibilities.

For example, while the Homeland Security Department said it has authority to declare a national cyberemergency and intends to consult with business leaders, the report said it is not clear how this consultation will occur or what the factors are for declaring an emergency.
The federal government also should provide funding for long-term programs, and make sure that national response plans treat major Internet disruptions as serious national problems, the report said. The National Cyber Security Division within DHS receives about $70 million a year, but almost none of the funds support cyber-recovery, the report said.

Federal authorities should set a clear policy for Internet recovery, which would define DHS' role and responsibility; define the responsibilities of the U.S. Computer Emergency Response team; specify how the Homeland Security Operations Center will be used; and clarify the roles of other agencies, such as the Federal Communications Commission and the Federal Emergency Management Agency, the report said.

Private sector executives are urged to designate a point person for cyber-recovery, update their plans to prepare for a widespread Internet outage and the impact on movement of goods and services, and set priorities for restoring Internet service and corporate communications.

The roundtable also urged creation of a federally funded panel of experts to assist in developing plans for recovering the Internet after a cyberdisaster. It also suggests DHS and industry jointly conduct large-scale cyberemergency exercises.

[1] http://www.businessroundtable.org/pdf/20060622002CyberReconFinal6106.pdf
[ISN] Navy: Exposed personal data was Katrina-related
http://www.fcw.com/article95068-06-27-06-Web

By Bob Brewin
June 27, 2006

The Navy said the personal information of more than 30,000 sailors that a civilian Web site exposed pertains to sailors and their families located in areas affected by Hurricane Katrina.

Lt. Justin Cole, a spokesman for the chief of naval personnel, said the Navy collected the personal information in relation to hurricane relief operations. Cole said the Navy has no idea how someone published the information on the Web site. The site has removed that information.

Cole declined to identify the site or its purpose, but he said it was not a medical or health information Web site.

The Navy said last week it first became aware of the exposure of the personal information June 22 in a report by the Joint Task Force-Global Network Operations the Navy Cyber Defense Operations Command, part of the Naval Network Warfare Command (Netwarcom).

The personal information was contained in five spreadsheet files on the Web site and included the name, birth dates and Social Security numbers of sailors and family members, the Navy said. The service mailed letters to all 30,618 service members and their families affected by the incident, the Navy added.

The service said it has no evidence that someone has illegally used the personal information on the Web site. Cole said the Naval Criminal Investigative Service is investigating the incident. But he declined to provide further details.
[ISN] Apple updates Mac OS to squash bugs
http://news.com.com/Apple+updates+Mac+OS+to+squash+bugs/2100-1002_3-6088787.html By Joris Evers Staff Writer, CNET News.com June 27, 2006 Apple Computer on Tuesday released an update for its Mac OS X that repairs several security flaws and includes feature updates. The update, Mac OS X 10.4.7, fixes four security vulnerabilities, Symantec said in an alert sent to customers. These issues can be exploited to cause denial-of-service conditions, gain access to sensitive information, and execute code, it said. The security flaws lie in various components of Mac OS X, Symantec said. There is no known attack code for the vulnerabilities, the company said, indicating that there is no imminent threat to Mac users. An Apple representative did not immediately return calls seeking comment on the security issues. The Cupertino, Calif.-based company also had not published any security fix information on its security Web site as of Tuesday late afternoon. Apple's last security update was in May, addressing bugs in Mac OS X and QuickTime. Aside from the security fixes, Mac OS X 10.4.7 delivers some improvements and repairs a few issues related to Mail, Finder and iChat, among other things, according to a posting on Apple's support Web site. If iChat users encounter a problem while trying to set up a conference, they can now send a message to Apple that automatically outlines what went wrong, much the same way Safari users can choose to send a message when the browser crashes, Apple said. The update also fixes a number of issues with syncing, improving support for Motorola phones and fixing some problems with .Mac syncing, according to Apple. Users can download Mac OS X 10.4.7 through Software Update or the standalone installer. Apple plans to showcase Mac OS 10.5, code-named Leopard, at its annual developer meeting in August, the company announced Monday.
[ISN] Navy contractor charged with sabotaging computer system
http://home.hamptonroads.com/stories/story.cfm?story=106658ran=64860 By TIM MCGLONE The Virginian-Pilot © June 27, 2006 NORFOLK - A Navy contractor has been charged with sabotaging a computer system that plots the locations of ships and submarines. The computer intrusion could have caused collisions between Navy and commercial vessels, but it was uncovered before any serious harm was done, according to a criminal complaint unsealed Monday in U.S. District Court here. The suspect, Richard F. Sylvestre, 43, of Massachusetts, was charged with unauthorized access to a government national defense computer, a crime that carries a penalty of as much as 10 years in prison. Sylvestre said little during his first court appearance Monday. "Do you understand why you're before this court?" Magistrate James E. Bradberry asked Sylvestre. "Yes, sir," he replied. Sylvestre, listed in the court record as owner of computer company Ares Systems International, is accused of programming malicious software codes into computers at the Navy's European Planning and Operations Command Center in Naples, Italy, last month, according to the court records. Sylvestre later confessed to the crime, according to the complaint filed by a Naval Criminal Investigative Service agent in Norfolk. He told the agent he was upset that his company's bid on a project was passed over, the papers say. Ares already held a Navy contract to provide computer maintenance for the Navy's European Command. On May 21, two Navy computers in Naples were rendered inoperable, the complaint says. A computer administrator determined that someone had programmed what's known as a cron job into the system. A cron job enables someone to schedule the start of program commands at some future date. The investigation determined that the commands were entered on a computer last used by Sylvestre on May 19, the complaint says.
The computer administrator also discovered three additional infected computers that, had the programs been launched, would have shut down the entire network that tracks the locations of ships and submarines. The system helps prevent military and commercial vessels from running into each other. Sylvestre denied that he had any intention to cause a collision or crash, the complaint says. Sylvestre returned to Norfolk on Sunday aboard the Air Mobility Command and was taken into custody by the U.S. Marshals. After Monday's court appearance, Bradberry allowed Sylvestre to post a $10,000 bond and return home to Massachusetts, but not without a stern warning first. "This is deadly serious business," Bradberry told him. "Don't take this lightly." A grand jury will hear the case within the month, a prosecutor said in court. Reach Tim McGlone at (757) 446-2343 or tim.mcglone at pilotonline.com. © 2006 HamptonRoads.com/PilotOnline.com
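The complaint describes the classic pattern an administrator would look for after the fact: commands staged on one day and scheduled through cron to fire on a later one. The following is an added example, not code from the article, the court records or the Navy: a defender-side audit that parses crontab lines, flags jobs pinned to a single calendar date (a fixed day-of-month and month), and flags commands that live outside the system's normal program directories. The crontab text, the trusted path list and the reference date are all constructed for illustration.

```python
"""Audit crontab entries for one-shot, future-dated jobs and odd command paths.

Added example; the sample crontab and reference date below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample crontab; the /tmp entry mimics a one-shot, future-dated job.
SAMPLE_CRONTAB = """\
# constructed sample, not a real system's crontab
MAILTO=root
0 2 * * * /usr/local/bin/backup.sh
*/15 * * * * /usr/bin/check_links
30 4 21 5 * /tmp/.x/run.sh
0 0 1 * * /usr/sbin/logrotate /etc/logrotate.conf
"""

# Assumed list of directories where scheduled programs normally live.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/opt/")


@dataclass
class CronEntry:
    minute: str
    hour: str
    dom: str        # day of month
    month: str
    dow: str        # day of week
    command: str
    line_no: int


def parse_crontab(text):
    """Return CronEntry objects, skipping comments, blank lines and VAR=value lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 5)     # five time fields, then the command
        if len(fields) < 6:
            continue
        entries.append(CronEntry(*fields, line_no=n))
    return entries


def is_one_shot(entry):
    """A fixed day-of-month and month means the job fires on one calendar date."""
    return entry.dom.isdigit() and entry.month.isdigit()


def fires_after(entry, ref):
    """True if a one-shot entry's date falls after the reference date (same year)."""
    if not is_one_shot(entry):
        return False
    try:
        return datetime(ref.year, int(entry.month), int(entry.dom)) > ref
    except ValueError:                   # e.g. month 2, day 31 is not a real date
        return False


def flag_suspicious(entries, ref):
    """Return (line_no, command, reasons) for entries that deserve a closer look."""
    findings = []
    for e in entries:
        reasons = []
        if is_one_shot(e):
            reasons.append("pinned to month %s day %s" % (e.month, e.dom))
            if fires_after(e, ref):
                reasons.append("scheduled after %s" % ref.date())
        if not e.command.startswith(TRUSTED_PREFIXES):
            reasons.append("command outside trusted program directories")
        if reasons:
            findings.append((e.line_no, e.command, reasons))
    return findings


def audit_sample():
    """Run the audit over the constructed crontab with a constructed reference date."""
    return flag_suspicious(parse_crontab(SAMPLE_CRONTAB), datetime(2006, 5, 19))


if __name__ == "__main__":
    for line_no, cmd, reasons in audit_sample():
        print("line %d: %s -> %s" % (line_no, cmd, "; ".join(reasons)))
```

On a real host the same parser can be pointed at each user's crontab and the files under the system cron directories; pairing the output with file modification times, as the administrator in the story effectively did by tracing the entry back to the machine used on May 19, is what turns a flagged entry into evidence.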
[ISN] REVIEW: How to Break Web Software, Mike Andrews/James A. Whittaker
Forwarded from: Rob, grandpa of Ryan, Trevor, Devon Hannah [EMAIL PROTECTED]

BKHTBWSW.RVW 20060520

How to Break Web Software, Mike Andrews/James A. Whittaker, 2006, 0-321-36944-0, U$34.99/C$46.99
%A Mike Andrews [EMAIL PROTECTED]
%A James A. Whittaker [EMAIL PROTECTED]
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2006
%G 0-321-36944-0
%I Addison-Wesley Publishing Co.
%O U$34.99/C$46.99 416-447-5101 800-822-6339 [EMAIL PROTECTED]
%O http://www.amazon.com/exec/obidos/ASIN/0321369440/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0321369440/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321369440/robsladesin03-20
%O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 219 p. + CD-ROM
%T How to Break Web Software

The preface stresses that this book is neither about how to attack a Web site, nor how to develop one, but, rather, how to test. Chapter one points out that the Web is a different environment, in terms of software security, because we have desktop machines, not centrally administered, talking to everyone (with much of the traffic being commercial in nature). The authors even point out that issues of error-handling, performance, and ease-of-use all contribute to increased levels of vulnerability. Various attacks designed to obtain information about Web applications, structure, and functions are described in chapter two. For client-side scripting, chapter three notes, any validation done on the client should be untrusted and re-validated on the host, since it may be altered on the client, or data manually entered as if it came from the client. Chapter four explains the danger of using client-side data (cookies or code) for state information. Chapter five examines user supplied data, and delves into cross-site scripting (XSS, the explanation of which is not well done), SQL (Standard Query Language) injection, and directory traversal.
Language-based attacks, in chapter six, involve buffer overflows (which are not explained terribly well), canonicalization (HTML and Unicode encoding and parsing), and null string attacks. The server, with utilities and the underlying operating system, can be reached via stored procedures (excessive functionality), fingerprinted for other attempts, or subject to denial of service (in limited ways) as chapter seven notes. Authentication, in chapter eight, is really more about encryption: the various false forms (encryption via obscurity?), brute force attacks against verification systems, and forcing a system to use weak encryption. Privacy, and related Web technologies (of which cookies are only one), is reviewed in chapter nine. Chapter ten looks at Web services, and the vulnerabilities associated with some of these systems. The CD-ROM included with the book contains a number of interesting and useful tools for trying out the various attacks and tests mentioned in the text. This book is a valuable addition to the software security literature. The attacks listed in the work are known, but often by name only. This text collects and explains a wide variety of Web application attacks and weaknesses, providing developers with a better understanding of how their programs may be assailed. Some of the items mentioned are defined or explained weakly, but these are usually items that do have good coverage in other security works. copyright Robert M. Slade, 2006 BKHTBWSW.RVW 20060520
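The review's summary of chapters three and four makes two points that are easier to see in code than in prose: anything the client validated must be validated again on the server, and state handed to the client is only usable if the server can detect that it came back unchanged. The block below is an added example, not code from the book, its CD-ROM or the reviewer: a cookie sealed with an HMAC-SHA256 tag (the server keeps the key; a client that rewrites the payload cannot produce a matching tag) and a server-side re-check of form fields that a client-side script would also have checked. The key, the field rules and the sample state are constructed.

```python
"""Sealed client-side state and server-side re-validation (added example).

SECRET_KEY and the sample form fields are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key-not-for-production"   # constructed; server-only


def seal_state(state, key=SECRET_KEY):
    """Encode state as base64 JSON and append an HMAC-SHA256 tag over the payload."""
    payload = base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def open_state(cookie, key=SECRET_KEY):
    """Return the state dict if the tag verifies, otherwise None.

    The tag is checked before the payload is decoded, so a modified or
    malformed payload is rejected without ever being parsed.
    """
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except ValueError:                             # bad base64 or bad JSON
        return None


def rewrite_payload(cookie, new_state):
    """Model a client that edits the state but has no key: the old tag is kept."""
    _, _, tag = cookie.rpartition(".")
    payload = base64.urlsafe_b64encode(
        json.dumps(new_state, sort_keys=True).encode()).decode()
    return payload + "." + tag


def validate_order(form):
    """Server-side check of fields a client-side script claims to have validated.

    Returns a list of error strings; an empty list means the form is acceptable.
    The rules (quantity 1-100, sku 4-12 alphanumerics) are constructed.
    """
    errors = []
    qty = str(form.get("quantity", ""))
    if not qty.isdigit() or not 1 <= int(qty) <= 100:
        errors.append("quantity must be an integer from 1 to 100")
    sku = str(form.get("sku", ""))
    if not (sku.isalnum() and 4 <= len(sku) <= 12):
        errors.append("sku must be 4-12 alphanumeric characters")
    return errors


if __name__ == "__main__":
    cookie = seal_state({"user": "alice", "role": "user"})
    print("genuine cookie ->", open_state(cookie))
    print("rewritten cookie ->",
          open_state(rewrite_payload(cookie, {"user": "alice", "role": "admin"})))
    print("server check ->", validate_order({"quantity": "5", "sku": "AB1234"}))
```

The seal proves integrity, not secrecy: the payload is readable by anyone holding the cookie, so nothing that must stay private belongs in it, and the server still owns the key rotation and the validation rules.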
[ISN] Microsoft warns of exploit code for dial-up bug
http://www.networkworld.com/news/2006/062606-microsoft-warns-of-exploit-code.html By Robert McMillan IDG News Service 06/26/06 Microsoft is warning users of malicious software that could be used to attack Windows systems that lack the company's latest security updates. The exploit code targets a vulnerability in the Remote Access Connection Manager (RASMAN) service, used by Windows to create network connections over the telephone. The bug, which was patched June 13, is rated critical by Microsoft, the most severe rating available. Hackers published the code on Web sites late last week, and it is now included in Metasploit, a hacking toolkit that is used by security researchers and criminals alike. The malicious software is not as dangerous as it could be. Most firewalls will block it and it also requires that the hacker be authenticated on the computer for it to work. Still, Windows 2000 and Windows XP Service Pack 1 users need to be wary because they could be the victims of particularly nasty attacks that do not require authentication, Microsoft said. The current exploit code ... requires authentication, but the underlying vulnerability does not, said Stephen Toulouse, a security program manager with Microsoft's security response center. For any attack to work on the latest versions of other Windows systems, like XP or Windows Server 2003, the attacker would need to be able to log on to the victim's machine, Microsoft said. Hackers will likely use the malicious software in criminal attacks since it is now in Metasploit, said Ken Williams, director of vulnerability research with CA. Complicating matters is the fact that some dial-up users have been having problems with the patch. Computers that use Windows' dial-up scripting or terminal windows to make connections may find that their dial-up connections no longer work, according to Microsoft's alert. Users who cannot install the patch immediately should disable the RASMAN service, Microsoft said.
Over the past two weeks, Microsoft has also been contending with a number of unpatched vulnerabilities in its Office and Excel software. Microsoft has not yet patched the bugs, but it said Saturday that one of them is now expected to be patched in its next round of security updates, due July 11. Microsoft's advisory on the malicious code can be found here. The IDG News Service is a Network World affiliate. All contents copyright 1995-2006 Network World, Inc.
[ISN] Crypto utopia Sealand ravaged by fire
http://www.theregister.co.uk/2006/06/26/sealand_blaze/ By Andrew Orlowski 26th June 2006 Fire has damaged a World War II gun emplacement seven miles off the English coast. Better known as Sealand, the fort was acquired in the 1960s by Roy Bates, who declared it an independent principality. One man was airlifted from the platform after fire broke out in the generator room on Friday. Eyewitnesses [1] reported heavy damage, and the blaze was left to burn itself out. A public statement from the Sealand government said [2]: Due to a fire in the generation facility of the Fortress structure it has been necessary temporarily to evacuate all civilian residents to alternative accommodation as a matter of safety. This situation is expected to continue for the next 96 hours, and an update will be issued within this time. When Bates purchased the fort, UK sovereignty extended to structures only three miles from the shoreline. This has since changed, bringing Sealand within UK jurisdiction, and the principality remains unrecognised by any other state or international treaty organisation. But in recent years the ambiguity of Sealand's status prompted one of the more fascinating experiments in technological utopias. Bates' son Michael - Prince Michael of Sealand - blessed an experiment to create a crypto data haven on the fort, and became head of the operating company HavenCo [3] in June 2000 [4]. To the dismay of investors and cypherpunks, the venture wasn't a success. Ryan Lackey had moved to the fort in 1999, hoping to establish a safe location for privacy services such as anonymous remailers, and experiments such as anonymous digital cash. [July 2000 Slashdot QA [5]] In a presentation to the 2003 DefCon convention, a former employee described how internal politics and a lack of investment backing had thwarted the experiment. Contracts were broken, the bandwidth never materialised, and the location was vulnerable to DOS attacks. 
At the time [6] of his 2003 presentation, HavenCo had no new customers, and had seen several of its existing customers leave. Sovereignty alone has little value without commercial support from banks, etc, concluded Ryan. Inviting us to draw our own conclusions as to where the real sovereign power lies. Banks don't like cash they can't count or control. ® [1] http://www.eadt.co.uk/content/eadt/news/story.aspx?brand=EADOnlinecategory=NewstBrand=EADOnlinetCategory=zNewsitemid=IPED24%20Jun%202006%2009%3A12%3A24%3A070 [2] http://www.sealandgov.org/notices/pn02706.html [3] http://www.havenco.com/ [4] http://www.theregister.co.uk/2000/06/07/exarmy_major_offers_dotcom_sanctuary/ [5] http://interviews.slashdot.org/article.pl?sid=00/07/02/160253mode=nested [6] http://www.metacolo.com/papers/dc11-havenco/
[ISN] OMB emphasizes data security guidance
http://www.gcn.com/online/vol1_no1/41169-1.html By Mary Mosquera GCN Staff 06/26/06 The Office of Management and Budget today provided a checklist of best practices that agencies must have in place in 45 days to compensate for the absence of physical security controls when employees remove information or access it from outside of agency premises. Most departments should already have the measures recommended by the National Institute of Standards and Technology in place, according to Clay Johnson, OMB deputy director for management. We intend to work with the inspectors general community to review these items, as well as the checklist, to ensure we are properly safeguarding the information the American taxpayer has entrusted to us, he said in the memo dated June 23 [1]. Besides the checklist, agencies also by early August must encrypt all data on mobile devices that carry sensitive data and allow remote access only with two-factor authentication. One of those factors should be provided by a device separate from the computer gaining access. Agencies will implement a time-out function for remote access and mobile device users, who will need to re-authenticate after 30 minutes of inactivity. Agencies will log all computer-readable data extracts from databases holding sensitive information. They must verify that each extract of sensitive data has been erased within 90 days or that its use is still required. OMB provided sample privacy documents for system of records notices for personnel security files, identity management systems, identity card proofing and Privacy Act statement and a Privacy Act statement for users of personal identity verification cards. Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, applauded OMB's memo.
Today's action by the Office of Management and Budget to reinforce security standards for sensitive information controlled by the federal government is a sensible step, given the various data breaches we have seen in recent weeks, he said. [G]iven the spotty record of compliance [with the Federal Information Security Management Reform Act] we have seen among the agencies, I sincerely hope this action leads to both better results and better practices-and if not, perhaps Congress will have to step in and mandate specific security requirements. [1] http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
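Two of the memo's controls are concrete enough to model: a remote session that must re-authenticate after 30 minutes of inactivity, and a log of every computer-readable extract of sensitive data, each of which must be erased or confirmed as still required within 90 days. The block below is an added example, not OMB's or any agency's code, and the user names, data sources and timestamps in it are constructed; the assumed behaviour is that a re-certification restarts the 90-day clock.

```python
"""Inactivity timeout and extract-retention ledger (added example).

All users, sources and timestamps are constructed for illustration.
"""
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(minutes=30)    # re-authenticate after 30 idle minutes
EXTRACT_REVIEW_PERIOD = timedelta(days=90)  # erase or re-certify within 90 days


class RemoteSession:
    """Tracks last activity; a gap longer than the limit invalidates the session."""

    def __init__(self, user, started):
        self.user = user
        self.last_activity = started
        self.authenticated = True

    def touch(self, now):
        """Record activity at `now`; return whether the session is still valid."""
        if not self.authenticated:
            return False
        if now - self.last_activity > INACTIVITY_LIMIT:
            self.authenticated = False      # caller must re-authenticate
            return False
        self.last_activity = now
        return True


class ExtractLedger:
    """Log every extract of sensitive data and report those overdue for review."""

    def __init__(self):
        self.records = []

    def log_extract(self, who, source, rows, when):
        rec = {"id": len(self.records) + 1, "who": who, "source": source,
               "rows": rows, "when": when, "recertified": None, "erased": None}
        self.records.append(rec)
        return rec["id"]

    def _get(self, rid):
        return self.records[rid - 1]

    def mark_erased(self, rid, when):
        self._get(rid)["erased"] = when

    def recertify(self, rid, when):
        """Record that the extract is still required; restarts the 90-day clock (assumed)."""
        self._get(rid)["recertified"] = when

    def overdue(self, now):
        """IDs of extracts neither erased nor reviewed within the last 90 days."""
        late = []
        for rec in self.records:
            if rec["erased"] is not None:
                continue
            clock_start = rec["recertified"] or rec["when"]
            if now - clock_start > EXTRACT_REVIEW_PERIOD:
                late.append(rec["id"])
        return late


def demo():
    """Constructed walk-through; returns (session results, first report, second report)."""
    s = RemoteSession("analyst1", datetime(2006, 6, 23, 9, 0))
    steps = [s.touch(datetime(2006, 6, 23, 9, 20)),     # 20 min gap: still valid
             s.touch(datetime(2006, 6, 23, 9, 49)),     # 29 min gap: still valid
             s.touch(datetime(2006, 6, 23, 10, 30))]    # 41 min gap: expired
    ledger = ExtractLedger()
    a = ledger.log_extract("analyst1", "hr_db.personnel", 1200, datetime(2006, 6, 23))
    b = ledger.log_extract("analyst2", "hr_db.personnel", 40, datetime(2006, 6, 23))
    ledger.mark_erased(b, datetime(2006, 7, 1))
    first = ledger.overdue(datetime(2006, 9, 22))        # 91 days after the extracts
    ledger.recertify(a, datetime(2006, 9, 22))
    second = ledger.overdue(datetime(2006, 12, 1))       # 70 days after re-certification
    return steps, first, second


if __name__ == "__main__":
    print(demo())
```

The ledger deliberately records who took the extract and from where; the memo's value lies less in the 90-day number than in having an authoritative list to reconcile against when a device or file goes missing.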
[ISN] Sitting Ducks at Sandhurst
http://www.people.co.uk/news/tm_objectid=17289093method=fullsiteid=93463headline=sitting-ducks-at-sandhurst--name_page.html By Daniel Jones 25 June 2006 DISGRACEFUL security lapses at Prince William's military academy are today exposed by The People. Carrying a lifelike fake bomb, one of our reporters casually strolled into Wills's accommodation block - and put his feet up in the 24-year-old prince's common room. For four shocking hours, he was allowed to roam the grounds and buildings of world-famous Sandhurst without EVER being challenged. A real terrorist would have had countless chances to plant a bomb that could have killed and maimed scores of people - including the man who will one day be King. The scandal is revealed less than two weeks before the anniversary of the 7/7 London bombings - and amid fears that Al-Qaida is planning a new wave of attacks in Britain. We linked up with former counterterrorism intelligence officer Charles Shoebridge to infiltrate Sandhurst - which William's brother Harry has just left - for an open day that attracted more than 3,000 visitors. In a string of appalling security blunders, our investigators:
- OPENLY sat in the grounds putting together the fake bomb;
- STROLLED into William's New College quarters - where a cadet opened a door for them to get in;
- CHECKED out the VIP podium and a postbox where lethal explosives could easily have been hidden; and
- TOOK photos in areas which were supposed to be closed off as part of a £2million operation designed to protect William - a prime target - from international terrorists.
Mr Shoebridge said: Sandhurst's worldwide reputation makes it an ideal terrorist target - especially with Prince William there. Yet you would not think this from the security we saw. If they had wanted to, then terrorists could have caused havoc. The disgraceful lapses began the moment our team arrived at the Berkshire military academy's Heritage Day.
Astonishingly, visitors did not have to book their places - which meant they could not be vetted in advance. And guards did not even take their names as they entered. Armed soldiers and police at the main gate searched the bags of people arriving on foot. But like scores of other people, our investigators drove to Sandhurst - and were waved through to a car park. Once there, cadets made only a cursory search of the boot. But they did NOT look inside the car. And they did NOT carry out the widely used swab check - which reveals whether a person has been handling explosives. Mr Shoebridge - himself a Sandhurst graduate - said: Of the ten cars I watched being checked, no searches at all were made of their occupants or their bags or rucksacks, which could have been packed with explosives. Our reporter made no attempt at secrecy as he made his bomb based on a design used by Al-Qaida - a mobile phone acting as a timer wired to a blob of Semtex. We used lookalike Plasticine instead of the deadly high explosive. Our reporter put the device into a plastic lunch-box which he carried in a shoulder-bag - along with a dossier about Sandhurst and a map of the complex. Amazingly, a passing soldier revealed where the Prince is staying while he is at Sandhurst. Mr Shoebridge - who worked in the police and army for 20 years - pointed out a working postbox made of cast iron next to the parade square at William's college. He said: Just a small bomb hidden in there would shower deadly shrapnel over any cadets parading here the following morning. The postbox should have been sealed for the Heritage Day. New College, like most of Sandhurst's buildings, was officially closed to the public for the event. But it was a doddle for our investigators to get inside. Two ground-floor windows at the rear were UNLOCKED. But our team did not have to climb in because a cadet showing his family round helpfully held open a door for them.
They were able to wander around the building - and even sat in the common room near William's personal quarters. A terrorist could simply have planted a bomb under a chair and detonated it at his leisure. Mr Shoebridge said: Most of the ground-floor windows were locked on a hot summer's day - which suggests staff were aware that someone might attempt unauthorised access. Yet cadets did not seem to have been briefed about the need to identify and accompany strangers before allowing them in through the door. Our investigators then checked out a podium used by VIPs for the finale of the open day - a march-past with a Gurkha band in front of the Mayor of Sandhurst Elizabeth North. There was NO guard here in the runup to the parade. Mr Shoebridge said: Had we used a timing device, we would have now escaped and the bomb would kill the VIPs, the bandmaster and several members of the public. If we were to trigger the bomb remotely as the band passed close to the podium, we would have killed several Gurkhas from the band too. There were also any number of chances to secrete
[ISN] REVIEW: The CISO Handbook, Mike Gentile/Ron Collette/Tom August
Forwarded from: Rob, grandpa of Ryan, Trevor, Devon Hannah [EMAIL PROTECTED]

BKCISOHB.RVW 20060520

The CISO Handbook, Mike Gentile/Ron Collette/Tom August, 2006, 0-8493-1952-8, U$69.95/C$89.95
%A Mike Gentile
%A Ron Collette
%A Tom August
%C 920 Mercer Street, Windsor, ON N9A 7C2
%D 2006
%G 0-8493-1952-8
%I Auerbach Publications
%O U$69.95/C$89.95 800-950-1216 [EMAIL PROTECTED] [EMAIL PROTECTED]
%O http://www.amazon.com/exec/obidos/ASIN/0849319528/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0849319528/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0849319528/robsladesin03-20
%O Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 322 p.
%T The CISO Handbook: A Practical Guide to Securing Your Company

The introduction states that there are generally two kinds of books on the security shelf--the hack to secure tomes and the exam preparation guides. (It may sometimes seem like the literature is restricted to those kinds of texts, although I would add a third that seems to be all too prevalent: poorly executed security management works. However, I fully sympathize with the authors' disdain for the hacking books, as well as their reasoning of the limited value of such manuals.) The authors also describe a standard structure for each chapter, as well as an overall design of the publication, following a fairly standard project management framework. Chapter one covers assessment. While this may not be a big surprise to those with the slightest familiarity with project management fundamentals, the authors provide a very complete description of the information that will be useful in appraising any situation in which you may find yourself. (The writing is generally clear and easy enough to read, but the point of the examples and illustrations is not always obvious or even intelligible. In some cases it seems the desire to entertain has overwhelmed exegetical utility.) A very complete checklist is given at the end of the chapter.
Planning, in chapter two, does not fare as well. Much of the material reiterates the importance of obtaining information, or outlines organizational structures, personnel, and skills. (Rather ironically, the recommendations assume a fairly large corporation, budget, and staff, which was one of the complaints the authors made, in the introduction, about other security books.) Design is a difficult project to nail down, but chapter three doesn't really even try. Various aspects of security management, such as policy components, promotion to the rest of the company, and security reviews, are the major substance dealt with (some of the topics multiple times). Project management is covered in chapter four. Very detailed and complete project management, directed at creating a specific design and implementation, but applicable to any kind of project. (It is somewhat telling that the end-of-chapter checklists, which have been getting shorter, vanish entirely here.) Since the overall thread of the book has been to move through the phases of a large project, one could expect that the title of chapter five, Reporting, refers to a report back to management on progress or completion. Not so: marketing of security to the enterprise, which has been a thread all the way through the book, now gets a chapter all its own. Chapter six repeats the outline of the book we received in the introduction. A work addressed to the CISO (Chief Information Security Officer) can be expected to be primarily concerned with management issues. However, with the exception of chapter one, very little in the book could not be equally applicable to any C-level executive. (It is interesting to note that, of the references, only two deal with security, twenty-seven are business books.) Indeed, even though Charles Sennewald wrote Effective Security Management (cf. BKEFSCMN.RVW) for those dealing with physical security, there is more practical advice for senior information security management in it than in The CISO Handbook. While the authors have outlined definite structures for the chapters, these patterns are not always easy to determine or follow. I frequently found myself lost in the chapters, and while I could eventually realize where I was in the formation, the inconsistency and multiplicity of header formats certainly did not help matters any. Still, the work does have significant value. Those who rise through the ranks of computer security frequently lack management experience and knowledge, and this addresses, in some detail, the necessary skills. Not as directly, perhaps, as Fred Cohen in the Governance Guidebook (cf. BKCISOGG.RVW), but usefully nonetheless. copyright Robert M. Slade, 2006 BKCISOHB.RVW 20060520
[ISN] Secunia Weekly Summary - Issue: 2006-25
The Secunia Weekly Advisory Summary 2006-06-15 - 2006-06-22
This week: 69 advisories

Table of Contents:
1. Word From Secunia
2. This Week In Brief
3. This Week's Top Ten Most Read Advisories
4. Vulnerabilities Summary Listing
5. Vulnerabilities Content Listing

1) Word From Secunia:
The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database: http://secunia.com/

2) This Week in Brief:
Two vulnerabilities have been discovered in Microsoft Windows and Microsoft Excel, which can be exploited to compromise a vulnerable system. The first, SA20686, has, according to Microsoft, already been used in targeted zero-day attacks against a few companies. Currently, no patches are available from Microsoft. Please refer to the referenced Secunia advisories below for additional details.
References: http://secunia.com/SA20686 http://secunia.com/SA20748
--
A vulnerability has been discovered in WinAmp, which potentially can be exploited by malicious people to compromise a user's system. An updated version has been released by the vendor that fixes this vulnerability.
Reference: http://secunia.com/SA20722
--
VIRUS ALERTS: During the past week Secunia collected 224 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

3) This Week's Top Ten Most Read Advisories:
1. [SA20686] Microsoft Excel Repair Mode Code Execution Vulnerability
2. [SA20748] Microsoft Office Long Link Buffer Overflow Vulnerability
3. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability
4. [SA20595] Microsoft Internet Explorer Multiple Vulnerabilities
5. [SA20576] Adobe Reader Unspecified Vulnerabilities
6. [SA20699] Cisco Secure ACS for Unix Cross-Site Scripting Vulnerability
7. [SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability
8. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
9. [SA15779] Sendmail Multi-Part MIME Message Handling Denial of Service
10. [SA20661] Horde Cross-Site Scripting Vulnerabilities

4) Vulnerabilities Summary Listing
Windows:
[SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow
[SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability
[SA20721] ASP Stats Generator SQL Injection and Code Injection
[SA20719] Hitachi Products MDAC RDS.Dataspace ActiveX Vulnerability
[SA20756] MAILsweeper for SMTP/Exchange Multiple Vulnerabilities
[SA20752] Maximus SchoolMAX error_msg Parameter Cross-Site Scripting
[SA20743] Hosting Controller Privilege Escalation Vulnerability
[SA20698] SSPwiz Plus message Cross-Site Scripting Vulnerability
UNIX/Linux:
[SA20710] SUSE update for awstats
[SA20709] Gentoo update for mozilla-thunderbird
[SA20708] Gentoo update for typespeed
[SA20766] SUSE Updates for Multiple Packages
[SA20716] Ubuntu update for kernel
[SA20715] Trustix update for libtiff
[SA20712] Ubuntu update for mysql-dfsg
[SA20703] Linux Kernel xt_sctp Denial of Service Vulnerability
[SA20694] Mandriva update for sendmail
[SA20693] Mandriva update for libtiff
[SA20690] Gentoo update for pam_mysql
[SA20692] Mandriva update for spamassassin
[SA20750] Debian update for horde2
[SA20734] CHM Lib extract_chmLib Directory Traversal Vulnerability
[SA20699] Cisco Secure ACS for Unix Cross-Site Scripting Vulnerability
[SA20754] dhcdbd DHCP Message Handling Denial of Service
[SA20702] Mandriva update for kdebase
[SA20729] NetPBM pamtofits Off-By-One Buffer Overflow Vulnerability
[SA20711] HP-UX Support Tools Manager Denial of Service Vulnerability
Other:
[SA20726] FortiMail Sendmail Multi-Part
[ISN] Security breach report comes out, recommends suspensions
http://thepost.baker.ohiou.edu/articles/2006/06/22/news/14120.html Sean Gaffney skatripp at gmail.com June 22, 2006 Ohio University suspended two administrators and created a new position at the recommendation of a network security report Tuesday. The university suspended Tom Reid, director of Communication Network Services and Computer Services, and Todd Acheson, manager of Internet and Systems, until a disciplinary investigation is completed, according to a university news release. Both men will still be paid while on suspension. At a later date, Reid and Acheson will have a chance to respond to the findings prior to the university's final determination, which could include termination, according to the news release. Two independent consultants have been brought in to temporarily manage the Central Information Technology Management Team, according to the release. The report follows a three-week comprehensive analysis of the network security breaches conducted by Moran Technology Consulting of Naperville, Ill. The audit analyzed the department and employees, searching for negligence or faults that contributed to the security breaches, according to the release. A new position, Chief of Staff to the Chief Information Officer, has been created and a national search has been launched to fill the position, according to the release. Bill Sams is presently the chief information officer and associate provost for information technology. As a result of the report, the Information Technology departments will be restructured to establish clear roles, responsibilities, and accountabilities, according to the release. Two departments, CNS and Computer Services, were already combined to ease unnecessary competition and friction that contributed to department malfeasance. Unnecessary competition between the departments resulted in negligence, Sams has said in previous interviews. OU President Roderick McDavis is working with university officials and others to solve the problem.
I am angry and embarrassed by the computer security system lapses that were undetected before my time as leader of the university, McDavis said the release. McDavis decreased the IT budget by $1 million since taking office in 2004. There was a 3 percent reduction in the IT budget last year, and as a 12 percent reduction was being implemented this year, the security breaches were detected, said university spokesman - Jack Jeffery. That was part of the standard reductions made across the university, during 2006 fiscal year, Jeffery said. We wanted to make sure we weren't cutting from the academic programs, he added. Sams has previously said that the university has a reached a critical point in budget cuts and will need to replace funds in the IT budget. Next week, McDavis will request that the OU Board of Trustees authorize up to $2 million to invest in securing information technology systems, according to the release. The total cost to recover from the security breaches will be millions of dollars, Sams said. Since April 21, 365,000 personal identities have been compromised in security breaches at Ohio University. The latest breach was detected on a university computer that housed IRS 1099 tax forms for 2,480 vendors and independent contractors who worked for the university between 2004 and 2005, according to the university's Web site. The university also discovered that a computer hosting a variety of Web-based forms that included class lists containing the social security numbers of about 4,900 current and former students had been accessed. The data is fragmentary and it is not certain if the compromised information can be traced to individuals, according to the university's Web site. Employees, students, alumni and contractors have been urged to monitor credit reports and request fraud watches be placed on their report. 
About 24 people have expressed to the university that they have been victims of identity theft in the past year, according to an Associated Press article. Copyright © 2006 The Post _ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
[ISN] Wireless piggybacking lands man in trouble
http://www.katu.com/stories/87037.html
By Dan Tilkin and KATU.com Web Staff
June 21, 2006

VANCOUVER, Wash. - Brewed Awakenings, with its pithy name, artful drinks and wireless Internet service, has found itself unexpectedly percolating on the forefront of high-tech law.

"He doesn't buy anything," manager Emily Pranger says about the man she ended up calling 911 about. "It's not right for him to come and use it."

Pranger says 20-year-old Alexander Eric Smith of Battle Ground sat in the parking lot in his truck for three months, spending hours at a time piggybacking on the coffee shop's wireless Internet service for free. When deputies told Smith to knock it off, he came back and is now charged with theft of services.

"It's a repetitive occurrence and it's something that is borderline creepy," says Pranger.

As it turns out, Smith is a Level One sex offender, but whether he in fact committed a crime by not buying a single tall latte before accessing the Internet, well, that remains to be seen. The sheriff's office and prosecutors are now reviewing the case.

Eric Gardner is a paying customer at Brewed Awakenings, and he agreed to demonstrate how easy it is to pick off wireless signals. "I can stop at a stop light and it (my laptop) may automatically log on to somebody's Internet access and check my e-mail for me," he says.

On a random neighborhood street in Vancouver, a KATU News laptop detected 11 networks, five of which were unsecured, meaning anyone could log on to them for free.

The way to protect yourself is to change your wireless router settings to only allow the computers in your home to access your airwaves.
[ISN] Study: Most Technology Companies Have Data Losses
http://www.eweek.com/article2/0,1895,1979924,00.asp
By Matt Hines
June 21, 2006

Over half of all companies doing business in the technology, media and telecommunications sectors have experienced data breaches that potentially exposed their intellectual property or customer information, a new research report shows.

According to the report, published by Deloitte Touche Tohmatsu, not only have many technology providers been hit with the same sorts of data losses that have recently plagued other industries, but a large number of the firms have also failed to make sufficient investments in security technologies aimed at preventing future incidents.

Deloitte researchers said that security has long been neglected by technology, media and telecommunications companies despite their dependence on digital information to run their businesses. The consulting company surveyed executives at 150 such companies and found that even in the face of public embarrassment, financial losses and potential litigation linked to data breaches, many of the businesses have yet to make the investments necessary to adequately protect their information.

According to the report, more than 50 percent of the companies surveyed admitted to having had a data loss within the last 12 months, with roughly one-third of those incidents directly resulting in financial losses. Half of the companies reporting data breaches said the incidents involved internal attacks or policy violations.

Of the firms surveyed, only 4 percent said their employers are doing enough to address the issue, and just 20 percent of respondents said that they feel confident that their companies' intellectual property is being sufficiently safeguarded. Some 24 percent of interviewees said that the security tools they have installed are being used effectively.

While phishing schemes continue to pose a major threat to companies' customer information and brand reputations, only 18 percent of the executives surveyed said that their firms have employed technologies aimed at preventing such attacks. Deloitte said that 37 percent of the companies it interviewed have provided additional security training to their employees within the last 12 months.

At the heart of the issue, the report said, is companies' reluctance to increase their spending on new security measures. While 74 percent of survey respondents said that they expect to spend more time and money on improving security in 2006, the average budget increase among those companies was only 9 percent. Fewer than 15 percent of those increasing their security budgets planned to do so by over 20 percent, Deloitte said.

Despite the sobering statistics, Deloitte researchers said that technology, media and telecommunications companies are beginning to make changes to improve their IT defenses and security policies. Regulations such as the U.S. government's Sarbanes-Oxley Act have helped pave the way for those improvements, said Brian Geffert, principal of security and privacy services at Deloitte.

"Sarbanes got people to understand security a bit more, and now more people are catching up; more CEOs are communicating directly with chief information security officers, and I think we will see a lot more investment from these particular companies," said Geffert. "To a degree people are in the stage where they are still making plans, and not yet fully engaged in moving forward, but there's progress."

Only 63 percent of respondents to the survey said they have a senior-level executive in their company dedicated to managing security issues, with 53 percent of information technology companies employing that type of leader. Deloitte noted that those numbers were lower than the proportion of companies in other industries with C-level security executives already in place.

Further, the survey found that 52 percent of technology, media and telecommunications companies consider security a problem for IT departments, rather than viewing the issue as a central business concern.

The top five information security concerns identified by the executives polled were those related to instant messaging systems, phishing schemes, viruses that attack mobile devices, hacks into online brokerage accounts and other Web-based crimes. So-called insider attacks, or threats emanating from employees or other people with legitimate access to IT systems, are another major concern. However, only 59 percent of the companies interviewed said that they have any form of employee behavior monitoring technology in place.

While 25 percent of respondents cited insider fraud as their primary internal security concern, 22 percent pointed to data losses such as the incidents that have recently victimized the U.S. Department of Veterans Affairs and insurance giant American International Group as their greatest fear.

"These data leaks are starting to make people think differently about the manner in which they handle data, and you also have the emergence
[ISN] A Dozen Security Patches and Several Related Exploits
Security UPDATE

1. In Focus: A Dozen Security Patches and Several Related Exploits
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

As you hopefully know by now, Microsoft released a dozen security patches last week. Microsoft rated eight of the patches as critical, meaning that the related problems could be exploited without user interaction to possibly spread a worm. The remaining four patches are rated important, meaning that the related problems could be exploited to compromise sensitive information, hinder access to data, or affect the availability and integrity of processing resources.

After Microsoft releases security patches, intruders often quickly release exploits that take advantage of the vulnerabilities, or researchers sometimes discover that previously known security problems still exist and that the latest batch of patches left problems unfixed. This past week was no different.

Reading the Handler's Diary blog at SANS Internet Storm Center (at the URL below) last week, I learned that the day after Microsoft released its security patches, there were at least six new exploits. Fortunately, two of those exploits, which affect Microsoft Windows Media Player and RRAS, were released by a security vendor to its customers, so those weren't floating around in the wild. Another exploit, which affects TCP/IP networking, was released privately, so it wasn't in the wild either. Yet another exploit, which affects Microsoft Word, was already in the wild before the related patch was released. That leaves at least two new exploits that are in the wild, both of which affect Server Message Block (SMB) and could be used to elevate privileges or hide a running process.
http://list.windowsitpro.com/t?ctl=2F246:4FB69

These last two exploits caught my attention because installing the patch in the related Microsoft Security Bulletin MS06-030, "Vulnerability in Server Message Block Could Allow Elevation of Privilege," doesn't completely fix the security problems. Even with the patch installed, a vulnerability remains, although to an arguably lesser extent.

Ruben Santamarta, who runs the reversemode.com Web site, posted a message to SecurityFocus's BugTraq mailing list (at the URL below) in which he stated, in reference to MS06-030, "Microsoft has not fixed the NtClose/ZwClose DeadLock vulnerability ... I think that the Driver Developer community should be informed that using NtClose/ZwClose, the driver will be exposed to a security issue by default."
http://list.windowsitpro.com/t?ctl=2F23B:4FB69

Santamarta published a document on his Web site that discusses the problem in considerable technical detail (at the URL below). If I understand correctly, Santamarta has found that a malware writer could use the still-existing vulnerability to essentially hide a process. As demonstrated in one of his published exploits, even if you try to terminate the process, it will disappear but not actually stop running. This of course gives the malware writer a great way to avoid malware removal. Santamarta's proof of concept points out that Microsoft needs to fix this problem sooner rather than later.
http://list.windowsitpro.com/t?ctl=2F231:4FB69

Finally, another exploit you need to be aware of, which isn't related to
[ISN] Voylent beta released for public download
Voylent beta released for public download

Voylent is a client for cellphones that encrypts voice conversations (IP support is not available in this version). We have just released our first public beta and are looking for testers, feature requests and feedback.

The client has been tested on only a few models, mainly Nokia S60 handsets running Symbian OS. The full list of devices it runs on is included in the release notes FAQ.

We also decided to publish the information regarding the secure channel and key negotiation protocol. The PDF is available for download without registration on our website.

We understand that installing (and running successfully) a new application on a cellphone is not as straightforward as it should be, but we offer support via email and phone, and we are keen to squash as many bugs and make as many UI improvements as possible.

More information at http://www.voylent.com/
[ISN] USDA covers its bases with a detailed plan
http://www.gcn.com/print/25_16/41041-1.html
By Brad Grimes and Jason Miller
GCN Staff
06/19/06 issue

The Agriculture Department's wireless policy, updated in April through a series of departmental notices, comprises everything from architectural requirements to acquisition guidance.

Unlike the Defense Department's most recent wireless memorandum, USDA's policy covers technologies such as Bluetooth and infrared communications, which the department tightly restricts, requiring that Bluetooth and infrared be used only between government-owned devices or within secure government facilities. These technologies also can only be used with strict security measures turned on, including Encryption Mode 3, use of temporary personal identification numbers and more.

"It's a very detailed policy. We have 3,000 county offices where they use wireless devices, and we have to make sure we have a policy that takes care of all our concerns from a security perspective," said Robert Suda, USDA's associate CIO.

For instance, if an employee teleworks and uses a wireless LAN at home, a department representative must inspect the employee's home to ensure the use of Secure Sockets Layer protocol, virtual private networking or the IEEE 802.11i wireless security standard with AES encryption.

Within USDA, the policy requires the use of 802.11i. Approved two years ago, the standard can be a hurdle for agencies that deployed pre-802.11i networks, because the accompanying encryption algorithms often require hardware upgrades. USDA offices must also deploy 802.11i wireless equipment certified by the National Institute of Standards and Technology to conform to Federal Information Processing Standards 140-2. As in the recent DOD wireless policy, FIPS-140-1 cryptographic modules are not acceptable.

Offices that deployed wireless networks before 802.11i came out have a year from April to upgrade, and they're not allowed to connect their noncompliant networks to any other USDA network without a waiver.

Aside from the 802.11i requirements, USDA has taken many of the same steps as DOD, requiring wireless intrusion detection devices and firewalls along the wireless network. But unlike DOD, USDA is particularly concerned with access point configuration. The department requires X.509 certificates in all devices to authenticate actual access points. USDA also requires that all APs be registered with the department and maintain logs of unauthorized access attempts for 30 days. In addition, the policy said, APs will be located on interior walls of buildings.

Agriculture is one of only a handful of agencies with a mature wireless policy.

© 1996-2006 Post-Newsweek Media, Inc.
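The technical core of the policy above (802.11i only, AES encryption, an X.509 identity for every access point) can be checked mechanically against an AP's configuration. The following is an added example, not USDA's or GCN's code; it assumes the AP runs hostapd and reads a hostapd.conf-style key=value file, and the two sample configurations are constructed. The AP registration and 30-day log-retention rules are administrative and are not checked here.

```python
"""Audit a hostapd-style access point configuration against the 802.11i/AES
and certificate requirements described in the USDA wireless policy article.

Added example (not USDA's or GCN's code). Assumes hostapd; the option names
used (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wep_*, server_cert,
private_key) are real hostapd options, but both configurations below are
constructed for illustration.
"""

# Constructed: a pre-802.11i deployment (WPA1 with TKIP and a shared passphrase).
WEAK_CONF = """\
interface=wlan0
ssid=county-office
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=CONSTRUCTED-EXAMPLE-PASSPHRASE
wpa_pairwise=TKIP
"""

# Constructed: RSN (802.11i) only, AES-CCMP only, EAP with an AP certificate.
COMPLIANT_CONF = """\
interface=wlan0
ssid=county-office
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=1
ca_cert=/etc/hostapd/ca.pem
server_cert=/etc/hostapd/ap.pem
private_key=/etc/hostapd/ap.key
"""


def parse_hostapd(text):
    """Parse key=value lines; comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_80211i(conf):
    """Return a list of policy findings; an empty list means compliant."""
    findings = []

    # Any WEP option (wep_default_key, wep_key0, ...) is pre-802.11i.
    if any(key.startswith("wep_") for key in conf):
        findings.append("WEP configured: not an 802.11i cipher suite")

    # wpa=2 is RSN/802.11i only; 1 is WPA1 only, 3 is WPA1+RSN mixed mode,
    # and both of those still accept a pre-802.11i association.
    wpa = conf.get("wpa", "0")
    if wpa != "2":
        findings.append(f"wpa={wpa}: 802.11i (RSN) is not required exclusively")

    # hostapd falls back to wpa_pairwise when rsn_pairwise is unset.
    # AES-CCMP must be the only pairwise cipher; TKIP is RC4-based.
    ciphers = set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    if ciphers != {"CCMP"}:
        findings.append(
            f"pairwise ciphers {sorted(ciphers) or 'unset'}: must be CCMP (AES) only")

    # An X.509 identity for the AP means EAP with a server certificate;
    # a pre-shared key cannot present one.
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():
        findings.append("wpa_key_mgmt lacks WPA-EAP: PSK cannot present an AP certificate")
    for opt in ("server_cert", "private_key"):
        if opt not in conf:
            findings.append(f"{opt} missing: no X.509 identity for the access point")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("compliant", COMPLIANT_CONF)):
        result = check_80211i(parse_hostapd(text))
        print(name, "->", result or "compliant")
```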
[ISN] Hacker enters Agriculture dept. computers
http://seattlepi.nwsource.com/business/1700AP_Agriculture_Hacker.html
By Libby Quaid
AP Food and Farm Writer
June 21, 2006

WASHINGTON -- A hacker broke into the Agriculture Department's computer system and may have obtained names, Social Security numbers and photos of 26,000 Washington-area employees and contractors, the department said Wednesday.

Agriculture Secretary Mike Johanns said the department will provide free credit monitoring for one year to anyone who might have been affected.

The break-in happened during the first weekend in June, the department said. Technology staff learned of the breach on June 5 and told Johanns the following day, but believed personal information was protected by security software, the department said. However, on further analysis, staff concluded that data on current or former employees might have been accessed and informed Johanns on Wednesday, according to the department.

The department said it notified law enforcement agencies. Its inspector general is investigating the break-in.

The information was used for staff or contractor badges in Washington and the surrounding area, spokeswoman Terri Teuber said. Those who might have been affected were notified by e-mail and were being sent letters.

People who believe they may be affected by the data breach can go to http://www.firstgov.gov for more information. The Agriculture Department has a toll-free number to call for information about the incident or about consumer identity protections. The number, 1-800-FED-INFO (1-800-333-4636), is a call center that operates from 8 a.m. to 9 p.m. EDT Monday through Saturday.

Other federal departments have acknowledged recently that private information had been compromised. As many as 26.5 million people may have been affected by the theft of a laptop computer containing Veterans Affairs information, including Social Security numbers and birth dates. The computer was taken from the home of a VA employee, and officials waited nearly three weeks before notifying veterans on May 22 of the theft.

Earlier this month, the Health and Human Services Department discovered that personal information for nearly 17,000 Medicare beneficiaries may have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file.

Social Security numbers and other information for nearly 1,500 people working for the National Nuclear Security Administration may have been compromised when a hacker gained entry to an Energy Department computer system last fall. Officials said June 12 they had learned only recently of the breach.

On the Net: Agriculture Department: http://www.usda.gov
[ISN] Wi-Fi drivers open laptops to hackers
http://www.techworld.com/mobility/news/index.cfm?newsID=6272
By Robert McMillan
IDG News Service
22 June 2006

Hackers can take control of laptops by Wi-Fi, even when the user is not connected to a wireless LAN, according to security researchers.

The hack, which exploits bugs in wireless device drivers, will be demonstrated at the upcoming Black Hat USA 2006 conference during a presentation by David Maynor, a research engineer with Internet Security Systems, and Jon Ellch, a student at the US Naval Postgraduate School in Monterey, California.

Device driver hacking is technically challenging, but the field has become more appealing in recent years, thanks in part to new software tools that make it easier for less technically savvy hackers, known as script kiddies, to attack wireless cards, Maynor said in an interview.

The two researchers used an open-source 802.11 hacking tool called Lorcon (Lots of Radio Connectivity) to throw an extremely large number of wireless packets at different wireless cards. Hackers use this technique, called fuzzing, to see if they can cause programs to fail, or perhaps even run unauthorised software, when they are bombarded with unexpected data.

Using tools like Lorcon, Maynor and Ellch were able to discover many examples of wireless device driver flaws, including one that allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver. They also examined other networking technologies including Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).

The two researchers declined to disclose the specific details of their attack before the August 2 presentation, but they described it in dramatic terms. "This would be the digital equivalent of a drive-by shooting," said Maynor. An attacker could exploit this flaw by simply sitting in a public space and waiting for the right type of machine to come into range. The victim would not even need to connect to a network for the attack to work.

"You don't have to necessarily be connected for these device driver flaws to come into play," Ellch said. "Just because your wireless card is on and looking for a network could be enough."

More than half of the flaws that the two researchers found could be exploited even before the wireless device connected to a network. Wireless devices are often configured to be constantly sniffing for new networks, and that can lead to security problems, especially if their driver software is badly written.

Researchers in Italy recently created a hacking lab on wheels, called project BlueBag, to underscore this point by showing just how many vulnerable Bluetooth wireless devices they could connect with by wandering around public spaces like airports and shopping malls. After spending about 23 hours wandering about Milan, they had found more than 1,400 devices that were open to connection.

"Wireless device drivers are like the Wild, Wild West right now," Maynor said. "Lorcon has really brought mass Wi-Fi packet injection to script kiddies. Now it's pretty much to the point where anyone can do it."

Part of the problem is that the engineers who write device drivers often do not have security in mind, he said. A second problem is that vendors also make devices that go beyond the requirements of a particular wireless standard. That piling on of features can open security holes as well, he said.

All contents © IDG 2006
[ISN] UBS Trial: Defense Attacks 'Sloppy' Investigation
http://www.informationweek.com/management/showArticle.jhtml?articleID=189600069
By Sharon Gaudin
InformationWeek
Jun 21, 2006

Newark, N.J. -- After taking it on the chin last Friday, the defense in a computer sabotage trial here pounded away at the Secret Service agent on the stand, riding him on missteps in the investigation, and once again attacking the fact that hackers worked at one of the computer forensics companies involved in the case.

Special Agent Gregory O'Neil of the U.S. Secret Service was repeatedly questioned by defense attorney Chris Adams about an initial forensic report with a missing page, an unidentified latent fingerprint on a key piece of evidence, and some incorrect dates on a Secret Service report. O'Neil, who was a lead investigator in the matter, took the stand as a witness for the prosecution in the federal computer sabotage case.

Adams, a partner at Walder Hayden Brogan in Roseland, N.J., is the lead defense lawyer for Roger Duronio, the 63-year-old former systems administrator accused of planting a logic bomb that crippled the network at UBS PaineWebber four years ago. Duronio is facing four charges in connection with allegedly writing and planting malicious code on the Unix-based network at UBS PaineWebber, where he had been working for three years. The attack effectively took down about 2,000 of the company's servers, some of which were brought back up in a day, but others remained down for two to three weeks.

In his cross-examination of O'Neil, Adams also focused his sights on one specific forensic investigator who had been a hacker before working at @Stake, Inc., the security company that UBS first called in to check out the March 4, 2002 incident. Karl Kasper, known in the industry as John Tan, identified himself to the federal agent as John Tan, and signed documents with that name. The defense asked O'Neil why he would trust the word, or the work, of someone who gave a false name to the Secret Service. O'Neil replied that he didn't regard it as a false name, simply a name Kasper uses in the trade.

And last Friday, O'Neil said that all roads in the investigation led back to Duronio. First off, he had pointed out that a digital trail led from Duronio's home IP address through the corporate VPN and into the company's servers, on exactly the same dates and times that the malicious code was planted or modified. O'Neil also told the jury that during the execution of a search warrant on the Duronio home, Secret Service agents found parts of the malicious code on two of his home computers, as well as printed out in a hardcopy that was found on his bedroom dresser.

Following the Money

When the trial resumed Tuesday morning, Agent O'Neil took the stand for the second day, and laid out a summary of Duronio's trading activity that he had put together based on the defendant's banking, trading and mortgage information. He testified that Duronio bought a total of 330 put options in the month before the security attack at UBS. He had bought stocks before, but never puts, which basically are a way to place bets that the company's stock will go down. The investor only gets a payoff if the company's stock drops.

Duronio, according to Agent O'Neil, spent $23,025.12 on puts between Feb. 5, 2002 and March 1, 2002. While he bought a handful of puts on other companies, like Merrill Lynch and Citigroup, 96% of them were against UBS.

The agent also pointed out to the jury that Duronio, who allegedly became disgruntled with the company when his annual bonus came in $15,000 under expectations, had recently made two payments of approximately $18,000 each to New York University for his oldest son's tuition.

Hackers and Pseudonyms

During the cross, Adams lost no time in taking another swing at @Stake, the first company on scene to do a forensics investigation. Last week, Adams repeatedly asked witnesses from UBS' IT department if they trusted hackers or would hire a security company that employs hackers.

The research labs in @Stake, which was bought by Symantec Corp. in 2004, were headed up by Peiter C. Zatko (also known in the industry as Mudge), the former CEO and chief scientist of the L0pht, a high-profile hacker think tank. Zatko, however, worked his way into the legitimate business world, testifying before a Senate Committee on Government Affairs, and counseling President Clinton in the White House on security issues.

Mendez testified that other Wall Street firms had recommended several forensic companies, including @Stake, to UBS after their servers were taken down.

In Tuesday's testimony, Agent O'Neil said he had received 10 items of evidence from Kasper (John Tan), who worked at @Stake and was involved in the UBS investigation. Adams projected a Documentation of Evidence sheet onto a screen in front of the jurors that showed that Kasper had signed his name as 'John Tan' on the official list that was handed over to the government. He also had signed another Certified
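The "digital trail" the agent describes, a home IP address arriving through the VPN at the same dates and times the code was planted or modified, is a timeline correlation between two independent evidence sources. The following is an added illustration of that kind of correlation, not the Secret Service's or @Stake's method; every log line, host name, user name and IP address below is constructed (the addresses are from documentation ranges), and the log formats are assumed.

```python
"""Correlate VPN session records with file-modification timestamps.

Added example, not code from the UBS investigation. Both log formats are
assumed and every record is constructed; the aim is to show how an analyst
maps each modification of a suspect file to the remote sessions that were
open at that moment, and then ranks accounts by how many events they cover.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN concentrator log: timestamp, action, user, source address.
VPN_LOG = """\
2002-02-22 21:47:10 LOGIN  user=sysadmin_a src=203.0.113.7
2002-02-22 23:05:33 LOGOUT user=sysadmin_a src=203.0.113.7
2002-02-25 19:12:01 LOGIN  user=sysadmin_b src=198.51.100.40
2002-02-25 19:40:55 LOGOUT user=sysadmin_b src=198.51.100.40
2002-03-01 22:30:00 LOGIN  user=sysadmin_a src=203.0.113.7
2002-03-01 23:59:59 LOGOUT user=sysadmin_a src=203.0.113.7
"""

# Constructed file-system timeline: mtime of the suspect file on each host.
FILE_EVENTS = """\
2002-02-22 22:10:42 host=srv-0117 path=/usr/local/bin/cleanup.sh
2002-02-25 19:20:13 host=srv-0342 path=/etc/cron.d/nightly
2002-03-01 23:14:08 host=srv-0117 path=/usr/local/bin/cleanup.sh
"""

FMT = "%Y-%m-%d %H:%M:%S"


def _kv(rest):
    """Turn 'k=v k=v' into a dict."""
    return dict(tok.split("=", 1) for tok in rest.split())


def vpn_sessions(text):
    """Pair LOGIN/LOGOUT lines into (user, src, start, end) tuples.
    A LOGIN with no LOGOUT yields end=None (session still open)."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, rest = line.split(None, 3)
        ts = datetime.strptime(f"{date} {time}", FMT)
        fields = _kv(rest)
        key = (fields["user"], fields["src"])
        if action == "LOGIN":
            open_sessions[key] = ts
        elif action == "LOGOUT" and key in open_sessions:
            sessions.append((key[0], key[1], open_sessions.pop(key), ts))
    for (user, src), start in open_sessions.items():
        sessions.append((user, src, start, None))
    return sessions


def file_events(text):
    """Parse timeline lines into (mtime, host, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, rest = line.split(None, 2)
        fields = _kv(rest)
        events.append((datetime.strptime(f"{date} {time}", FMT),
                       fields["host"], fields["path"]))
    return events


def correlate(sessions, events, slack=timedelta(minutes=5)):
    """For each file event, list the (user, src) sessions active at its mtime.
    `slack` absorbs clock drift between the VPN concentrator and the hosts."""
    matches = {}
    for ts, host, path in events:
        active = [(user, src) for user, src, start, end in sessions
                  if start - slack <= ts and (end is None or ts <= end + slack)]
        matches[(ts, host, path)] = active
    return matches


def rank_accounts(matches):
    """Count how many modification events each (user, src) was online for."""
    counts = defaultdict(int)
    for active in matches.values():
        for who in active:
            counts[who] += 1
    return dict(counts)


if __name__ == "__main__":
    found = correlate(vpn_sessions(VPN_LOG), file_events(FILE_EVENTS))
    for (ts, host, path), active in found.items():
        print(ts, host, path, "->", active or "no session active")
    print(rank_accounts(found))
```

An event with no active session is as informative as a match: it points at a local account, a different remote path, or a clock that needs re-checking before the timeline is trusted.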
[ISN] Audit finds state computer security needs improvement
http://www.billingsgazette.net/articles/2006/06/20/news/state/24-computer-audit.txt
By The Associated Press
June 20, 2006

HELENA -- The state computer system building, and the taxpayer information and other sensitive data it holds, are vulnerable to security breaches, legislative auditors told lawmakers Tuesday.

The audit came one day after the state computer system's second failure in less than a month.

The computer system for much of state government, including servers and key network systems, is housed in the basement of a 60-year-old building that is not completely secure, legislative auditors said. The computer systems are behind a door that requires an access keycard, but the wall does not extend to the ceiling, the audit said. Legislative Audit Division staff said the computer center relies on "security through obscurity."

State Chief Information Officer Dick Clark said his staff has developed a series of quick deadlines to meet improvements suggested by the auditors. The governor's office also has talked about constructing a new building for the computer system.

Lawmakers said the lack of security is a big problem because state computers warehouse a lot of sensitive data, including complete records on taxpayers and others. "I think this is some pretty serious stuff," said Rep. Dee Brown, R-Hungry Horse.

Clark said his agency also is reviewing the credentials given to people who have access to the computer system's location.

Auditors made a number of suggestions, including the need for a better inventory of all the systems and data in the computer center, more intense security precautions, and strengthened safeguards to mitigate risks associated with earthquakes or flooding in the building's basement.

The shutdown of the computer system on Monday had nothing to do with security. The system shut itself down after a fire alarm went off in the building and fire extinguishers released a chemical to suck oxygen from the air. The equipment was brought back online late in the afternoon.

In late May, most of the state computer system went down for a day when a major piece of network equipment failed.

Copyright © The Billings Gazette
[ISN] 'UFO Hacker' Tells What He Found
http://www.wired.com/news/technology/internet/0,71182-0.html By Nigel Watson June 21, 2006 The search for proof of the existence of UFOs landed Gary McKinnon in a world of trouble. After allegedly hacking into NASA websites -- where he says he found images of what looked like extraterrestrial spaceships -- the 40-year-old Briton faces extradition to the United States from his North London home. If convicted, McKinnon could receive a 70-year prison term and up to $2 million in fines. Final paperwork in the case is due this week, after which the British home secretary will rule on the extradition request. McKinnon, whose extensive search through U.S. computer networks was allegedly conducted between February 2001 and March 2002, picked a particularly poor time to expose U.S. national security failings in light of the terror attacks of Sept. 11, 2001. McKinnon tells what he found and discusses the motivation behind his online adventures in this exclusive phone interview with Wired News. Wired News: What was your motive or inspiration for carrying out your computer hacking? Was it the War Games movie? Gary McKinnon: This is a bit of a red herring. I have seen it but I wasn't inspired by it. My main inspiration was The Hacker's Handbook by Hugo Cornwall. The first edition that I read was too full of information It had to be banned, and it was reissued without the sensitive stuff in it. WN: Without this book would you have been able to do it? McKinnon: I would have done it anyway because I used the internet to get useful information. The book just kick-started me. Hacking for me was just a means to an end. WN: In what way? McKinnon: I knew that governments suppressed antigravity, UFO-related technologies, free energy or what they call zero-point energy. This should not be kept hidden from the public when pensioners can't pay their fuel bills. WN: Did you find anything in your search for evidence of UFOs? McKinnon: Certainly did. There is The Disclosure Project. 
This is a book with 400 testimonials from everyone from air traffic controllers to those responsible for launching nuclear missiles. Very credible witnesses. They talk about reverse-(engineered) technology taken from captured or destroyed alien craft.

WN: Like the Roswell incident of 1947?

McKinnon: I assume that was the first and assume there have been others. These relied-upon people have given solid evidence.

WN: What sort of evidence?

McKinnon: A NASA photographic expert said that there was a Building 8 at Johnson Space Center where they regularly airbrushed out images of UFOs from the high-resolution satellite imaging. I logged on to NASA and was able to access this department. They had huge, high-resolution images stored in their picture files. They had filtered and unfiltered, or processed and unprocessed, files.

My dialup 56K connection was very slow trying to download one of these picture files. As this was happening, I had remote control of their desktop, and by adjusting it to 4-bit color and low screen resolution, I was able to briefly see one of these pictures. It was a silvery, cigar-shaped object with geodesic spheres on either side. There were no visible seams or riveting. There was no reference to the size of the object and the picture was taken presumably by a satellite looking down on it. The object didn't look manmade or anything like what we have created. Because I was using a Java application, I could only get a screenshot of the picture -- it did not go into my temporary internet files. At my crowning moment, someone at NASA discovered what I was doing and I was disconnected.

I also got access to Excel spreadsheets. One was titled Non-Terrestrial Officers. It contained names and ranks of U.S. Air Force personnel who are not registered anywhere else. It also contained information about ship-to-ship transfers, but I've never seen the names of these ships noted anywhere else.
WN: Could this have been some sort of military strategy game or outline of hypothetical situations?

McKinnon: The military want to have military dominance of space. What I found could be a game -- it's hard to know for certain.

WN: Some say that you have given the UFO motivation for your hacking as a distraction from more nefarious activities.

McKinnon: I was looking before and after 9/11. If I had wanted to distract anyone, I would not have chosen ufology, as this opens me up to ridicule.

WN: Tell me about your experiences with law enforcement and the procedures you have gone through.

McKinnon: I was arrested by the British National Hi Tech Crime Unit in March 2002. They held me in custody for about six or seven hours. My own computer and ones I was fixing for other people were taken away. The other machines were eventually returned, but they kept my hard drive, which was sent to the U.S. It was November 2002 when the U.S. Department of Justice started their efforts to extradite me.

WN: The British Crown Prosecution
[ISN] Ohio U. Suspends Two Over Hackers' Theft
http://www.phillyburbs.com/pb-dyn/news/95-06202006-673296.html
The Associated Press
June 20, 2006

ATHENS, Ohio - Ohio University said Tuesday it has suspended two information technology supervisors over recent breaches by hackers who may have stolen 173,000 Social Security numbers from school computers.

The school did not identify the director of communications network services - identified on the school's Web site as Thomas Reid - and manager of Internet and systems. Both were suspended pending the school's investigation of the breaches, five of which have happened since March 2005. A message was left late Tuesday at a home phone listing for Reid.

Citing results from an independent audit, the school also said University President Roderick McDavis will ask trustees for up to $2 million to improve computer security. McDavis said he deeply regretted the inconvenience and stress the breaches caused university employees.

"We hold ourselves fully accountable," McDavis wrote Monday in an e-mail to faculty and staff.

The school said in April it had discovered a computer breach at its training center for fledgling businesses. Since then, electronic break-ins also were reported at the school's alumni office, health center and the department that handles records for businesses the university hires.

Students, alumni and employees have been told to run credit checks and place fraud watches on their credit card and bank accounts. About two dozen people have told the school they were victimized by identity theft in the past year.

-=-

On the Net:

Ohio University data theft: http://www.ohio.edu/datatheft
[ISN] Attend the Black Hat Briefings and Training USA event!
Attend the Black Hat Briefings and Training USA event! July 29 - August 2, 2006 at Caesars Palace in Las Vegas, the world's premier technical event for IT security experts.

Black Hat profiles next generation threats, delivers practical security techniques, and an understanding of legal and policy issues. The Briefings are designed to foster peer-to-peer communication and networking opportunities with over 2,500 security professionals from 40+ nations.

Includes 36 hands-on training courses July 29 - August 1, and 60 presentations at the Briefings August 2-3, featuring security experts and underground security specialists.

Register before June 30 for early-bird savings!

http://www.blackhat.com
[ISN] UAB Computer Theft Puts Thousands At Risk Of Identity Theft
http://www.nbc13.com/news/9398562/detail.html
June 20, 2006

BIRMINGHAM, Ala. -- A computer possibly containing the names, Social Security numbers and medical information for almost 10,000 people has been stolen from the University of Alabama at Birmingham.

The computer had lists of donors, recipients and potential recipients of the university's kidney transplant program. UAB officials said there is no indication that the information has been used. This could mean that personal information of 9,800 UAB kidney patients is out on the street and subject to possible identity theft.

The computer was stolen from the UAB School of Medicine Research Department in February. The people affected were not notified until June 8. UAB said that was because it took months for the school to reconstruct the missing database.

The university said it has apologized to those affected and offered assistance. UAB said a letter was sent to each person alerting them of the crime and giving them the option of subscribing to a credit monitoring company that will alert them of any suspicious activity that might indicate identity theft.

Copyright 2006 by NBC13.com
[ISN] Worm burrows into Google's Orkut
http://www.techworld.com/security/news/index.cfm?newsID=6251
By John E. Dunn
Techworld
19 June 2006

An automated information theft worm has been discovered spreading through Google's social networking website, Orkut.

Using a URL as the lure, MW.Orc installs itself in an Orkut scrapbook, a public guestbook where visitors can leave comments or links. Infection follows for anyone clicking on this, after which it attempts to steal banking user names and passwords in trusted phishing style, should such services be accessed. The worm also gives criminals the potential to use the infected PC as a bot for the distribution of pirated movie files.

Written in Portuguese, the link is believed to be designed to hook Brazilians, the main users of the system. Google is said to have come up with a temporary patch to stop its activities, although a posting by FaceTime Security Labs' researchers on blog.spywareguide states that the worm has been causing problems for some time.

"The idea of problems behind gated communities is a pretty interesting one, even more so when the idea regularly rolls around that segregating various parts of the Internet to keep the bad guys out would be a great idea. But what happens when those bad-guys are already inside the gates?", the blog entry continues.

"Sometimes there is a false sense of security and trust that an end user has in a gated community such as Orkut. This is similar to what we see happening in instant messaging," was the official comment from FaceTime's Chris Boyd.

A relatively obscure part of the Google empire, the invitation-only Orkut is said to have been named after its creator, Google employee Orkut Buyukkokten.
[ISN] Lord battles government over cybercrime laws
http://news.zdnet.co.uk/internet/security/0,39020375,39276193,00.htm
Tom Espiner
ZDNet UK
June 20, 2006

Lord Northesk wants to protect IT pros and the police from criminalisation, and nail down the law covering denial of service attacks

Sweeping changes to UK computer crime laws have been proposed by a Conservative peer. Lord Northesk is seeking to amend the Computer Misuse Act (CMA) 1990 to give the police and judiciary greater legal clarity when dealing with computer crime. The proposed changes would alter the law regarding launching denial of service attacks, the creation of tools that could be used for hacking, and bot attacks.

The UK government is currently trying to update the CMA through amendments in the Police and Justice Bill 2006, which will be debated in the House of Lords this week. Northesk has proposed amendments to the government's own amendments.

As it stands, paragraph 1b of Clause 41 of the Police and Justice Bill would make it an offence to release a computer tool that is likely to be used in a computer offense. As reported last month, experts are concerned that the government's proposals would have criminalised IT and security professionals who make network monitoring tools publicly available or who disclose details of unpatched vulnerabilities.

Northesk's amendments, if passed, would see this paragraph deleted. He believes that it could even criminalise the police, if they create and distribute tools for forensic investigation.

Northesk is pushing for the concept of recklessness to be introduced into the updated CMA. He is seeking to amend Clause 40 of the Police and Justice Bill so that malicious denial of service (DoS) attacks are criminalised by the CMA but legitimate political protests that slow down servers would not be.

The key point in Clause 40 is the inclusion of recklessness and intention [in launching attacks]. With effective civil disobedience, a whole series of people petition online [which may cause servers to crash].
Under the current draft this form of legitimate protest may be denied, said Northesk. "The purpose of the Clause 40 amendment is to address the fundamental issue that a lot of Internet activity - such as electronic civil disobedience - currently comes under CMA."

By introducing the issue of recklessness, Lord Northesk also hopes to protect the police themselves from prosecution. "With [establishing] recklessness there is no bar on forensic hacking," he said.

Northesk has also proposed modifying Clause 39 of the Police and Justice Bill so that Trojan horse software that inserts itself onto a system, allowing remote access by hackers, will be specifically covered by the law. "The current text of the CMA doesn't deal with bot attacks inserting software onto a machine that allows remote attacks," said Northesk.

The peer said he hopes the legislation will enable the police and judiciary to better tackle cybercrime, and provide the government with guidance in understanding it.

"I'm a great believer in legal clarity. Too often within government it's not properly understood that which is trying to be achieved. In the desire to future-proof legislation, they tend not to address problems that are sitting there because they are seen as difficult to understand," Northesk told ZDNet UK.
[ISN] Microsoft France site cracked
http://www.theinquirer.net/?article=32509
By INQUIRER newsdesk
19 June 2006

TURKISH CRACKERS wheedled their way onto a Microsoft site in France over the weekend, leaving a cheeky message for vexed voles.

The crackers, who operate under the name of TiTHacK, taunted Microsoft: "Your System 0wned By Turkish Hackers!" The naughty fellows threatened that Microsoft.com would be next.

The site was out of action for some time and the affected page now directs visitors away from it and back to their own country pages. Zone-h.org posted a mirror of the site and has more details here [1]. µ

[1] http://www.zone-h.org/content/view/4767/31/
[ISN] Phishing scam uses PayPal secure servers
http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9001247
By Peter Sayer
IDG News Service
June 16, 2006

A cross-site scripting flaw in the PayPal Web site allows a new phishing attack to masquerade as a genuine PayPal log-in page with a valid security certificate, according to security researchers.

Fraudsters are exploiting the flaw to harvest personal details, including PayPal log-ins, Social Security numbers and credit card details, according to staff at Netcraft Ltd., an Internet services company in Bath, England.

The PayPal site, owned by eBay Inc., allows users to make online payments to one another, charged to their credit cards, and log-in credentials for the service are a prized target of fraudsters.

The attack works by tricking PayPal members into following a maliciously crafted link to a secure page on PayPal's site. "Anyone thinking to check the site's security certificate at this point will see that it is a valid 256-bit certificate belonging to the site," Netcraft employee Paul Mutton wrote in the company's blog on Friday.

However, the URL (uniform resource locator) exploits a flaw in PayPal's site that allows the fraudsters to inject some of their own code into the page that is returned, he wrote. In this case, the result is a warning that the user's account may have been compromised, and that they will now be redirected to Resolution Center.

The page to which they are redirected asks for their PayPal account details -- but thanks to the cross-site scripting flaw in the PayPal site, and the data injected into the URL by the fraudsters, the page is no longer on the PayPal site. Instead, the page steals the log-in details and sends them to the fraudsters' server, then prompts the user for other personal information, Mutton said.

The Web server harvesting the personal details is hosted in Korea, Mutton said.
The cross-site scripting technique makes the phishing attempt difficult to detect, said Mike Prettejohn, also of Netcraft. "If the malicious link arrived by e-mail, then there would be clues in the mail that it's not genuine," he said. "It's a technique chosen by fraudsters because it is hard to spot."

Although there could be benign uses of cross-site scripting to transfer data between sites, the technique has an inherent security risk, Prettejohn said. "I don't think people would intentionally use it," he said. "If somebody knows there's a cross-site scripting opportunity on their site, the right thing to do would be to fix it," he said.

Staff at PayPal could not immediately be reached for comment.
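The defect Mutton describes, a query parameter reflected unescaped into a page that the genuine site serves over a valid certificate, shown beside the fix Prettejohn calls for. This is an added example written for this digest, not PayPal's or Netcraft's code; the host name, the page template and the crafted link are constructed.

```python
"""Reflected cross-site scripting: the defect beside its fix (constructed example)."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed login-page template. The placeholder is filled from a URL query
# parameter, which is exactly how a reflected XSS flaw arises.
LOGIN_TEMPLATE = (
    "<html><body><h1>Log in</h1>"
    "<p>Welcome back, {name}.</p>"
    "<form action='/login'><input name='user'><input name='pw'></form>"
    "</body></html>"
)


def _name_param(url: str) -> str:
    """Extract the untrusted 'name' query parameter (percent-decoded) from a URL."""
    return parse_qs(urlparse(url).query).get("name", [""])[0]


def render_vulnerable(url: str) -> str:
    """The defect: the parameter is reflected verbatim, so attacker-chosen
    markup becomes part of a page served by the legitimate host."""
    return LOGIN_TEMPLATE.format(name=_name_param(url))


def render_fixed(url: str) -> str:
    """The fix: the same page, but the parameter is HTML-escaped first, so
    angle brackets and quotes arrive as text, never as markup."""
    return LOGIN_TEMPLATE.format(name=html.escape(_name_param(url), quote=True))


class _TagCollector(HTMLParser):
    """Collects the element names that appear in an HTML document."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tag_names(document: str) -> list:
    """Return every start-tag name in the document, in order."""
    collector = _TagCollector()
    collector.feed(document)
    return collector.tags


# Elements the legitimate template can produce; anything beyond these was injected.
EXPECTED_TAGS = set(tag_names(LOGIN_TEMPLATE.format(name="placeholder")))


def injected_elements(rendered: str) -> set:
    """Element names present in a rendered page that the template never emits.
    A non-empty result means the page carried content the site did not write."""
    return set(tag_names(rendered)) - EXPECTED_TAGS


# Constructed crafted link: genuine host, genuine path, and a parameter carrying
# markup. A certificate check passes because the site really does serve this
# page; only the reflected content is hostile.
CRAFTED_URL = "https://www.example-bank.test/login?name=%3Cscript%3Ealert(1)%3C/script%3E"
BENIGN_URL = "https://www.example-bank.test/login?name=Alice"

if __name__ == "__main__":
    print("vulnerable:", injected_elements(render_vulnerable(CRAFTED_URL)))  # {'script'}
    print("fixed:     ", injected_elements(render_fixed(CRAFTED_URL)))       # set()
```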
[ISN] Stratcom leads DOD cyberdefense efforts
Forwarded from: William Knowles

http://www.fcw.com/article94954-06-19-06-Web
By Josh Rogin
June 19, 2006

Information sharing and protection is a crucial front in the war on terrorism. Consequently, the Strategic Command (Stratcom) is leading Defense Department efforts to create a virtual environment, including nonstop virtual meetings and blogging so warfighters can disseminate information across locations, commands and rank securely and in real time.

Lt. Gen. Robert Kehler, deputy commander of Stratcom, explained these efforts in a keynote speech at AFCEA International's TechNet International 2006 conference today in Washington, D.C.

"Unfortunately for us, cyberterrorism is cheap, and it's fast," Kehler said. "Today's terrorist moves at the speed of information." Cyberterrorism is anonymous and far-reaching. Government, corporate, personal, public works and airline computers are all attractive targets that cyberterrorists could attack remotely.

To that end, Stratcom's top priority is to speed the transformation of DOD into a network-centric force in which all commands are interconnected and secured. "Information sharing is a strategic advantage," Kehler said.

"Achieving the full potential of net-centricity requires viewing information as an enterprise to be shared and as a weapons system to be protected," the 2006 Quadrennial Defense Review states.

Stratcom is also the lead operator of the Global Information Grid, which aggregates all interconnected and secure DOD information systems. The command seeks to implement 24-hour, real-time communications from generals to warfighters while protecting those communications from adversaries.

The latest innovation is Strategic Knowledge Integration, known as SKI-web. Part of Stratcom's classified network, SKI-web functions as a never-ending virtual operation and intelligence meeting.
"It is the key tool that the senior leadership uses to stay abreast of events unfolding throughout the command and the world, in real time," Kehler said.

Blogging is one of the ways SKI-web allows users to contribute to discussions. Every command member, regardless of rank, can blog on issues that affect them, eliminating the vetting process of command bureaucracy. "We have a command chain at Stratcom, not an information chain," Kehler said. All command levels receive information at the same time, creating an infosphere inside which command is exercised, he said.

Changing the culture of information sharing is the most difficult step toward using technology to better distribute and protect information, Kehler said. "The first step in sharing information is the realization that you must, can and will share it," he said.

*==*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
C4I.org - Computer Security, Intelligence - http://www.c4i.org
*==*
[ISN] SCADA industry debates flaw disclosure
http://www.theregister.co.uk/2006/06/19/scada_flaw_debate/
By Robert Lemos
SecurityFocus
19th June 2006

The outing of a simple crash bug has caused public soul-searching in an industry that has historically been closed-mouthed about its vulnerabilities.

The flaw, in a particular vendor's implementation of the Inter-Control Centre Communications Protocol (ICCP), could have allowed an attacker the ability to crash a server. Yet, unlike corporate servers that handle groupware applications or websites, the vulnerable server software - from process-control application maker LiveData - monitors and controls real-time devices in electric power utilities and healthcare settings. The best known types of devices are supervisory control and data acquisition (SCADA) devices and distributed control system (DCS) devices. A crash becomes a more serious event in those applications, said Dale Peterson, CEO of Digital Bond, the infrastructure security firm that found the flaw.

"These are what you would consider, in the IT world, critical enterprise applications," Peterson said. "But the companies don't act like these are critical enterprise applications."

LiveData maintains that the flaw is a software bug, not a security vulnerability, pointing out that it only affects how the LiveData ICCP Server handles a non-secure implementation of the communications protocol - typically used only in environments not connected to a public network.

"In general, SCADA networks are run as very private networks," LiveData CEO Jeff Robbins said. "You cannot harness an army of public zombie servers and attack them, because they are not accessible."

The incident has touched off a heated debate among a small collection of vulnerability researchers, critical infrastructure security experts and the typically staid real-time process control systems industry.
The controversy mirrors the long-standing dispute between independent researchers and software vendors over disclosing vulnerabilities in enterprise and consumer applications. In that industry, researchers have taken Apple, Oracle, Cisco and Microsoft to task at various times over the last year for the perception that the companies were not responding adequately to reports of flaws in their software products.

Last week, at the Process Control System Forum (PCSF), a conference on infrastructure management systems funded by the US Department of Homeland Security, a similar debate played itself out. Perhaps three dozen industry representatives and security researchers met during a breakout session to hash out the issues involving disclosure.

The tone became, at times, contentious, said Matt Franz, the moderator of a conference panel on the topic and a SCADA security researcher with Digital Bond. "The vendors were sticking together saying that (researchers) didn't need to be involved with SCADA flaws," he said. "'It puts people and infrastructure in danger,' they said."

Moreover, many vendors did not appreciate the involvement of the US Computer Emergency Readiness Team (US-CERT), the nation's response group tasked with managing the process of vulnerability remediation for critical infrastructure, Franz said.

The LiveData flaw was the first flaw in SCADA systems handled by US-CERT and the CERT Coordination Centre, the group that manages the national agency. While valuable as a learning experience, the entrance of a third party into the disclosure of a flaw in an infrastructure system brought up more questions than answers. At the PCSF session, many vendors voiced concerns over involving a third party.

"I did not come away with a feeling that any issues were settled," said Art Manion, internet security analyst for the CERT Coordination Centre and a participant in the discussion at the conference.
The debate over how disclosure should be handled underscores both the intense focus on SCADA and DCS systems as potential targets of cyberattacks and the position of many companies in the real-time process control systems industry that vulnerabilities in such systems require special treatment.

"In security circles, it is widely discredited that you can secure something through obscurity - yet SCADA systems are really obscure," LiveData's Robbins said. "That is not a statement of a principle of security and doesn't rationalise anything, but is a fact."

Even SCADA security specialists agree that obscurity can raise the hurdle enough to keep most online attackers from jumping into SCADA systems.

"There are some legacy systems out there running plants that are more secure than many latest and greatest systems, because they are not connected to the internet or they are using obscure standards," said Ernest Rakaczky, program director for process control systems at infrastructure firm Invensys.

That's true - at least to an extent, said CERT Coordination Centre's Manion. The information on these systems can be found by a determined attacker, he said. Part of our outreach is to show that people can find out about these
[ISN] Hello, is this Gov. Minner's secret hot line? Have we got a deal for you
http://www.delawareonline.com/apps/pbcs.dll/article?AID=/20060616/NEWS/606160329/1006
By JENNIFER BROOKS
News Journal Washington Bureau
06/16/2006

WASHINGTON -- For a governor with a secret hot line to the Department of Homeland Security, the only thing worse than hearing that phone ring is answering the call and hearing: Hello! Are you satisfied with your long-distance service provider?

"Every time that phone rings, it's telemarketers," grumbled Gov. Ruth Ann Minner, whose secret homeland defense hot line sits in her office, ringing occasionally with offers of time share condominiums and great deals on long distance.

"I wonder about the security of that line," said Minner, noting that other governors have reported similarly unwelcome intrusions on the hot line phones that are supposed to ring only in the event of a national catastrophe.

Minner, who sits on a homeland security advisory panel of the National Governors' Association, mentioned the annoying phone calls Thursday on a visit to Washington. The problem, Minner said, seems to be the random-number generators that telemarketers use.

So what's a governor to do? According to Minner's office, the Department of Homeland Security placed all the hot line numbers on the federal government's Do Not Call Registry, which is supposed to ward off telemarketers.

The Department of Homeland Security did not return calls for comment.

Copyright © 2006, The News Journal.
[ISN] Microsoft Posts Excel 'Zero-Day' Flaw Workarounds
http://www.eweek.com/article2/0,1895,1978835,00.asp
By Ryan Naraine
June 19, 2006

Microsoft's security response center is recommending that businesses consider blocking Excel spreadsheet attachments at the network perimeter to help thwart targeted attacks that exploit an unpatched software vulnerability.

The Redmond, Wash., software giant published a pre-patch advisory on June 19 with a list of workarounds that include blocking Excel file-types at the e-mail gateway. File extensions associated with the widely deployed Microsoft Excel program are: xls, xlt, xla, xlm, xlc, xlw, uxdc, csv, iqy, dqy, rqy, oqy, xll, xlb, slk, dif, xlk, xld, xlshtml, xlthtml and xlv.

The company's guidance comes just a few days after public confirmation that a new, undocumented Excel flaw was being used in an attack against an unidentified business target. The attack resembles a similar exploit that targeted Microsoft Word users, prompting suspicion among security researchers that the attacks may be linked.

The Excel attack includes the use of a Trojan horse program called Trojan.Mdropper.J that arrives as an Excel spreadsheet with the file name okN.xls. When the Trojan is executed, it exploits the Excel flaw to drop and execute a second piece of malware called Downloader.Booli.A. It then silently closes Microsoft Excel.

Downloader.Booli.A attempts to run Internet Explorer and inject its code into the browser to bypass firewalls. It then connects to a remote Web site hosted in Hong Kong to download another unknown file.

In the latest advisory, Microsoft confirmed that the vulnerability exists in Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac. Excel 2000 users are at highest risk because the program does not prompt the user to Open, Save, or Cancel before opening a document. Other versions of the software present a warning before a file is opened, Microsoft said.
The company insists that a user must first open a malicious Excel file attached to an e-mail or otherwise provided to them by an attacker to be at risk. The flaw is described as improper memory validation in Excel that occurs only when the program goes into repair mode.

Microsoft also recommends that businesses using Excel 2003 prevent Excel Repair mode by modifying the ACL (Access Control List) in the Excel Resiliency registry key. Detailed instructions can be found in the advisory.

Microsoft said businesses should also consider blocking the ability to open Excel documents from Outlook as attachments, Web sites and the file system directly. This can be done by removing the registry keys that associate the Excel documents with the Excel application.

As best practice, the company said Excel users should remember to be very careful opening unsolicited attachments from both known and unknown sources.
[ISN] UK's first computer hacking degree launched
http://software.silicon.com/security/0,39024655,39159714,00.htm
By Andy McCue
19 June 2006

A degree course in computer hacking has been launched by a Scottish university in response to industry demand for IT security experts.

The University of Abertay in Dundee will run the BSc (Hons) undergraduate course in Ethical Hacking and Countermeasures from the start of the next academic year in October. Around 30 places are available on the course, which the university says will provide a graduate with knowledge of how illegal computer attacks can be performed and how they can be stopped.

The university prospectus said: "In the same way that police detectives need to know how thieves can steal, computer systems administrators need to know what hackers can do."

The university said it has launched the degree course in response to demand from industry for people with the skills to test the security of corporate IT networks.

A university spokesman said: "There are an increasing number of compliance regulations and insurance policies that insist businesses carry out security checks on their networks."

The university also stressed it will be vetting students very carefully in accordance with Home Office guidelines and that they will be monitored closely throughout the course. The spokesman said: "We are not going to give them the full set of tools on day one."

Although many existing undergraduate computing degrees cover elements of this new course, Abertay claims to be the first UK university to offer a dedicated degree course in hacking. There are also ethical hacking courses and qualifications offered by private sector IT training organisations such as the Training Camp, which launched a course two years ago.
[ISN] Spoofing Defense Dissed By Security Experts
http://www.informationweek.com/news/showArticle.jhtml?articleID=189500626
By Sharon Gaudin
InformationWeek
June 19, 2006

A defense lawyer in an ongoing federal computer sabotage trial is pushing the idea that four years ago, a hacker masqueraded as his client to surreptitiously plant the logic bomb that took down thousands of servers at UBS PaineWebber, thus framing an innocent man.

Roger Duronio, a former systems administrator at UBS, is currently on trial in a District Court in Newark, N.J., for allegedly building and distributing the logic bomb that crippled the company's ability to do business for a day in some locations, and for as long as two to three weeks in others, costing UBS a reported $3.1 million in cleanup costs alone. If convicted, Duronio faces a maximum sentence of 30 years, fines of up to $1 million and restitution for the money UBS spent on recovery.

Chris Adams, Duronio's attorney and a partner at Walder Hayden Brogan in Roseland, N.J., has been throwing a slew of who-done-it theories at the jury, including an outside hacker, another systems administrator or even a slip-up by Cisco Systems, Inc., which was doing a penetration test of the UBS network during the March 4, 2002 incident.

But one major theme that Adams keeps returning to is the idea of someone, whether inside UBS or outside, using IP spoofing to pretend to log into the company's Unix-based network from Duronio's home, using the defendant's own corporate VPN connection. That's Adams' explanation for why forensics examiners and federal investigators traced remote connections to the network directly back to Duronio's own IP address, during the times when pieces of the malicious code were being planted on the system.

The problem with this theory, according to several security professionals and even one long-time hacker, is that, technically, it simply can't be done.
"Spoofing the IP address is not difficult," says Johannes Ullrich, chief research officer at the SANS Institute, a Bethesda, Md.-based cyber security training and certification organization. "The problem is transferring data with a spoofed IP address. It's close to impossible to do." Ullrich also is the chief technology officer for the Internet Storm Center, a cooperative cyber threat monitoring and alert system.

IP spoofing (short for Internet Protocol address spoofing) is a way to fool a computer into thinking that a packet is coming from machine A when it is really coming from machine B. The header of every IP packet contains its source address, normally the address of the machine that sent the packet. By putting a different address into the header, a hacker can give the appearance that the packet was sent from a different machine.

"IP spoofing often is used for denial-of-service attacks because the attacker simply has to overwhelm a network with a flood of pings or useless traffic," explains Ken van Wyk, a 20-year IT security veteran and principal consultant with KRvW Associates, LLC of Alexandria, Va. "A session doesn't have to be established. The attacker, simply put, has to pound on the door; he doesn't actually need to be let inside."

But Duronio's defense attorney has been asking various UBS witnesses who have taken the stand so far to talk about IP spoofing and sniffing, which is the act of capturing information, generally packets, as it goes over the network. "You can read the packets and use them to pretend you're coming from another IP address, can't you?" Adams last week asked Rafael Mendez, who was UBS' division vice president for network services at the time of the attack. Mendez responded that spoofing becomes much more difficult to do if the packets are encrypted. He also said most ISPs set up sniffing roadblocks, blocking that kind of security problem.
The idea of hackers using IP spoofing is generally traced back to Kevin Mitnick, one of the world's most famous hackers and a cause celebre at one time in the hacker community. Mitnick was arrested in 1995 and was convicted of wire fraud and breaking into computer systems at major companies like Sun Microsystems, Inc. and Motorola. He used IP spoofing to try to hide his identity during at least one attack.

The difference between what Mitnick did and what the defense in the Duronio trial is suggesting happened in this case is that in this latest scenario, IP spoofing would have had to have been used to load actual lines of code onto the UBS servers. Mitnick just needed to get a few packets through to the receiving server; a real session wouldn't have had to have been established.

"That's a whole different story from starting and maintaining a session long enough to load on, or modify, code," says George Bakos, a self-proclaimed hacker with 20 years of experience, and a senior security expert with the Institute for Security Technology Studies at Dartmouth College in Hanover, N.H. "When you connect to a machine, there are dozens of packets that are exchanged just to authenticate and get ready to
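The handshake argument Ullrich, van Wyk and Bakos make above, as an added toy model (not code from the article or from anyone quoted in it): the network, hosts and 10.0.0.x / 203.0.113.x addresses are constructed, the real TCP/IP stack is not used, and only the part of TCP's three-way handshake that matters here is kept, namely that the server's unpredictable initial sequence number is sent to whatever address the SYN claimed, so a spoofer never sees it, while the real owner of that address resets the attempt.

```python
"""Toy model of the point made above: a forged source address is enough to
flood a server but not to hold a session with it. This is an added
illustration, not code from the article or anyone quoted in it; the network,
hosts and 10.0.0.x / 203.0.113.x addresses are constructed, the real TCP/IP
stack is not used, and only the handshake behaviour that matters is kept."""
import secrets
from dataclasses import dataclass

SYN, ACK, RST = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"RST"})
SYN_ACK = SYN | ACK


@dataclass
class Segment:
    src: str                 # source address in the header (may be forged)
    dst: str
    flags: frozenset
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


class Network:
    """Delivers each segment to the host that really owns the destination."""
    def __init__(self):
        self.hosts = {}

    def send(self, seg):
        if seg.dst in self.hosts:            # address nobody owns: dropped
            self.hosts[seg.dst].receive(seg)


class Server:
    """Accepts a peer only after a correct ACK of its own SYN-ACK."""
    def __init__(self, addr, net):
        self.addr, self.net = addr, net
        self.half_open = {}                  # peer address -> server ISN
        self.established = {}                # peer address -> payloads delivered
        net.hosts[addr] = self

    def receive(self, seg):
        if seg.flags == SYN:
            isn = secrets.randbits(32)       # unpredictable initial sequence number
            self.half_open[seg.src] = isn
            # The reply goes to the claimed source, whoever really owns it.
            self.net.send(Segment(self.addr, seg.src, SYN_ACK, seq=isn, ack=seg.seq + 1))
        elif seg.flags == RST:
            self.half_open.pop(seg.src, None)   # the peer disowns the attempt
        elif seg.flags == ACK and seg.src in self.half_open:
            if seg.ack == self.half_open.pop(seg.src) + 1:   # requires knowing the ISN
                self.established[seg.src] = []
        elif seg.flags == ACK and seg.src in self.established and seg.payload:
            self.established[seg.src].append(seg.payload)


class Host:
    """Ordinary host: it sends from its own address, so it sees the replies."""
    def __init__(self, addr, net):
        self.addr, self.net, self.inbox, self.connecting = addr, net, [], False
        net.hosts[addr] = self

    def receive(self, seg):
        self.inbox.append(seg)
        if seg.flags == SYN_ACK and not self.connecting:
            # Unsolicited SYN-ACK: someone forged our address. Reset it.
            self.net.send(Segment(self.addr, seg.src, RST, seq=seg.ack))

    def connect_and_send(self, server, data):
        isn = secrets.randbits(32)
        self.connecting = True
        self.net.send(Segment(self.addr, server, SYN, seq=isn))
        self.connecting = False
        syn_ack = self.inbox.pop()           # delivered synchronously above
        for payload in (b"", data):          # bare ACK completes the handshake, then data
            self.net.send(Segment(self.addr, server, ACK, seq=isn + 1,
                                  ack=syn_ack.seq + 1, payload=payload))


def legitimate_session():
    """A host using its own address completes the handshake and delivers data."""
    net = Network()
    server, client = Server("10.0.0.1", net), Host("10.0.0.2", net)
    client.connect_and_send("10.0.0.1", b"code")
    return server.established.get("10.0.0.2") == [b"code"]


def spoofed_session():
    """Forged SYN, then ACK and data with a guessed ISN (the real one went to the victim)."""
    net = Network()
    server, victim = Server("10.0.0.1", net), Host("10.0.0.2", net)
    net.send(Segment("10.0.0.2", "10.0.0.1", SYN, seq=1))    # claims the victim's address
    guess = secrets.randbits(32)
    for payload in (b"", b"code"):
        net.send(Segment("10.0.0.2", "10.0.0.1", ACK, seq=2, ack=guess + 1, payload=payload))
    return {"established": "10.0.0.2" in server.established,
            "victim_saw_syn_ack": any(s.flags == SYN_ACK for s in victim.inbox),
            "half_open_left": len(server.half_open)}


def half_open_after_forged_syns(count):
    """Forged SYNs from addresses nobody owns never become sessions, but each
    one costs the server a half-open entry, which is all a flood needs."""
    net = Network()
    server = Server("10.0.0.1", net)
    for i in range(count):
        net.send(Segment(f"203.0.113.{i}", "10.0.0.1", SYN, seq=i))
    return len(server.half_open)
```

The unsolicited SYN-ACKs arriving at the impersonated host are also the signal a defender can look for: a machine receiving SYN-ACKs for connections it never opened is seeing its address forged.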
[ISN] Linux Advisory Watch - June 16th 2006
LinuxSecurity.com Weekly Newsletter
June 16th, 2006 - Volume 7, Number 25n
Editorial Team: Dave Wreski, Benjamin D. Thomas

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, advisories were released for freetype, webcalendar, kernel, horde3, horde2, wv2, subversion, ruby, squid, dovecot, gdm, autofs, shadow-utils, rsync, mysql, python, scim, freetype2, squirrelmail, libtiff, spamassassin, sendmail, mailman, kdebase, postgresql, and php. The distributors include Debian, Fedora, Mandriva, Red Hat, and SuSE.

---

Security on your mind? Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data. The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates. The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi

---

How To Break Web Software
By: Eric Lubow

With a tool so widely used by so many different types of people as the World Wide Web, it is necessary for everyone to understand as many aspects of its functionality as possible. From web designers to web developers to web users, this is a must read.
Security is a job for everyone, and How To Break Web Software by Mike Andrews and James A. Whittaker is written for everyone to understand. Although this book may be geared more towards the developer, it is really a book for everyone. As I mentioned before, security is everyone's responsibility. The ideas, concepts, and procedures outlined in this book are things that even the average user should be able to pick up on and alert the webmaster to in order to prevent potential disaster.

It is necessary to keep in mind that this book, although seemingly full of information on how to attack web sites and bring down servers, is for informational and educational purposes. It is meant to inform developers of common programming and design mistakes. It is also meant to ensure that common users with no malicious intent can spot problems in design and nip them in the bud before the problems become catastrophic.

The book begins by showing the reader, in no uncertain terms, the basic concepts that are going to be outlined through the book. The first idea is to get everyone on the same page with client-server relationships and general information about the world wide web.

One of the most important aspects of an attack is knowing your victim. The first informational chapter in this book discusses gathering information on a potential target. Just as with all forthcoming chapters, this one begins with the obvious information and progresses into the more obscure, less thought about topics. Once the information has been gathered, either via source code, URLs, or any other method that potentially puts information out in the open, the attacks can begin.

There are many ways in which these attacks can happen. The authors begin by discussing attacks on the user (client) input and how validation needs to occur or the input needs to be sanitized. They then move on to talk about state based attacks, either through CGI parameters or hidden fields within forms.
These ideas are also extended to cover cookie poisoning, URL jumping, and session hijacking (which can also include man in the middle attacks). Without all this information consistently being checked and verified, it is possible for those with malicious intent to inject information into a session.

http://www.linuxsecurity.com/content/view/122713/49/

--

Linux File Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are
[ISN] Laptop with City Employees' Info Stolen
http://www.wjla.com/news/stories/0606/337194.html

June 18, 2006

Washington (AP) - Information on 13,000 D.C. government workers and retirees has been stolen, along with the laptop computer where it was stored. Officials with ING Financial Services say the Social Security numbers and other information on the employees were stored on a computer that was stolen from an ING employee's Southeast Washington home. ING administers the District's retirement plan.

Company officials say the laptop was stolen on Monday but they didn't notify the city about the theft until late Friday because they had to figure out what information was stored on the computer. The laptop was not protected by a password or encryption.

ING is alerting all affected account holders to the risk of identity theft. The company will set up and pay for a year of credit monitoring and identity fraud protection. City officials say they're concerned that the information was not protected, and that the company waited so long to report it.

Copyright 2006 by The Associated Press.
[ISN] Encryption can save data in laptop lapses
http://seattlepi.nwsource.com/business/1700AP_Laptops_Security.html

By STEPHEN MANNING
ASSOCIATED PRESS WRITER
June 17, 2006

ROCKVILLE, Md. -- Reports of data theft often conjure up images of malicious hackers breaking into remote databases to filch Social Security numbers, credit card records and other personal information. But a lot of the time, the scenario is much simpler: A careless worker at a company or agency with weak security policies falls prey to a low-tech street thug who runs off with a laptop loaded with private data.

In the biggest case, the Department of Veterans Affairs recently lost data on 26.5 million veterans and military personnel stored on a laptop and external drive stolen from the suburban Washington home of a VA employee.

Security experts and some privacy groups say simple measures could protect data if a laptop falls into nefarious hands. They include encrypting the information so it's nearly impossible to access without the correct credentials.

"It is shocking how many of these are stolen laptops and the fact that the users of the laptops did not use encryption to secure the data," Beth Givens, director of the Privacy Rights Clearinghouse, said of recent data losses. "If thieves read the newspaper, they can readily figure out that they have got more than just a piece of hardware."

Since June 2005, there have been at least 29 known cases of misplaced or stolen laptops with data such as Social Security numbers, health records and addresses of millions of people, according to the Privacy Rights Clearinghouse, a San Diego-based nonprofit that tracks data thefts. So far, there is no evidence the stolen data were used for identity theft or other nefarious purposes. In most cases, the laptop itself, not the personal information on it, was the likely target of the theft.

Sometimes, there's no good reason why so much information is being kept on individual machines that are designed to be carried out of the office.
In other cases, workers were allowed to have the data on the laptops but didn't follow proper procedures for keeping it safe. In others, they broke the rules by taking personal data out of the office or not protecting it with digital tools.

Laptops have been stolen from cars, gone missing when checked for airline flights, and been taken from offices and employee homes. Hospitals, universities, consulting firms, banks, health insurers and even a YMCA have lost personal data.

The portable computers are usually protected by passwords needed to boot them up, but the data on their drives are still accessible. Encryption, on the other hand, scrambles the information and would render it useless to a thief without the digital key that decrypts the data.

A variety of encryption tools are available, including software as well as specialized chips. But many people are reluctant to use them because losing the key can make it hard to access the data and the programs can slow down data access, said Alan Paller, director of research at the SANS Institute, a computer-security organization in Bethesda. That could change as computer manufacturers start selling laptops with encryption built in. Microsoft's Windows Vista operating system, due late this year for businesses and early next year for consumers, is expected to make it easier for users to encrypt all their data.

Many states now require companies and organizations that store personal information to inform the public when the data leaks. But those laws generally don't make reporting obligatory if the lost data were encrypted.

Some companies that have lost laptops are responding with better security measures. Ernst & Young, which has 30,000 laptops used by its highly mobile staff of consultants, is encrypting all contents on the computers, according to company spokesman Charlie Perkins. But in February, as the policy was being implemented, a laptop that hadn't been encrypted was stolen from an employee's car.
With it went the names, addresses, and credit card information of about 243,000 customers of Ernst & Young client Hotels.com. Perkins said there is no evidence any of the data was misused. "We evaluated our policies in this area across the board," he said. "Encryption is the most significant step."

Of course, security measures can only work if they are actually used. In several cases, laptops were lost or stolen when employees violated company rules by leaving them in parked cars or in their homes. And data that are supposed to be encrypted by an employee sometimes aren't.

On June 2, grocery retailer Royal Ahold NV said contractor Electronic Data Systems Corp. lost a laptop with personal information on an undisclosed number of retirees and former workers of Ahold companies, including grocery chains Stop & Shop and Giant Food. The EDS worker was asked to check the laptop on a flight because the plane's storage bins were full, according to EDS spokesman Kevin Lightfoot. When the flight arrived, the laptop never
[ISN] Web used to lure terror suspects
Forwarded from: William Knowles

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1150494610771&call_pageid=968332188492

By SANDRO CONTENTA
EUROPEAN BUREAU
June 17, 2006

LONDON - On a cold night last October, police stormed a West London apartment and found Younis Tsouli at his computer, allegedly building a Web page with the title "You Bomb It."

Initially, the raid seemed relatively routine, one of about 1,000 arrests made under Britain's terrorism act during the last five years. The more eye-popping evidence was allegedly found in the London-area homes of two accused co-conspirators: a DVD manual on making suicide bomb vests, a note with the heading "Welcome to Jihad," material on beheadings, a recipe for rocket fuel, and a note with the formula "hospital = attack."

But as investigators sifted through computer disk information, the picture that emerged was dramatic. Police had apparently stumbled on the man suspected of being the most hunted cyber-extremist in the world.

Tsouli, a 22-year-old Moroccan, is being widely named as a central figure in a cyber-terrorist network that has inspired suspected homegrown extremists in Europe and North America, including the 17 people recently arrested in the Toronto area. The massive 750 gigabytes of confiscated computer and disk information - an average DVD movie is 4.7 gigabytes - found in Tsouli's computer files is an Internet trail believed to link some of the 39 terror suspects arrested in Canada, Britain, the United States, Sweden, Denmark and Bosnia over the past eight months.

A source with close knowledge of the Tsouli case has told the Toronto Star of evidence that he used the Web address Irhabi007, the cyber-persona of the most notorious extremist hacker on the World Wide Web. "Irhabi007 was like the Godfather of cyber-terrorism for Al Qaeda," says Evan Kohlmann, an Internet terrorism consultant and determined Irhabi tracker.
Since coming on the cyber-extremist scene in late 2003, Irhabi's Internet exploits have become the stuff of legend for the scores of militants reading and chatting on Al Qaeda-inspired sites. He almost single-handedly brought the hardcore network into the modern computer age, solving its most pressing propaganda challenge - how to distribute heavy multi-media files, such as videos of beheadings, to the growing ranks of jihadis.

A self-starter believed to have worked mainly from his home, he hacked and linked his way to become the administrator of the password-protected forum Muntada al-Ansar al-Islami, the main Internet mouthpiece of Abu Musab al-Zarqawi, Al Qaeda's leader in Iraq until he was killed last week by a U.S. aerial attack.

But his downfall has been as dramatic as his rise. Says Aaron Weisburd, another Irhabi tracker: "While he was at large, he was a leader, an opinion-shaper, a solver of problems, and an inspiration to his friends and associates. Now that the authorities have him and his hard disk drive, he has become a major liability."

The London-area raid resulted in terrorism related charges against Tsouli, Waseem Mughal, 22, and Tariq Al-Daour, 19. Their trial is expected to begin in January. Among the items allegedly found in Tsouli's computer is a video slide film on how to make a bomb and another showing sites in Washington, D.C. The images of the American capital were reportedly filmed by two Georgia men arrested by the FBI in March and accused in U.S. court documents of having travelled to Toronto to meet like-minded Islamists.

Tsouli immigrated to London four years ago. At the time of his arrest, his father said Tsouli spoke often of the West waging a war against Islam. Bachir Tsouli, then deputy head of Morocco's tourism office in London, said his son had few friends and spent most of his time at his computer. "What can you do on the computer?" Bachir, 60, told the Daily Mail newspaper.
"He hasn't been to Iraq or to training camps in Afghanistan. Tomorrow they will be saying he is a friend of Osama bin Laden."

No one has accused him of that, but experts who tracked Irhabi007 believe he had links to al-Zarqawi, credited with having turned the Web into a powerful tool for global jihad. During the past two years, al-Zarqawi's followers produced scores of videos on suicide bombings, attacks against U.S. forces in Iraq, beheadings of hostages, propaganda tracts and terrorist how-to manuals. The problem was distribution - how to post and move heavy files on the Internet without sites crashing or being shut down.

Irhabi007 met the challenge. In May 2004, he helped distribute the video of al-Zarqawi's beheading of American contractor Nicholas Berg. It was quickly copied on Internet sites and downloaded half a million times within 24 hours. "He got his name on the map with the Nicholas Berg beheading video," says Ned Moran, intelligence analyst with the Virginia-based Terrorism Research Center. Irhabi007's distribution technique became
[ISN] Suspected Chinese hacker attacks target AIT, MND
http://www.taipeitimes.com/News/taiwan/archives/2006/06/19/2003314414

STAFF WRITER
June 19, 2006

The American Institute in Taiwan (AIT) and the Ministry of National Defense (MND) were both recently targeted by computer hackers believed to be based in China, Defense News reported last week. The report cited anonymous AIT and defense ministry sources, who said the attackers were believed to have been China-based hackers looking to spread misinformation.

On June 5, a hacker sent an e-mail to the media with an attachment containing a fake press release from the military spokesman's office, the report said. The release described a meeting between People First Party members and ministry officials, and was "riddled with distortions and lies," Defense News reported last Tuesday.

Shortly after the e-mail was sent out, officials scrambled to warn local media not to download any attachments purportedly sent from the ministry. Some outlets had already reported the story, but others sought confirmation from officials and were told that the e-mails were part of a smear campaign targeting the ministry, the Defense News report said.

"Our computer was [infected] by a virus. That virus sent a news release to the media. Some of the information [in the release] was incorrect," a ministry source reportedly told Defense News. The report also stated that the account number and password of the ministry's Web mail system, operated by Chunghwa Telecom, were stolen by hackers.

So frequent and serious are cyber attacks against government agencies that the Straits Exchange Foundation, which handles cross-strait communications with China, issued a letter of complaint to China in 2003, the report said, adding that China did not respond to the complaint. Private companies also routinely come under attack by China-based hackers, making Taiwan the most hacked country in the world, according to a Central News Agency report in April.
The Defense News report cited local media claims that the nation suffered 250,000 cyber attacks between 1996 and 2000. China's People's Liberation Army is widely believed to have a special unit devoted to information warfare and computer hacking.

Copyright © 1999-2006 The Taipei Times. All rights reserved.
[ISN] NBA investigates security breach
http://www.palmbeachpost.com/heat/content/sports/epaper/2006/06/15/a8c_mavsnotes_0615.html

By Tom D'Angelo
Palm Beach Post Staff Writer
June 15, 2006

MIAMI - NBA security continues to investigate a breach that allowed two unauthorized women to enter the Dallas Mavericks' locker room following Miami's Game 3 victory and wander into the showers. Dallas forward Josh Howard chased the women out of the showers. They then were escorted out of the building. No arrests were made.

"We're continuing to review the situation but we will certainly have enhanced security for the remaining games of the series," NBA spokesperson Tim Frank said.

Some Mavericks players believe the women took pictures with camera phones before the phones were confiscated. The NBA would not comment on the possibility that pictures were taken.

"There have been situations in the NBA where things happen, but that might be the wildest situation that I have ever seen," Mavericks guard Darrell Armstrong said. "I have never seen that before."

[...]
[ISN] ...and now a word from one of our sponsors II
http://attrition.org/news/content/06-06-15.001.html

After a frustrating day at the coke web site (mycokerewards.com which leads to another server/domain), I finally got all the FAQs and rules to load. Frustrating because the site is poorly written, the pages randomly 404, inputting codez or entering the daily contests error out frequently. Add to that the codes are not always 100% legible on the bottles and boxes. Anyway, after a little math, I see that this loyalty reward program is a complete scam! Here are a few key rules:

http://mcr.us.icoke.com/rules.do

1. The Program begins at 12:00 p.m. Eastern Time (ET) on February 27, 2006 and is scheduled to end at 12:00 p.m. ET on January 15, 2007. The Website will indicate whether there is an active Double Points period in effect.

3. Codes can only be used 1 time. Limit: 10 valid codes per Account, per day (12:00 p.m. ET through 11:59 a.m. ET). However, if an Enrollee enters 20 invalid codes before entering 10 valid codes, Enrollee will be unable to enter any more codes for that day. Enrollees may not combine codes obtained by others for deposit into a single Enrollee's account, nor transfer, sell, or otherwise dispose of codes in any manner in violation or attempted subversion of these Terms and Conditions. Any attempt to combine or transfer codes or points will result in disqualification from the Program and forfeiture of all points in any Enrollee's Account.

9. Enrollees must save the bottle cap, product packaging, and/or promotional item with official code for at least 90 days after the date Enrollee redeems an item online, as it may be necessary to submit it later for verification.

3. The Program is provided to individuals only. Corporations, associations or other groups may not participate in the Program.

Cliff notes: You alone, not a group/company/association, must enter the contest. You have 322 days to input codes, but only 10 codes a day. That is 100 points a day max, for 32,220 points total.
So the 20,000 point TV and the rewards for 24,000+ seem feasible. Until you see that you can't combine codes from other people, and must keep the physical cap/box with the code for 90 days after prize redemption. In short, they think that a single person can purchase and presumably consume *2,000* cases of coke in 322 days? If you can drink 74.5 cans of coke per day, every day, for the entire duration of the contest, then you have a chance of getting that prize.

Does Coca-Cola realize it has implemented a loyalty program that baits people into participating, but won't actually give out the rewards because it isn't possible as outlined in the rules? Is this a cheap gimmick or corporate oversight? I'd like to find out. I'm still aiming to get codes from the masses.. but now, instead of a nice TV as a generous reward for eight years of indentured servitude, it is likely going to be a chance to write a scathing article about corporate lies and the reality of such loyalty reward programs. If I get 20,000 points (which is only now possible if they carry through with the 'double point' days), will they actually part with said TV? Let's find out.
[ISN] Microsoft Has a Big Date Set with 'Black Hat ' Hackers
http://www.eweek.com/article2/0,1759,1976171,00.asp

By Ryan Naraine
June 13, 2006

Microsoft's Windows Vista has a date with some of the world's smartest hackers. The software maker will use the spotlight of the Black Hat security conference in August to show off some of the key security features and functionality being fitted into Vista.

Microsoft's appearance on the Black Hat stage is a first on many fronts. Microsoft will be the first software vendor to present an entire Black Hat Briefing track on a pre-release product. It is also the first time a representative from Redmond, Wash., will make an official presentation at the controversial hacker confab.

According to Microsoft program manager Stephen Toulouse, the idea is to provide deeply technical presentations on Vista security to the hacking community. "We submitted several presentations to the Black Hat event organizers and, based on the technical merit and interest to the audience, they were accepted," Toulouse said.

In total, the day-long track will include five presentations from Microsoft security engineers, and Toulouse said researchers and architects from Redmond will also be actively participating in the event. "We want to make sure we're gathering as much feedback as we can, so that Windows Vista succeeds as the most secure version of Windows ever released," he added.

The sessions will include a talk by John Lambert, group manager in Microsoft's Security Engineering and Communications Group, on the security engineering process behind Windows Vista. Lambert is expected to hold up Vista as the first end-to-end major operating system release in the Trustworthy Computing era from Microsoft. His talk will cover how the Vista engineering process is different from Windows XP and details from what is described as the "largest commercial pentest in the world." Lambert plans to give Black Hat researchers a sneak peek at some of the new mitigations in Vista that combat memory overwrite vulnerabilities.
Wi-Fi in Vista will also come under the microscope when Noel Anderson, group manager in Microsoft's wireless networking group, talks about the way the operating system will handle support for 802.11 wireless technologies. Anderson is expected to outline the new UI experience and updated Wi-Fi default behaviors in Vista, and information on a new software stack that is designed to be more secure, more open and extensible. He is expected to describe the various components of the stack and show developers how to create code to modify and extend the client. Anderson will also outline the different ways Microsoft tests Wi-Fi in the new operating system.

Also on the Black Hat agenda is a talk by Abolade Gbadegesin, an architect in Microsoft's Windows Networking and Device Technologies Division, on the way Microsoft rearchitected and rewrote the TCP/IP stack in Vista.

Adrian Marinescu, a lead developer in the Windows Kernel group, will outline the enhancements made in Vista's heap manager to show how the OS has been hardened to thwart certain types of heap usage attacks. Microsoft previously fitted technology into Windows Server 2003 and Windows XP SP2 to reduce the reliability of heap usage attacks, but Marinescu plans to talk about how the heap manager in Vista pushes the innovation much further in that area. His talk will describe the challenges the company faced and the technical details of the changes coming in Vista.

Microsoft's oft-criticized Internet Explorer browser will also get Black Hat billing this year when IE program manager Tony Chor discusses the security engineering methodology that is being applied to the new IE 7. Chor is expected to detail key vulnerabilities and attacks this methodology revealed, as well as how the new version of IE will mitigate those threats.
Also on tap is a talk by Andrew Cushman, director of Microsoft's Security Response, Engineering and Outreach Team, on the way the company has changed its internal processes to deal with the changing security landscape.

Microsoft won't be alone shining the spotlight on Vista's security. Joanna Rutkowska, a renowned researcher specializing in rootkits, plans to talk about how stealthy malware threats can still be inserted into the latest Vista Beta 2 kernel (x64 edition). Rutkowska is expected to show how to bypass the Vista policy for allowing only digitally signed code to be loaded into the kernel.
[ISN] Stolen computer server sparks ID theft fears
http://msnbc.msn.com/id/13327187/

By Jim Popkin, Tim Sandler
the NBC Investigative Unit
NBC News
June 14, 2006

WASHINGTON - A thief recently stole a computer server belonging to a major U.S. insurance company, and company officials now fear that the personal data of nearly 1 million people could be at risk, insurance industry sources tell NBC News.

The computer server contains personal electronic data for 930,000 Americans, including names, Social Security numbers and tens of thousands of medical records. The server was stolen on March 31, along with a camcorder and other office equipment, during a break-in at a Midwest office of American Insurance Group (AIG), company officials confirm.

An AIG spokesman says that there's no evidence that the thief has accessed the personal data on the server or used it for any illicit purpose. The server is password protected, the AIG spokesman adds.

The server contains detailed personal data from 930,000 prospective AIG customers, whose information had been forwarded to the insurance firm from 690 insurance brokers around the country. The potential customers' employers were shopping with AIG for rates for excess medical coverage, the spokesman says, when they forwarded the personal data to AIG.

AIG has not yet notified any of the people whose personal data are on the stolen server. AIG security officials have been conducting a forensic analysis of the theft, and warned the 690 insurance brokers of the problem on May 26. The AIG spokesman tells NBC: "There is no indication that the thieves were seeking data, rather than valuable hardware. To date, we are unaware of any of this information being compromised."

In a police report on the incident, officers in the Midwestern city state that the stolen server was worth $10,000. The police write that the thief "came through the ceiling, going into their [AIG's] server room."
NBC News is not identifying the city at the company's request, so as to not tip off the thief who may not realize he/she has valuable personal information. AIG describes itself as "the leading international insurance organization with operations in more than 130 countries and jurisdictions." Ironically, an AIG member company announced earlier this year that it now offers identity-theft insurance coverage. © 2006 MSNBC Interactive
[ISN] Intelligence can be pretty dumb
http://www.theinquirer.net/?article=32411 By Nick Booth 14 June 2006 SECURITY FIRMS must be ruthlessly cunning and intelligent to stay ahead of the fiendish legions of hackers, crackers and cunning con artists they constantly warn us about. Or so you'd think. But not if this recent example of 'intelligence' is typical. All companies keep tabs on the opposition. Usually, they employ competitive intelligence companies, who use all kinds of dirty tricks to find out about rivals' products, their marketing strategies and the incentives offered to resellers. A typically fiendish scam would be to set up a phoney head hunting agency, then invite everyone that matters, at the target firm, for an off the record interview. Flattered by the attention, most CTOs and marketing directors are only too pleased to boast of the projects they're working on, the budgets they're in charge of and how many people are under them. This information is all tabulated, and sold for hundreds of thousands of dollars, to the client. Clients like to outsource this furtive behaviour so they can distance themselves from it if they get caught. Very cunning. Some security firms are slightly less sophisticated, it seems. When security vendor Countersnipe launched its latest product, it expected a few bogus enquiries from its rivals. But a request from an outfit calling themselves Ychange seemed genuine enough. 'Jeff' from Ychange saw a demo and was so impressed he promised to show the product to Superluminal, his financial services client, which was just gagging to place a multi-million dollar order. But a quick Whois check revealed that Superluminal's web site was owned by one of Countersnipe's rivals, Sourcefire. Perhaps Sourcefire didn't think anyone else would know about this new-fangled Internet thing. "This has to be the least sophisticated attempt at spying I've ever seen," laughed Countersnipe's Amar Rathore. "I wouldn't mind, but they're a security firm, for God's sake.
You'd think they'd know some cleverer tricks than that." Sourcefire was unavailable for comment.
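The quick Whois check that exposed the 'Superluminal' inquiry is a due-diligence step a vendor can automate. The Python below is an added example, not part of the Inquirer article and not Countersnipe's or anyone else's code: it parses a WHOIS record and flags an inquiry whose domain is registered to, or served by, a company other than the one the caller claims to represent. The WHOIS record, the domain and the company names are constructed placeholders, not real registrations; in use, SAMPLE_WHOIS would be replaced by the registrar's live response and the parser and comparison work unchanged.

```python
"""Vet an inbound sales inquiry against the WHOIS registrant of its domain.

Added example; the WHOIS text below is constructed for illustration and the
domain, registrant and name-server values are placeholders, not real data.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed WHOIS response (not a real registration). Field names follow the
# "Registrant Organization:" style that most registrars emit.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-PROSPECT.COM
Registrar: Example Registrar, Inc.
Updated Date: 2006-05-02T10:11:12Z
Creation Date: 2006-04-28T09:00:00Z
Registrant Name: Domain Admin
Registrant Organization: Rival Security Vendor, Inc.
Registrant Email: hostmaster@rival-security-vendor.example
Admin Organization: Rival Security Vendor, Inc.
Name Server: NS1.RIVAL-SECURITY-VENDOR.EXAMPLE
Name Server: NS2.RIVAL-SECURITY-VENDOR.EXAMPLE
"""


@dataclass
class WhoisRecord:
    domain: Optional[str] = None
    registrant_org: Optional[str] = None
    registrant_email: Optional[str] = None
    creation_date: Optional[str] = None
    name_servers: List[str] = field(default_factory=list)


# Field-name variants seen across registrars, mapped onto WhoisRecord attributes.
FIELD_ALIASES = {
    "domain name": "domain",
    "registrant organization": "registrant_org",
    "registrant organisation": "registrant_org",
    "orgname": "registrant_org",  # ARIN-style output
    "registrant email": "registrant_email",
    "creation date": "creation_date",
    "created": "creation_date",
}


def parse_whois(text: str) -> WhoisRecord:
    """Extract the fields we care about; first occurrence wins, comments skipped."""
    rec = WhoisRecord()
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):
            continue
        key, _, value = line.partition(":")  # timestamps keep their own colons
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key in ("name server", "nserver"):
            rec.name_servers.append(value.lower())
        elif key in FIELD_ALIASES:
            attr = FIELD_ALIASES[key]
            if getattr(rec, attr) is None:
                setattr(rec, attr, value)
    return rec


_SUFFIXES = re.compile(r"\b(inc|llc|ltd|corp|corporation|co|gmbh|plc)\b\.?")


def normalize_org(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes so 'Foo, Inc.' == 'FOO'."""
    s = re.sub(r"[^\w\s]", " ", name.lower())
    s = _SUFFIXES.sub(" ", s)
    return " ".join(s.split())


def vet_inquiry(whois_text: str, claimed_company: str, competitors: List[str]) -> dict:
    """Compare who really owns the domain with who the caller claims to be."""
    rec = parse_whois(whois_text)
    org = normalize_org(rec.registrant_org or "")
    claimed = normalize_org(claimed_company)
    # Registrable part of each name server, e.g. "rival-security-vendor.example".
    ns_domains = {".".join(ns.split(".")[-2:]) for ns in rec.name_servers}
    flags = []
    if org and org != claimed:
        flags.append(f"registrant '{rec.registrant_org}' != claimed '{claimed_company}'")
    for comp in competitors:
        c = normalize_org(comp)
        hosted = any(c.replace(" ", "-") in ns or c.replace(" ", "") in ns for ns in ns_domains)
        if c and (c == org or hosted):
            flags.append(f"domain infrastructure belongs to competitor '{comp}'")
            break
    return {"registrant": rec.registrant_org, "name_servers": sorted(ns_domains),
            "suspicious": bool(flags), "flags": flags}
```

Two design points: the registrant comparison is done on normalized names so a legitimate prospect is not flagged over "Inc." versus "Inc", and the name servers are checked as well as the registrant field, because a proxy-registered domain may hide the organization while still resolving through the real owner's DNS.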
[ISN] Spam Is Good for Antispam Vendors
1. In Focus: Spam Is Good for Antispam Vendors by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Last week, I wrote about Okopipi--the current successor to Blue Security's Blue Frog antispam service. In closing that article, I described a dream situation in which Microsoft philanthropically backs the Okopipi project and bundles the antispam solution with every copy of Windows. This week, I'll point out some statistics and financial figures that show why I think that dream will never become a reality--not with Microsoft or any other major antispam-solution provider.
First, let's look at the cost of spam for businesses: In February 2005, Ferris Research said, Lost productivity and other expenses associated with spam will cost US businesses $17 billion in 2005 Worldwide costs could reach $50 billion, primarily because of lost employee productivity. Not included in these figures are immeasurable items, such as the missed opportunity cost of a new customer order that's incorrectly discarded as spam. That's a lot of incentive for businesses to implement antispam solutions. http://list.windowsitpro.com/t?ctl=2E77B:4FB69 Next, let's look at antispam-solution revenue figures: Also in February 2005, IDC predicted that ...worldwide revenue for antispam solutions will exceed $1.7 billion in 2008, far surpassing the $300 million generated in 2003 [The] development of spam from a mere nuisance to an increasingly serious problem [is] the driver for explosive revenue growth, innovation, and investment in the antispam market. The worldwide revenue for antispam solutions will experience a compound annual growth rate (CAGR) of 42% through 2008. http://list.windowsitpro.com/t?ctl=2E77A:4FB69 Now let's look at email usage and spam volume growth: In January 2006, the Radicati Group estimated that there were more than 1.2 billion active email accounts. Worldwide email traffic per day was about 135 billion messages, of which 67 percent were spam. Then in May 2006, Radicati estimated that there were nearly 1.4 billion active email accounts and worldwide email traffic per day of about 171 billion messages, of which 71 percent were spam. http://list.windowsitpro.com/t?ctl=2E771:4FB69 http://list.windowsitpro.com/t?ctl=2E775:4FB69 Summarizing Radicati's data, the number of mailboxes increased by 200 million, the volume of email traffic increased by 36 million messages, and the volume of spam increased by 31 million messages--all in less than half a year! 
The increases represent a tremendous gain in potential customers for antispam vendors, which of course can readily equate to huge increases in revenue. The spam problem has given birth to a billion-dollar market for antispam-solution providers. If we keep in mind that most companies exist for the primary purpose of generating income for their owners and investors, then we can easily see that no current antispam vendor has the impetus to stamp out spam because doing so would run counter to its fiduciary responsibility. Therefore, the Okopipi project will probably not be seen in a good light by any antispam-solution provider, except of course one that finds a way to profit from the ultimate antispam solution of stamping out spam completely.
[ISN] Hacker disrupts state disaster site
http://www.tallahassee.com/apps/pbcs.dll/article?AID=/20060614/NEWS01/606140312 By Stephen D. Price CAPITOL BUREAU June 14, 2006 As Tropical Storm Alberto barreled toward Florida, a computer hacker disrupted public access to the state's emergency Web site for about 20 minutes Tuesday morning, but the glitch did not affect emergency workers, officials said. The Web site, www.floridadisaster.org, is set up by the Division of Emergency Management and allows Floridians to access information about emergency situations. The problem delayed a briefing by emergency workers. "Someone intentionally did this," said Carla Boyce, plans chief for the Division of Services Management. "Loopholes get discovered and hackers take advantage of them." The Florida Department of Law Enforcement is investigating the incident. At 7:30 Tuesday morning, emergency workers noticed the site showed error messages, said David Halstead, State Emergency Response Team chief. He said a similar problem happened a week ago. "It takes someone with good computer skills to do this," Halstead said. Boyce said workers are reviewing logs and network tools for clues to learn who did the hacking and from where. The problem was fixed, and extra precautions are being taken so it doesn't happen again, she said.
[ISN] VA IT security gaps extend to contractors
http://www.gcn.com/online/vol1_no1/41035-1.html By Mary Mosquera GCN Staff 06/14/06 The Veterans Affairs Department said today that it has been investigating allegations that an offshore medical transcription subcontractor last year threatened to expose 30,000 veterans' electronic health records on the Internet in a payment dispute with a VA contractor. The VA assistant inspector general referred to the investigation during questioning in a congressional hearing on VA's data security environment in the wake of the theft of sensitive data of 26.5 million veterans, active duty military and reserves officers. The medical transcription incident highlights how gaps in information security also extend to contractors, said Michael Staley, VA's assistant inspector general for auditing. Some VA medical transcription contractors have used offshore subcontractors in India and Pakistan without VA's approval and without adequate controls to ensure veterans' health information was secure under the Health Insurance Portability and Accountability Act, according to an audit released today. "Contracts do not specify criteria for how to protect information," Staley told the House Veterans Affairs Committee. Staley enumerated audits of information management security under the Federal Information Security Management Act, the Consolidated Financial Statement and Combined Assessment Program that revealed significant vulnerabilities. These include VA not controlling and monitoring employee access, not restricting users to only the data they need and not terminating accounts of departing employees in a timely manner. In last year's FISMA review, the IG provided 16 recommendations, including addressing security vulnerabilities of unauthorized access and misuse of sensitive information and data throughout VA demonstrated during its field testing. "All 16 recommendations remain open," he said.
Audits also found instances where out-based employees send veterans' medical information to the VA regional office through unencrypted e-mail; monitoring remote network access and usage does not routinely occur; and off-duty users' access to VA computer systems and sensitive information is not restricted. VA has implemented some recommendations for specific locations identified but has not made corrections VA-wide, he said. From fiscal years 2000 to 2005, the IG identified IT and security deficiencies in 141, or 78 percent, of 181 Veterans Health Administration facilities reviewed, and 37, or 67 percent, of the 55 Veterans Benefits Administration facilities reviewed. "We recommended that VA pursue a more centralized approach, apply appropriate resources and establish a clear chain of command and accountability structure to implement and enforce IT internal controls," Staley said. "The underlying situation is the VA's department CIO does not have authority to enforce compliance with data security and information management and recommendations from GAO," said Veterans Affairs Committee chairman Steve Buyer (R-Ind.). Buyer traced problems in security enforcement to a memo dated April 2004 from the general counsel that said the department CIO did not have enforcement authority. The CIO, undersecretaries who lead VA's benefits, health and burial administrations, and the VA secretary share responsibility for enforcement, said Gregory Wilshusen, director of information security issues for the Government Accountability Office. "Information security is a governmentwide problem, and we have talked with OMB about that," said Linda Koontz, director of GAO's information management issues. Buyer expressed frustration that there are no consequences for recalcitrant agencies that do not correct problems that GAO has repeatedly highlighted. He cited the Privacy Act, which has been strengthened with consequences.
"If you have a bureaucracy so strong in the department that the secretary or political bodies are unable to act, don't you think the president or vice president or OMB needs to know that because there are monetary consequences behind that inaction? I'm bothered that GAO doesn't have the higher authority to which they can turn," Buyer said after the hearing. After several more hearings this month, Buyer and his committee will make recommendations or craft legislation. He suggested that Congress consider looking at strengthening FISMA. "We can even come up with that in our language, but we're not going to have jurisdiction over that. We'll have to work with Mr. Davis [House Government Reform Committee chairman Tom Davis (R-Va.)] and his committee. I'd be more than happy to do that," he said.
[ISN] FBI loses 400 pieces of equipment
http://www.upi.com/SecurityTerrorism/view.php?StoryID=20060614-024108-3918r 6/14/2006 WASHINGTON, June 14 (UPI) -- The U.S. FBI may have lost 400 pieces of equipment, National Journal's Technology Daily reported Monday. The Federal Bureau of Investigation still has not told the Government Accountability Office what has happened to hundreds of pieces of equipment that were supposed to be part of a failed department-wide case-management system. "The FBI also has not provided any additional explanation for the remaining roughly 400 missing assets," Linda Calbom, the GAO's director of financial management and assurance, wrote in a letter. The letter, dated Friday, was addressed to Senate Judiciary Committee Chairman Arlen Specter, R-Pa., and addressed many of the follow-up questions that the committee had for GAO. The GAO released a report in May detailing the flaws in the FBI's Trilogy system, Technology Daily said. It reported that the FBI could not locate more than 1,200 pieces of equipment, valued at about $7.6 million. The FBI responded by saying that it had accounted for 800 of those items, but GAO could not verify that claim, Calbom wrote, the report said. © Copyright 2006 United Press International, Inc. All Rights Reserved
[ISN] Money lost to cybercrime down--again
http://news.com.com/2100-7349_3-6083860.html By Joris Evers Staff Writer, CNET News.com June 14, 2006 SCOTTSDALE, Ariz.--While many headlines spell doom and gloom when it comes to computer-related misdeeds, the average losses at businesses due to cybercrime continue to drop, according to a new survey. For the fourth straight year, the financial losses incurred by businesses due to incidents such as computer break-ins have fallen, according to the 2006 annual survey by the Computer Security Institute and the FBI. Robert Richardson, editorial director at the CSI, discussed the survey's findings in a presentation at the CSI NetSec conference here Wednesday. Respondents in the 2005 survey reported an average of $204,000 in cybercrime losses, Richardson said. This year, that's down to $168,000, about an 18 percent drop, he added. Compared with 2004, the average loss is down 68 percent. "How do you go about reconciling the sense of things getting worse with the respondents who are saying they are losing less money?" Richardson asked. The 2006 survey, a final version of which is slated to be released next month, could provide some answers. Most important, perhaps, the 615 U.S. CSI members who responded to this year's survey reported fewer security incidents. Viruses, laptop theft and insider abuse of Net access are still the most reported threats, but all have decreased compared with last year. The danger of insiders may be somewhat overstated, according to the survey group, Richardson said. About a third of respondents said they had no losses at all due to insider threats; another 29 percent said less than one-fifth of overall losses came from insider threats. Consistent use of security technology may also contribute to the improvements, with essentially all of the respondents stating that they use firewall and antivirus software, not much of a change from last year. This year, eight out of 10 said they also use spyware protection, a category not listed a year ago.
"Overall, you have a picture that is pretty good in many ways," Richardson said. "We're seeing fewer of some of the attacks that have been such a plague for us in many years, and respondents are using less and less money." That less money may be good for companies, but not for security vendors. It refers to the percentage of IT budgets spent on security. In the 2006 survey, nearly half of the respondents said less than 2 percent of the budget is spent on security. Last year that percentage was 35 percent. When it comes to cybercrime losses, consumers might be bearing the brunt of them, and they are not covered by the survey, Richardson suggested. "Consumers are the low-hanging fruit," he said. Costs related to identity theft, for example, fall largely back onto the consumer, he added, even if it did start with a data breach at an enterprise. Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
[ISN] Exploits for Microsoft flaws circulating
http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9001182 By Jaikumar Vijayan Computerworld June 14, 2006 Security firms are warning about the availability of attack code targeting some of the flaws for which Microsoft Corp. released patches yesterday (see Microsoft releases fixes for 21 vulnerabilities [1]). Most of the exploits target flaws that were previously known but for which patches became available only as part of Microsoft's June monthly security update. But at least two publicly available exploits are directed at newly disclosed flaws in the company's products. "Exploit code had already existed for three of the vulnerabilities prior to yesterday, as they were already public issues," said Michael Sutton, director of VeriSign Inc.'s iDefense Labs. "Beyond that, we're seeing public exploit code emerge for some of the new vulnerabilities and are hearing rumors of private code existing for others." The availability of such exploits heightens the risk for companies that have not yet been able to patch their systems and is an important factor to consider when deciding which systems to patch first, he said. "We believe that it is far more beneficial to withhold proof-of-concept code for an amount of time so that customers can get the vulnerabilities patched," said Stephen Toulouse, security program manager at Microsoft's security response center. "The public broadcasting of code so quickly after a bulletin release, we believe, tends to help attackers." Microsoft is telling its customers to pay special attention to three key updates -- MS06-021, MS06-022 and MS06-023 -- because they could be particularly easy to exploit using Internet Explorer. "There are methods by which if you just browse to a Web site, there could be code execution," Toulouse said.
According to iDefense, some form of exploit code is publicly available against the cross-domain information disclosure vulnerability described in bulletins MS06-021, the address bar spoofing flaw in MS06-021 and the Word malformed object pointer vulnerability described in MS06-027. All three were previously known flaws and were given a severity rating of critical by Microsoft. In addition, exploits have also become publicly available for both of the newly disclosed server message block vulnerabilities in MS06-030, according to iDefense. The SANS Internet Storm Center this morning posted a note also listing exploits released by penetration-testing vendors to customers. One of the exploits was directed against the Windows Media Player flaw in MS06-024, while the other was targeted at the routing and remote-access vulnerability in MS06-025. Denial-of-service attack codes are also privately available for a TCP/IP flaw in MS06-032, according to SANS. Outside of the Word malware, which began circulating last month, Microsoft has not yet seen any of these exploits used by attackers, Toulouse said. The availability of exploit code once again shows that there is no longer any patching window for companies, said Johannes Ullrich, chief research officer at the Internet Storm Center. "Companies don't have the luxury of sitting back and waiting," Ullrich said. They have to expect that public exploits will become available the day after vulnerabilities are disclosed, and they have to expedite the patching process, despite the challenges involved, he said. Robert McMillan of the IDG News service contributed to this report. [1] http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9001163
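Sutton's point that exploit availability should drive what gets patched first can be made concrete. The Python below is an added example, not from the Computerworld article, Microsoft, iDefense or SANS: it encodes the June 2006 bulletins exactly as the article characterizes them (public exploit code for MS06-021, MS06-027 and MS06-030; privately held code for MS06-024, MS06-025 and MS06-032; in-the-wild use of the Word flaw; Microsoft's own flag on MS06-021 through MS06-023 as browse-to-exploit) and ranks them by a score in which exploit status dominates. Severity for bulletins the article does not rate is recorded as unknown rather than guessed, and the weights are an illustrative triage choice of this example, not any vendor's scheme.

```python
"""Rank a month's security bulletins by exploit pressure.

Added example. The bulletin table records only what the article states;
severity is None where the article gives no rating, and the weights below
are a triage choice for illustration, not a vendor scoring scheme.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class ExploitStatus(IntEnum):
    NONE = 0         # no exploit code reported
    PRIVATE = 1      # code held privately (pentest vendors, rumoured code)
    PUBLIC = 2       # exploit code publicly available
    IN_THE_WILD = 3  # already used by attackers


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    component: str
    severity: Optional[str]   # vendor rating, or None when the article gives none
    exploit: ExploitStatus
    browse_to_exploit: bool   # exploitable by merely visiting a web page
    vendor_flagged: bool      # vendor told customers to apply it first
    dos_only: bool            # only denial of service reported, no code execution


# Unknown severity is treated like "important": neither dismissed nor inflated.
SEVERITY_WEIGHT = {"critical": 3, "important": 2, "moderate": 1, "low": 0, None: 2}


def risk_score(b: Bulletin) -> int:
    """Higher means patch sooner. Exploit availability dominates, as the
    article's sources argue; the remaining terms order bulletins within a tier."""
    score = 12 * int(b.exploit)
    score += 3 * SEVERITY_WEIGHT[b.severity]
    if b.browse_to_exploit:
        score += 4   # drive-by exposure: every browsing user is a target
    if b.vendor_flagged:
        score += 6
    if b.dos_only:
        score -= 5   # availability impact only
    return score


def prioritize(bulletins: List[Bulletin]) -> List[Tuple[str, int]]:
    """Return (bulletin_id, score) pairs, highest risk first, ties broken by id."""
    scored = [(b.bulletin_id, risk_score(b)) for b in bulletins]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def patch_order(bulletins: List[Bulletin]) -> List[str]:
    return [bid for bid, _ in prioritize(bulletins)]


# June 2006 bulletins as described in the article. ExploitStatus.NONE means
# "no exploit reported there", not a claim that none exists.
JUNE_2006 = [
    Bulletin("MS06-021", "Internet Explorer (cross-domain disclosure, address bar spoofing)",
             "critical", ExploitStatus.PUBLIC, True, True, False),
    Bulletin("MS06-022", "Internet Explorer", None, ExploitStatus.NONE, True, True, False),
    Bulletin("MS06-023", "Internet Explorer", None, ExploitStatus.NONE, True, True, False),
    Bulletin("MS06-024", "Windows Media Player", None, ExploitStatus.PRIVATE, False, False, False),
    Bulletin("MS06-025", "Routing and Remote Access", None, ExploitStatus.PRIVATE, False, False, False),
    Bulletin("MS06-027", "Word malformed object pointer", "critical", ExploitStatus.IN_THE_WILD,
             False, False, False),
    Bulletin("MS06-030", "Server Message Block (two vulnerabilities)", None, ExploitStatus.PUBLIC,
             False, False, False),
    Bulletin("MS06-032", "TCP/IP", None, ExploitStatus.PRIVATE, False, False, True),
]

if __name__ == "__main__":
    for bid, score in prioritize(JUNE_2006):
        print(f"{bid}  score={score}")
```

With these weights the Word flaw already used in the wild ranks first, the IE bulletin with public code and a drive-by vector second, the SMB bulletin with public code third, and the privately exploited DoS-only TCP/IP flaw last; changing the weights reorders the middle of the list, which is the point of keeping the factors explicit rather than arguing each bulletin by hand.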
[ISN] Hanford workers warned about security breach
http://seattlepi.nwsource.com/local/273650_hanfsecurity13.html By SHANNON DININNY THE ASSOCIATED PRESS June 13, 2006 The U.S. Energy Department has warned about 4,000 current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation. The discovery marks the second time in less than a week that the Energy Department has warned employees and its contractors' employees that their personal information may have been compromised. Police in Yakima discovered the list while investigating an unrelated criminal matter, the Energy Department said, adding that the list included the names of people who worked for a former Hanford contractor, Westinghouse Hanford, who were transferring to Fluor Hanford or companies under contract to Fluor Hanford in 1996. The Energy Department awarded Fluor Hanford the contract to clean up the highly contaminated nuclear site in December 1996. The list also included workers' Social Security numbers and birthdates, as well as work titles, assignments and telephone numbers. The department began notifying workers about the discovery Sunday. Employees at seven companies were warned to monitor their financial accounts and billing statements for any suspicious activity. There was no indication that Hanford's computer network was compromised. The Energy Department and Fluor Hanford were working with law enforcement officials to determine how the list was obtained and why it was in the home, the Energy Department said in a statement Monday. "We, along with Fluor, are taking this very seriously," said Karen Lutz, an Energy Department spokeswoman at the south-central Washington site. "Obviously, there's a concern to get the word out, because so many workers transfer to other contractors and other federal sites."
Also on Monday, Energy Department officials began contacting 1,502 individuals by phone to inform them that their Social Security numbers and other information might have been compromised when a hacker gained entry to a department computer system eight months ago. The workers, mostly contract employees, worked for the National Nuclear Security Administration, a semiautonomous agency within the department that deals with the government's nuclear weapons programs. The computer theft occurred last September, but Energy Secretary Samuel Bodman and his deputy, Clay Sell, were not informed of it until last week. It was first publicly disclosed at a congressional hearing on Friday. Following the Hanford report Monday, Sen. Maria Cantwell, D-Wash., demanded corrective actions to ensure that federal employees' personal information remains secure. "Today's news that the personal information of 4,000 Hanford workers has been floating around in the open shows that we still have a long way to go when it comes to keeping sensitive information out of the wrong hands," Cantwell said. Workers from the following companies were urged to check their financial statements: Fluor Daniel Hanford, Lockheed Martin Hanford, Rust Federal Services of Hanford, BW Hanford, Numatec Hanford, DynCorp Tri-Cities Services and Duke Engineering and Services Hanford.
[ISN] Elections hacks don't guard us against hackers
http://www.miami.com/mld/miamiherald/14803773.htm By FRED GRIMM fgrimm at MiamiHerald.com Jun. 13, 2006 For a county supervisor of elections needing someone to test the vulnerabilities of his voting system, Dan Wallach's the man. Wallach, who runs the security computer lab at Rice University, is a nationally regarded expert on computer network security and voting system vulnerabilities. He's associate director of ACCURATE (A Center for Correct, Usable, Reliable, Auditable and Transparent Elections). Besides, his parents live in Lauderdale-by-the-Sea. He is a perfect choice. But not in Florida. Wallach and his associates at ACCURATE may represent academia's leading experts on voting system security, but under the new rules promulgated by the Florida Secretary of State, they don't qualify. Any security test, the secretary of state's office insists, must be performed by someone certified by the American Software Testing Qualifications Board, the American Society for Quality or the EC (E-Commerce) Council. Not only is Wallach not certified by the three organizations, "I've never heard of them," he says. TRAINING COURSE Actually, the first two organizations are concerned with the overall quality of manufactured software, not security. The EC Council website offers a five-day training course into something called "ethical hacking." Five days of training, under the new rules, would trump the most sophisticated résumés in computer science. Computer professor David Dill, of Stanford University, who served on California's Ad Hoc Task Force on Touch Screen Voting, and whose degree -- not the five-day kind -- comes from MIT, added his apprehensions to the comments on the proposed rules the Florida Secretary of State's office collected Monday. He said they "would exclude the most competent evaluators, such as those who have found most of the reported security holes in existing voting systems.
"I have checked with several computer security experts, who not only do not have these qualifications, but, like me, have never heard of them. A little research on the Web reveals these certifications to be of dubious relevance to voting system evaluation," Dill wrote. Other rules would require that the voting-machine vendors and the secretary's office get advance notice of any security test. And a supervisor of elections contemplating a security test must first take special pains to protect the machine manufacturer's secret operating code. CERTIFIED HACKERS Wallach and Dill seemed puzzled. Wallach noted that a voting machine ought to be secure no matter who tries to hack the system. The notion that a would-be hacker must first be properly certified and possess special qualifications (like a five-day online course), and the vendors need advance notice becomes utterly irrelevant in cyberspace. "If someone is malicious and his goal is to throw the election, they're not going to ask permission," Wallach said. Of course, the new rules aren't really about protecting the integrity of elections. Only one Florida supervisor of elections allowed outside experts to test his voting system security. And when Ion Sancho's hackers discovered they could alter the outcome of an election and wipe out all trace of the tampering last year, it was a huge embarrassment to the Secretary of State's office. Instead of trying to fix the flaws, state officials and Diebold -- a maker of voting machines -- went after Sancho, disparaging his findings and suggesting that he ought to be tossed from office. Then California -- not Florida -- directed a panel of computer science experts to look into the Leon County findings. The panel found the same flaws and more. Florida election bureaucrats were humiliated. "The new rules are designed to make sure that they're never embarrassed again," Sancho said Monday. "Florida's first priority is to protect the vendors.
We'll let California worry about the damn voters."
[ISN] KDDI suffers massive data breach
http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9001150 Martyn Williams June 13, 2006 IDG News Service Personal data on almost 4 million customers of Japanese telecom carrier KDDI Corp. has been breached, the company said Tuesday. The data includes the name, address and telephone number of 3,996,789 people who had applied for accounts with KDDI's Dion Internet provider service up to Dec. 18, 2003, KDDI said. Additionally, the gender, birthday and e-mail addresses of some of the people were also leaked. KDDI is Japan's second-largest telecommunications carrier. It operates fixed line, dial-up Internet, broadband and cellular services through a number of different companies. The carrier became aware of the leak on May 31 this year when it received a phone call from someone claiming to possess a CD-ROM of the data, said Yoko Watanabe, a spokeswoman for the Tokyo-based carrier. The original source of the data has yet to be determined and Watanabe declined to comment on other aspects of the case, which is being investigated by the police, she said. The leak is just the latest of several to hit the headlines in Japan this year. Personal information has been leaked by companies a number of times onto the Internet through viruses that infect PCs running file sharing programs. While the source of the data lost by KDDI is not yet clear, the episode is likely to increase fears of identity theft and other fraud in Japan. In recent years the number of frauds committed against consumers using such information has been on the rise. Armed with the name and address or telephone number of a consumer, fraudsters can send out bills or make calls demanding payment for services that were never delivered. The slick frauds often dupe consumers into sending money before they realize they have been tricked.
[ISN] ...and now a word from one of our long time sponsors
http://attrition.org/news/content/06-06-13.001.html Cliff Notes: If you drink Coca-Cola products, email the 'coke reward' code to [EMAIL PROTECTED] to support a bunch of wack job heathens. How many times have you thought, If everyone sent me one penny, I'd be rich!? In the case of attrition staff, maybe you thought If everyone sent me one beer, I'd need a new liver in three months! Attrition has been going strong for almost eight years now. In that time we haven't plagued the site with ad banners, pop-ups, or even the cute little google ad-words. We've accepted PayPal donations for several years and raked in a whopping 250 bucks (which we are honestly very thankful for). Our Amazon wishlists are never used, half the mail we get is mindless drivel complaining about insipid crap that is usually answered by actually reading the web pages. The box has been fully replaced two times due to hardware problems, payments are routinely made to our landlord for the bandwidth abuse and to keep him too drunk to find our power plug. In short, this isn't a site based around profit or self reward. We're more like those monks that inflict self pain thinking it brings them closer to a higher power. Misguided, pain-ridden, stupid monks. Since we've long been fans of the sci-fi idea of 'micro payments', and no system is in place for such a beast to really work, we've come up with one. Now you too can actually support the site without sending us money or hate mail. Chances are, you are a cracked-out coke fiend like most of us. I prefer the hard-core street drug they call Coke Zero these days, moving on from the weak suburban Diet Coke or that old-folks home Caffeine Free Diet Coke that Munge sips on between shots of Everclear. If you support Coca-Cola like a true patriot, and not those Pepsi jerks like a terrorist would, then you are in the perfect position to contribute. Coca-Cola is running a promotion where you receive a code for each purchase you make.
With those codes, you register on one of their web sites and type in the codes to earn points. Enough points and you can earn various prizes, most of which are not worth the time to read about on the web site. If you click around enough, you get to the distant 10,000+ Points reward list, and things become brighter. In this pipe dream category is a pretty swell Sony LCD HDTV that would be a nice reward for the pain and suffering we're put through. So, next time you are getting your fix, take a few seconds to type in the coke code and mail it to us. Only takes a minute of your time and you can spend the rest of the day bragging about how you supported a non-profit site on the intarweb. The codes can be found inside the bottle caps of 2 liter, 1 liter or 20oz bottles, or in the tear off flap of 12-pack cases. They can be found in just about every variety of Coca-Cola products and look something like BNMW7 Y49XR 4X7VJ. This is it net denizens. Some 100,000,000 of you out there, and all it takes is 2,000 of you to mail in the code from a single 12-pack to reach our goal. You would be showing a small token of appreciation for eight years of hard work and it doesn't even require a visit to the post office. If you send in 100 points worth of codes (ten cases, or 33 bottles), we'll hook you up with private access to the old image gallery we used to make available (shut down long ago due to bandwidth abuse), which is up to 5,263 unique images of all varieties, and zero advertisements. That's it, simple and possibly rewarding. [EMAIL PROTECTED]

Cut this out and post it at your work lounge!

.----------------------------------.
|                                  |
|  E-mail Coca-Cola Reward Code    |
|  to the heathens at              |
|  [EMAIL PROTECTED]               |
|                                  |
`----------------------------------'
[ISN] ADSM endorses XBRL technology
http://www.itp.net/business/news/details.php?id=21007 By David Ingham 13 June 2006 Abu Dhabi Securities Market (ADSM) has recently taken further steps to boost market transparency and improve its information technology systems. ADSM has declared its aim to become ISO 17799 compliant and has thrown its weight behind the XBRL information reporting standard. eXtensible Business Reporting Language (XBRL) enables computer-readable tags to be applied to individual items of financial data in business reports. This helps to turn them from blocks of text into information that can be understood and processed by computer software. XBRL complements ADSM's programme to adopt international best practice standards of regulation and governance throughout the UAE markets, said Rashed Al Baloushi, acting director general of ADSM. It will give investors better access to a company's financial information, allowing them to make more informed decisions. Furthermore, analysts will be able to compare detailed data more efficiently and with increased accuracy. Under the current system, it can be difficult to benchmark data efficiently. ADSM said it will encourage all listed companies to adopt the technology, which it says can reduce data processing costs in addition to improving transparency. It has already held one educational seminar, which was attended by listed UAE companies and representatives from other markets in the region. Separately, ADSM has said that it plans to become the first UAE bourse to achieve ISO 17799 certification. ISO 17799 is a set of procedures designed to help companies improve their level of information security. It covers ten aspects of e-security, including policies, procedures, access control and business continuity. Company and Cybertrust have been appointed to help ADSM benchmark its systems against the ISO 17799 requirements.
Since ADSM was established, we have been constantly reviewing and updating our security systems in line with our growth, said Khalfan Al Mazrouei, IT manager of ADSM. But, in order to bring our systems up to international standards we need ISO 17799 certification.
[ISN] PCs to developing world 'fuel malware'
http://www.theregister.co.uk/2006/06/13/pc_donation_peril/ By John Leyden 13th June 2006 Programs to send PCs to third world countries might inadvertently fuel the development of malware for hire scams, an anti-virus guru warns. Eugene Kaspersky, head of anti-virus research at Kaspersky Labs, cautions that developing nations have become leading centres for virus development. Sending cheap PCs to countries with active virus writing cliques might therefore have unintended negative consequences, he suggests. A particular cause for concern is programs which advocate 'cheap computers for poor third world countries', Kaspersky writes. These further encourage criminal activity on the internet. Statistics on the number of malicious programs originating from specific countries confirm this: the world leader in virus writing is China, followed by Latin America, with Russia and Eastern European countries not far behind. But what about all the positive uses in education, for example, possible through the use of second-hand PCs in developing nations? We reckon these more than outweigh the possible misuse of some computers at the fringes of such programs. We wanted to quiz Kaspersky more closely on his comments but he wasn't available to speak to us at the time of going to press. A spokesman for Kaspersky Labs agreed that PC donation programs have benefits but maintained that in countries with fewer legitimate openings for work the possibility of unintended side effects can't be overlooked. He said that Eugene Kaspersky's comments should be viewed in the context of a wider discussion of criminal virus writing, contained in an essay on the anti-virus industry here. ®
[ISN] Black Hat Speakers + 2005 Content on-line
Forwarded from: Jeff Moss [EMAIL PROTECTED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello ISN readers, I have a brief announcement I would like to make. The speaker selection for Black Hat USA 2006 is now complete. We have a fantastic line up of Briefings presentations and our largest selection of Training this year.

Briefings: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-schedule.html
Training: http://www.blackhat.com/html/bh-usa-06/train-bh-usa-06-index.html

For the first time in four years, we have been able to expand our speaking line. This is because Caesars Palace has expanded their conference space, and Black Hat will be getting the entire fourth floor to ourselves! This means that for the first time in four years, we were able to expand the number of presentation tracks and panels, as well as offer more opportunities for networking in our Human Network area.

Some notes from the schedule:

* A Root-kit focused track draws attention to the amount of work, and the speed of advancement, going into this field.
* Ajax to Fuzzers--web app sec is taken to a new level. The largest number of talks dealing with web application security ever delivered at a Black Hat. As the web moves to a more interactive web 2.0 model of participation it is only natural for there to be more risks involved.
* A Windows Vista Security track which has been garnering a lot of press lately... this will be an unprecedented first comprehensive look at Vista security issues.
* Jim Christie is bringing his Meet the Fed panel over from DEF CON, and the Hacker Court is back along with panels on Disclosure, a Public Forum on Corporate Spyware Threats hosted by The Center for Democracy and Technology Anti-Spyware Coalition, and a new challenge will be presented by the Jericho Forum.

Remember, prices increase July 1st for both the Briefings and Trainings. Register now to get the best rates!
http://www.blackhat.com/html/bh-registration/bh-registration.html#us

Other News: Black Hat is pleased to release the presentations from last year's Black Hat 2005 Briefings in both audio and video format. Also a first, they will be available for download in both H.264 .mp4 format (iPod compatible) as well as .mp3 audio. Currently you have to subscribe to the Black Hat .rss feed to get them, but in the coming weeks we will make them available through the past conventions archive page. http://www.blackhat.com/BlackHatRSS.xml

Black Hat would like to welcome the ISSA as a world wide supporting association. http://www.issa.org/

Thank you, Jeff Moss

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBRI9L4kqsDNqTZ/G1AQKjlQgAnLKMSLL6Uc4BznLQ+sGkCf+v4kBXmSR2
ogJYZ8eciZxwJMrAFGhXGhJOHGQJxp2U/HEnISNhg+3W6TGhyl9rVO62z+2aBSfw
bvb+RSWWgMitiQqZcsRO8LkPorJlnpHSLzNxpH1GaVLFyJ17YwSCm1a/n2QPv+Pq
4nlC3KLKwgmFXY6uAkg95InvOeLly5uIelAGEllzIZ676A4fp5VMBeXtT/PDJwbs
49nZE8IPmxFPL1d9V47eWmjNpqMZBtNHuTaEhBhpWc1YbY0oE7Txv0EFWY2HGBLZ
S4XnlJCO9rbD1y0fbd1qof3BKVGW/nXaBG9SBOnctbFSDeyEVUTD3w==
=++JQ
-----END PGP SIGNATURE-----
[ISN] Lights out
http://www.fcw.com/article94825-06-12-06-Print By Brian Robinson June 12, 2006 Most federal agencies and an increasing number of state and local offices have made significant investments in communications services that run over government-owned or commercial fiber-optic networks. Fiber can carry much more data than traditional copper lines and at lower costs. Besides government operations, a growing part of the country's economy depends on the Internet and its fiber-based backbone - everything from online shopping and entertainment to banking and health care. But given its vital importance as a communications medium and general concerns about terrorist threats to the country's economic and critical infrastructure, just how secure are the country's fiber networks? Experts say fiber, like any network technology, is indeed vulnerable to a determined eavesdropper with the know-how and right equipment. That means agencies should safeguard sensitive data. From a broader, more systemic perspective, however, the country's fiber-optic infrastructure is more redundant and thus more resilient than it was a few years ago, reducing the chances that an attacker could cripple large segments of it, experts say. But localized problems stemming from physical damage to the infrastructure - intentional or not - still have the potential to affect its availability.

Not a priority

For an increasingly technology-dependent country, the security of fiber-optic networks is apparently low on the list of concerns for those whose job it is to worry about such threats. For example, in its recently published Federal Plan for Cyber Security and Information Assurance, the National Science and Technology Council identified the Internet's Domain Name System, network routing protocols and a host of other process control systems most in need of security research and development. The report did not address fiber networks and other infrastructure issues. Meanwhile, the U.S. Cyber Consequences Unit (US-CCU), an independent research group that advises the Homeland Security Department, did not include the fiber infrastructure in a recent draft of a cybersecurity issues checklist it gave to DHS. That checklist identified measures at the enterprise or organizational level, said Scott Borg, director of the US-CCU. The unit will probably investigate fiber infrastructure security issues later, he said. With technology budgets tighter than ever, organizations may decide that fiber security is just not that pressing compared with other cybersecurity issues, said Bernard Skoch, executive vice president of Suss Consulting and a former principal director for network services at the Defense Information Systems Agency. People in government are in a classic fight over funding and have to prioritize their needs, Skoch said. In some ways, it takes a greater level of sophistication to say why something is not needed, and right now, I think there are a lot of people who have concluded that the fiber infrastructure mesh is well-enough protected.

Hacking fiber

Some experts say the notion that fiber networks are sufficiently secure may not be a well-informed conclusion. Tapping fiber without detection is difficult but certainly not impossible, they say. One of the classic assumptions about such networks is that they are inherently more secure than copper cable. A signal traveling over copper tends to leak outside the cable, so anyone with a sensitive scanner could pick up those signals and access the data. Because fiber uses various wavelengths of light rather than electrons to carry data, it does not routinely suffer from similar leakage. Stealing data in transit - between the two ends of the fiber - means someone has to physically break a fiber strand to tap it or somehow bend the fiber enough to induce light to exit the fiber. That is not an easy task, some experts say.
Physically tapping into fiber means you will interrupt the data stream, which will alert a network operator, said Frank Dzubeck, president of Communications Network Architects, a network integrator. To detect the light passively, you have to first strip away all of the shielding around the fiber and then put something in place to catch the light bouncing off the glass of the fiber strand, he said. And then you have to determine what the data is that you are capturing. This is all involved specialty equipment. It's not something you can purchase on the open market. But Seth Page, chief executive officer of New York-based Oyster Optics, which makes intrusion-detection equipment, said he believes that the fiber infrastructure is vulnerable to hackers who can tap fiber with common maintenance tools that are available worldwide. This same equipment with modifications can be used to capture 100 percent of the voice, video and data going across the network, Page said. All you need to do is get access to the fiber loop serving a particular building. Hackers don't even need to
[ISN] OU has been getting an earful about huge data theft
http://www.athensnews.com/issue/article.php3?story_id=25220 By Jim Phillips Athens NEWS Senior Writer 2006-06-12 Ohio University has spent more than $77,000 sending letters to alumni and students affected by a computer security breach. It's harder to put a price tag on the blow to alumni goodwill, as the number of people affected by hacking of OU computer databases continues to rise with the discovery of new hacking incidents. This is damaging OU's reputation far more than its drunk football coach, magazine pictorials or its #2 party-school ranking, and you can tell (OU President Roderick) McDavis that this really sucks. A lot! wrote one incensed alum May 10. Another signed off his May 3 e-mail with, You incompetent f---ing a--holes. I will never donate a penny to you. After announcing two computer security breaches in May, OU got hundreds of e-mails from alums regarding the issue. The Athens NEWS has examined more than 600 of them, provided by the university in response to a records request. The great majority were simply requests for information, trying to learn whether the sender's personal data were accessed by the hackers, and to get more detailed guidance on what to do if they were. A number of writers, however, expressed anger, frustration and in some cases, a distinct reluctance to donate any more money to OU. It was my intention to leave a sizable endowment to OU, but not any longer, announced one. My husband has graciously given to the university's alumni association many times; we will now think twice before we do it again, warned another. Other comments along these lines include: I am disgusted with you and will NEVER do anything to help you financially. I will definitely be reflecting on this incident the next time I receive an appeal for a donation to OU. I have donated to the university for many years, but this shortcoming, and other matters having to do with the university, make me hesitant to make further contributions. 
Some alums questioned why OU keeps Social Security numbers on long-gone graduates, including those who haven't been donors. Some asked to have their data removed from OU computers - a request the university promptly grants. Dozens wanted to know if OU will cover the expenses they rack up in taking precautions against identity theft, or financial losses if they're the victim of such thefts. A handful talked about lawsuits, and one alum simply sent OU a bill. Molly Tampke, interim vice president for university advancement, admitted last week that she can't gauge how the alumni perception of the computer data breaches will affect giving to OU. Tampke acknowledged that the incidents seem to have undermined alumni confidence in some cases, but she continued to hold out hope that alums will look past the problems when it comes time to open their checkbooks. It does concern me that alumni would feel like they couldn't trust us, Tampke said. In terms of long-term effects for financial support, I don't think we know. But I think ultimately people believe in us, and want to support Ohio University... I don't want to look cavalier by any means, but I believe in the loyalty of our alums.

The picture just got darker, however. While investigating the previous cases in which hackers gained access to personal data - including Social Security numbers - on close to 200,000 students and alums, OU recently found two more such incidents. These affect the personal data of about 2,480 university subcontractors and an additional 4,900 current and former students. According to a story in the Columbus Dispatch Saturday, the latest hackings put OU at the top of universities nationally for the amount of computer data stolen, well ahead of the next school on the list, the University of Southern California.
More than one alum correspondent has questioned the competency of those watching over OU's data cache, and one question in particular keeps coming up in the e-mails sent by alums: Why did you have my Social Security number on file, anyway? I'm trying to fathom a situation in which a serious breach of Social Security numbers could occur and not be discovered for 13 months, wrote one alum who works in fraud and compliance for Microsoft. How could this possibly happen without utter rank incompetence and a carefree attitude toward data security?... I hope your IT staff was fired. Another writer noted that the trend across the country is to de-link Social Security numbers from other important identifying information in computer databases. Tampke said the reason for holding the numbers is primarily to track lost alumni. When an alum moves and doesn't leave a forwarding address, she said, OU will give the person's Social Security number to a tracking service, to find the new residence. Given the risk of data theft, is this convenience worth it? That's a good question, Tampke said, adding that the issue is something that we want to sit down and have a very structured
[ISN] Backdoors, Bots Biggest Threats To Windows
http://www.informationweek.com/news/showArticle.jhtml?articleID=189400457 By Gregg Keizer TechWeb.com Jun 12, 2006 Backdoor Trojans are a clear and present danger to Windows machines, Microsoft said Monday as it released the first-ever analysis of data collected by the 15-month run of its Malicious Software Removal Tool, a utility that seeks out and destroys over five-dozen malware families. According to Microsoft's anti-malware engineering team, Trojans that, once installed, give an attacker access and control of a PC, are a significant and tangible threat to Windows users. Of the 5.7 million unique PCs from which the Malicious Software Removal Tool (MSRT) has deleted malware, 3.5 million of them -- 62 percent -- had at least one backdoor Trojan. Backdoor Trojans are a large part of the malware landscape, said Matt Braverman, program manager on the team, and the author of a report on the tool's data that was released Monday at Boston's TechEd 2006 conference. Bots, a subset of Trojan horses, were especially popular on infected PCs, Microsoft's data showed. Bots are small programs that communicate with the controlling attacker, usually through Internet Relay Chat (IRC) channels, less frequently via instant messaging. Of the top 5 on the MSRT's removed malware list, three families -- Rbot, Sdbot, and Geobot -- were bots. Once backdoors and bots are accounted for, all other malware types were seen on only a minority of machines. Rootkits are certainly present, but compared to other [malware types] they're not extremely widespread yet, added Braverman. A rootkit was present on 14 percent of the nearly 6 million computers that had to be cleaned. Since it debuted in January 2005, the MSRT has been run some 2.7 billion times on an increasing number of PCs. In March 2006, the last month for which data was compiled, 270 million unique systems ran the tool, which is automatically downloaded and run on systems with Windows/Microsoft Update turned on.
Over those 15 months, the MSRT found malware on one in every 311 computers. I think that's a valid, accurate number, argued Braverman, even though the MSRT doesn't detect and delete every form of malicious software, and runs predominantly on Windows XP SP2 (and not at all on older operating systems, such as Windows 98 and Windows NT). The MSRT data also seemed to validate the long-standing premise that Windows XP SP2 is more secure than earlier Microsoft operating systems, said Braverman. Although Windows XP SP2 systems account for 89 percent of all machines from which malware was deleted, when the numbers are normalized -- to take into account the number of tool executions on each OS -- SP2's rate falls precipitously to just 3 percent. Together, Windows XP Gold (the original edition launched in October 2001) and Windows XP SP1 account for 63 percent of the deletions when the numbers are normalized. This makes sense, Braverman's report read. Windows XP SP2 includes a number of security enhancements and patches for vulnerabilities not found in earlier versions of Windows XP, making it more difficult to be infected by malware in some cases. And it is likely that a user who has not yet upgraded to the latest service pack would be more susceptible to social-engineering-based attacks. In fact, this seems to hold true for Windows 2000 and Windows Server 2003 as well, where the latest versions of the service packs for those operating systems have the lowest number of normalized disinfections compared with the older versions of the operating systems. No, I couldn't claim that Windows XP SP2 itself was the only reason why its normalized numbers are so low, admitted Braverman, who pointed to the prodding those users get to turn on Automatic Update (which not only patches their OS, but also runs the MSRT monthly) and the idea that they're less likely to engage in potentially risky behavior, like opening attachments or visiting dangerous parts of the Internet.
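The raw-versus-normalized distinction in the passage above is the kind of thing a defender reading any cleanup or detection telemetry has to get right: an OS (or business unit, or fleet) that generates the most alerts in absolute terms is often just the one where the sensor runs most. The following is an added Python example, not Microsoft's code or data, that takes constructed per-OS counts of cleanups and tool executions and computes both the raw share of cleanups and a share normalized by execution count. It assumes "normalized" means dividing each OS's cleanups by the number of tool runs on that OS before comparing across OSes; the OS labels and all numbers are made up, chosen only so the sample has the same shape as the article's figures (the most-run OS dominates the raw count and drops to the bottom once normalized). It also handles the edge case of an OS with no recorded executions, which has no rate and must not produce a division by zero.

```python
from collections import namedtuple

# Per-OS counters: how many machines the tool cleaned, and how many times it ran there.
Bucket = namedtuple("Bucket", "disinfections executions")

# Constructed sample (not Microsoft's figures): the dominant OS produces the most
# cleanups in absolute terms simply because the tool runs on it far more often.
SAMPLE = {
    "XP SP2":  Bucket(disinfections=8_900, executions=10_000_000),
    "XP SP1":  Bucket(disinfections=500,   executions=100_000),
    "XP Gold": Bucket(disinfections=400,   executions=50_000),
    "Win2000": Bucket(disinfections=200,   executions=40_000),
}


def raw_share(data):
    """Each OS's fraction of all cleanups, ignoring how often the tool ran."""
    total = sum(b.disinfections for b in data.values())
    if total == 0:
        return {os_name: 0.0 for os_name in data}
    return {os_name: b.disinfections / total for os_name, b in data.items()}


def per_thousand_runs(data):
    """Cleanups per 1,000 executions. An OS with no executions has no rate
    and is left out rather than dividing by zero."""
    return {
        os_name: 1000 * b.disinfections / b.executions
        for os_name, b in data.items()
        if b.executions > 0
    }


def normalized_share(data):
    """Each OS's fraction of the summed per-execution rates (the assumed meaning
    of 'normalized' in the passage above)."""
    rates = per_thousand_runs(data)
    total = sum(rates.values())
    if total == 0:
        return {os_name: 0.0 for os_name in rates}
    return {os_name: r / total for os_name, r in rates.items()}


def report(data):
    """Rows of (os, raw share, cleanups per 1k runs or None, normalized share or None)."""
    raw = raw_share(data)
    rate = per_thousand_runs(data)
    norm = normalized_share(data)
    return [(os_name, raw[os_name], rate.get(os_name), norm.get(os_name)) for os_name in data]


if __name__ == "__main__":
    print(f"{'OS':<8} {'raw share':>10} {'per 1k runs':>12} {'normalized':>11}")
    for os_name, raw, rate, norm in report(SAMPLE):
        rate_s = "n/a" if rate is None else f"{rate:.3f}"
        norm_s = "n/a" if norm is None else f"{norm:.1%}"
        print(f"{os_name:<8} {raw:>10.1%} {rate_s:>12} {norm_s:>11}")
```

With the constructed sample, XP SP2 holds 89% of the raw cleanups but under 5% of the normalized share, while XP Gold and SP1 together rise from 9% raw to roughly 69% normalized; the ranking reverses purely because the denominator changes, which is the point the report's "this makes sense" paragraph is making.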
Microsoft uses a combination of internally-generated metrics and outside feedback -- including the WildList and customer comments -- to decide which malware is added to the list targeted by the tool. Anti-virus scan results of Microsoft's for-a-fee security service, OneCare, and its for-free Windows Live Safety Center, said Braverman, are taken into account, as is data from the crash analysis tool that users can invoke when Windows dies. While the MSRT data has been used mostly by the anti-malware team itself to develop new tools -- such as ones to more quickly crank out signatures for bots -- Braverman sees it as a way for Microsoft and its partners to get a better feel for the current security situation. It demonstrates Microsoft's understanding of the malware landscape, he said, even as that landscape -- and the tool itself -- change. We've already morphed our thinking about how to best attack malware families, he added. A version of the tool for Windows Vista Beta 2 will be released within weeks,